Azure Virtual Network (VNet) is a fundamental component of Azure's cloud computing platform. It allows you to create a virtual network in the cloud, similar to a physical network in your own datacenter.
A VNet is a logical isolation of a network in Azure, which can be used to segregate your resources and improve security. VNets can be used to connect your on-premises networks to Azure, or to create a network within Azure for your cloud resources.
To create a VNet, you need to specify a unique name, a location, and an address space. The address space is the range of IP addresses that will be used by your virtual network.
Azure VNet Basics
An Azure Virtual Network (VNet) is a fundamental building block for creating your network within the Microsoft Azure cloud platform. It allows services and Virtual Machines to interact securely with one another.
A VNet is created to provide a secure environment to run virtual machines (VMs) and applications. You can optionally connect to on-premises datacenters for a hybrid infrastructure that you control.
The components of Azure Networking include Subnets, Routing, and Network Security Groups. Subnets are used to organize and manage your network resources, while Routing allows you to control the flow of traffic between subnets. Network Security Groups provide a way to filter network traffic and control access to your resources.
You can create a VM with multiple NICs, and add or remove NICs through the lifecycle of a VM. Multiple NICs allow a VM to connect to different subnets.
What Is?
An Azure Virtual Network (VNet) is a fundamental building block for creating your network within the Microsoft Azure cloud platform. It allows services and Virtual Machines to interact securely with each other.
A VNet provides a way to create a private network in the cloud, which can be used to run virtual machines and applications. You can also connect to on-premises datacenters for a hybrid infrastructure that you control.
The key scenarios that you can accomplish with a virtual network include communication of Azure resources with the internet, communication between Azure resources, communication with on-premises resources, filtering of network traffic, routing of network traffic, and integration with Azure services.
Some of the main components of Azure Virtual Network include Subnets, Routing, and Network Security Groups. These components provide a range of functionalities that can help companies build efficient cloud applications that meet their requirements.
Here are some of the benefits of using an Azure virtual network:
- Communication of Azure resources with the internet
- Communication between Azure resources
- Communication with on-premises resources
- Filtering of network traffic
- Routing of network traffic
- Integration with Azure services
IP Address
In Azure, there are two types of IP addresses: Public IP and Private IP. Private IP addresses allow communication between resources within the same Azure resource group, while Public IP addresses enable Azure resources to communicate with public-facing Azure services via the Internet.
Private IP addresses are used for resources like VM Network Interface, ILB (Internal Load Balancer), and Application Gateway. Public IP addresses, on the other hand, are used for resources like VM Network Interface, Public Facing ILB, Application Gateway, VPN Gateway, and Azure Firewall.
Azure offers two allocation methods for IP addresses: Dynamic IP and Static IP. Dynamic IP is the default method, which assigns an available IP address from the subnet's address range. This IP address can change over time. Static IP, on the other hand, assigns a fixed IP address from the subnet's address range.
Here's a comparison of Dynamic IP and Static IP:
A network interface (NIC) is the connection between a virtual machine and a virtual network. A virtual machine must have at least one NIC, and it can have more than one NIC depending on the VM size.
Permissions
To create a virtual network peering, you'll need to know about the required permissions. To learn about these permissions, see the section on Permissions.
In Azure, permissions are crucial for managing your virtual networks. This is because different actions require different levels of access.
To get started with virtual network peering, you'll need to have the necessary permissions in place. This ensures that you can create and manage your peering connections without any issues.
Creating and Managing VNet
Creating an Azure Virtual Network is a straightforward process, and with Azure Virtual Network Manager, you can centrally manage virtual networks across regions and subscriptions from a single pane of glass.
You can create and manage virtual networks to define management scope, create and manage hub-and-spoke and mesh networks, and enforce security requirements.
To create a virtual network, log into your Azure Portal by browsing to portal.azure.com, search for Virtual Network, and click on +Create.
Enter all the required details on the basic tab, and then click on Review + Create, followed by Create.
Once created, you can manage your virtual network resources, including network security rules, globally across subscriptions and regions.
You can also simplify deployment of configurations to test in specific regions.
