Azure Virtual Network

Azure Virtual Network (Azure VNet) plays an important role in building networks within the Azure infrastructure. It is a fundamental component of keeping your Azure resources in a private network where you can securely manage and connect to other external networks (public and on premises) over the internet.

Azure VNet goes beyond the usual on-premises and traditional networks. Aside from the benefits of isolation, high availability, and scalability, Azure VNet helps secure your Azure resources by allowing you to administrate, filter, or route network traffic based on your preference.

For example, Azure VMs are connected or attached to an Azure VNet through virtual network interface cards (VNICs), as shown in Figure 4-1, where an Azure VM is attached to three NICs: Default, NIC1, and NIC2.

Figure 4-1. ThreeTier-VNet an Azure VM with several NICs

Azure resources need to securely communicate with each other internally on the private network, over the internet, and also networks on on-premises infrastructure. Azure VNet makes this possible. Let’s take a closer look at these forms of communication.

Internet communication

Azure VNet by default is capable of communicating outbound to the internet. If you want to communicate to an Azure resource inbound, you may do that using an Azure public IP address or Azure Load Balancer that is set to public.

Communication and connection with Azure resources

Azure resources can securely communicate through the virtual network and VNet peering and by extending virtual network service endpoints. For example, it is possible to deploy some dedicated Azure resources like AKS, Azure Batch, Azure SQL Manage Instance, Microsoft Entra Domain Services, Azure Container Instance (ACI), Azure Functions, Azure App Service Environments, and Azure VM Scale Sets within the same virtual network.

Network traffic routing and filtering

The network traffic can be filtered between subnets in several ways. Network security groups (NSG) and application security groups can be used to control security rules (inbound and outbound) to control and filter network traffic. Another good option is to use a network VM where you can configure your firewall settings and network rules and optimize your WAN. On Azure Marketplace, you will find some networking appliance managers available for external services or within Microsoft.

Azure VNet Peering

Azure Virtual Network peering (VNet peering) allows you to connect several virtual networks in Azure. The connectivity and traffic between the VMs in the peered virtual networks uses Microsoft’s infrastructure on a secure private network. Virtual networks that are peered can directly share and connect with the resources located in either virtual network.

Currently, Azure supports both VNet peering and global VNet peering. The difference between these two is that global VNet peering connects virtual networks across Azure regions while VNet peering connects virtual networks within the same Azure region.

Figure 4-2 illustrates how VNet peering works between two virtual networks, VNet A and VNet B, that have several connections to other networking resources.

Figure 4-2. VNet peering in Azure

Both VNet peering and global VNet peering support gateway transit, a property in peering that allows a virtual network to use the peered virtual network’s VPN gateway for cross-premises connectivity or VNet-to-VNet connectivity. You can configure VPN gateway transit for VNet peering through Azure Portal, Powershell, ARM template, and Azure CLI.

On a final note, VNet peering uses IP addresses. There are two types of IP addresses that are used in Azure: public IP and private IP. The private IP addresses are used for the connectivity and Azure resource communication within the same resource group. On the other hand, public IP addresses are used to allow internet resources to communicate inbound to Azure resources. Using this type of IP address enables communication of Azure resources and public-facing Azure services over the internet.

Learn more in the Microsoft documentation about IP services and some recommended best practices for Azure Virtual Network.

Azure Virtual Wide Area Network

Azure Virtual WAN is a managed networking service and unified framework for networking, security, and routing features. The Azure global network enables Azure Virtual WAN to be available. It includes site-to-site, point-to-site VPN connectivity, ExpressRoute, etc.

Virtual WAN helps organizations or business units to connect to the internet and other Azure resources, for example, networking and remote user connectivity, which is effective and useful for those who prefer to work from home or other remote locations. It can also be used to move existing infrastructure or data center from on premises to Microsoft Azure with the help of utilizing Azure Virtual WAN.

