Azure VNet & Networking Fundamentals

Azure’s networking capabilities offer a comprehensive and flexible suite of options for building and managing a cloud network. Understanding the roles and configurations of VNets, subnets, and gateways is key to leveraging Azure’s full potential for your networking needs.

What is a VNet?

A Virtual Network (VNet) in Azure is the primary building block for private networks within the cloud, analogous to AWS’s Virtual Private Cloud (VPC). VNets provide essential networking functions such as DNS, routing, DHCP customization, access control, and connectivity between various resources like virtual machines and VPNs​​​​​​.

Key VNET Characteristics & Functions

VNets represent a network in the cloud, offering logical isolation within Azure. This isolation allows for creating private networks, yet they remain capable of connecting with other VNets or on-premises infrastructure, facilitating hybrid systems. VNets follow standard IP routing principles and need to be associated with one or more address spaces (CIDR), further divided into subnets.

VNets can be used to:

  • Private Cloud-Only VNets: For services and VMs to communicate securely within the cloud.
  • Data Center Extension: Building site-to-site VPNs for secure capacity scaling.
  • Hybrid Clouds: Connecting cloud-based applications with on-premises systems.

Key components of Azure VNets, include:

  • Subnets: Segment VNets for specific use cases or apply specific routing tables and Network Security Groups (NSG).
  • IP Addresses: Assign public or private IPs, with dynamic or static options.
  • Network Security Groups (NSG): Control traffic flow using rules.
  • Firewall: Azure provides a managed firewall for L3-7 connectivity policies.
  • Load Balancing: Options include Azure Traffic Manager, Azure Load Balancer, and Azure Application Gateway.
  • Routing Tables: Customize traffic routing using User Defined Routes (UDR) for inter-VNet connectivity.

Azure VNet Overview

Integration and Connectivity

Azure VNets facilitate secure and efficient communication among various Azure resources. These networks can be divided into multiple subnets, enabling secure connections within the VNet, to the internet, and local networks. VNets, confined to a single region, can be interconnected through virtual network peering. The scope of a virtual network is a single region; however, several virtual networks of different regions can be connected by virtual network peering as shown below:

Isolation and segmentation

You can deploy multiple virtual networks within each subscription and Azure region. Each virtual network is isolated from the other virtual networks by default.

  • Multiple Virtual Networks: Deploy multiple VNets within a subscription and region, each isolated from others.
  • Address Space Specification: Use public and private addresses for defining a private IP address space.
  • Subnets: Create multiple subnets within a VNet, each with a portion of the VNet’s address space.
  • DNS: Opt for Azure’s name resolution or specify a custom DNS server.

Security and Traffic Control Policy

You can filter network traffic between subnets using one or both of the following options:

  • Network Security Groups (NSG): Apply rule sets for traffic control.
  • Application Security Group (ASG): Define traffic rules based on labels rather than IP/network addresses.
  • Azure Managed Firewall: Controls VNet-internet traffic.
  • Virtual Network Appliance: Integrate third-party solutions like firewalls or WAN optimization.

VPN with VNET

For connecting cloud resources to on-premises or other clouds, VPNs are essential. Azure supports various VPN modes (Site-Site, Point-Site, Policy-based, Route-based), allowing flexibility in tunnel configuration. Such connectivity can be built between different VNets, or from a VNet to On-premises as shown in the picture below.

Source: Microsoft

These VPN modes gives the cloud user flexibility to choose the best option for their tunnel according to their use cases and endpoint devices. There are a couple of key components involved in the setup:

  • Virtual Network Gateway: Configures VPN connectivity, residing at the VNet’s boundary.
  • Local Network Gateway: Represents the customer’s gateway for tunnel configuration.
  • Border Gateway Protocol (BGP): Facilitates dynamic route communication for efficient hybrid cloud setups.

Become the cloud networking hero of your business.

See how Aviatrix can increase security and resiliency while minimizing cost, skills gap, and deployment time.