MSDN Documentation

Microsoft Developer Network

Virtual Network Design Guidance

This article provides comprehensive guidance for designing and implementing robust and scalable virtual networks. Effective virtual network design is crucial for security, performance, and manageability of cloud-based applications and services.

1. Core Principles

Before diving into specific components, understand these fundamental principles:

  • Scalability: Design for future growth and fluctuating demands.
  • Security: Implement layered security to protect resources.
  • Availability: Ensure high availability and disaster recovery capabilities.
  • Manageability: Create a network that is easy to monitor, troubleshoot, and update.
  • Cost-Effectiveness: Optimize resource usage to manage expenses.

2. Planning Your Virtual Network

A well-planned network starts with a clear understanding of your requirements.

2.1. Understanding Workloads

Identify the types of applications and services that will run on the virtual network. Consider:

  • Application tiering (web, application, data)
  • Connectivity needs (internal, external, hybrid)
  • Performance requirements (latency, bandwidth)
  • Security zones and access controls

2.2. IP Addressing Scheme

A well-defined IP addressing scheme is vital for avoiding conflicts and simplifying routing.

  • Allocate address spaces thoughtfully, considering future expansion.
  • Use private IP address ranges for internal resources.
  • Plan for Network Address Translation (NAT) if external access is required.
Note: Avoid using RFC 1918 address spaces that might conflict with on-premises networks if you plan for hybrid connectivity.

2.3. Subnetting Strategy

Divide your virtual network into logical subnets for better organization and security segmentation.

  • Create subnets for different tiers or security zones.
  • Assign appropriate Network Security Groups (NSGs) to each subnet.
  • Consider the size of subnets based on the number of IP addresses required.

3. Security Considerations

Security should be a primary concern from the outset.

3.1. Network Security Groups (NSGs)

NSGs act as a distributed firewall, allowing or denying network traffic to resources in an Azure virtual network.

  • Apply NSGs at the subnet or network interface level.
  • Define rules based on the principle of least privilege.
  • Use pre-defined security rules where appropriate.

3.2. Firewalls and Intrusion Detection/Prevention

For advanced security, deploy Azure Firewall or third-party Network Virtual Appliances (NVAs).

  • Use firewalls to centralize security policy management.
  • Deploy Intrusion Detection/Prevention Systems (IDPS) to monitor for malicious activity.

3.3. Private Endpoints and Service Endpoints

Securely connect to Azure services without exposing them to the public internet.

  • Private Endpoints: Provide a private IP address from your VNet to an Azure PaaS service.
  • Service Endpoints: Extend the identity of your VNet to an Azure service.

4. Connectivity Options

Connect your virtual network to other networks and the internet.

4.1. Internet Connectivity

All virtual networks can access the internet by default. Control outbound traffic using NAT Gateways or Azure Firewall.

4.2. Hybrid Connectivity

Connect your Azure virtual network to your on-premises network for a seamless hybrid experience.

  • VPN Gateway: Securely connect over the public internet.
  • ExpressRoute: Establish a private, dedicated connection to Azure.
Tip: ExpressRoute offers higher bandwidth, lower latency, and increased reliability compared to VPN Gateway for hybrid connections.

4.3. VNet Peering

Connect Azure virtual networks together privately using VNet peering.

  • Allows resources in different Vnets to communicate as if they were in the same network.
  • Supports transitivity: if VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A cannot communicate with VNet C through VNet B.

5. Deployment and Management

Tools and strategies for deploying and managing your virtual network.

  • Infrastructure as Code (IaC): Use tools like ARM templates, Bicep, or Terraform for repeatable and automated deployments.
  • Monitoring: Utilize Azure Network Watcher for monitoring, diagnostics, and performance analysis.
  • Traffic Analytics: Gain insights into network traffic flow and security.

Conclusion

Designing a virtual network is a critical step in cloud adoption. By following these guidelines, you can create a secure, scalable, and manageable network infrastructure that supports your business objectives.

For more detailed information, refer to the official Azure Virtual Network Design Guidance.