Networking in Azure 101
Azure Virtual Network (VNet) is the most fundamental component of your Azure private network. Thanks to VNet, many kinds of Azure resources, such as Azure Virtual Machines (VMs), can communicate securely with one another, with the internet, and with on-premises networks. A VNet is similar to a core network running in your own data center, but it comes with the scale, availability, and isolation of Azure's infrastructure.
Azure networking services overview
Azure networking services offer a wide range of networking features that can be combined or used independently.
- Connectivity services: Connect Azure and on-premises resources by employing any or all of the following networking services in Azure: Virtual Network (VNet), Virtual WAN, ExpressRoute, VPN Gateway, Virtual Network NAT Gateway, Azure DNS, Peering Service, and Azure Bastion.
- Application protection services: Use any or all of the following networking services in Azure to safeguard your applications: Load Balancer, Private Link, DDoS Protection, Firewall, Network Security Groups, Web Application Firewall, and Virtual Network Service Endpoints.
- Application delivery services: Deliver applications on the Azure network by utilizing any or all of the following networking services in Azure: Content Delivery Network (CDN), Azure Front Door Service, Traffic Manager, Application Gateway, Internet Analyzer, and Load Balancer.
- Network monitoring: Monitor your network resources with any or all of the following Azure networking services: Network Watcher, ExpressRoute Monitor, Azure Monitor, or Virtual Network TAP (Terminal Access Point).
Connectivity services
Virtual Network (VNet), ExpressRoute, VPN Gateway, Virtual WAN, Virtual Network NAT Gateway, Azure DNS, Azure Peering Service, and Azure Bastion are the services in this area. They provide communication between Azure resources, connectivity from an on-premises network to Azure resources, and branch-to-branch connectivity in Azure.
Virtual network
Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. You can use VNets to:
- Communicate between Azure resources
- Connect VNets to each other
- Communicate with the internet
- Communicate with on-premises networks
ExpressRoute
You can use ExpressRoute to extend your on-premises networks into the Microsoft cloud over a private connection provided by a connectivity provider. The connection is private: ExpressRoute traffic does not traverse the public internet. With ExpressRoute you can connect to Microsoft cloud services such as Microsoft Azure, Microsoft 365, and Dynamics 365.
VPN Gateway
VPN Gateway enables you to establish secure cross-premises connections to your virtual network from on-premises sites, as well as secure connections between VNets. The connections can be configured in various ways, including site-to-site, point-to-site, and VNet-to-VNet.
Virtual WAN
Azure Virtual WAN is a networking service that allows you to connect your branches to and from Azure in an optimal and automated way. Azure regions act as hubs to which you can connect your branches. You can also use the Azure backbone to link branches to VNets. Azure Virtual WAN brings many Azure cloud connectivity services, such as site-to-site VPN, ExpressRoute, and point-to-site user VPN, together in a single operational interface.
Azure DNS
Azure DNS is a DNS domain hosting service that uses Microsoft Azure infrastructure to provide name resolution. If you host your domains in Azure, you can manage your DNS records with the same credentials, APIs, tools, and billing as your other Azure services.
Azure Bastion
The Azure Bastion service is a fully managed PaaS service that you deploy inside your virtual network. It lets you connect to your virtual machines over RDP/SSH directly from the Azure portal, over TLS. Your virtual machines do not need a public IP address when you connect through Azure Bastion.
Virtual network NAT Gateway
Virtual Network NAT (network address translation) simplifies outbound-only internet connectivity for virtual networks. All outbound connectivity uses your specified static public IP addresses when configured on a subnet. Without a load balancer or public IP addresses directly attached to virtual machines, outbound connectivity is possible.
Azure Peering Service
Azure Peering Service enhances customer connectivity to Microsoft cloud services such as Microsoft 365, Dynamics 365, software as a service (SaaS) offerings, Azure, or any Microsoft service reachable over the public internet.
Application protection services
This section explains how Azure networking services can help you protect your network resources. Use any or all of Azure's networking services to safeguard your applications, including DDoS Protection, Private Link, Firewall, Web Application Firewall, Network Security Groups, and Virtual Network Service Endpoints.
DDoS Protection
Azure DDoS Protection protects against even the most advanced DDoS attacks. The solution provides better DDoS mitigation capabilities for your business and assets hosted in your virtual networks. Customers that use Azure DDoS Protection also have access to DDoS Rapid Response assistance, which allows them to contact DDoS professionals during an active attack.
Azure Private Link
Azure Private Link allows you to use a private endpoint in your virtual network to access Azure PaaS services (for example, Azure Storage and SQL Database) and Azure-hosted customer-owned or partner services. Traffic between your virtual network and the service travels over the Microsoft backbone network, so it is no longer necessary to expose your service to the public internet. Instead, you can create your own Private Link service in your virtual network and offer it to your customers.
Azure Firewall
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. With Azure Firewall, you can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources, allowing outside firewalls to identify traffic originating from your virtual network.
Web Application Firewall
Azure Web Application Firewall (WAF) protects your web applications from common internet attacks and vulnerabilities such as SQL injection and cross-site scripting. Managed rules give Azure WAF out-of-the-box protection against the OWASP Top 10 vulnerabilities. Customers can also configure custom rules, which are customer-managed rules that provide additional protection based on source IP ranges and request attributes, including headers, cookies, form data fields, and query string parameters.
Customers can use Azure WAF with Application Gateway to protect applications in public and private address spaces at a regional level. They can also use Azure WAF with Front Door to protect public endpoints at the network edge.
Network security groups
A network security group filters network traffic to or from Azure resources in an Azure virtual network.
Service endpoints
Virtual Network (VNet) service endpoints extend your virtual network's private address space and the identity of your VNet to Azure services over a direct connection. Endpoints allow you to restrict access to your critical Azure service resources to only your virtual networks. Traffic from your VNet to the Azure service always stays on the Microsoft Azure backbone network.
Application delivery services
This section describes the networking services in Azure that help deliver applications: Content Delivery Network, Azure Front Door Service, Traffic Manager, Load Balancer, and Application Gateway.
Content Delivery Network
Content Delivery Network (CDN) offers developers a global solution for rapidly delivering high-bandwidth content to users by caching their content at strategically placed physical nodes around the world.
Azure Front Door Service
Azure Front Door Service enables you to define, manage, and monitor the global routing for your web traffic, optimizing for best performance and instant global failover for high availability. With Front Door, you can transform your global (multi-region) consumer and enterprise applications into robust, high-performance, personalized modern applications, APIs, and content that reach a global audience through Azure.
Traffic Manager
Azure Traffic Manager is a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure regions while providing high availability and responsiveness. Traffic Manager offers a range of traffic-routing methods for distributing traffic, such as priority, weighted, performance, geographic, multi-value, or subnet.
Load Balancer
Azure Load Balancer provides high-performance, low-latency Layer 4 load balancing for all UDP and TCP protocols. It manages inbound and outbound connections. You can configure public and internal load-balanced endpoints. You can define rules to map inbound connections to back-end pool destinations, using TCP and HTTP health-probing options to manage service availability.
Network monitoring services
This section describes the networking services in Azure that help you monitor your network resources: Network Watcher, Azure Monitor Network Insights, Azure Monitor, ExpressRoute Monitor, and Virtual Network TAP.
Network Watcher
Network Watcher, Azure Monitor Network Insights, Azure Monitor, ExpressRoute Monitor, and Virtual Network TAP are all networking services in Azure that let you monitor your network resources.
Azure Monitor Network Insights
Azure Monitor Network Insights offers a comprehensive view of health and metrics for all deployed network resources without requiring any configuration. It also gives you access to network monitoring tools like Connection Monitor, network security group flow logging, and Traffic Analytics.
Azure Monitor
Azure Monitor maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.
Elements of Azure Virtual Networks
Azure VNets offer a variety of services and capabilities for connecting Azure resources. Microsoft has designed these services to give organizations all of the tools they need to meet their cloud deployment requirements. The following sections describe some of the key concepts for deploying Azure Virtual Networks.
Address Space
When you create a VNet, you must specify a custom private IP address space using public and private (RFC 1918) addresses. Azure assigns private IP addresses to virtual network resources from the address space you choose. For example, if you deploy a VM in a VNet with an address space of 10.0.0.0/16, the VM will be given a private IP address of 10.0.0.4.
Subnets
Subnets are smaller segments of the virtual network. Subnetting lets you allocate a smaller portion of the VNet's address space to specific resources. Subnets improve IP address allocation by carving the virtual network's usable space into smaller ranges.
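The Address Space and Subnets sections above describe the rules a VNet address plan has to satisfy; the following checker, added here as an example and not code from the original article, applies them the way the portal's validation step does before it lets you create the network. It encodes two Azure facts: the first four and the last address of every subnet are reserved (so the first host address handed out is .4, as in the 10.0.0.4 example), and the smallest subnet Azure accepts is a /29. Run against the values in the portal walkthrough below (address space 10.100.0.0/16, subnet 10.50.25.0/24) it reports the subnet as outside the address space, which is exactly what the portal would reject. The sample address plans are constructed for the demo.

```python
"""VNet address-plan checks (added example; not from the original article).

Azure facts encoded here: Azure reserves 5 addresses per subnet (network,
default gateway, two for Azure DNS, broadcast), so the first usable host
address is network + 4, and the smallest allowed subnet is a /29.
"""
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5
SMALLEST_AZURE_SUBNET_PREFIX = 29
RFC1918_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def is_rfc1918(prefix):
    """True if the CIDR prefix lies entirely inside an RFC 1918 private range."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(r)) for r in RFC1918_RANGES)


def first_usable_ip(prefix):
    """First address Azure will hand out in this subnet (e.g. 10.0.0.4 for 10.0.0.0/16)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net.network_address + 4)


def usable_hosts(prefix):
    """Number of host addresses left after Azure's five reserved addresses."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.num_addresses - AZURE_RESERVED_PER_SUBNET


def validate_vnet(address_space, subnets):
    """Return a list of problems with the plan; an empty list means it is acceptable.

    address_space: CIDR string for the VNet; subnets: dict of name -> CIDR string.
    """
    problems = []
    space = ipaddress.ip_network(address_space, strict=False)
    seen = {}
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if str(net) != cidr:
            problems.append(f"{name}: {cidr} is not on a network boundary (did you mean {net}?)")
        if not net.subnet_of(space):
            problems.append(f"{name}: {net} is outside the address space {space}")
        if net.prefixlen > SMALLEST_AZURE_SUBNET_PREFIX:
            problems.append(f"{name}: {net} is smaller than the /{SMALLEST_AZURE_SUBNET_PREFIX} minimum")
        for other_name, other in seen.items():
            if net.overlaps(other):
                problems.append(f"{name}: {net} overlaps {other_name} ({other})")
        seen[name] = net
    return problems


if __name__ == "__main__":
    # Constructed sample plan: the page's PowerShell values plus a second subnet.
    plan = {"subnet1": "172.16.20.0/24", "subnet2": "172.16.30.0/24"}
    print("problems:", validate_vnet("172.16.0.0/16", plan))
    for name, cidr in plan.items():
        print(name, "first host", first_usable_ip(cidr), "usable", usable_hosts(cidr))
    # The portal walkthrough's subnet is not inside its address space.
    print(validate_vnet("10.100.0.0/16", {"snet-subnet1": "10.50.25.0/24"}))
```

The checker treats a public (non-RFC 1918) address space as allowed, matching the text above, and exposes `is_rfc1918` separately so you can warn on it if your own standard requires private space only.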
Network Security Groups
Network Security Groups (NSGs) protect each subnet within a virtual network. You use NSGs to filter traffic into and out of a virtual network. For each rule, you define the source and destination, port, and protocol that identify the traffic.
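To make the rule model concrete, here is a small simulation of how an NSG evaluates inbound traffic, added as an example (it is not code from the original article or from Azure). Rules are tried in ascending priority order and the first match wins; Azure's built-in default inbound rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) sit behind any custom rules, so anything you do not explicitly allow is denied. The service tags are approximated for the demo (assumption: `VirtualNetwork` means the VNet's own prefixes, `AzureLoadBalancer` means the platform health-probe address 168.63.129.16, and `Internet` means anything outside the VNet); the VNet prefix and rule set are constructed sample data, including one deliberately careless RDP rule that the `risky_rules` lint flags.

```python
"""Inbound NSG rule evaluation (added example; not from the original article).

Azure facts encoded here: lower priority number is evaluated first, first match
wins, and the three default inbound rules follow every custom rule. Service-tag
handling is a simplification for the demo (see the comments).
"""
import ipaddress
from dataclasses import dataclass

AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")  # Azure health-probe source


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # custom rules use 100-4096; defaults use 65000+
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp", "Icmp" or "*"
    source: str       # CIDR, single IP, "*" or a service tag
    dest_ports: str   # "22", "80-443" or "*"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int
    protocol: str


# Azure's default inbound rules, appended after the custom rules.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
)


def source_matches(rule_source, src_ip, vnet_prefixes):
    ip = ipaddress.ip_address(src_ip)
    in_vnet = any(ip in ipaddress.ip_network(p) for p in vnet_prefixes)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":      # simplification: VNet prefixes only
        return in_vnet
    if rule_source == "AzureLoadBalancer":   # simplification: probe address only
        return ip == AZURE_LB_PROBE_IP
    if rule_source == "Internet":            # simplification: anything not in the VNet
        return not in_vnet
    return ip in ipaddress.ip_network(rule_source, strict=False)


def port_matches(rule_ports, port):
    if rule_ports == "*":
        return True
    lo, _, hi = rule_ports.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate_inbound(custom_rules, flow, vnet_prefixes):
    """Return (access, rule_name) for the first rule that matches the flow."""
    ordered = sorted(custom_rules, key=lambda r: r.priority) + list(DEFAULT_INBOUND)
    for rule in ordered:
        if rule.protocol not in ("*", flow.protocol):
            continue
        if not port_matches(rule.dest_ports, flow.dst_port):
            continue
        if not source_matches(rule.source, flow.src_ip, vnet_prefixes):
            continue
        return rule.access, rule.name
    raise AssertionError("DenyAllInBound matches every flow; unreachable")


def risky_rules(custom_rules, mgmt_ports=(22, 3389)):
    """Defender's lint: Allow rules that open management ports to any source."""
    return [r.name for r in custom_rules
            if r.access == "Allow" and r.source in ("*", "Internet")
            and any(port_matches(r.dest_ports, p) for p in mgmt_ports)]


# Constructed sample data: one VNet and three custom rules (the last one is the mistake).
VNET_PREFIXES = ["10.100.0.0/16"]
CUSTOM_RULES = [
    Rule("allow-ssh-from-jump", 100, "Allow", "Tcp", "10.100.1.0/26", "22"),
    Rule("allow-https-from-internet", 200, "Allow", "Tcp", "Internet", "443"),
    Rule("allow-rdp-any", 300, "Allow", "Tcp", "*", "3389"),
]

if __name__ == "__main__":
    for flow in (Flow("10.100.1.10", 22, "Tcp"), Flow("203.0.113.5", 22, "Tcp"),
                 Flow("203.0.113.5", 443, "Tcp"), Flow("168.63.129.16", 80, "Tcp")):
        print(flow, "->", evaluate_inbound(CUSTOM_RULES, flow, VNET_PREFIXES))
    print("risky rules:", risky_rules(CUSTOM_RULES))
```

Two things the simulation makes visible: SSH from the internet is denied not by any rule you wrote but by DenyAllInBound, so NSG security comes from keeping the Allow rules narrow; and a single broad Allow on a management port (the `allow-rdp-any` rule) silently undoes that default, which is why a lint like `risky_rules` belongs in any review of NSG changes.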
How to Create Azure Virtual Networks
Microsoft provides several ways to create Azure Virtual Networks. This article covers three of them:
- Using the Azure Portal
- Using Azure PowerShell
- Using the Azure CLI
Azure Portal
To create an Azure Virtual Network using the Azure Portal:
- First, navigate to and sign in to the Azure portal.
- Then, select Create a resource on the Azure Portal homepage.
- On the Create a resource page, search the marketplace for virtual network and select it from the results.
- On the Virtual Network page, select Create.
- On the Create virtual network page, configure the information in the Basics tab:
  - Subscription: select the subscription to bill the resource against
  - Resource group: create a new resource group or choose an existing one
  - Name: enter vnet-westus-001
  - Region: select the West US region
- Select the Next: IP Addresses button at the bottom of the page.
- In the IPv4 address space section, Azure has pre-populated the address space 10.1.0.0/16. Select this existing address space and change it to 10.100.0.0/16.
- If you want to add subnets now, select + Add subnet, then enter the subnet name snet-subnet1 and an address range of 10.50.25.0/24.
- Review the address space and subnets, select Review + create, and then select Create after the portal validates the configuration.
Azure PowerShell
To create a virtual network and subnets using Azure PowerShell:
- Create a virtual network using the New-AzVirtualNetwork command, specifying:
  - The virtual network name (vnet-eastus-001)
  - Resource group (virtualNetworks-rg)
  - Location (eastus)
  - Address prefix (172.16.0.0/16)

Save the new virtual network to a variable named $vnet.

```powershell
$vnet = New-AzVirtualNetwork `
    -Name 'vnet-eastus-001' `
    -AddressPrefix 172.16.0.0/16 `
    -Location eastus `
    -ResourceGroupName 'virtualNetworks-rg'
```
- Create a subnet for the new virtual network using the Add-AzVirtualNetworkSubnetConfig command, specifying:
  - Subnet name (subnet1)
  - Subnet address prefix (172.16.20.0/24)
  - The virtual network, using the $vnet variable

Save the new subnet to a variable named $subnet1.

```powershell
$subnet1 = Add-AzVirtualNetworkSubnetConfig `
    -Name 'subnet1' `
    -AddressPrefix 172.16.20.0/24 `
    -VirtualNetwork $vnet
```

- Associate the new subnet with the virtual network by piping the $subnet1 variable to the Set-AzVirtualNetwork command. PowerShell outputs the updated network object, including the subnet information.

```powershell
$subnet1 | Set-AzVirtualNetwork
```
If you want to create a virtual network and its subnets at the same time, you must create the subnet objects first and then pass them in when you create the virtual network.
- Create a new subnet configuration using the New-AzVirtualNetworkSubnetConfig command, specifying:
  - The subnet name (subnet1)
  - The address prefix (172.16.20.0/24)

```powershell
$subnet1 = New-AzVirtualNetworkSubnetConfig `
    -Name 'subnet1' `
    -AddressPrefix 172.16.20.0/24
```
- Repeat step 1 with a new variable name, subnet name, and address prefix for each additional subnet to add to the virtual network.
- Use the New-AzVirtualNetwork command to create the virtual network. Use the -Subnet parameter to pass each saved subnet variable, separated by commas. This example uses three subnets.

```powershell
$vnet = New-AzVirtualNetwork `
    -Name 'vnet-eastus-001' `
    -ResourceGroupName 'virtualNetworks-rg' `
    -Location 'eastus' `
    -AddressPrefix 172.16.0.0/16 `
    -Subnet $subnet1,$subnet2,$subnet3
```
Azure CLI
To create a virtual network and subnets using the Azure CLI:
- Use the az network vnet create command and specify the virtual network properties, including one subnet:
  - Name (vnet-centralus-001)
  - Resource group (virtualNetworks-rg)
  - Location (centralus)
  - Address prefix (192.168.0.0/16)
  - Subnet name (subnet1)
  - Subnet address prefix (192.168.10.0/24)

```bash
az network vnet create \
    --name 'vnet-centralus-001' \
    --resource-group 'virtualNetworks-rg' \
    --location 'centralus' \
    --address-prefixes 192.168.0.0/16 \
    --subnet-name 'subnet1' \
    --subnet-prefixes 192.168.10.0/24
```
- To add more subnets to the virtual network, use the az network vnet subnet create command, specifying:
  - Address prefix (192.168.20.0/24)
  - Subnet name (subnet2)
  - Resource group (virtualNetworks-rg)
  - VNet name (vnet-centralus-001)

```bash
az network vnet subnet create \
    --address-prefixes 192.168.20.0/24 \
    --name 'subnet2' \
    --resource-group 'virtualNetworks-rg' \
    --vnet-name 'vnet-centralus-001'
```
More Azure Virtual Network Information
Now that you have created your first Azure Virtual Networks, here is some additional Azure networking information to consider. Azure Virtual Networks provide more advanced capabilities beyond core networking.
Pricing
Unlike a virtual machine or other Azure resources, creating virtual networks is free. Creating a virtual network does not incur any charges. You can create up to 50 virtual networks per subscription. If you create a peering connection between different virtual networks, Azure charges for the inbound and outbound data transfers.
Protecting Resources
Azure also provides several capabilities to protect your network resources. One is Azure Firewall, a cloud-based network security service. Azure Firewall protects resources by enforcing application and network connectivity policies. In addition, Azure Firewall has built-in high availability and unrestricted cloud scalability.
Azure also includes basic distributed denial of service (DDoS) attack protection at no extra cost. This service provides traffic monitoring and automatic attack mitigation. You can also upgrade to standard protection, which adds rapid response support, mitigation policies, and metrics and alerts.