MSDN Documentation

Azure Networking Basics

Introduction to Azure Networking

Azure networking provides a comprehensive set of cloud networking capabilities to connect Azure resources to each other, to the internet, and to on-premises networks. This section covers the fundamental building blocks of Azure networking, enabling you to design secure, scalable, and highly available solutions in the cloud.

Understanding these basics is crucial for deploying and managing any service on Azure, from simple web applications to complex enterprise-grade solutions.

Virtual Networks (VNet)

A Virtual Network (VNet) is the fundamental building block for your private network in Azure. It enables you to provision private IP address spaces in Azure and to create a private cloud that resembles your on-premises network. You can then associate Azure resources, such as Virtual Machines, with the VNet to leverage its network isolation and security features.

  • Private IP Address Space: Define your own private IP address ranges (e.g., 10.0.0.0/16).
  • Isolation: VNets are isolated from each other by default, providing a secure environment for your resources.
  • Connectivity: VNets can be peered with other VNets or connected to on-premises networks.
A VNet is regionally scoped. When you create a VNet, you choose a region. Resources deployed in that VNet will be in that region.

Subnets

A subnet is a range of IP addresses within your VNet. Once you've created a VNet, you can divide it into smaller sub-networks called subnets. Each subnet can contain Azure resources, and you can control routing and security policies at the subnet level.

  • Segmentation: Divide your VNet into logical segments for better organization and security.
  • Resource Assignment: Assign resources like Virtual Machines to specific subnets.
  • Routing: Subnets enable granular control over network traffic flow.

For example, you might create subnets for your application servers, database servers, and management tools.

Network Interfaces (NIC)

A Network Interface (NIC) connects an Azure resource, typically a Virtual Machine, to a Virtual Network. Each NIC can have one or more private IP configurations, and optionally a public IP address.

  • Connectivity: The primary mechanism for a VM to communicate within a VNet and to the outside world.
  • IP Configurations: Multiple IP configurations can be associated with a single NIC.
  • Security: Network Security Groups (NSGs) are associated with NICs or subnets to filter network traffic.

Load Balancers

Azure Load Balancer is a Layer 4 (TCP/UDP) load balancer that distributes incoming traffic among healthy instances of your services. It provides high availability and fault tolerance for your applications.

  • High Availability: Distributes traffic across multiple VMs to ensure your application remains available.
  • Scalability: Can scale to handle varying levels of incoming traffic.
  • Health Probes: Monitors the health of backend instances and routes traffic only to healthy ones.

Load Balancers can be internal (private IP addresses) or public (public IP addresses).

Application Gateway

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. It offers Layer 7 (HTTP/HTTPS) load balancing, SSL termination, cookie-based session affinity, and Web Application Firewall (WAF) capabilities.

  • Layer 7 Load Balancing: Operates at the application layer, allowing for more intelligent traffic routing based on URL paths, host headers, etc.
  • SSL Termination: Offloads SSL decryption from your web servers.
  • Web Application Firewall (WAF): Protects your web applications from common web exploits.

VPN Gateway

Azure VPN Gateway enables you to send encrypted traffic between your on-premises networks and your Azure Virtual Networks through the public Internet. It is also used to send encrypted traffic between your Azure VNets.

  • Hybrid Connectivity: Connect your on-premises data centers to Azure.
  • Site-to-Site VPN: Securely connect your on-premises network to Azure.
  • Point-to-Site VPN: Securely connect individual client devices to Azure.
VPN Gateways are a cost-effective way to establish hybrid connectivity.

ExpressRoute

Azure ExpressRoute extends your on-premises networks into the Microsoft cloud over a private connection. Using a connectivity provider, you can establish direct, private connections to Microsoft cloud services like Azure and Office 365. ExpressRoute connections do not go over the public Internet.

  • Private Connection: Bypasses the public Internet for increased reliability, speed, and lower latency.
  • Higher Bandwidth: Offers dedicated, high-bandwidth connections.
  • Service Providers: Requires a partnership with an ExpressRoute connectivity provider.

Network Security Groups (NSG)

A Network Security Group (NSG) is a collection of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks. NSGs can be associated with network interfaces (NICs) or subnets.

  • Firewalling: Acts as a virtual firewall for your Azure resources.
  • Rule-Based: Define inbound and outbound security rules based on IP address, port, and protocol.
  • Priority: Rules are processed in order of priority.

# Example NSG Rule: Allow SSH inbound on port 22 from anywhere
{
    "name": "AllowSSH",
    "properties": {
        "priority": 100,
        "access": "Allow",
        "direction": "Inbound",
        "protocol": "Tcp",
        "sourceAddressPrefix": "*",
        "sourcePortRange": "*",
        "destinationAddressPrefix": "*",
        "destinationPortRange": "22"
    }
}

Azure Firewall

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

  • Centralized Policy: Enforce network traffic policies across subscriptions and virtual networks.
  • Threat Intelligence: Built-in threat intelligence-based filtering.
  • Advanced Features: Supports network and application rules, SNAT and DNAT, and custom routes.

Azure DNS

Azure DNS provides a reliable and secure DNS hosting service for your Azure resources. It uses the same infrastructure as Microsoft Azure to provide name resolution. By hosting your domains in Azure, you can manage your DNS records using the same credentials, APIs, and billing as your other Azure services.

  • Domain Hosting: Host your DNS zones in Azure.
  • Record Management: Create and manage various DNS record types (A, CNAME, MX, TXT, etc.).
  • High Availability: Azure DNS is highly available and resilient.

Conclusion

Azure networking offers a robust and flexible platform for building and managing your cloud infrastructure. By mastering these basic components, you can establish secure, reliable, and scalable network architectures for your applications and services.

Continue exploring Azure documentation for advanced networking topics such as VNet peering, service endpoints, private endpoints, and global load balancing.