Vnet CIDR Subnet Subnet group Network Peering

 

Virtual Network (VNet) in Azure

In Azure, a Virtual Network (VNet) is a fundamental building block that enables you to securely connect Azure resources, such as virtual machines (VMs), to each other, to the internet, and to on-premises networks. VNets are logically isolated networks that can span multiple Azure regions, allowing you to deploy Azure resources like VMs, Azure App Services, and databases securely and privately.

Key Features of Azure Virtual Network:

1. Isolation and Segmentation: VNets provide network isolation at the subnet level, allowing you to segment your Azure resources based on application tiers, security requirements, or other organizational needs.

2. Custom IP Addressing: You can define IP address ranges (CIDR blocks) for VNets and subnets, giving you control over the IP address assignment and subnet sizes within your network.

3. Connectivity Options:

   • Internet Connectivity: Azure VNets can be configured to allow resources within them to communicate with the internet, either directly or via Azure services like Azure Firewall or Azure NAT Gateway.
   • Virtual Private Network (VPN): Establish site-to-site or point-to-site VPN connections to securely extend your on-premises network to Azure VNets.
   • ExpressRoute: Use Azure ExpressRoute to create private, high-throughput connections between Azure data centers and your on-premises infrastructure or colocation environment.

4. Security: VNets support network security groups (NSGs), which act as firewalls at the subnet or NIC level, allowing you to control inbound and outbound traffic to and from Azure resources.

5. Integration with Azure Services: Azure VNets can integrate with various Azure services like Azure Virtual Machines, Azure Kubernetes Service (AKS), Azure App Service Environment (ASE), and more, enabling secure communication and data transfer between these services.

How to Configure Azure Virtual Network with Open Internet Access

To configure an Azure Virtual Network (VNet) to allow resources within it to access the internet, follow these steps:

1. Create a Virtual Network:

   • Sign in to the Azure portal (portal.azure.com).
   • Navigate to "Create a resource" > "Networking" > "Virtual network."
   • Specify the VNet name, IP address range (CIDR block), and Azure region.

2. Create Subnets:

   • Within the VNet creation wizard or after creating the VNet, add one or more subnets with their respective CIDR blocks.
   • Subnets help organize resources within the VNet and can have different security and routing configurations.

3. Configure Network Security Groups (NSGs):

   • Optionally, create and associate NSGs with subnets or network interfaces (NICs) to control inbound and outbound traffic flow.
   • Define rules in NSGs to allow outbound internet traffic from the subnet (e.g., allow outbound HTTP/HTTPS traffic).

4. Internet Gateway or Azure NAT Gateway:

   • To provide internet access to resources within the VNet, you can use either an Azure Internet Gateway or Azure NAT Gateway:
     • Azure Internet Gateway: Enables outbound connectivity for Azure resources directly to the internet.
     • Azure NAT Gateway: Provides outbound internet connectivity for resources that do not have public IP addresses assigned directly to them.

5. Assign Public IP Addresses (Optional):

   • If resources within the VNet need to be accessible from the internet (e.g., web servers), assign public IP addresses to those resources.

6. Routing Configuration (Optional):

• Configure route tables (using Azure Route Tables) if custom routing is required within the VNet or to define specific routes for traffic.

Type of IP Address in Azure

In Azure, there are several types of IP addresses used for different purposes and scenarios. These IP addresses serve various functionalities and are essential for networking within the Azure environment. Here are the main types of IP addresses in Azure:

1. Public IP Address

• Purpose: Public IP addresses are used for communication with the internet. They allow Azure resources to have direct connectivity and be accessible from the internet.
• Usage: Typically assigned to resources like Azure Virtual Machines (VMs), Azure Load Balancers, Azure Application Gateways, and Azure Kubernetes Service (AKS) nodes.
• Configuration: Public IP addresses can be dynamically assigned (Azure-managed) or statically assigned (reserved). They can also be associated with Azure resources using Azure portal, Azure CLI, PowerShell, or ARM templates.

2. Private IP Address

• Purpose: Private IP addresses are used for communication within an Azure Virtual Network (VNet) or between VNets connected via VPN or ExpressRoute.
• Usage: Assigned to Azure resources such as VMs, Azure App Service Environment (ASE), and other PaaS services within a VNet.
• Configuration: Private IP addresses are assigned from the address space of the VNet and its subnets. They are not reachable directly from the internet unless network address translation (NAT) is configured.

3. Reserved IP Address

• Purpose: Reserved IP addresses are used for scenarios requiring static IP assignments that persist even if resources are deallocated or restarted.
• Usage: Useful for scenarios like Azure Cloud Services (classic) deployments where static IPs are needed to maintain communication endpoints.
• Configuration: Reserved IP addresses are allocated from a pool and can be associated with cloud services, VMs, or other resources requiring static IPs.

4. Internal Load Balancer IP Address

• Purpose: Used for load balancing traffic within an Azure VNet.
• Usage: Assigned to Azure Internal Load Balancers (ILBs) to distribute traffic to backend VMs or services within a VNet.
• Configuration: Assigned automatically when creating an ILB. They are private IP addresses and not directly accessible from the internet.

