The Azure Networking handbook for beginners 

Welcome to the interconnected world of networking in Azure. To understand this complex subject easier let’s create a metaphor where we will compare Azure to a dynamic country with several cities (virtual networks) divided into one or multiple districts (subnets). These cities are interconnected via different kinds of roads, building a complex topology. 

In this metaphorical Azure country, the cities can communicate with the external world including the Internet and On-Premises Network. However, communication is highly controlled and secure, to avoid any malicious intent and protect the population (data).  

Every neighborhood within these cities has its own houses, where each house represents a device or a resource with a unique number to its private IP address.  

Azure Network City

Scenario 1: Connection Site2Site 

Referring to the connection between On Premise Network and Vnet1 on the figure. 

To enable communication between an on-premises network and a Virtual Network (VNet) in Microsoft Azure there are two options: 

  • VPN (Virtual Private Network) tunnel   

Referring to the tunnel on the schema 

VPN tunnels use the public internet to connect your on-premises network to the Azure VNet. 2 Gateways are needed, one local network gateway located in the on-premises network and one virtual network gateway. The traffic is encrypted. 

  • Express route  

Referring to the highway on the schema 

ExpressRoute establishes a private connection to Azure through a dedicated connection provided by a connectivity provider. A virtual network gateway must be configured. 

Note: the gateways need a dedicated subnet in the virtual network. 

Scenario 2: Connection Vnet2Vnet

Referring to the connection between Vnet1 – Vnet2 and Vnet1 – Vnet3. 

By default each subnet within the same Vnet can communicate. 

There is 2 ways to link two Vnets : 

  • Peering connection (illustrated by hand clamp between Vnet1 and Vnet2) interconnects Vnets using the Microsoft backbone infrastructure.  
  • VPN connection (case for Vnet1 and Vnet3) implies setting up two VPN gateways in both Vnets. 

Scenario 3: Resources Protection

Referring to the shield on device 17 in Vnet3. 

Network Security Group (NSG) allows control on inbound and outbound network traffic to and from Azure resources, such as virtual machines (VMs), subnets, and network interfaces. 

Referring to the shield surrounding hotels, device with the same functionality, in the Subnet3-2 

Application Security Groups (ASG) in Azure group VMs with similar roles for traffic filtering based on applications. Within a NSG, traffic can be allowed or denied according to the ASG, with the option to associate an ASG either to a NIC or a subnet. 

Scenario 4: Vnets Protection

Referring to the wall surrounded Vnet1. 

Azure Firewall and NVA (Network Virtual Appliance)  play both a role in protecting virtual networks 

Azure Firewall protects virtual network against threats and resides inside a specific subnet.  

However, Network Virtual Appliances (NVAs), virtualized instances provide advanced features responding to specific security requirements by offering a more customizable solution. 

Scenario 5: Use of custom route  

Referring to road from internet to Subnet1-2 in Vnet1. 

In Azure, it is possible to direct the traffic in specific places by creating customs route. One use case could be to direct the traffic through a firewall or NVA for inspection and enforcement. 

Scenario 6: Outbound Communication (Vnet to Internet) 

Referring to the connection with the mask from Subnet1-2 in Vnet1 to internet. 

Azure NAT Gateway (stands for Network Address Translation) allows resources within a VNet to initiate outbound connections to the internet, while masking their private IP addresses behind a public IP address assigned to the NAT gateway.  

A NAT Gateway has its own subnet. It is not represented on the figure since Firewall already include a NAT. 

Scenario 7: Inbound Communication (Internet to VNet):

Referring to the traffic light between internet and device 12 in the Vnet”.  

Azure Load Balancing services distribute incoming internet traffic to specific resources within the VNet using uses health probes to monitor the availability of backend instances and automatically adjusts traffic distribution based on the health status of those instances.  

There are four components behind the Azure Load Balancing services: 

Azure Load Balancer: Distributes traffic across healthy resources within a region 

Azure Application Gateway: Routes traffic based on predefined rules 

Azure Front Door: Optimizes global internet traffic flow across regions to offer the best performance 

Azure Traffic Manager: Routes DNS traffic to the closest healthy backend service for global users, enhancing availability. 

Scenario 8: Connectivity to Azure services 

Two methods allow connectivity between Azure Resources and Azure Services. 

  • Azure Public Endpoints 

Referring to the link between resources linked to the Azure Services having a pin yellow: the door is opened. 

A pin represents a resource from a specific service in Azure services.  

A public endpoint is an access point, owning a public address, that is exposed to the public internet requiring an access key or authentication.

  • Azure Private Endpoints 

Referring to the link between the green pin in Azure services and the Vnet2: the door is closed. 

Azure Private Endpoints allow clients to access data securely from Vnet one resource from a specific service (one storage account for example) over a Private Link. Private Endpoint is assigned a private IP address from the virtual network. The communication is done via a NIC (Network Interface Card) represented by a window on the figure. With this service traffic doesn’t leave the Vnet. 

  • Azure services endpoints 

Referring to the link between resources with red pins in Azure services and Vnet2. 

A service endpoint allows resources having a private IP address, like virtual machines, to be able to communicate directly with Azure Services (like storage accounts). It is a connection between a Vnet and all the resources from a specific service. The connection will use the public IP of the specific resources from the service and will allow only traffic coming from Vnet.  

Closing

In the world of Azure networking the big idea is to make sure things connect smoothly and safely.  

Meet with our experts 

If you need personalized help to start or improve your Azure Network Topology, feel free to contact our experts. Together, we can transform your digital landscape, optimize Azure connectivity, and unlock new possibilities for your organization. 

Gaelle Jakubowski

Consultant @ Lytix