Skip to content

Latest commit

 

History

History
117 lines (92 loc) · 4.75 KB

2.5. Virtual Networks.md

File metadata and controls

117 lines (92 loc) · 4.75 KB
Raw

Virtual Networks

Networking in Azure

  • IaaS (Infrastructure as a Service)
  • Virtual networks are software defined logical isolation that mimics the hardware.
  • Virtual networks are defined with address space and at least 1 subnet.
    • 💡 Use an address space that is not already in use either on-premises or in other VNets.
    • If it overlaps => you will have to reconfigure or recreate the VNet.
    • How many to choose? Be carefull!
      • 💡 A best practice: "one octet further in"
      • E.g.: VNet (11.0.0.0/ 8 ) => Subnet (11.1.0.0.0/ 16 )
  • ❗ Limitations:
    • By default, you can create up to 50 virtual networks per subscription per region, you can contact support to increase it to 500.
    • A virtual network and its resources are scoped to a single region and single subscription.
      • However, different VNETs from different regions can communicate through global peering.
    • When you move VNet to another resource group, you must move all of its dependencies.
  • Name resolution in a VNet:
    1. Azure-provided (default)
    2. Custom DNS server
      • E.g.: Deploy a DNS server and type its address.

Filter network traffic

Security groups

  • Control inbound / outbound rules
  • Network Security Groups
  • Application security groups (on application level)

Network virtual appliance (NVA)

  • A network virtual appliance is a VM that performs a network function, such as a firewall, WAN optimization, or other network function.
  • They're often used in DMZ (perimeter network)
    • DMZ: Security zone protects internal network from an untrusted network.

Routing

Route tables

  • Associated to one or more subnets.
  • Defines routes = where next hop will go
    • If matching route can't be found, the packet is dropped.

System routes

  • Azure manages following situations with system routes:
    • VM <=> VM in same subnet
    • VM <=> VM in different subnet in same VNet
    • Internet <=> VM
    • VNet-to-VNet VPN communication between VMs
    • Site-to-Site and ExpressRoute communication through the VPN gateway.

Custom routes

User-defined routes (UDRs)

  • To a virtual appliance (router, firewall, WAN optimization)
  • Appliance between subnets tier (front-end back-end) or (subnet internet)
  • 💡 Deploy virtual appliance to different subnet. If it's in same subnet where it's routed it can result in routing loops where traffic never leaves the subnet.

Border gateway protocol (BGP)

  • Standard protocol commonly used.
  • Routes are automatically added to route table.
  • Obligatory with Express Route, optional with VPN Gateway
  • Support multiple tunnels.
  • Provides transit routing between on-prem <=> Azure VNet via VPN gateway.
    • Transit route: A->B & B->C => A->C
  • You can propagate your on-premises BGP routes to your virtual networks through Azure VPN Gateway or ExpressRoute connection.

How Azure selects a route

  • Routing algorithms:
    • If address matches multiple routes then Azure makes decision based on:
      1. Prefix match algorithm: Less range is selected.
      2. Route priorities (if prefixes are the same)
        • User-defined route > BGP route > System route
  • 0.0.0/0 address prefix => Routed to internet by default (can be overridden).

Azure Gateways

  • They're used to exit & come back in to private network.
  • Requires gateway subnet to exist to the VNet
  • ❗ Do not associate NSG on gateway subnet.

Azure Application Gateway

  • Layer 7 load balancers / reverse proxies
  • ❗ Works with different availability zones but only across same region.
  • Supports:
    • SSL termination: Traffic flows unencrypted to the back-end servers.
    • Connection draining: Remove back-ends using REST or they're removed automatically if their health status is not ok.
    • Custom error pages, Web application firewall, URL-based routing, multiple-site hosting, redirection, session affinity, websocket, rewrite HTTP headers

Azure Virtual Network Gateway

  • It's assigned to a VNet in a gateway subnet.
    • A VNet can have 1 gateway subnet and only 1 gateway in it.
  • Used for Azure <=> Azure or Azure <=> On-prem
  • Traffic goes through public internet
    • Requires public IP.
  • Two types: VPN, ExpressRoute
    • Azure VPN Gateway
      • Encrypts & routes the traffic via IPSec/IKE (better than SSL)
      • Between two or more virtual machines in gateway subnets.
  • 📝 Types:
    • PolicyBased
      • Also called static routing
      • IPSec policies decides where/whether to send.
    • Route based
      • Route table decides where/whether to send.
      • Also called dynamic routing
      • Required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
  • SKU
    • Limits the number of tunnels you can have and the aggregate throughput benchmark.
    • ❗ Basic has no public IP.