Introduction to Azure Networking
Azure Networking provides a comprehensive set of networking capabilities that enable you to connect Azure resources to each other, to the internet, and to your on-premises networks. This section covers the foundational components that form the basis of all Azure networking solutions.
Understanding these core concepts is crucial for designing, deploying, and managing secure, scalable, and highly available applications in Azure.
Virtual Network (VNet)
A Virtual Network (VNet) is the fundamental building block for your private network in Azure. It allows Azure resources, such as Virtual Machines, to securely communicate with each other, the internet, and on-premises environments.
- Isolation: VNets provide network isolation for your Azure resources.
- Segmentation: You can segment your VNet into subnets for better organization and security.
- Connectivity: Enables secure communication between resources within Azure and hybrid connectivity to on-premises networks.
Subnets
A subnet is a range of IP addresses within your VNet. By dividing your VNet into subnets, you can logically isolate resources that require different security or routing policies.
- Each subnet must have a unique name within the VNet.
- Subnets are defined by a contiguous range of IP addresses in CIDR notation (e.g., 10.0.0.0/24).
- Azure reserves five IP addresses in each subnet for protocol conformance: the first four and the last.
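As an added illustration (not part of the original article), the following Python checks a subnet plan against these rules: it lists the five addresses Azure reserves, computes the usable host count, and verifies that each subnet lies inside the VNet address space without overlapping another. The VNet and subnet ranges are constructed sample values.

```python
import ipaddress

# Azure holds back five addresses in every subnet: the first four (network
# address, default gateway, two mapped to Azure DNS) and the last (broadcast).
AZURE_RESERVED_PER_SUBNET = 5


def reserved_addresses(subnet):
    """Return the five addresses Azure reserves in the given subnet."""
    net = ipaddress.ip_network(subnet, strict=True)
    first = int(net.network_address)
    return [str(ipaddress.ip_address(first + i)) for i in range(4)] + [str(net.broadcast_address)]


def usable_hosts(subnet):
    """Addresses left for your own resources after Azure's reservations."""
    net = ipaddress.ip_network(subnet, strict=True)
    return max(net.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def plan_subnets(vnet_cidr, subnets):
    """Validate a plan: every subnet must sit inside the VNet address space and
    no two may overlap. Returns (ok, list_of_findings)."""
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    nets = {name: ipaddress.ip_network(c, strict=True) for name, c in subnets.items()}
    findings = [f"{n} {net} is outside VNet {vnet}" for n, net in nets.items() if not net.subnet_of(vnet)]
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return not findings, findings


if __name__ == "__main__":
    # Constructed sample plan (hypothetical address space, not a real environment).
    plan = {"web": "10.0.0.0/24", "app": "10.0.1.0/24", "data": "10.0.1.128/25"}
    for name, cidr in plan.items():
        print(f"{name} {cidr}: {usable_hosts(cidr)} usable, reserved {reserved_addresses(cidr)}")
    ok, findings = plan_subnets("10.0.0.0/16", plan)
    print("plan valid" if ok else "\n".join(findings))
```

Running it reports 251 usable addresses per /24 and flags the overlap between the app and data subnets before anything is deployed.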
IP Addressing
Azure networking supports both Public IP Addresses and Private IP Addresses.
- Private IP Addresses: Used for communication within a VNet, between VNets, or to/from on-premises networks via VPN or ExpressRoute. Resources get private IP addresses from their subnet's address range.
- Public IP Addresses: Used to enable resources to communicate with the internet. They can be assigned to services like Virtual Machines, Load Balancers, and NAT Gateways. Public IPs can be static or dynamic.
Tip: Carefully plan your IP address space to avoid conflicts and ensure scalability.
Network Interfaces (NICs)
A Network Interface (NIC) is a logical construct that connects an Azure resource, typically a Virtual Machine, to a VNet. A NIC enables an Azure resource to communicate with other Azure resources, the internet, and on-premises networks.
- A NIC can be associated with one or more IP configurations (private and public IP addresses).
- NICs support IP forwarding, allowing a VM to receive traffic destined for an IP address that is not its own.
Network Security Groups (NSGs)
Network Security Groups (NSGs) are fundamental to securing your Azure network. They act as a distributed firewall, enabling you to filter network traffic to and from Azure resources in an Azure virtual network.
- NSGs contain a list of security rules that allow or deny inbound network traffic to an instance, or outbound traffic from an instance.
- Rules can be associated with NICs or subnets.
- Rules are evaluated based on priority, and the first matching rule determines whether traffic is allowed or denied.
Common NSG Rules:
- Allow RDP (port 3389) for Windows VMs from specific IP ranges.
- Allow SSH (port 22) for Linux VMs from specific IP ranges.
- Allow HTTP/HTTPS (ports 80/443) for web servers.
- Deny all other inbound traffic by default.
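To make the priority-ordered, first-match evaluation concrete, here is an added Python model of NSG inbound rule processing (example code, not from the article or from Azure). It assumes a simplified rule shape (a source CIDR or "*", a single protocol, a port or port range) and includes a check that flags Allow rules exposing SSH or RDP to any source; the sample rule set is constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = "*"
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}

@dataclass
class Rule:
    name: str
    priority: int   # 100-4096; the lowest number is evaluated first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # source CIDR, or "*" for any address
    dest_port: str  # single port, "8080-8090" style range, or "*"

def _port_match(spec, port):
    if spec == ANY:
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _source_match(spec, src_ip):
    return spec == ANY or ipaddress.ip_address(src_ip) in ipaddress.ip_network(spec, strict=False)

def evaluate(rules, src_ip, protocol, port):
    """First matching rule in ascending priority order decides; inbound traffic
    nothing matched falls through to Azure's default DenyAllInBound rule."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol in (ANY, protocol) and _source_match(r.source, src_ip) \
                and _port_match(r.dest_port, port):
            return r.access, r.name
    return "Deny", "DenyAllInBound"

def exposed_management_ports(rules):
    """Flag Allow rules that open SSH or RDP to any source address."""
    return sorted(f"{r.name}: {MANAGEMENT_PORTS[p]} open to {r.source}"
                  for r in rules if r.access == "Allow" and r.source in (ANY, "0.0.0.0/0")
                  for p in MANAGEMENT_PORTS if _port_match(r.dest_port, p))

# Constructed sample rule set (hypothetical, not from a real environment).
SAMPLE_NSG = [Rule("AllowSSHFromBastion", 100, "Allow", "Tcp", "10.0.250.0/24", "22"),
              Rule("AllowRDPAny", 300, "Allow", "Tcp", "*", "3389"),
              Rule("AllowHTTPS", 400, "Allow", "Tcp", "*", "443"),
              Rule("DenyRDPInternet", 4000, "Deny", "Tcp", "0.0.0.0/0", "3389")]

if __name__ == "__main__":
    print(evaluate(SAMPLE_NSG, "203.0.113.5", "Tcp", 3389))  # the Allow at 300 wins
    print(exposed_management_ports(SAMPLE_NSG))
```

The sample shows why ordering matters: the DenyRDPInternet rule at priority 4000 never takes effect while AllowRDPAny sits at 300, so the flagged rule has to be removed or narrowed to a specific source range rather than countered by a later Deny.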
Route Tables
User-defined route tables (UDRs) allow you to control how traffic is routed between subnets, VNets, the internet, and your on-premises networks. By default, Azure routes traffic automatically.
- You can create custom routes to override Azure's default routing.
- Common use cases include forcing traffic through a network virtual appliance (NVA) for inspection or filtering.
- Routes can be associated with subnets.
Load Balancing
Azure Load Balancer distributes incoming traffic across a pool of backend resources, such as Virtual Machines. This improves application availability and responsiveness.
- Layer 4 Load Balancing: Operates at the transport layer (TCP/UDP).
- High Availability: Distributes traffic to ensure no single point of failure.
- Scalability: Handles varying loads by distributing traffic to multiple instances.
Azure also offers Azure Application Gateway for Layer 7 (HTTP/HTTPS) load balancing and Azure Front Door for global HTTP/HTTPS load balancing.
VPN Gateway
An Azure VPN Gateway allows you to send encrypted traffic between your on-premises data center and Azure over the public internet. It's a secure way to establish a hybrid cloud network.
- Site-to-Site VPN: Connects your on-premises network to an Azure VNet.
- Point-to-Site VPN: Connects an individual client device to an Azure VNet.
- Cross-Premises Connectivity: Enables hybrid cloud solutions.
ExpressRoute
Azure ExpressRoute enables you to establish private connections between Azure data centers and infrastructure that is either on-premises or in a colocation environment. These connections do not traverse the public internet.
- Increased Bandwidth: Offers higher throughput than VPNs.
- Lower Latency: Provides more consistent performance.
- Enhanced Security: Traffic remains on a private network.
ExpressRoute requires a connectivity provider for setup.