In this blog post, I have discussed the overview of Virtual Networks and their components in Azure. This blog will help you to learn how to secure your application using Azure Virtual Network.
This post also describes the services that provide connectivity between Azure resources, connectivity from an on-premises network to Azure resources, and the branch-to-branch connectivity in Azure – Virtual Network (VNet), ExpressRoute, VPN Gateway, and Azure Peering service.
Check my previous blog on Azure Compute Options to get an overview of the important computes options in Azure.
In this blog, I’ve covered:
Basics of Networking: Subnetting & CIDR
Understanding networking is a fundamental part of configuring complex environments on the internet. This has implications when trying to communicate between servers efficiently, developing secure network policies, and keeping your nodes organized.
Subnetting is the process of stealing bits from the HOST part of an IP address in order to divide the larger network into smaller sub-networks called subnets.
CIDR or Classless Inter-Domain Routing provides the flexibility of borrowing bits of the Host part of the IP address and using them as Network in Network, called Subnet. By using subnetting, one single Class IP address can be used to have smaller sub-networks which provides better network management capabilities.
To know more about this concept, refer to Understanding IP Addresses, Subnets, and CIDR Notation for Networking
What Is Virtual Network?
- Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure.
- It enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the internet, and on-premises networks.
- It is similar to a traditional network that you’d operate in your own data center but brings with it additional benefits of Azure’s infrastructure such as scale, availability, and isolation.
Also Read: Our blog post on Azure Notification Hub. Click here
Use of Virtual Network?
The main purpose of Virtual Networks is to act as a communication channel between resources launched in the cloud. Why Virtual? Because there are no actual routers or switches in the cloud.
For example, if you launch a database server and a website server in the cloud, they would need a medium to interact. This medium of interaction is called a Virtual Network.
Virtual Network Key Components
Key components of Azure VNets, include:
1. Subnets: Subnets enable segmenting a virtual network into one or more subnet networks and allocating a portion of the virtual network addresses space to each subnet. Azure resources are deployed to a specific subnet that is segmented using VNet address space. A subnet can further be divided into:
- Private Subnet – A network in which there is no internet access.
- Public Subnet – A network in which there is internet access.
2. Network Security Groups (NSG): Use to permit or deny traffic (inbound or outbound), via rules, to a subnet or network interface.
Any Azure virtual network can be placed into a security group where different inbound and outbound rules can be configured to allow or deny certain types of traffic. For each rule, you can specify source and destination, port, and protocol.
Benefits of Virtual Network
- Isolation: Virtual networks provide isolation and segmentation, which helps in reducing the attack surface and improves network security.
- Customization: Virtual networks are highly customizable, allowing you to configure IP address ranges, subnets, routing tables, and other network settings to meet your specific requirements.
- Connectivity: You can easily connect your virtual network to other virtual networks in Azure or to your on-premises network using VPN or ExpressRoute.
- Scalability: Virtual networks are highly scalable and can be easily expanded to accommodate growing workloads.
- Cost-effective: Using a virtual network in Azure can be more cost-effective than building and maintaining your own physical network infrastructure.
- Monitoring and logging: Azure provides a range of monitoring and logging tools that can help you identify and troubleshoot network issues.
- Integration with other Azure services: Virtual networks can be integrated with other Azure services, such as Azure Virtual Machines, Azure App Services, and Azure SQL Database, making it easier to deploy and manage your applications in the cloud.
How Does it Work?
- First, you create a virtual network.
- Then, in this virtual network, you create subnets.
- You associate each subnet with the respective Virtual Machines or Cloud Instances.
- Attach the relevant Network Security Group to each subnet.
- Configure the properties in the NSGs and you are set!
VNet Peering (Connection Between Azure VNets):
Virtual network peering enables you to seamlessly connect two or more Virtual Networks in Azure. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Like traffic between virtual machines in the same network, traffic is routed through Microsoft’s private network only.
VNet peering doesn’t use a VPN gateway and has different constraints. Additionally, VNet peering pricing is calculated differently than VNet-to-VNet VPN Gateway pricing.
Azure supports the following types of peering:
- Virtual network peering: Connect virtual networks within the same Azure region.
- Global virtual network peering: Connecting virtual networks across Azure regions.
For more information, see Azure VNet Peering
ExpressRoute (Connection Between On-prem to Azure):
ExpressRoute is an Azure networking service that privately connects (connections don’t go over the public Internet) an enterprise’s on-premises infrastructure to the Microsoft public cloud via a third-party connectivity provider. Because the connection is private, it offers lower latency and greater reliability than the public internet. Azure ExpressRoute connectivity providers include Comcast, AT&T and Equinix.
With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure, Microsoft 365, and Dynamics 365.