Here's a step-by-step guide to creating an Azure Virtual Network:
- Log into your Azure Portal
- Search for Virtual Network
- Click on +Create
- Enter required details on the basic tab
- Click on Review + Create
- Click on Create
- Go to resource to see your created Virtual Network
You can also connect your on-premises datacenter to the cloud using an IPsec VPN or Azure ExpressRoute, allowing you to securely connect to a virtual network and authenticate customers for secure access to an on-premises Microsoft Entra ID service.
To launch an instance using Azure VNet, create a virtual network, create subnets, assign each subnet with the respective instance/Virtual Machine, connect the instance/VM to a relevant Network Security Group, and configure properties within the network security and set policies if required.
VNet Configuration and Settings
A Virtual Network (VNet) in Azure is a virtualized network that allows you to create a secure and isolated environment for your resources.
To create a VNet, you need to specify a unique name, a resource group, and a location. You can also choose from various IP address spaces, such as IPv4 and IPv6.
Azure VNets support multiple subnets, which you can use to organize your resources and improve network security. Each subnet has its own IP address range and can be isolated from other subnets.
IP Allocation
IP Allocation is an essential aspect of VNet configuration, allowing you to manage how IP addresses are assigned to your resources. There are two allocation methods available: Dynamic IP and Static IP.
Dynamic IP is the default allocation method, which enables Azure to automatically assign an available and unreserved IP address from the subnet's address range. This means the IP address can change over time.
Static IP, on the other hand, allows you to custom allocate an available and unreserved IP address from the subnet's address range. This IP address remains fixed and does not change over time.
Here's a summary of the two allocation methods:
By understanding the differences between Dynamic IP and Static IP, you can make informed decisions about how to configure your VNet for optimal performance and manageability.
Subnet
A subnet is a part of a network that covers a range of IP addresses. In Azure, a VNet can be divided into smaller subnets for organizations.
You can divide a virtual network into multiple subnets for organization and security. Each NIC in a VM is connected to one subnet in one virtual network.
Subnets are ranges of IP addresses within a virtual network. The IP address range will be a subpart from a big block of IP Address used in Virtual Network (VNet).
Here are the methods to create a virtual network and subnets:
Subnets have address ranges that are private and can't be accessed from the Internet. Azure treats any address range as part of the private virtual network IP address space.
You can use Network Security Groups (NSGs) to control the traffic flow to and from subnets and to and from VMs if your deployment requires security boundaries.
The IP addresses in a subnet are not fixed and can change with time if you use a Dynamic IP allocation method.
Interface
In Azure, a Network Interface (NIC) is a virtual ethernet card that helps communicate Virtual Machines in a network. It's automatically created when a Virtual Machine is created with default settings.
A virtual machine must have at least one NIC, and it can have more than one NIC depending on the size of the VM. To learn about the number of NICs each virtual machine size supports, see VM sizes.
Each NIC attached to a VM must exist in the same location and subscription as the VM. This means you can't create a NIC in one location and attach it to a VM in another location.
You can create a VM with multiple NICs, and add or remove NICs through the lifecycle of a VM. This allows a VM to connect to different subnets. Each NIC attached to a VM is assigned a MAC address that doesn't change until the VM is deleted.
Here are the methods you can use to create a network interface:
Nat Gateway
A NAT Gateway is a resource that simplifies outbound internet connectivity for virtual networks, while keeping VMs and compute resources private.
It automatically scales IP addresses needed for outbound connectivity, minimizing the impact to network bandwidth of compute resources using software-defined networking.
You can configure a NAT Gateway on a subnet to use your specified static public IP addresses for all outbound connectivity.
This means you don't need a load balancer or public IP addresses directly attached to virtual machines.
A NAT Gateway is fully managed and highly resilient, making it a reliable choice for your virtual network.
You can define outbound connectivity for each subnet with a NAT Gateway, and multiple subnets within the same virtual network can have different NATs.
To configure a NAT Gateway, you can specify which NAT gateway resource to use for a subnet.
Here are the methods you can use to create a NAT gateway resource:
A NAT Gateway automatically processes all outbound traffic without any customer configuration, making it easy to set up and use.