Features of Azure Virtual WAN include:

• Branch connectivity (via connectivity automation from Virtual WAN partner devices such as SD-WAN or VPN CPE)

• Site-to-site VPN connectivity

• Point-to-site VPN connectivity for remote users

• Private connectivity using ExpressRoute

• Intracloud connectivity for virtual networks

• Interconnectivity using VPN ExpressRoute

• Routing, Azure Firewall, and encryption for private connectivity

Azure Virtual WAN also has benefits like integrated connectivity solutions in the hub and spoke, automated spoke configuration, and troubleshooting and monitoring tools. When configuring it, you need Virtual WAN resources such as Virtual Hub, Hub VNet Connection, hub-to-hub connection, a hub route table, and site resources.

Figure 4-3 shows an example of Azure Virtual WAN being used and implemented for remote connectivity.

Figure 4-3. Azure Virtual WAN (adapted from an image by Microsoft documentation)

Azure Virtual WAN is a broad and complex topic. For a deeper diver, see Microsoft’s Virtual WAN documentation.

Azure ExpressRoute

Azure ExpressRoute allows you to expand networks that are on premises into Microsoft’s cloud infrastructure using a connectivity provider over a private connection. Basically, this networking service enables connecting your on-premises networks with Azure. This connection between an on-premises network and Azure can be initiated using an any-to-any (IPVPN) network with Layer 3 connectivity, which enables you to interconnect with Azure to your own on-premises WAN or data center.

The connection in Azure ExpressRoute is private, and the traffic with this connection does not go over the internet. This means that the connections made using ExpressRoute promise speed, reliability, availability, and better security compared to connections over public networks.

A secure network connection can be established with other cloud resources in Microsoft like Microsoft 365, Dynamic 365, and Microsoft Azure, as shown in Figure 4-4.

Figure 4-4. Azure ExpressRoute connections between public and on-premises networks (adapted from an image by Microsoft documentation)

ExpressRoute has several useful features such as support for different connectivity models between your on-premises network and Azure. As shown in Figure 4-5, these connectivity models can be implemented using service providers or directly. Service providers currently use three types of models: cloud exchange co-location, point-to-point Ethernet connection, and any-to-any (IPVPN) connection. ExpressRoute Direct can also be used for direct connection to Microsoft Azure.

ExpressRoute Direct is a good Azure service if you want to directly connect your network into Microsoft’s network globally at peering locations at up to 10 GBps or 100 GBps connectivity. You can create an ExpressRoute Direct connection through the Azure Portal, Azure CLI, and Azure PowerShell. Learn more about ExpressRoute Direct circuits, workflows, VLAN tagging, SLA, and pricing in the Microsoft documentation. Azure Storage can be integrated with ExpressRoute Direct if you have a use case that requires ingestion of data.

Figure 4-5. Different connectivity models of Azure ExpressRoute

Azure ExpressRoute has the option to implement private peering for Azure resources like VMs and Azure Virtual Desktop RDP Shortpath within the virtual networks.

Azure VPN gateway

A VPN gateway is a specific type of virtual network gateway used to send encrypted traffic between an Azure virtual network and an on-premises location over the public internet. You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. Each virtual network can have only one VPN gateway. However, you can create multiple connections to the same VPN gateway. When you create multiple connections to the same VPN gateway, all VPN tunnels share the available gateway bandwidth.

Different types of VPN gateway connections

To create a VPN gateway connection, we need to know the different configurations. These different types of connections will give you a clear overview and understanding on what is ideal based on what suits your business requirements.

Site-to-site VPN (S2S)

The site-to-site (S2S) connection runs over the IPsec/IKE ((IKEv1 or IKEv2) VPN tunnel. IPsec VPN is one of the common VPN protocols used for establishing a VPN connection. The S2S VPN gateway connections can be hybrid or cross-premises use cases. This type of gateway also requires a VPN device that must be located on premises. This VPN device should have a public IP address designated to it.

Point-to-site VPN

The point-to-site (P2S) type of VPN connection is applicable if you want to connect a client computer to a virtual network like Azure VNet. This type of VPN connection needs to be initiated from the client computer, which is useful for remote work.