For information on how to connect your network to Microsoft using ExpressRoute, see ExpressRoute connectivity models.
VPN Gateway (For Encrypted Connections):
VPN Gateway helps you create encrypted cross-premises connections to your virtual network from on-premises locations, or create encrypted connections between VNets. It is composed of two or more VMs that are deployed to a specific subnet you create called the gateway subnet.
There are three different configurations available for VPN Gateway connections:
1. Site-to-Site (S2S): A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over a VPN (Virtual Private Network) tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it.
Also, when you follow the Site-to-Site IPsec steps, you create and configure the local network gateways (a specific object that represents your on-premises location (the site) for routing purposes) manually. The local network gateway for each VNet treats the other VNet as a local site.
2. Point-to-Site (P2S): A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference.
3. VNet-to-VNet: When you connect a virtual network to another virtual network with a VNet-to-VNet connection type (VNet2VNet), it’s similar to creating a Site-to-Site IPsec connection to an on-premises location. Both connection types use a VPN gateway to provide a secure tunnel with IPsec/IKE and function the same way when communicating. However, they differ in the way the local network gateway is configured.
When you create a VNet-to-VNet connection, the local network gateway address space is automatically created and populated.
Also Read: Our blog post on AZ 305 Exam: Learn how to prepare for this exam.
Interconnection between Azure and Oracle Cloud:
Microsoft and Oracle offer direct interconnection between Azure and Oracle Cloud Infrastructure (OCI) through ExpressRoute and FastConnect. Through the ExpressRoute and FastConnect interconnection, customers can experience low latency, high throughput, private direct connectivity between the two clouds.
Using this cross-cloud connectivity, you can partition a multi-tier application to run your database tier on Oracle Cloud Infrastructure (OCI), and the application and other tiers on Microsoft Azure. The experience is similar to running the entire solution stack in a single cloud.
Pricing of Virtual Networks
There is no charge for using Azure VNet, it is free of cost.
- Standard charges are applicable for resources, such as Virtual Machines (VMs) and other products.
- You are charged for the public IP address and reserved IP address inside your VNet.
- The incoming and outgoing data of VNet Peering is chargeable.
- Also, you can calculate the resources price using the Azure pricing calculator.
Summary
A virtual network is a network of IP addresses in a range connected together. It is an important aspect of consideration while designing solutions in the cloud. In order to secure each layer of application architecture inside a highly secured network, it is recommended to create different subnets for different tiers of an application and attach each subnet with a network security group with limited inbound and outbound security rules.
Frequently Asked Questions
Q1) What are Azure Virtual Networks
Ans. The Azure Virtual Network service serves as the foundation for your private network in Azure. An instance of the service (a virtual network) allows numerous types of Azure services to securely connect with one another, the internet, and on-premises networks.
Q2) What is the difference between a subnet and a virtual network?
Ans. A subnet is a component of an IP network that allows for easier management and security. A virtual network, on the other hand, is an isolated network environment within a cloud provider's infrastructure in which resources such as virtual computers may safely connect. Subnets are virtual network components that define smaller address ranges to help organize and regulate network traffic.
Q3) What is VNet peering in Azure?
Ans. Virtual network peering enables you to easily connect two or more virtual networks in Azure. To simplify communication, the virtual networks look as one. Peered virtual network traffic is routed through Microsoft's backbone infrastructure.
Q4) What is VPN gateway Azure?
Ans. A VPN gateway in Azure is a virtual network gateway that establishes safe and encrypted connections between Azure virtual networks and on-premises networks, remote users, and other Azure virtual networks. It allows for secure communication over the public internet via protocols such as IPsec and SSL/TLS, extending on-premises networks to Azure or linking several Azure virtual networks together.
Q5) What is an express route in Azure?
Ans. ExpressRoute is a dedicated private connection service that provides dependable, high-speed connectivity between on-premises networks and Azure services. By avoiding the public internet, it offers consistent performance, decreased latency, and increased security while accessing Azure services and enabling hybrid cloud connectivity.
Q6) Is ExpressRoute layer 2 or 3?
Ans. It operates in layer 3.
References
- Activity Guides/Hands-on Lab & Projects
- Cloud Services Model
- Cloud Computing – Overview & Benefits
- Azure Region and Availablity Zone
- How to create a free tier account on Azure
- Microsoft Azure Core Services For Beginners
Next Task For You
Begin your journey toward Mastering Azure Cloud and landing high-paying jobs. Just click on the register now button on the below image to register for a Free Class on Mastering Azure Cloud: How to Build In-Demand Skills and Land High-Paying Jobs. This class will help you understand better, so you can choose the right career path and get a higher paying job.
Leave a Reply