2.2.8 Describe Azure Virtual Networking
Description of Azure VNets.
Azure virtual networks provide:
Isolation and segmentation
Internet communications
Communicate between Azure resources
Communicate with on-prem resources
Route network traffic
Filter network traffic
Connect virtual networks
Azure virtual networking supports public and private endpoints so that external or internal resources can communicate with other internal resources.
Public endpoints have a public IP address and can be accessed from anywhere in the world.
Private endpoints exist within a virtual network and have a private IP address from within the address space of that virtual network.
Isolation and Segmentation
When a virtual network is set up, a private IP address space is defined using public or private IP address ranges. The IP range only exists within the virtual network and isn't internet routable. The address space can be divided into subnets, with part of the defined range allocated to each named subnet. Azure has built-in name resolution, or an internal/external DNS server can be used.
Internet Communications
A public IP address can be assigned to an Azure resource, or the resource can be put behind a public load balancer.
Communicate Between Azure Resources
Virtual networks can connect VMs or other Azure resources, like the App Service Environment for Power Apps, Azure Kubernetes Service, and Azure VM scale sets.
Service endpoints can connect to other Azure resource types like Azure SQL databases and storage accounts.
Communicate with On-Prem Resources
A network can be created spanning local and cloud environments. This can be achieved in three ways:
Point-to-Site VPN: connections are made from a PC outside your network back into your network. The client uses an encrypted VPN connection to the Azure virtual network.
Site-to-Site VPN: a private link from your on-prem VPN device to the Azure VPN gateway in a virtual network. The devices in Azure appear to be on the local network and the connection is encrypted.
Azure ExpressRoute: dedicated private connectivity to Azure without travelling over the internet. Useful for environments that need greater bandwidth and higher levels of security.
Route Network Traffic
Route tables allow you to define rules about traffic direction. Custom route tables can be created to control how packets travel between subnets.
Border Gateway Protocol (BGP) works with Azure VPN gateways, Azure Route Server, or Azure ExpressRoute to propagate on-prem BGP routes to Azure virtual networks.
Filter Network Traffic
Network security groups contain multiple inbound/outbound security rules. These can be defined to allow or block traffic based on source/destination IP, port and protocol.
Network virtual appliances are specialized VMs which can be compared to a hardened network appliance. A network virtual appliance carries out a particular function, like running a firewall or performing WAN optimization.
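The first-match, priority-ordered evaluation that NSG rules follow, shown as an added Python model (not Azure's code and not part of the original notes): custom rules and the built-in default rules are sorted by priority number, the lowest number is checked first, and the first rule that matches decides. The rule set, the 10.0.0.0/16 VNet address space and the sample addresses are constructed; the AllowAzureLoadBalancerInBound default rule is left out to keep the model short.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # custom rules use 100-4096; the lowest number is evaluated first
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR, "*" or the "VirtualNetwork" service tag
    dest_port: str   # single port, "low-high" range, or "*"

# Inbound default rules present in every NSG; they cannot be removed, only
# overridden by a custom rule with a lower (higher-precedence) priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def _source_matches(spec: str, src_ip: str, vnet_space: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":        # service tag covering the VNet's own address space
        return ip in ipaddress.ip_network(vnet_space)
    return ip in ipaddress.ip_network(spec)

def evaluate(custom_rules, protocol, src_ip, dest_port, vnet_space="10.0.0.0/16"):
    """Return (access, rule name) of the first matching rule in priority order."""
    for r in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol)
                and _source_matches(r.source, src_ip, vnet_space)
                and _port_matches(r.dest_port, dest_port)):
            return r.access, r.name     # first match decides; later rules are never consulted
    raise RuntimeError("unreachable: DenyAllInBound matches every inbound flow")

# Constructed rules: block one range outright, allow HTTPS from anywhere, allow SSH only from on-prem.
CUSTOM_INBOUND = [
    Rule("DenyBlockedRange", 100, "Deny", "*", "203.0.113.0/24", "*"),
    Rule("AllowHttps", 200, "Allow", "Tcp", "*", "443"),
    Rule("AllowSshFromOnPrem", 300, "Allow", "Tcp", "192.168.10.0/24", "22"),
]
```

Because the Deny at priority 100 is evaluated before the Allow at 200, HTTPS from the blocked range is refused even though a broader Allow exists, while traffic from inside the VNet that matches no custom rule still passes on the AllowVnetInBound default.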
Connect Virtual Networks
Virtual networks can be linked together with virtual network peering. Network traffic between peered networks is private and never enters the public internet. Peering enables resources in each network to communicate. The virtual networks can be in separate regions, allowing you to create a global interconnected network. UDR (User-Defined Routes) allow you to control routing tables between subnets within or between virtual networks.