VNet-to-VNet (IPsec/IKE VPN tunnel)

Unlike the P2S VPN connection, the VNet-to-VNet connection is for connecting between VNets, even virtual networks on premises. This type of VPN gateway uses a secure connection through IPsec/IKE. Configuring for multiple site connections is also possible using this type of VNet-to-VNet connection.

Site-to-site and ExpressRoute

The network traffic for the S2S VPN gateway is securely encrypted through the public internet. ExpressRoute also creates a private and direct connection from a WAN to Azure and other Microsoft services. This means that configuring ExpressRoute together with S2S VPN has advantages, especially if it is set for the same virtual network.

One of the important steps when configuring the VPN gateway is choosing the appropriate type. A virtual network can have only one VNet gateway. For example, if you are configuring VNet gateway for VPN, then you would need to use -GatewayType Vpn and for ExpressRoute you would similarly use its keyword value. Check the guide for configuring VPN gateway settings and some requirements you need to know.

Azure NAT gateway for virtual networks

Azure Virtual Network NAT helps in simplifying the outbound internet connectivity for virtual networks (one or several subnets). Once a subnet is associated with a NAT gateway, the NAT gives the benefit of providing a source network address translation (SNAT). For example, you can utilize Azure NAT Gateway to securely connect to your VMs using dedicated public IP while having control over the ports you share. When a VNet NAT is configured on a subnet level, the outbound connectivity will use the specified static public IP addresses. Figure 4-6 illustrates how Azure VNet NAT gateway works with a VM with public IP. The Azure VMs in Subnet A have instance-level Public IP addresses but the VMs on Subnet B do not. The network traffic inbound are directed to Subnet A virtual machines that are still directed to an instance-level IP. However, all the outbound traffic from both Subnets A and B is routed through Azure NAT Gateway.

Figure 4-6. Instance-level Public IP with a VM and NAT

The following are some of the benefits of using Azure VNet NAT:

Security and privacy

Azure VNet NAT gateway doesn’t need public IP addresses; therefore, the connection between virtual networks is fully private and secured. Resources can still connect to external resources outside the VNet even without public IP addresses.

Scalability

All compute resources belong to a subnet. All subnets can communicate and use the same resource in the same virtual network. Automatic scaling is possible with the use of a public IP prefix, which assists in identifying and scaling how many outbound IP addresses are required.

Resiliency

NAT does not have any individual dependency on other compute instances, which is the result of it being a distributed and fully managed service. This feature makes it very resilient as a software-defined networking service.

Performance

The performance of a NAT gateway is satisfactory because it is a software defined networking service; when it is running it will not have a negative effect on network bandwidth.

Azure VNet NAT gateway provides the ability to control who has access to your organization’s resources and what locations they can be accessed from. For these reasons, NAT gateway can be useful for whitelisting a group of people working as contractors for a company.

NAT is not applicable or supported to work with basic public IP addresses and load balancers. If you need to use NAT gateway in your implementation, you would need to use standard versions virtual networks (one or several subnets). Once a subnet is associated with a NAT gateway, the NAT gives the instead or upgrade Azure Public Load Balancers to higher versions.

If you want to try designing a virtual network using NAT gateway, see the Microsoft documentation and a video about it from Azure Friday.

Azure Domain Name System

Azure Domain Name System (DNS) is a hosting service for DNS domains that provides name resolution using the Microsoft Azure infrastructure. By hosting your domains in Azure, you can manage your DNS records using the same credentials, APIs, tools, and billing as your other Azure services. You can’t use Azure DNS to buy a domain name. For an annual fee, you can buy a domain name by using App Service domains or a third-party domain name registrar. Your domains then can be hosted in Azure DNS for records management.

The following are some of the key features of Azure DNS:

Reliability and performance

DNS domains in Azure DNS are hosted on Azure’s global network of DNS name servers. Azure DNS uses anycast networking. Each DNS query is answered by the closest available DNS server to provide fast performance and high availability for your domain.

