Introduction to Azure VM Networking
Networking is a fundamental aspect of deploying and managing Azure Virtual Machines (VMs). It dictates how your VMs communicate with each other, with on-premises resources, and with the internet. Understanding these concepts is crucial for building secure, scalable, and reliable cloud solutions.
This document covers the core networking components and concepts relevant to Azure VMs, including Virtual Networks, subnets, network security groups, IP addressing, load balancing, and connectivity options.
Virtual Networks (VNet)
An Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. It represents your own network in the cloud, allowing you to:
- Isolate your cloud resources.
- Control traffic flow between Azure resources.
- Connect Azure resources to the internet.
- Connect Azure resources to on-premises networks.
VNets are regional resources. A single VNet spans all availability zones within its Azure region.
Conceptual diagram of an Azure Virtual Network.
Subnets
A subnet is a range of IP addresses within your VNet. You can divide your VNet into multiple subnets for better organization and security. Each subnet can host different types of Azure resources, such as Virtual Machines.
Subnets must have a contiguous range of IP addresses in CIDR notation (e.g., 10.0.1.0/24). Azure reserves five IP addresses in each subnet (the first four and the last) for its own use, so they cannot be assigned to resources. Subnet address ranges within a VNet must not overlap.
Key considerations for subnets:
- Segmentation: Divide your network logically for security and management.
- Routing: Subnets enable granular control over traffic routing.
- Network Security Groups (NSGs): NSGs can be associated with subnets to filter traffic.
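As an added example (not part of the original document), the following Python checks a VNet/subnet plan against the constraints described above: each subnet must lie inside the VNet's address space, subnet ranges must not overlap, and five addresses per subnet are reserved by Azure. It also applies Azure's /29 minimum subnet size, which the text above does not mention. The address ranges are constructed sample values.

```python
# Added example: validate a VNet/subnet plan against Azure's subnet rules.
import ipaddress
from typing import List

AZURE_RESERVED_PER_SUBNET = 5   # network, default gateway, two Azure DNS, broadcast
AZURE_MIN_PREFIXLEN = 29        # smallest IPv4 subnet Azure accepts

def usable_hosts(cidr: str) -> int:
    """Addresses a VM NIC can actually be assigned from this subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)

def validate_plan(vnet_cidr: str, subnet_cidrs: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    subnets = []
    for cidr in subnet_cidrs:
        try:
            # strict=True rejects ranges such as 10.0.3.1/24 whose host bits are set
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{cidr}: not a valid CIDR block ({exc})")
            continue
        if not net.subnet_of(vnet):
            problems.append(f"{cidr}: outside VNet {vnet_cidr}")
        if net.prefixlen > AZURE_MIN_PREFIXLEN:
            problems.append(f"{cidr}: smaller than the /29 minimum")
        subnets.append(net)
    # Every pair of subnets must be disjoint.
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems

if __name__ == "__main__":
    # Constructed sample plan: one overlap, one range outside the VNet, one malformed.
    plan = ["10.0.1.0/24", "10.0.1.128/25", "10.1.0.0/24", "10.0.3.1/24"]
    for line in validate_plan("10.0.0.0/16", plan):
        print(line)
    print("usable hosts in 10.0.1.0/24:", usable_hosts("10.0.1.0/24"))
```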
Network Security Groups (NSG)
A Network Security Group (NSG) is a stateful packet filter that you can associate with a subnet or with a network interface (NIC) attached to a VM. An NSG contains a list of security rules that allow or deny network traffic to and from Azure resources.
Rules are evaluated in priority order (lower numbers first); the first rule that matches the traffic decides whether it is allowed or denied, and later rules are not considered. NSGs support both inbound and outbound traffic filtering.
Common NSG rules:
- Allowing SSH (port 22) for Linux VMs.
- Allowing RDP (port 3389) for Windows VMs.
- Allowing HTTP/HTTPS (ports 80/443) for web servers.
- Denying all other inbound traffic by default.
Example NSG rule (inbound):
{
  "name": "AllowSSH",
  "properties": {
    "priority": 100,
    "protocol": "Tcp",
    "access": "Allow",
    "direction": "Inbound",
    "sourceAddressPrefix": "*",
    "sourcePortRange": "*",
    "destinationAddressPrefix": "*",
    "destinationPortRange": "22"
  }
}
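As an added example (not part of the original document), the Python below models how an NSG evaluates inbound rules: ascending priority, first match wins, with the three default inbound rules Azure adds to every NSG providing the implicit "deny everything else". It runs the AllowSSH rule above as written (source `*`) beside the same rule scoped to a constructed management range, so the difference in exposure is visible in the evaluation result. The VNet range, the admin range and the flattened rule layout (no `properties` wrapper) are assumptions of the example.

```python
# Added example: minimal model of NSG inbound rule evaluation.
import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")   # constructed: VNet the NSG protects
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")  # Azure health-probe source

# Default inbound rules Azure places in every NSG (priorities 65000-65500).
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow",
     "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

def _prefix_matches(prefix, src):
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":      # service tag, simplified to the local VNet range
        return src in VNET
    if prefix == "AzureLoadBalancer":   # service tag for the load balancer probe source
        return src == AZURE_LB_PROBE_IP
    return src in ipaddress.ip_network(prefix, strict=False)

def _port_matches(port_range, port):
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")   # accepts "22" or "80-443"
    return int(lo) <= port <= int(hi or lo)

def evaluate_inbound(rules, src_ip, dst_port, protocol="Tcp"):
    """Return (rule name, access) of the first matching rule, lowest priority first."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if rule.get("protocol", "*") not in ("*", protocol):
            continue
        if (_prefix_matches(rule["sourceAddressPrefix"], src)
                and _port_matches(rule["destinationPortRange"], dst_port)):
            return rule["name"], rule["access"]
    raise RuntimeError("unreachable: DenyAllInBound matches everything")

# The page's rule as written, and the same rule scoped to a constructed admin range.
ALLOW_SSH_ANY = {"name": "AllowSSH", "priority": 100, "protocol": "Tcp", "access": "Allow",
                 "sourceAddressPrefix": "*", "destinationPortRange": "22"}
ALLOW_SSH_ADMIN = dict(ALLOW_SSH_ANY, sourceAddressPrefix="203.0.113.0/24")

if __name__ == "__main__":
    for rules in (ALLOW_SSH_ANY, ALLOW_SSH_ADMIN):
        print(rules["sourceAddressPrefix"], "->", evaluate_inbound([rules], "198.51.100.7", 22))
```

With the source left as `*`, an SSH attempt from any internet address reaches the first rule and is allowed; with the source scoped, the same attempt falls through to DenyAllInBound.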
Public IP Addresses
A Public IP address is an IP address that is accessible from the internet. You can associate a Public IP address with a VM's network interface (NIC) to allow direct inbound connections from the internet or to enable your VM to initiate outbound connections to the internet.
Public IP addresses can be:
- Static: The IP address does not change.
- Dynamic: The IP address can change when the VM is stopped (deallocated) and started again.
Consider using Azure Load Balancer or Azure Application Gateway for managing internet-facing applications and distributing traffic.
Private IP Addresses
A Private IP address is an IP address within your VNet that is not accessible from the internet. VMs communicate with each other and with other resources within the VNet using private IP addresses.
Each VM's network interface (NIC) is assigned at least one private IP address from the subnet it's connected to. These can be:
- Dynamic: Assigned by DHCP from the subnet's address pool. The IP can change if the VM is deallocated.
- Static: Manually assigned to the NIC. The IP remains the same until the NIC is deleted.
Load Balancing
Load balancing distributes incoming network traffic across multiple backend targets, such as VMs. Azure offers several load balancing services:
- Azure Load Balancer: A Layer 4 (TCP/UDP) load balancer that distributes traffic to VMs within a region.
- Azure Application Gateway: A Layer 7 (HTTP/HTTPS) load balancer that provides advanced routing capabilities, SSL termination, and Web Application Firewall (WAF).
- Azure Traffic Manager: A DNS-based traffic load balancer that directs user traffic to the most appropriate endpoint based on traffic-routing methods.
Load balancing is essential for high availability and performance of your applications.
DNS Configuration
Azure provides built-in DNS resolution for resources within a VNet. By default, VMs in the same VNet can resolve each other using their hostnames.
You can also configure custom DNS servers or use Azure Private DNS zones for more advanced name resolution scenarios.
- Azure-provided DNS: Automatic resolution within a VNet.
- Custom DNS Servers: Configure VMs to use your own DNS infrastructure.
- Azure Private DNS: Manage DNS records for your private domain names within Azure.
Connectivity Options
Azure VMs can be connected in various ways:
- VNet Peering: Connect two or more VNets together. Traffic between peered VNets is private and stays within the Azure backbone network.
- VPN Gateway: Establish a secure, encrypted connection between your on-premises network and your Azure VNet (Site-to-Site VPN) or between individual clients and Azure (Point-to-Site VPN).
- ExpressRoute: A dedicated private connection from your on-premises network to Azure, offering higher bandwidth and lower latency than VPNs.
Choosing the right connectivity option depends on your specific requirements for security, bandwidth, and latency.