Virtual Network Connectivity

This document provides an in-depth guide to establishing and managing connectivity within and between Azure Virtual Networks (VNets), as well as connecting to on-premises environments and the internet.

1. Intra-VNet Connectivity

Connectivity within a single VNet is seamless by default. Resources deployed within the same VNet can communicate with each other using their private IP addresses.

Subnetting and Communication

While resources in the same VNet can communicate, the use of subnets logically partitions your network. Communication between subnets within the same VNet is automatically routed by Azure's infrastructure.

2. Inter-VNet Connectivity

Connecting multiple VNets is crucial for distributed applications and hybrid cloud scenarios. Azure offers several methods to achieve this:

2.1. VNet Peering

VNet peering connects two Azure VNets securely. Once peered, resources in either VNet can communicate with each other as if they were within the same network. This connection is made over the Azure backbone network.

  • Global VNet Peering: Connects VNets across different Azure regions.
  • Local VNet Peering: Connects VNets within the same Azure region.
Note: VNet peering does not support transitive routing. If VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A cannot communicate directly with VNet C through VNet B.

To configure VNet peering, you need to establish a peering connection from each VNet to the other. Key settings include:

  • Address space of the remote VNet.
  • Virtual network gateway (optional, for accessing on-premises networks).
  • Service endpoints and private endpoints configurations.

2.2. VPN Gateway

Azure VPN Gateway provides a secure and reliable way to send encrypted traffic between your on-premises networks and your Azure VNets, or between Azure VNets. This is often referred to as a Site-to-Site VPN.

Use cases:

  • Connecting your on-premises datacenter to Azure.
  • Connecting Azure VNets in different regions or subscriptions.
  • Remote user access (Point-to-Site VPN).

// Example of deploying a VPN Gateway (Conceptual Azure CLI)
az network vnet-gateway create \
  --name MyVPNGateway \
  --resource-group MyResourceGroup \
  --location eastus \
  --sku VpnGw1 \
  --gateway-type Vpn \
  --vpn-type RouteBased \
  --vnet MyVNet

2.3. ExpressRoute

Azure ExpressRoute provides private, high-bandwidth, low-latency connections between your on-premises infrastructure and Azure. It bypasses the public internet, offering greater reliability and security.

Benefits:

  • Increased reliability and uptime.
  • Higher bandwidth options.
  • Reduced latency.
  • Enhanced security.
Tip: For mission-critical applications requiring guaranteed performance and connectivity, ExpressRoute is the preferred solution.

2.4. Azure Virtual WAN

Azure Virtual WAN is a networking service that brings many networking, security, and routing functionalities together in a single operational interface. It is designed for large-scale, globally distributed environments.

  • Centralized network management.
  • Global transit connectivity.
  • Integration with security services.

3. Connectivity to the Internet

Resources within an Azure VNet can be configured to access the internet. This is typically managed through:

  • Default Internet Outbound Access: Azure VNets have default internet outbound connectivity.
  • NAT Gateway: Azure NAT Gateway provides outbound internet connectivity for subnets.
  • Azure Firewall: A managed, cloud-based network security service that protects your virtual network resources.
  • User-Defined Routes (UDRs): Used to force internet-bound traffic through specific devices like firewalls or network virtual appliances (NVAs).
Warning: Unrestricted internet access should be carefully managed with appropriate security controls like Network Security Groups (NSGs) and Azure Firewall.

4. Connectivity Scenarios

4.1. Connecting to On-Premises

Use VPN Gateway or ExpressRoute to establish secure connections between your on-premises datacenter and Azure VNets.

4.2. Connecting VNets in Different Regions

Utilize Global VNet Peering or Azure Virtual WAN for cross-region VNet connectivity.

4.3. Connecting VNets in Different Subscriptions

VNet peering (both local and global) supports connecting VNets across different subscriptions within the same Azure Active Directory tenant. Ensure appropriate RBAC permissions.

4.4. Hub-and-Spoke Architecture

A common design pattern where a central "hub" VNet (often containing shared services like firewalls, VPN gateways, or NVAs) connects to multiple "spoke" VNets. This allows for centralized management and security.

This architecture can be implemented using:

  • VNet peering (hub-to-spoke).
  • Azure Virtual WAN.