Security

Azure DNS is secured because it is linked to Azure Resource Manager, which is associated with user identity control services like Azure RBAC and Azure Resource Lock. Resource locking is used to prevent other users in your organization from accidentally deleting or modifying critical resources.

Alias records

Azure DNS supports alias record sets. You can use an alias record set to refer to an Azure resource, such as an Azure public IP address, an Azure Traffic Manager profile, or an Azure Content Delivery Network (CDN) endpoint. If the IP address of the underlying resource changes, the alias record set seamlessly updates itself during DNS resolution. The alias record set points to the service instance, and the service instance is associated with an IP address. Also, you can now point your apex or naked domain to a Traffic Manager profile or CDN endpoint using an alias record.

By using Azure DNS, you host your own domain websites in Azure, manage your DNS records and integrate them with the resources hosted in Azure. If you have an existing domain, there are a number of ways to host it in Azure DNS. Microsoft has different guides for setting up your own custom domain on a function app, web app, blob storage, or other Azure resource.

Azure Bastion

The Azure Bastion service is a new, fully platform-managed PaaS service that enables secure VM connections without exposing the confidential ports of your network to the public Internet. It provides secure and seamless RDP/SSH connectivity to your VMs directly in the Azure Portal over TLS. When you connect via Azure Bastion, your VMs do not need a public IP address.

You can connect securely via RDP and SSH to all of the VMs in the virtual network where Azure Bastion is provisioned. By doing this, you are securely connecting to your VMs and are not exposing RDP/SSH ports to the public internet.

Key benefits and uses of Azure Bastion include:

RDP and SSH directly in a web browser

Since Azure Basion uses an HTML5-based web client, you can access your VMs on any device. This means you don’t need to download a supported RDP or SSH client to connect to a VM. You can connect to your VMs securely using RDP and SSH sessions directly on any web browsers through the Azure Portal.

Public IP not required on the Azure VM

Azure Bastion opens the RDP/SSH connection to your Azure VM using a private IP on your VM. You don’t need a public IP on your VM.

Save time managing network security groups (NSGs)

Azure Bastion is hardened internally to provide you secure RDP/SSH connectivity. You don’t need to apply any NSGs to the Azure Bastion subnet. Because Azure Bastion connects to your VMs over a private IP, you can configure your NSGs to allow RDP/SSH from Azure Bastion only. This removes the hassle of managing NSGs each time you need to securely connect to your VMs.

Protection against port scanning

VMs are secured and protected against port scanning by rogue and malicious users located outside your virtual network.

Protect against zero-day exploits

Azure Bastion protects against zero-day exploits. A zero-day exploit is a cybersecurity attack that takes advantage of a security vulnerability. The term is also known as “0-day,” which means that the developer had 0 days to work on an update to fix the issue. Using anti-virus, firewall, and data protection tools can help avoid these security threats. You’ll learn more about zero-day exploits and cloud security on Azure’s cloud resources in Chapter 9.

Azure Bastion is a flexible and secure way to connect VMs on the go. To learn more, check out this video guide from Azure Friday.

Azure Firewall

Azure Firewall is a cloud-native intelligent network firewall security service that provides threat protection for your cloud workloads running in Azure. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

Following are the different types of Azure Firewall to help you identify which is right for your needs:

Azure Firewall Standard

Azure Firewall Standard provides Layer 3 to Layer 7 firewall filtering and threat intelligence feeds from Microsoft Cyber Security. These threat feeds can be used to notify about any important alert and can even deny network traffic from/to any malicious domains and IP addresses to protect Azure resources against possible hacking or attacks.

Azure Firewall Premium

Azure Firewall Premium provides advanced capabilities such as signature-based IDPS that enable detection of attacks by analyzing and detecting specific patterns, such as byte sequences in network traffic or any known malicious instruction sequences used by malware. This tier also supports third-party offerings available from WatchGuard, Sophos, Palo Alto, Check Point, and the like.

