Basic Azure Network Connectivity
This document outlines fundamental scenarios for establishing network connectivity within Azure, focusing on the core components that enable communication between resources.
1. Single Virtual Network Connectivity
The most basic scenario involves resources communicating within a single Azure Virtual Network (VNet). This provides an isolated and private network in Azure.
Scenario Description
Virtual machines (VMs), containers, and other Azure resources deployed within the same VNet can communicate with each other directly using their private IP addresses. This is the default behavior and requires no explicit configuration for internal communication.
Key Components
- Azure Virtual Network (VNet): A logically isolated private network in Azure.
- Subnets: Divisions within a VNet that host specific resources.
- Network Interface Cards (NICs): Attached to Azure resources, providing them with IP addresses within the VNet/subnet.
Diagram: Resource A and Resource B are in Subnet A and can communicate freely. Resource C is in a different subnet of the same VNet, and inter-subnet communication is also enabled by default within the VNet.
2. Connectivity with On-Premises Networks (Hybrid Connectivity)
This section briefly introduces the concept of extending your on-premises network to Azure.
Scenario Description
Azure provides secure ways to connect your on-premises network to your Azure VNet, allowing resources in both environments to communicate as if they were on the same network. This is crucial for hybrid cloud strategies.
Key Components
- VPN Gateway: Enables encrypted traffic between your on-premises network and Azure VNet over the public internet.
- ExpressRoute: Provides a private, dedicated connection between your on-premises network and Azure, offering higher bandwidth and lower latency.
For detailed information on hybrid connectivity, please refer to the Hybrid Connectivity Scenarios document.
3. Internet Connectivity
This scenario covers enabling Azure resources to reach the internet and, where required, to be reached from it.
Scenario Description
Azure resources often need to access public endpoints (e.g., for updates, external APIs) or serve content to the internet.
Key Components
- Public IP Addresses: Assigned to Azure resources (like VMs or Load Balancers) to make them accessible from the internet.
- Network Security Groups (NSGs): Act as a distributed firewall to control inbound and outbound traffic to and from Azure resources.
- Azure Firewall / NAT Gateway: Azure Firewall provides centralized, policy-based filtering of traffic, including internet egress; NAT Gateway provides outbound-only internet egress with predictable source IP addresses.
Network Security Considerations
Ensuring secure communication is paramount. Network Security Groups (NSGs) are the primary tool for controlling traffic flow at the subnet or NIC level. NSG rules are evaluated in priority order (lower number first) and the first match decides; built-in default rules allow traffic within the VNet and deny all other inbound traffic unless a custom rule permits it.
Important
Always implement the principle of least privilege for network access. Only allow the ports and protocols each workload requires, and only from the sources that require them.
This document provides a high-level overview. Each component and scenario can be configured and secured in various ways to meet specific application and organizational requirements.