Microsoft Azure VNet Features
Azure VNets serve as the backbone of networking within Azure, providing the infrastructure necessary for secure communication among Azure resources, the internet, and on-premises networks. This foundational service supports a broad spectrum of networking scenarios, from simple inter-resource communication to sophisticated, hybrid cloud infrastructures, offering benefits like scalability, availability, and isolation inherent to Azure’s infrastructure.
Configuring VNets: Azure VNet Tools & Interfaces
Azure offers a variety of tools for deploying and configuring VNets, catering to different user preferences and requirements:
- Azure Portal: A user-friendly, graphical interface accessible via a web browser, ideal for those who prefer a visual management experience.
- Azure PowerShell and CLI: Command-line tools for Windows, Linux, MacOS, or Windows users, providing a powerful way to automate and script network configurations.
- Azure Resource Manager Templates: JSON-formatted files that define the infrastructure and configuration, enabling consistent and repeatable deployments across the solution lifecycle, with deployment possible through the Azure portal, CLI, or PowerShell interface.
Connectivity between Azure resources
Different types of Azure resources, for instance, virtual machines, cloud services, virtual machine scaling sets, and Azure App Service environments can communicate privately over an Azure virtual network.
This is a logical isolation of the Azure cloud dedicated to your subscription. Each Azure subscription and region allows you to implement numerous virtual networks (quota limits apply).
For general connectivity setup in each VNet, you can:
- Define a custom private IP address space using public and private addresses (RFC 1918). Azure appoints resources connected to the virtual network a private IP address from the address space you designate.
- Segment the virtual network into one or more subnets and allocate a portion of the virtual network address space to each subnet.
- You are allowed to use the name resolution that is given by Azure or create your own DNS service for use by resources linked to a virtual network.
VNets are isolated from each other by default. You can connect virtual networks, allowing resources connected to a virtual network to communicate with them over virtual networks. You can choose one of both options below to connect virtual networks:
- Pairing: Allows resources connected to different Azure virtual networks in the same Azure region to communicate with each other. The bandwidth and latency between the virtual networks are the same as if the resources were connected to the same virtual network. Global pairing allows connection across different regions.
- VPN gateway: Enables resources connected to different Azure virtual networks in different Azure regions to communicate with each other. Traffic between virtual networks passes through an Azure VPN gateway. The bandwidth between the virtual networks is limited to the bandwidth of the gateway.
Internet connectivity
All Azure resources connected to a virtual network have outbound connectivity to the Internet by default. The private IP address of the resource is translated via SNAT (source network address translated) into a public IP address by the Azure infrastructure.
To have inbound communication with Azure resources from the Internet, a resource must be assigned to a public IP address.
Local connectivity
Resources are securely accessible in your virtual network thru a VPN connection or a direct private connection. Creating a virtual network gateway can send network traffic between your Azure virtual network and your local network. You configure the gateway settings to create the type of connection you want, VPN or ExpressRoute.
You can connect your local network to a virtual network using any combination of the following options:
Point to site (VPN on SSTP)
The following illustration shows separate point-to-site connections between multiple computers and a virtual network:
This connection is established between a single computer and a virtual network. Azure users who are beginners and developers who are not familiar with Azure find this type of connection useful because it requires little or zero modifications to your existing network.
Another reason it is helpful is when you are connecting from a remote location, for instance, a conference or at home. Point-to-site connections are often associated with a site-to-site connection through the same virtual network gateway. The connection uses the SSTP protocol to provide encrypted communication over the Internet between the computer and the virtual network.
Site-to-site (IPsec / IKE VPN tunnel)
This connection is established between your local VPN device and an Azure VPN gateway. This type of connection allows any local resource of your choice to access the virtual network. The connection is made over an IPSec / IKE VPN that provides encrypted communication over the Internet between your local device and the Azure VPN Gateway. You can connect multiple local sites to the same VPN gateway. The local VPN device on each site must have an external public IP address that is not behind a NAT. The latency of a site-to-site connection is unpredictable because traffic travels over the Internet.
ExpressRoute (dedicated private connection)
This type of connection is private and is established between your network and Azure via an ExpressRoute partner. The latency of an ExpressRoute connection is predictable because traffic does not transit over the Internet. You can associate ExpressRoute with a site-to-site connection.
Routing
Azure creates routing tables that allow resources connected to a subnet of a virtual network to communicate with each other by default. You can implement one or both of the following types to override the default routes created by Azure:
- User Defined: You can create custom routing tables with routes that control where traffic is routed for each subnet.
- Border Gateway Protocol (BGP): If you connect your virtual network to your local network through an ExpressRoute connection or the Azure VPN Gateway, you can propagate BGP routes to your virtual networks. BGP is the standard routing protocol commonly used on the Internet to exchange routing and accessibility information between multiple networks. In the context of Azure Virtual Networks, the BGP protocol allows Azure VPN gateways and your local VPN devices (called neighbors or BGP peers) to exchange “routes” that inform both gateways of network availability and accessibility.
Troubleshooting and visibility tools
Azure provides the following tools to monitor and manage networking:
- Activity Logs: Logs that keep a record of information about the operations that are taking place, operation status report and the person in charge of the operation.
- Diagnostic Logs: Diagnostic logs provide information about the integrity of a resource. Diagnostic logs are provided for load balancing (on the Internet), network security groups, routes, and Application Gateway.
- Metrics: Metrics are measures and performance counters collected over a given period. They can be used to trigger alerts based on thresholds. Metrics are currently available for Application Gateway.
- Troubleshooting: Troubleshooting information is available directly in the Azure portal. The information helps you diagnose common problems with ExpressRoute, VPN gateway, Application Gateway, network security logs, routes, DNS, load balancing, and Traffic Manager.
- Packet Capture: The Azure Network Watcher service provides the ability to perform packet capture on a virtual machine through an extension in the virtual machine. This feature is available for Linux and Windows virtual machines.
- Check IP Streams: Network Watcher allows you to check IP flows between an Azure VM and a remote resource to determine whether or not packets are allowed. This feature gives administrators the ability to quickly diagnose connectivity issues.
- Show Network Topology: Displays a graphical representation of network resources in a virtual network with Network Watcher.
Become the cloud networking hero of your business.
See how Aviatrix can increase security and resiliency while minimizing cost, skills gap, and deployment time.