Aside from the different Azure Firewall categories and tiers, you can centrally manage Azure Firewalls across multiple Azure subscriptions using Azure Firewall Manager. It supports setting up centralized security and route management. This firewall policy can be utilized by applying a common set of firewall rules in your network or application in your Azure tenant. Azure Firewall Manager supports firewalls in environments like VNets and Virtual WANs (Secured Virtual Hub).

Azure Firewall is an excellent choice to secure your Azure resources. The team behind Azure Firewall will continue to add features to both the standard and premium tiers.

Azure DDoS Protection

Azure DDoS Protection provides countermeasures against the most sophisticated DDoS (distributed denial of service) threats that can cause severe and highly impactful loss. It provides advanced DDoS mitigation features for your applications and resources.

Customers using Azure DDoS Protection also have access to support and communicate with DDoS experts using Azure DDoS Rapid Response during an active attack. An Azure DDoS Protection standard plan is a prerequisite to this support.

Figure 4-7 illustrates how Azure DDoS Protection works in securing an application gateway in a virtual network.

Figure 4-7. Azure DDoS Protection for a web application in a virtual network

Engineers with a role involving securing resources in Azure should learn the basic concepts of Azure security and protecting Azure resources from attacks. Check out Microsoft’s learning path for for an introduction to Azure DDoS Protection.

Azure Private Link

Azure Private Link enables you to access Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure-hosted customer-owned/partner services over a private endpoint in your virtual network. Traffic between your virtual network and the service travels through the Microsoft backbone network. Exposing your service to the public internet is no longer necessary. You can create your own private link service in your virtual network and deliver it to your customers.

Azure Front Door

Azure Front Door is a global, scalable entry point that uses the Microsoft global edge network to create fast, secure, and widely scalable web applications. With Front Door, you can transform your global consumer and enterprise applications into robust, high-performing personalized modern applications with content that reaches a global audience through Azure.

With the Azure Front Door service, the content on your applications will be delivered quickly to your application users wherever they are located. This service uses Microsoft’s global edge network that interconnects to many points of presence (POPs) distributed around the world.

With Front Door you can develop, operate, and scale your dynamic web applications and even static content. It also allows you to configure, manage, and monitor the global routing for your web traffic by optimizing for top-tier end-user performance and reliability through quick global failover.

Following are additional key benefits and uses of Azure Front Door:

• Cookie-based session affinity, which is useful for keeping a user’s session active on the same device or server

• SSL offloading and certificate management

• Custom domains if you want to configure your own domains

• Integration with Web Application Firewall (WAP) for security

• HTTP/HTTPS redirection helps ensure that the connection between your web client and server are secured and encrypted

• URL rewrites and custom redirection

• Smart monitoring for resources in the backend that will help track and debug issues

• Multiple website hosting and support for wildcard domains

• End-to-end IPv6 connectivity and HTTP/2 protocol support

There are different tiers to choose from: Azure Front Door Standard and Azure Front Door Premium. For more details about the different tiers, see Microsoft’s guide for Azure Front Door tiers.

Azure Application Gateway

Azure Application Gateway is a load balancer for web traffic. It enables you to manage and control the traffic to your web applications. It is an application delivery controller (ADC) as a service that supports several Layer 7 load-balancing capabilities for your applications.

Microsoft’s Azure Application Gateway is ranked #3 in application delivery controller solutions based on a Peerspot.com ranking survey.

Features of Application Gateway include:

• Support for autoscaling (scale up and scale down) based on the ongoing traffic load of your application

• SSL/TLS termination at the gateway to secure unencrypted traffic to servers

• Zone redundancy and support for multiple availability zones to ensure high availability and fault tolerance

• URL-based routing, multiple site hosting and redirection

• Protection and security using Web Application Firewall (WAF)

• Use as an ingress controller for an Azure Kubernetes Service (AKS) cluster

• Integration with Azure Monitor for monitoring, logging, and insights

Azure has several fully managed load-balancing solutions that suit different use cases or needs. Azure Load Balancer is an alternative if you want to do load balancing at the network layer level. There’s also Azure Front Door for optimizing global routing of web traffic and Azure Application Gateway if you need server load balancing at the application layer.