VNet Connectivity and Peering
VNet connectivity and peering are crucial for securely connecting virtual networks and resources in Azure. Virtual Network peering enables you to connect two or more virtual networks in Azure, allowing for seamless data transfer between deployment models, subscriptions, Active Directory tenants, and regions without downtime or failure.
This type of peering uses Microsoft's backbone infrastructure and routes traffic through a private network, eliminating the need for gateways, encryption, or the public internet. There are two types of Virtual Network Peering: Regional VNet Peering and Global VNet Peering.
Regional VNet Peering is used when the two networks are in the same region, while Global VNet Peering is used when the networks are in different regions.
Resources in peered virtual networks can directly connect with each other, and network latency between virtual machines in the same region is the same as within a single virtual network. Network throughput is based on the bandwidth allowed for the virtual machine, proportionate to its size.
Here are the key benefits of Virtual Network Peering:
- Enforce privacy for global resources on virtual networks.
- Include on-premises networks using Azure high-speed networking.
- Direct connectivity between virtual machines in peered virtual networks.
- No extra restriction on bandwidth within peering.
You can apply network security groups in either virtual network to block access to other virtual networks or subnets, and full connectivity is the default option.
VNet Security and Firewall
Azure VNet security is a top priority for any organization, and for good reason - after all, who wants their sensitive data compromised? Encryption is a must, and Azure Virtual Network encryption is a great place to start. This adds an extra layer of protection for your data in transit.
Network Security Groups (NSGs) are like firewalls that protect your virtual machines by limiting network traffic. They restrict inbound and outbound traffic depending on the destination IP addresses, port, and protocol. This is especially useful for controlling access to your virtual network.
Here's a quick rundown of the key properties of an NSG rule:
By understanding how NSGs work, you can create a robust security posture for your Azure VNet.
Enhance Security
To enhance security, you can run virtual machines and applications in an isolated and highly secure manner while using private IP addresses. This is a great way to protect your resources.
Azure provides various protection methods for securing a service in a network, including Network Security Groups. These groups can be thought of as firewalls that protect virtual machines by limiting network traffic.
A Network Security Group (NSG) acts like a firewall at the network level, filtering traffic passing through Azure Resources in a virtual network. NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to subnets, NICs, or both.
NSGs contain two sets of rules: inbound and outbound. Each rule has properties such as protocol, source and destination port ranges, address prefixes, direction of traffic, priority, and access type. These rules enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.
You can associate an NSG to a NIC or a subnet, and the network access rules in the NSG are applied only to that NIC or subnet. If an NSG is applied to a single NIC on a multi-NIC VM, it doesn't affect traffic to the other NICs.
Here are the methods you can use to create a network security group:
By using these methods and understanding how NSGs work, you can create a robust security posture for your Azure resources.
Bastion
Azure Bastion is a secure way to manage virtual machines in a virtual network, allowing you to RDP and SSH directly from the Azure portal.
Azure Bastion enables connections without exposing a public IP on the VM, making it a secure option for managing your virtual machines.
You can create an Azure Bastion deployment using the Azure portal, Azure PowerShell, Azure CLI, or a template.
Here are the methods you can use to create an Azure Bastion deployment:
Hourly pricing for Azure Bastion starts from the moment it's deployed, regardless of outbound data usage.
Frequently Asked Questions
What is the difference between a subnet and a virtual network?
A subnet is a subset of IP addresses within a virtual network, while a virtual network is the larger, overarching network that contains multiple subnets. Think of it like a city with multiple neighborhoods, where each neighborhood is a subnet and the city is the virtual network.
What is the difference between virtual WAN and virtual network in Azure?
Virtual WAN and virtual network in Azure differ in scalability, with Virtual WAN supporting up to 1,000 branch connections and 20 Gbps per hub, compared to the 100 tunnel limit of a virtual network gateway VPN
Is VNet a VPN?
VNet is not a traditional VPN, but it uses a VPN gateway to create a secure connection with IPsec/IKE. This secure connection allows VNet to communicate with other virtual networks and on-premises locations.
Sources
- https://azure.microsoft.com/en-us/products/virtual-network
- https://k21academy.com/microsoft-azure/azure-networking/
- https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
- https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
- https://learn.microsoft.com/en-us/azure/virtual-network/network-overview
Featured Images: pexels.com