Microsoft Azure Virtual Network (VNet) enables you to extend your on-premises networks into the cloud, providing access to the services and applications you run in Azure. With VNet, you can create isolated, private subnets on one or more Azure virtual networks and connect these subnets back to your premises over an IPsec VPN connection or ExpressRoute connection.
The topics covered in this blog are:
- What Is Azure Virtual Network?
- Azure VNet Key Concept
- Why use an Azure Virtual Network?
- Azure Virtual Network Components
- How Does it Work?
- Azure VNet Best Practices
- Azure Virtual Network Advantages
- Pricing of Azure VNet
What Is Azure Virtual Network?
Azure Virtual Network (VNet) is the foundation for constructing a secure network of Virtual Machines (VM) in Azure. VNet has many similarities to a traditional network that you would construct in your own data center, but it brings with it benefits of Azure’s infrastructure that isn’t necessarily possible to achieve when doing this on-premises, such as scalability and availability.
This creates an ideal environment for you to build cloud solutions on.
Azure VNet Key Concept
VNet uses the following fundamental concepts that include networks, subnets, regions, and subscription-based services.
1. Address Spaces: With VNet, you are using public and private (RFC 1918) address space to identify your custom IP address range. Azure allocates an IP address within this range to resources in your virtual network.
2. Subnets: By creating ‘subnets’, or smaller networks within a larger network, you can allocate different Azure resources to each subnet. For example, you could host the actual web servers in one subnet (for security concerns) but have the backend database servers in another subnet for performance reasons.
3. VNet operates as a single location with no physical locations spread out around the world, but you can connect your VNets from multiple locales using Virtual Network Peering.
4. Subscriptions: When you rent a virtual network (VNet), you can deploy multiple networks in different Azure regions. These networks exist within the same subscription, which is associated with your billing. This means that costs will grow every time you create new sites or add more users, HDInsight clusters, etc.
Check Out: Microsoft Azure Certification path in 2022
Why use an Azure Virtual Network?
Virtual Network is a very useful and powerful tool. You will enjoy its functionality that allows you to communicate with the Internet, Azure resources, and on-premises network by using Virtual networks, Subnets, Point-to-Site VPN tunnels.
1. Communicate with the Internet: All resources in a VNet can communicate with the outside world, by default. To secure them, you assign a public IP address or a public Load Balancer. If you assign a public IP address or public Load Balancer, you secure the VNet. You can also use public IP to secure your communications inside the VNet and manage outbound connections.
2. Communicate between Azure Resources: Azure resources communicate soundly with each other in these ways-
- Through a Virtual Network- You can deploy virtual machines and other Microsoft Azure services that you’ve created, including Azure App Service Environments, the Azure Kubernetes Service (AKS), and Virtual Machine Scale Sets, to a virtual network.
- Through a Virtual Network Service Endpoint– Enhance your virtual network by extending it to directly connect with your cloud service resources like Azure storage accounts, Azure SQL databases, and so on. Service endpoints allow you to secure these cloud service resources specifically for a virtual network to avoid being accessible by assets outside the virtual network.
- Through VNet Peering– You can connect virtual networks so that resources in either virtual network can communicate with one another. These connected virtual networks will have the same, or different, customers. They also can be implemented into the same, or different, Azure regions.
3. Communicate with On-Premises Resources: You can network your computers using any combination of the following options:
- Point-to-site Virtual Private Network: Established between a virtual network and a single computer within your company. Any computer, such as one belonging to an employee working for your company, can connect to the virtual network provided it has been configured for communication with the virtual network. Communication between the computer which is already connected and the company’s virtual network is sent through an encrypted tunnel over the internet.
- Site-to-site VPN: Established between your on-premises VPN device and an Azure virtual network. This connection type enables any on-premises resource that you authorize to access Azure. The communication between your on-premises VPN device and an Azure Networking Device is sent through a secure tunnel over the internet so that only authorized resources from your on-premises network can access the virtual network.
- Azure Express Route: You can add remote Azure regions with an ExpressRoute connection. This method is especially useful for data residency and sensitive workloads.
4. Filter Network Traffic: You can filter network traffic between subnets using either or both of the following options:
- Network Security Groups: There are other ways to improve network security that don’t necessarily involve a dedicated firewall. Application security groups and network security groups provide rules for inbound and outbound traffic for defining what is transmitted over a Vlan or trust boundary.