Azure Traffic Manager

The Azure Traffic Manager is a DNS-based traffic load balancer. This networking service allows you to effectively distribute traffic to your public-facing applications across the global Azure regions. Traffic Manager also provides your public endpoints with high availability and quick responsiveness.

Key benefits of Azure Traffic Manager include:

Integrate and associate hybrid applications

Traffic Manager supports external, non-Azure endpointss enabling it to be used with hybrid cloud and on-premises deployments, including “burst-to-cloud,” “migrate-to-cloud,” and “failover-to-cloud” scenarios.

Improve availability, maintainability, and performance

Azure Traffic Manager promises to deliver high availability for critical applications by monitoring endpoints and automatic failover if an endpoint goes down. You can have planned maintenance done on your applications without downtime. Traffic Manager can direct traffic to alternative endpoints while the maintenance is in progress. It also can help improve your application’s performance by directing web traffic to the endpoint with the lowest latency.

Manage complex traffic distribution and advanced deployments

By using Nested Traffic Manager profiles, you can use multiple traffic-routing methods to create flexible rules to scale to the demands of more complex and larger deployments.

Figure 4-12 shows how Azure Traffic Manager can be used to direct a web application’s client request to a specific endpoint based on the traffic-routing method being configured.

Figure 4-12. An example of Azure Traffic Manager being used for a web application to scale and load-balance traffic in a hybrid cloud environment

If you have several instances in different Azure regions and one of these instances fails during the health check, the traffic for your application is directed to the Azure region that is healthy. However, a performance problem can occur in the latency of the traffic to a region located far away.

Therefore, there are some performance considerations when using and managing Azure Traffic Manager. There are several tools you can use to measure your DNS latency and performance. Discussing the technical details of these traffic monitoring tools is beyond the scope of this book, but if you want to learn more, see Microsoft’s recommendations for measuring traffic manager performance.

Azure Network Watcher

Azure Network Watcher is a composed of different tools used for monitoring, diagnosing, logging, and metrics management for an Azure Virtual Network. This networking service is commonly used to track and monitor network health statuses of IaaS services such as VMs, application gateways, load balancers, virtual networks, etc.

Following are some of the benefits of using Azure Network Watcher:

• Monitor communication between VMs and network endpoints at regular intervals with alerts and notifications

• Vizualize the overview and relationships of Azure resources in a virtual network

• Detect and troubleshoot any network traffic filtering problems between your VMs

• Diagnose problems of network routing and outbound connections for VMs

• VMs packet capturing that helps detect possible network anomalies

Azure Network Watcher is useful when you are troubleshooting issues related to detecting network traffic anomalies in Azure IaaS resources. For example, if you want to troubleshoot a problem with a VPN connection between two VMs, you can use Azure Network Watcher to monitor the traffic between them.

One limitation of using Azure Network Watcher is worth knowing. It will not work with web analytics and monitoring PaaS services because Network Watcher was not designed to be used with these two services.

Azure Monitor Network Insights

Azure Monitor Network Insights provides an overall view of health and metrics for all the network resources that you have deployed and hosted in Azure. This Network Insights service is part of Azure Monitor and allows you to track networking metrics easily without advanced configuration.

It is structured around these key components of monitoring:

• Network health and metrics for the visualization of all your networking resources with the option to search, filter, and set up alerts and dependency views

• Connectivity helps you visualize all the configured tests done via Connection Monitor

• Traffic gives you a view of all flow logs for network security groups (NSGs) and also the traffic analytics for the selected set of subscriptions, grouped by location

• Diagnostic Toolkit can be used in troubleshooting network issues such as IP flow verification, packet capture, etc.

If you are using Azure Monitor for monitoring and gathering metrics for your Azure resources, then Network Insights is good tool to use, especially when you house multiple networking resources in Azure.