Azure Virtual Network Connections Documentation

Virtual Network Connections

This document outlines the various ways to connect Azure virtual networks (VNets) to other networks, including on-premises environments and other VNets. Understanding these connection options is crucial for designing secure, scalable, and highly available cloud architectures.

Connection Methods

Azure provides several services to establish connections:

1. VNet-to-VNet Connections

Connect Azure VNets to each other. This is useful for creating hybrid cloud solutions where resources in different VNets need to communicate. You can use:

VNet Peering: A simple and cost-effective way to connect VNets within the same region or across different Azure regions. It allows resources in different VNets to communicate with each other as if they were in the same network. Data transfer between peered VNets occurs over the Azure backbone network, ensuring low latency and high bandwidth.
VPN Gateway: Use Azure VPN Gateway to connect VNets through an IPsec/IKE VPN tunnel. This is suitable for scenarios where you need encrypted transit or when connecting VNets that are not eligible for peering (e.g., different subscription administrators).
Virtual Network Service Endpoints for ExpressRoute: While not a direct VNet-to-VNet connection in the traditional sense, service endpoints can be used to secure access to specific Azure services from multiple VNets.

2. VNet-to-On-Premises Connections

Connect your Azure VNet to your on-premises network to create a hybrid cloud. This enables resources in Azure to access on-premises resources and vice versa.

VPN Gateway (Site-to-Site VPN): The most common method. It establishes an encrypted tunnel between your on-premises VPN device and Azure VPN Gateway over the public internet.
Azure ExpressRoute: Provides a private, dedicated connection between your on-premises network and Azure. This offers higher reliability, faster speeds, and lower latencies than VPN over the internet.

Important: When planning your network connections, consider factors such as bandwidth requirements, latency tolerance, security needs, and cost.

Key Concepts

VNet Peering

VNet peering allows you to seamlessly connect VNets. Key features include:

Connectivity is established directly over the Azure backbone.
No gateway is required for basic peering.
Supports global peering (across regions) and local peering (within the same region).
You can enable forwarding traffic from a gateway in a remote peered VNet.

VPN Gateway

Azure VPN Gateway is a managed service that allows you to deploy virtual network gateways and establish secure connections.

Site-to-Site (S2S) VPN: Connects an on-premises network to an Azure VNet.
VNet-to-VNet VPN: Connects two Azure VNets.
Point-to-Site (P2S) VPN: Connects individual client devices to an Azure VNet.

ExpressRoute

ExpressRoute circuits offer a dedicated connection to Azure, bypassing the public internet. It's ideal for:

Mission-critical applications requiring predictable performance.
Large data transfers.
Enhanced security and compliance.

You can connect to ExpressRoute through a connectivity provider.

Considerations for Connection Design

IP Addressing

Ensure that your virtual networks and on-premises networks have non-overlapping IP address spaces to avoid routing conflicts.

Security

Implement Network Security Groups (NSGs) and Azure Firewall to control traffic flow and enhance security between connected networks.

High Availability and Disaster Recovery

Design for redundancy using multiple VPN gateways or ExpressRoute circuits, and consider multi-region deployments for disaster recovery.

Tip: Use the Azure Network Watcher tools to monitor network performance and troubleshoot connectivity issues.

For detailed configuration steps and best practices, please refer to the specific documentation for VNet peering, VPN Gateway, and ExpressRoute.