- Network Virtual Appliances: A network virtual appliance is a virtual machine that provides functionality to the network. This can be a WAN optimization tool, firewall, or some other network utility. Click the Launch Network Virtual Appliance data center icon along the top toolbar to view any virtual appliances on sale as well as in-house cloud tools you can use for free.
5. Route Network Traffic: Azure routes traffic between subnets, connected virtual networks, on-premises networks, and the Internet. However, you can avoid having Azure automatically route traffic within your network by implementing either or both of the following options to override the default routes Azure creates:
- Route Tables: You can create custom route tables that help you handle traffic and network control by monitoring the flow of information. Deploy virtual machines within an infrastructure service. This will give users a private entry point into the network and allow them to access their applications from either on-premises or from cloud networks.
- Border Gateway Protocol (BGP) Routes: If you connect your virtual network to your on-premises network using an Azure VPN gateway or ExpressRoute connection, you can propagate your on-premises BGP routes to your virtual networks. Also, BGP is a protocol for exchanging routing and reachability information among autonomous systems (AS), which is commonly referred to as “border routers.”
6. Virtual Network Integration for Azure Services: Integrating Azure services to an Azure virtual network enables private access to the service from virtual machines or compute resources in the virtual network.
You can make your own decisions about how you want to implement Azure services in your virtual network, with complete transparency available on what it is that you’re going to be getting yourself into. There are different options when it comes down to integrating Azure services and these include:
- Deploying dedicated services onto a private network where they can be accessed privately on the network and elsewhere externally. These dedicated instances are commonly accessed by business networks and customers, who can both benefit from privacy.
- Using Private Link to access a VM that is hosted in another datacenter (either yours or your customers’ datacenter) over an encrypted connection.
- You can access this service either by extending the virtual network to it or service endpoints that enable the resources within that certain service to be secured to your virtual network.
Also Read: Our Blog post on Azure Blueprints
Azure Virtual Network Components
Key components of Azure VNets, include:
1. Subnets: Subnets allow you to divide a virtual network into one or more subnet networks and assign each one a piece of the virtual network’s address space. Azure resources are deployed to a specified subnet that is partitioned using VNet address space. A subnet can further be divided into:
- Private Subnet: A network in which there is no internet access.
- Public Subnet: A network in which there is internet access.
2. Network Security Groups (NSG): Use to admit or reject traffic (inbound or outbound), through rules, to a subnet or network interface. Any Azure virtual network can be assigned to a security group, which can be configured with distinct incoming and outgoing rules to allow or restrict certain kinds of traffic. For each rule, you can define source and destination, port, and protocol.
How Does it Work?
- First, you create a virtual network.
- Then, in this virtual network, you build subnets.
- You correlate each subnet with the relevant Virtual Machines or Cloud Instances.
- Attach the required Network Security Group to each subnet.
- Set the properties in the NSGs and you’re done!
Azure VNet Best Practices
As you develop your network in Azure, it is crucial to bear in mind the following universal design principles:
- Ensure that no address spaces overlap. Make sure your VNet address space (CIDR block) does not intersect or overlap with any other network ranges in your organization.
- Your subnets should not encompass the whole address space of the VNet. Plan ahead and save some address space for the future.
- It is advised you have fewer big VNets rather than several tiny VNets. This will avoid management overhead.
- Secure your VNets by assigning NSGs to the subnet’s underneath them.
Azure Virtual Network Advantages
Some of the primary advantages of using Microsoft Azure VNet are as follows:
- It creates a secure environment for your apps.
- We can simply route traffic from resources
- It is a very secure network
- It has strong network connectivity.
- It creates complex network topologies in a straightforward way.
Also Read: Our blog post on Azure Resource Group
Pricing of Azure VNet
There is no price for utilizing Azure VNet, it is free of cost.
- Standard costs are applied for resources, such as VMs and other products.
- You are charged for both the public and reserved IP addresses inside your VNet.
- VNet Peering charges for both incoming and outgoing data.
Check Out: Microsoft Official Pricing DOC
A virtual network is a collection of IP addresses joined together in a range. It is a crucial factor of consideration when creating solutions on the cloud. In order to protect each layer of application architecture within a highly secured network, it is advised to build various subnets for different tiers of an application and associate each subnet with a network security group with restricted incoming and outgoing security rules.