Virtual Machines Networking

This documentation covers essential networking concepts and configurations for Azure Virtual Machines.

Table of Contents

Introduction to Azure VM Networking

Networking is a fundamental aspect of deploying and managing virtual machines in Azure. It dictates how your VMs communicate with each other, with other Azure resources, and with the internet.

Azure provides a robust set of networking services to enable secure, scalable, and highly available virtual machine deployments. Understanding these services is crucial for designing an effective cloud infrastructure.

Virtual Networks (VNets)

An Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. It represents your own network in the cloud, offering:

  • Isolation: VNets are isolated from each other.
  • Segmentation: You can segment your VNet into subnets.
  • Connectivity: Enables communication between Azure resources.
  • Hybrid Connectivity: Allows you to connect your on-premises network to Azure using VPNs or ExpressRoute.

When you create a VNet, you define a private IP address space. This address space is a set of private IP addresses that your VMs will use.

Azure Virtual Network Address Spaces

Subnets

Subnets are subdivisions of your VNet's address space. You can create multiple subnets within a VNet to organize and secure your resources. Each subnet must have a unique address range within the VNet's address space.

Subnetting helps in:

  • Resource Organization: Grouping VMs based on their role or function.
  • Security: Applying Network Security Groups (NSGs) to control traffic flow between subnets.
  • Routing: Directing traffic to specific network appliances or gateways.
Important: Once a subnet is created, you cannot change its address range or split it. It's best to plan your subnet strategy carefully before deployment.

Network Interfaces (NICs)

A Network Interface (NIC) connects an Azure resource, such as a virtual machine, to an Azure Virtual Network. A VM can have one or more NICs.

Each NIC is associated with:

  • A subnet within a VNet.
  • One or more IP configurations, each with a private IP address and optionally a public IP address.
  • Optionally, an Application Security Group (ASG) for finer-grained access control.

For VMs with multiple NICs, each NIC must be connected to a different subnet for proper functionality.

IP Addresses

Azure VMs use both private and public IP addresses.

Private IP Addresses

Assigned from the address space of the VNet and subnet the VM's NIC is connected to. They are used for communication within the VNet and connected networks. Private IPs can be static or dynamic.

Public IP Addresses

Allow your VM to be reachable from the internet. Public IPs can be associated with a VM's NIC or with a load balancer. They can also be static or dynamic.

Note: For production workloads, it's highly recommended to use static private and public IP addresses to ensure predictable connectivity.

Network Security Groups (NSGs)

Network Security Groups (NSGs) are a fundamental component for filtering network traffic to and from Azure resources in an Azure virtual network. You can associate an NSG with a subnet or a specific network interface.

NSGs contain a list of security rules that allow or deny inbound network traffic to, or outbound network traffic from, various Azure resources.

Key features of NSGs:

  • Inbound/Outbound Rules: Define rules based on source/destination IP address, port, and protocol.
  • Priority: Rules are processed in order of priority.
  • Default Rules: Azure provides default rules for common scenarios.

# Example of an inbound NSG rule to allow SSH (port 22)
{
    "properties": {
        "priority": 100,
        "access": "Allow",
        "direction": "Inbound",
        "protocol": "Tcp",
        "sourceAddressPrefix": "*",
        "sourcePortRange": "*",
        "destinationAddressPrefix": "*",
        "destinationPortRange": "22",
        "name": "AllowSSH"
    }
}

Load Balancing

Azure Load Balancer provides high availability and network load balancing for your applications. It distributes incoming traffic across multiple VMs or instances, ensuring that your application remains responsive and available.

Types of Azure Load Balancers:

  • Standard Load Balancer: Offers advanced features like zone redundancy and integration with Availability Zones.
  • Basic Load Balancer: A simpler offering suitable for basic load balancing needs.

Load Balancers can operate at Layer 4 (TCP/UDP) and can distribute traffic based on various algorithms.

DNS Configuration

Azure provides built-in DNS services for resolving names of Azure resources. You can also integrate your custom DNS servers.

When you create a VNet, it automatically comes with Azure-provided DNS. You can also configure custom DNS servers for your VNet, which is essential for hybrid environments or when using domain-joined VMs.

Network Monitoring

Monitoring network traffic is crucial for troubleshooting and performance optimization. Azure offers several tools for this:

  • Network Watcher: Provides tools for monitoring, diagnosing, and viewing metrics for your Azure network resources.
  • NSG Flow Logs: Capture information about IP traffic flowing through your NSGs.
  • Traffic Analytics: Analyzes NSG flow logs to provide visualizations and insights into network traffic patterns.
Tip: Enable NSG Flow Logs for your critical subnets to gain visibility into traffic patterns and identify potential security threats.