5. Azure Load Balancer Frontend IP Configuration

• Purpose: Frontend IP addresses are used to receive incoming traffic that Azure Load Balancers distribute to backend pool resources.
• Usage: Configured as part of Azure Load Balancer settings for handling inbound traffic to public-facing services or applications.
• Configuration: Frontend IP addresses can be public (for internet-facing scenarios) or private (for internal load balancing within a VNet).

6. Gateway IP Address

• Purpose: Used for VPN gateways and ExpressRoute gateways to establish secure connections between Azure VNets and on-premises networks.
• Usage: Configured as part of VPN or ExpressRoute gateway configurations for hybrid connectivity scenarios.
• Configuration: Assigned automatically when setting up VPN or ExpressRoute gateways. Gateway IPs are crucial for secure and reliable connectivity between Azure and on-premises environments.

Network Security Group (NSG) in Azure

A Network Security Group (NSG) in Azure is a fundamental component of network security that acts as a virtual firewall for controlling inbound and outbound traffic to Azure resources within a virtual network (VNet). NSGs allow you to filter network traffic based on source and destination IP addresses, port, and protocol. They provide an additional layer of security to help secure your Azure environment.

Important Features of Network Security Groups (NSGs):

1. Filtering Rules: NSGs use inbound and outbound security rules to allow or deny traffic based on source and destination IP addresses, ports, and protocols (TCP, UDP, ICMP).

2. Stateful Filtering: NSGs maintain state information about active connections, allowing responses to outbound connections initiated from within the VNet without additional rules.

3. Priority and Order: Rules in NSGs have priority numbers that determine their order of evaluation. Lower priority numbers are evaluated before higher ones.

4. Default Rules: NSGs have default rules that allow outbound traffic from resources within the VNet to the internet, as well as inbound traffic from the internet to Azure resources if explicitly allowed.

5. Application Security Groups (ASGs): ASGs are used in conjunction with NSGs to group VMs and apply NSG rules based on application tiers rather than individual VMs, simplifying rule management.

6. Logging and Monitoring: NSGs can log traffic information to Azure Storage accounts or Azure Monitor, providing visibility into network traffic patterns and aiding in troubleshooting and auditing.

How to Configure Network Security Groups (NSGs):

Configuring NSGs involves several steps, including creating NSGs, defining rules, associating NSGs with subnets or network interfaces, and monitoring their effectiveness. Here’s a basic guide to configuring NSGs:

1. Create a Network Security Group:

• Sign in to the Azure portal (portal.azure.com).
• Navigate to "Create a resource" > "Networking" > "Network security group."
• Provide a name, subscription, resource group, and location for the NSG.

2. Define Security Rules:

• In the NSG's "Settings" blade, navigate to "Inbound security rules" or "Outbound security rules."
• Click on "+ Add" to create new rules.
• Define the rule properties:
  • Name: A descriptive name for the rule.
  • Priority: The rule's priority number (lower numbers indicate higher priority).
  • Source/Destination: IP addresses, service tags, or application security groups.
  • Port/Protocol: Specify TCP, UDP, or ICMP protocols and port ranges.
  • Action: Allow or deny traffic matching the rule criteria.

3. Associate NSG with Resources:

• Attach the NSG to Azure resources such as subnets or individual network interfaces (NICs) within a VNet.
• Navigate to the resource (e.g., VNet or subnet) > "Settings" > "Network security group" > "Associate."
• Select the NSG from the list and save the changes.

4. Monitor NSG Traffic:

• Monitor NSG traffic and rule effectiveness by viewing flow logs or using Azure Monitor.
• Enable diagnostics settings for NSGs to stream logs to Azure Monitor or Azure Storage for analysis and auditing purposes.

1. Virtual Network Peering

Virtual Network Peering allows VNets to connect within the same Azure region. It enables resources in peered VNets to communicate directly with each other, as if they were on the same network.

Steps to Configure Virtual Network Peering:

1. Navigate to the Azure Portal:

   • Sign in to the Azure portal (portal.azure.com).

2. Select Virtual Networks:

   • Go to "Virtual networks" and select the VNet you want to peer with another VNet.

3. Add Peering Connection:

   • In the VNet's "Settings," navigate to "Peerings" and click on "+ Add."

4. Configure Peering:

   • Provide a name for the peering connection.
   • Choose the VNet you want to peer with from the list of available VNets in the same region.
   • Specify if you want to allow forwarded traffic from the peered VNet.
   • Review and create the peering connection.

5. Confirm and Validate:

   • Once created, validate connectivity by deploying resources (like VMs) in both VNets and testing communication between them.

2. Global VNet Peering

Global VNet Peering connects VNets across Azure regions globally, allowing resources in one VNet to communicate securely with resources in another VNet located in a different Azure region.

Steps to Configure Global VNet Peering:

1. Navigate to the Azure Portal:

   • Sign in to the Azure portal (portal.azure.com).

2. Select Virtual Networks:

   • Go to "Virtual networks" and select the VNet you want to peer globally.

