Azure Virtual Networking Overview

Azure Virtual Networking (VNet) is a way to represent your own network in the cloud, providing logical isolation and full control over IP address blocks, DNS settings, and subnets. VNets allow you to build secure cloud environments and connect them to other VNets or on-premises networks.

Key Benefits of VNets

1. Private cloud-only networks: VNets allow services and VMs within the network to communicate securely without connecting to the internet.

2. Extend on-premises data centers: Site-to-Site VPNs (IPSec) let you expand your datacenter capacity securely.

3. Hybrid cloud scenarios: Connect cloud applications to on-premises systems (like mainframes or Unix systems) securely.

Subnets

Subnets divide a VNet into smaller logical networks, helping with security, performance, and manageability.

• Each subnet has a unique IP address range within the VNet (CIDR format).

• Important considerations:

  • Service requirements: Certain Azure services need their own dedicated subnet (e.g., VPN gateway subnet).

  • Virtual appliances: Traffic can be routed through Network Virtual Appliances (NVAs) if needed.

  • Service endpoints: Restrict access to Azure resources (like Storage or SQL) for specific subnets.

  • Network Security Groups (NSGs): Control traffic at subnet or NIC level.

Tip: Azure reserves the first 3 and the last IP in each subnet.

IP Addressing

Types

1. Private IPs: Used within VNets or on-premises via VPN/ExpressRoute.

2. Public IPs: Used for internet communication or public-facing services.

Assignment

• Static: Fixed IP for DNS, SSL, firewalls, or critical services like domain controllers.

• Dynamic: Assigned by Azure; can change when a resource is deallocated.

Public IP Address SKUs

Private IP Addresses

• Allocated from the subnet’s IP range.

• Can be dynamic (assigned automatically) or static (manually chosen).

Network Security Groups (NSGs)

NSGs filter traffic in/out of VNets, subnets, and NICs using security rules.

Associations

• Subnet-level: Protects all resources in the subnet.

• NIC-level: Protects a specific VM or resource.

• Effective rules: Traffic must be allowed by both subnet NSG and NIC NSG.

Rules

• Inbound: Control incoming traffic (default allows VNet + Azure load balancers).

• Outbound: Control outgoing traffic (default allows Internet + VNet).

• Custom rules: Define protocol, port range, source/destination, priority, and action.

Application Security Groups (ASGs)

ASGs group VMs or NICs with similar security requirements (e.g., web servers, database servers).

• Simplify NSG management by using ASG references instead of IPs.

• Constraints:

  • All NICs in an ASG must be in the same VNet.

  • Rules can reference one ASG as source and destination.

Example: An NSG can allow HTTP from AsgWeb to the Internet, while denying DB access from outside AsgLogic.

Creating VNets and NSGs

Portal Example

• VNet: myVNet1, Address: 10.1.0.0/16, Subnet: mySubnet1, Address: 10.1.0.0/24.

PowerShell Example

Key Takeaways

1. VNets replicate on-premises networking in Azure, with isolation and control.

2. Subnets, IP addressing, and NSGs provide fine-grained traffic control.

3. ASGs simplify security management at scale.

4. Plan address spaces carefully to avoid overlaps with existing networks.