Learning Series on Azure Cloud Basics
Azure Virtual Network (VNet)
- Software-defined network backed up by a big physical network infrastructure.
- VNet is scoped to a subscription
- Is contained within a resource group and is hosted within a region can span across Availability Zones.
- The smallest supported IPv4 subnet is /29, and the largest is /8 (using CIDR subnet definitions). IPv6 subnets must be exactly /64 in size.
- Virtual networks also facilitate connectivity to on-premises DCs, which are technically called hybrid clouds.
- Multicast and broadcast are not supported.
- There are multiple types of VPN technologies that you can use to extend your on-premises datacenters to the cloud, such as site-to-site VPN and point-to-site VPN.
- VNet by default uses Azure DNS
- Subnets provide isolation within a virtual network.
- Azure Network Watcher
- Network performance can be monitored through Log Analytics.
- NSG filter network traffic to and from Azure resources in an Azure virtual network.
- User-defined routing (UDR) and IP forwarding
- To make a resource communicate across regions, we need dedicated gateways at both ends to facilitate conversation.
- Azure virtual networks can connect to on-premises DCs using VPN technology and ExpressRoute.
- Azure Firewall is a fully managed Firewall as a Service offering from Azure.
- threat intelligence feature of Azure Firewall can be used to alert and deny traffic from or to malicious domains or IP addresses.
- Azure Firewall is Payment Card Industry (PCI), Service Organization Controls (SOC), International Organization for Standardization (ISO), and ICSA Labs compliant.
Network security groups
NSGs are the primary means of enabling security for virtual networks. They can be attached to virtual network subnets, and every inbound and outbound flow is constrained, filtered, and allowed by them.
Virtual network service (Azure Services)tags
- Design rules with pre-build tags, you don’t have to worry about Public IP ranges for Azure Services
Application security groups
- Application security groups enable you to configure network security as a natural extension of an application’s structure, allowing you to group virtual machines and define network security policies based on those groups.
Virtual network service endpoints
A service endpoint allows VNet resources to use private IP addresses to connect to an Azure service’s public endpoint, in this case traffic flows to the service resource over the Azure backbone network not on the public network.
- VNet peering uses the Microsoft backbone network, which eliminates the need for the public internet.
- If you would like to initiate a private connection between two networks in different regions, you can use Global VNet peering.
With Global VNet peering, the communication is done via Microsoft’s backbone network, which means no public internet, gateway, or encryption is required during the communication.
Virtual network peering, which is similar to Global VNet peering; the only difference is that the source and destination virtual networks are deployed in the same region.
Gateways are used in scenarios where encryption is needed and bandwidth is not a concern.
- P2S uses the public internet.
- Established between a virtual network and a single computer in your network.
- Each computer that wants to establish connectivity with a virtual network must configure its connection.
Site-to-Site VPN (S2S)
- S2S uses the public internet.
- Established between your on-premises VPN device and an Azure VPN Gateway
- VPNs use IPSEC to provide a secure connection between your corporate VPN gateway and Azure.
- VPN does not use the public internet.
- Dedicated private connection[Connectivity Provider]