3. Add Global Peering Connection:

   • In the VNet's "Settings," navigate to "Peerings" and click on "+ Add."

4. Configure Global Peering:

   • Provide a name for the peering connection.
   • Choose the subscription and Azure Active Directory tenant (if applicable).
   • Select the remote VNet and specify the target region.

5. Confirm and Create Peering:

   • Review the peering settings and create the global peering connection.

6. Validate Connectivity:

• Once created, validate connectivity by deploying resources (like VMs) in both VNets across different Azure regions and testing communication.

Point-to-Site (P2S) VPN

Point-to-Site VPN is a connectivity option in Azure that enables you to connect individual client devices (like laptops or desktops) to an Azure VNet securely over the internet. It is useful for remote workers who need secure access to resources within an Azure VNet.

Configuration Steps for Point-to-Site VPN:

1. Create a Virtual Network Gateway:

   • Navigate to the Azure portal (portal.azure.com).
   • Go to "Create a resource" > "Networking" > "Virtual network gateway."
   • Configure the gateway type as "VPN" and select the VPN type (IKEv2 or SSTP).
   • Specify other settings like SKU (Basic or VpnGw), subnet, and IP configuration.

2. Configure Point-to-Site Configuration:

   • Under the Virtual Network Gateway settings, configure the "Point-to-Site Configuration."
   • Specify the tunnel type (IKEv2 or SSTP), address pool (IP addresses assigned to VPN clients), and authentication type (Azure AD or certificate-based).

3. Generate and Download VPN Client Configuration:

   • After configuration, generate and download the VPN client configuration (a VPN client package).
   • Install the VPN client on user devices and configure it using the downloaded package.

4. Connect VPN Clients to Azure VNet:

• Users launch the VPN client on their devices and connect to the Azure VNet using their Azure AD credentials or a client certificate.
• Once connected, clients can access resources (like VMs, Azure services) within the Azure VNet securely.

Site-to-Site (S2S) peering

In Azure networking, "Site-to-Site (S2S) peering" refers to establishing a secure and private connection between an Azure Virtual Network (VNet) and an on-premises network or another Azure VNet in a different region. This allows resources in the connected networks to communicate with each other as if they are on the same network.

Benefits of Site-to-Site Peering:

• Hybrid Connectivity: Connect on-premises networks securely to Azure VNets, enabling seamless integration of cloud and on-premises resources.

• Regional Connectivity: Establish secure communication between Azure VNets located in different regions, facilitating cross-region application deployments and data exchange.

• Scalability: Scale connectivity as needed by adding more VNets or on-premises networks to the peering configuration.

Configuration Steps for Site-to-Site (S2S) Peering:

To set up Site-to-Site peering between Azure VNets or between Azure VNet and on-premises network, follow these general steps:

1. Prepare Azure Virtual Network Gateway:

• Create a Virtual Network Gateway:
  • Navigate to the Azure portal (portal.azure.com).
  • Go to "Create a resource" > "Networking" > "Virtual network gateway."
  • Choose the gateway type (VPN or ExpressRoute) depending on your connectivity requirements.
  • Configure settings like VPN type (IKEv2, SSTP), SKU (Basic or VpnGw), subnet, and IP configuration.

2. Configure VPN Connections:

• Define Local Network Gateway (for S2S with On-Premises Network):

  • Create a Local Network Gateway object in Azure, defining the on-premises network's public IP address (or VPN device's IP) and address space.
  • Specify shared key or certificate authentication for secure communication.

• Configure VPN Connection (for S2S with On-Premises Network):

  • Under the Virtual Network Gateway settings, configure the "Connections" or "VPN connections."
  • Add a new VPN connection and specify the connection type (Site-to-Site).
  • Link the VPN connection to the Local Network Gateway created earlier.

3. Create VNet Peering:

• Create or Select Virtual Networks:

  • Navigate to "Virtual networks" and select the VNets you want to peer (if peering Azure VNets).
  • If peering with an on-premises network, configure the Virtual Network Gateway and Local Network Gateway as described.

• Add Peering Connection:

  • In the VNet's "Settings," navigate to "Peerings" and click on "+ Add."
  • Specify the VNet to peer with, set the peering type (local or global), and configure other settings like forwarding and gateway transit.

4. Validate and Test Connectivity:

• Validate Configuration:
  • Once peering is configured, verify connectivity by deploying resources (like VMs) in both VNets or testing communication between on-premises resources and Azure resources.
• Monitor and Troubleshoot:
  • Use Azure Monitor to track VPN connection status and logs for troubleshooting connectivity issues.
  • Adjust NSGs (Network Security Groups) or route tables if necessary to allow required traffic between peered networks.

Considerations for Site-to-Site Peering:

• Bandwidth and Performance: Consider Azure Gateway SKU (Standard or High-Performance) based on bandwidth requirements for VPN connections.

• Security: Implement appropriate encryption protocols (IKEv2, SSTP) and authentication methods (pre-shared key, certificate) for secure data transmission over VPN connections.

• Cost: Evaluate data egress charges and Azure Gateway pricing based on data transfer volumes and VPN gateway SKUs used.