Azure Networking Overview

Networking is a key aspect of any Azure solution, as it allows you to connect your resources to the internet and to other resources within your Azure solution. There are several networking options available in Azure, and we are going to discuss them in this article. That might make the article lengthy, but hopefully you can pull some value out of it. I also feel it necessary to point out that I have not included images in the article below, as I have not had a chance to create some of my own and don’t want to steal anything from someone else. A future edit might change this.

I am going to break them into a classification system that I find helpful, though I am not sure that Azure officially classifies them this way. To me there are four categories that networking on Azure can be broken into…

  • Connectivity Services
  • Delivery Services
  • Protection Services
  • Monitoring Services

CONNECTIVITY SERVICES

Virtual Networks (VNets) 

Virtual Networks are the way to simulate what you might think of as a work environment/domain/network “in the cloud”. Virtual networks (VNets) allow you to create a virtual network in Azure, and then connect your resources to that network. VNets provide a way for your resources to communicate with each other and with the internet.  

Here are some key elements of VNets… 

  • VNets are Isolated: VNets are isolated from other VNets and from the public internet, which helps to secure your resources and protect them from external threats. 
  • VNets can be connected to on-premises networks: You can use VPNs to connect your on-premises network to your Azure VNet, which allows you to extend your on-premises network into the cloud. 
  • VNets can be used to create a hybrid cloud environment: By connecting your on-premises network to your Azure VNet, you can create a hybrid cloud environment that allows you to use the best of both worlds. 
  • VNets can be customized: You can customize your VNet to meet the specific needs of your Azure solution. You can choose the address range, subnet sizes, and other network settings to create a VNet that meets your needs. 
  • VNets can be used to connect resources in different regions: You can use VNets to connect resources in different Azure regions, which allows you to create a global Azure solution. 

Subnets deserve a mention here, but to me they are just a subset (see what I did there) of a specific VNet. They are used to segment a single VNet into many distinct groups, each with its own addressing. These subnets can then be operated on individually or as a complete VNet, depending on what you are doing. Subnets can also be allowed to communicate with each other or not, depending on what you are trying to accomplish.

_________________________

Network Peering

If you need to span a network across regions or even globally (aka you want Resource AAA in the EU region to be able to see Resource BBB in the US Central region), then you could use Network Peering to connect the VNets in the two regions and allow them to communicate. It is important to note, though, that a VPN might be a better choice depending on the situation.

With Network Peering you have the choice of one-way or two-way traffic between the two chained VNets. When you set up a two-way “peering”, you will find an entry for the peering on the resource page of both VNets. If you were to delete the entry from one VNet, the “peering” becomes one-way.

Although you can cross regions with peerings, that can become really expensive due to the added cost. A cross-region peering is called Global Peering.
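Here is an added example in Bicep (Azure’s infrastructure-as-code language), not from the original post, that covers both the VNet/subnet section above and this peering section: two VNets in different regions, each with one subnet, peered in both directions. The names, regions and address ranges are made up; a peering only reports Connected once the matching child resource exists on the other VNet.

```bicep
// Added example (not from the article): two VNets in different regions, each with one
// subnet carved from its range, peered in both directions. Names and ranges are made up.
param locationEu string = 'westeurope'
param locationUs string = 'centralus'

resource vnetEu 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-eu'
  location: locationEu
  properties: {
    addressSpace: { addressPrefixes: [ '10.1.0.0/16' ] }   // must not overlap the peer's range
    subnets: [ { name: 'snet-app', properties: { addressPrefix: '10.1.0.0/24' } } ]
  }
}

resource vnetUs 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-us'
  location: locationUs
  properties: {
    addressSpace: { addressPrefixes: [ '10.2.0.0/16' ] }
    subnets: [ { name: 'snet-app', properties: { addressPrefix: '10.2.0.0/24' } } ]
  }
}

// A peering is a child of the VNet it is created on. This half alone leaves the link
// in the Initiated state; the mirror-image resource below is what makes it Connected.
resource peerEuToUs 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: vnetEu
  name: 'eu-to-us'
  properties: {
    remoteVirtualNetwork: { id: vnetUs.id }
    allowVirtualNetworkAccess: true   // traffic between the two address spaces is allowed
    allowForwardedTraffic: false      // no transit traffic from networks behind the peer
    allowGatewayTransit: false
    useRemoteGateways: false
  }
}

resource peerUsToEu 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: vnetUs
  name: 'us-to-eu'
  properties: {
    remoteVirtualNetwork: { id: vnetEu.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: false
    allowGatewayTransit: false
    useRemoteGateways: false
  }
  dependsOn: [ peerEuToUs ]   // serialize the two halves to avoid a concurrent-update conflict
}
```

Because the two VNets are in different regions, this deployment creates a Global Peering, which is the more expensive kind mentioned above.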

_________________________

Virtual Private Network (VPN) 

Connecting two networks as if they were on the same network via an encrypted private tunnel.  

This can be set up as your on-premises network having a VPN tunnel to your Azure network, or it could instead be set up between users at home and the Azure environment (this can be done with the Azure VPN Gateway service). Azure VPNs use a component called a Network Gateway that is typically managed and controlled by the company’s IT team.

Azure VPN Gateway is an alternative to network peering, but it functions differently, so the choice needs to be made based on the desired outcome. There are four different types of VPN setups you will typically encounter.

  • Site-to-site: Establishes a VPN tunnel between two sites (on-prem and Azure).
  • Multi-site: VPN tunnels between Azure and multiple on-prem sites.
  • Point-to-site: Establishes a VPN tunnel from a single device to a site.
  • VNet-to-VNet: A tunnel between two Azure VNets.

_________________________

ExpressRoute 

ExpressRoute is a high-speed private connection to Azure. This connectivity option is more secure than a VPN, and more stable with lower latency. However, this comes with a jump in cost.

There are two main flavors, Azure ExpressRoute and ExpressRoute Direct. Both offerings work on the same principle, but they differ in terms of the underlying infrastructure.

Azure ExpressRoute is a service that allows for private connections between an organization’s on-premises infrastructure and Microsoft Azure data centers. ExpressRoute connections can be established through a variety of partners, such as telecommunications companies or network service providers, and these partners typically manage the connection on your behalf.

Azure ExpressRoute Direct, on the other hand, is a service that allows for private connections to be established directly between an organization’s on-premises infrastructure and Microsoft Azure data centers, bypassing the need for a partner. ExpressRoute Direct utilizes Microsoft’s global network, which is built on top of the Azure backbone, to provide more control, reliability, and predictability for customers. 

DELIVERY SERVICES

Content Delivery Network (CDN) 

Stores common static files “on the edge”, closer to the users, for improved performance. So this is specifically used for fast response and load times.

So, what is happening on the backend? Well in your network you typically would have a central storage location (say in the US). However, if a group of your company’s users in Germany need quick access to the data, then you can replicate that data to a “Point of Presence” (PoP) near Germany for those users. 

When that file is pushed to the PoP it is given a “Time to Live” (TTL). When that TTL expires, the PoP pulls a new copy from the central storage location to ensure it has an up-to-date copy. The TTL is also refreshed automatically if a user accesses that file, because the PoP re-pulls the file from central storage at that point.

A CDN is especially useful for large files like videos and photos so that you are not having to wait for long downloads when accessing your files.

_________________________

Load Balancer 

The Load Balancer’s main task is to distribute traffic evenly. This can be between many backend server VMs or other types of cloud services. Clients then see only a single network address for all of the servers behind the load balancer. Using a load balancer can also bring redundancy if one VM were to fail, or if you need to add more servers and want them all grouped.

It is also important to note that you can “chain” these different load balancer types together to create a fully fleshed-out system.

There are four types of load balancers that Azure offers…

Azure Load Balancer 

Azure Load Balancer operates at the Transport layer (see my article on the OSI model here to understand this), works with non-HTTPS traffic, and is zone redundant to give availability across Availability Zones (article on those coming soon).

A good use case for this type of load balancer is routing traffic among multiple database Virtual Machines (VMs).

~~~~~~~~~

Azure Application Gateway 

This is an application-layer load balancing service (see my article on the OSI model here to understand this) that gives you an Application Delivery Controller (ADC).

Application Gateway can be configured to be internet facing, internal only, or a combo of both as your needs require.

Traffic can be filtered/routed based on…

  • URLs
  • URI Paths
  • Host Headers 

In addition, Azure Application Gateway doesn’t have a built-in firewall, but it does have a WAF (Web Application Firewall) feature that can be enabled to provide protection for web applications against common web vulnerabilities. 

An example use case for this type of balancing is if you had web servers specifically set up to handle video requests to minimize latency. Using Application Gateway, you could route traffic to those servers based on whether the URL contains /videos.

~~~~~~~~~

Azure Traffic Manager 

This option is a DNS-based load balancer. It can balance traffic across global Azure regions and operates at the domain level.

This means that a good use case for this might be to organize your incoming traffic based on where it is coming from, to ensure that it is directed to the resource closest to the origin point, so that John Doe in Australia doesn’t have huge latency connecting to your resources.

~~~~~~~~~

Azure Front Door Service 

Azure Front Door Service has a load balancer, CDN, and firewall all in one. This might make it seem like the automatic go-to, but again it depends on your use case.

Azure Front Door provides a single entry point for web traffic and routes it to the most optimal backend based on performance, availability, and the geographic location of the user. This can be a variety of Azure Services as the destination point, such as Azure Web Apps, Azure Functions, and Azure Virtual Machines.  

SSL offloading is also a feature of Front Door. This is a benefit in that it makes it so that the servers do not have to handle encryption functions and can have better performance as a result. Front Door also has a Web Application Firewall (WAF) feature, and also custom routing and caching.

For a use case, Front Door has a lot of crossover with Application Gateway. However, where Application Gateway is most useful for regional traffic, Front Door is better at handling global traffic than Application Gateway is.

It is important to note, however, that a combination of the two might be ideal depending on the circumstances.

PROTECTION SERVICES

This section, just by way of its name, will have a lot of crossover with any article on Azure security. I am not going into detail but am going to mention some key points and topics. Despite it being security centric, security is a natural part of networking and deserves a place in this article.

Azure Firewall

First, what is a firewall? A firewall inspects all network traffic that goes in and out of a network/environment. It then takes action on that traffic based on predefined rules. Firewalls can block specific ports and analyze for viruses, worms, and other network threats.

Azure Firewall is a stateful firewall. Stateful means it inspects and acts on sessions of traffic: based on the context and state of that traffic, the firewall decides how to act on it. On the flip side, stateless means that each packet is inspected on its own, with no analysis of the traffic from a source IP as a whole. But again, Azure Firewall is a stateful firewall.

Azure Firewall also allows filtering of traffic based on the following methods…

  • Port number 
  • Protocol type 
  • Network address 
  • FQDN 

As previously mentioned, you can set rules to dictate how the firewall acts on certain traffic. Some of the Rule Collections you can set up are the following…

  • NAT Rules (Network Address Translation)
    • NAT Rules enable traffic to be forwarded between segments, such as from the Internet to Azure resources.
  • Network Rules
    • These allow or deny traffic based on protocol type, inbound or outbound address, and inbound or outbound port.
  • Application Rules
    • Allow specific applications to communicate across the firewall and control traffic by FQDN. (Example: block traffic to a specific website)

Azure Firewall is a fundamental security component in almost every environment and is the basic security layer that should be set up any time filtering based on source or destination IP or port is needed. You can also filter on protocol, for example if you need to block everything but SSH.
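As an added example (Bicep, not from the original post), here is a rule collection group on an existing Azure Firewall Policy that does the two things just described: a Network rule collection allowing only SSH between two subnets, and an Application rule collection blocking one website by FQDN. The policy name, address ranges and FQDN are placeholders; a NAT rule collection has the same shape with ruleCollectionType 'FirewallPolicyNatRuleCollection' and an action of type 'Dnat'.

```bicep
// Added example (not from the article): a rule collection group on an existing Azure
// Firewall Policy. Policy name, address ranges and the FQDN are placeholders.
resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: 'afwp-hub'
}

resource rules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: policy
  name: 'DefaultRuleCollectionGroup'
  properties: {
    priority: 200
    ruleCollections: [
      {
        // Network rule: between these two subnets allow SSH and nothing else.
        // Azure Firewall denies traffic that matches no rule, so no explicit deny is needed.
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'network-rules'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'allow-ssh-only'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '10.0.1.0/24' ]        // placeholder: management subnet
            destinationAddresses: [ '10.0.2.0/24' ]   // placeholder: server subnet
            destinationPorts: [ '22' ]
          }
        ]
      }
      {
        // Application rule: block one web site by FQDN for the whole VNet range
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'application-rules'
        priority: 300
        action: { type: 'Deny' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'block-example-site'
            protocols: [ { protocolType: 'Https', port: 443 }, { protocolType: 'Http', port: 80 } ]
            sourceAddresses: [ '10.0.0.0/16' ]
            targetFqdns: [ 'www.example.com' ]
          }
        ]
      }
    ]
  }
}
```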

_________________________

Network Security Groups (NSGs) 

NSGs are very much like firewalls, but instead of protecting your whole environment from the internet (WAN to LAN), you can use them to protect subnets or even individual resources like a specific VM from both the internet and other parts of your VNet. That is also a good example use case: filtering the network traffic between resources in Azure.

You can create a single NSG and apply it to multiple VMs, and an NSG can filter based on the following criteria…

  • Protocol
  • Source IP or Port
  • Destination IP or Port

Like many Azure Services, NSGs can be used in tandem with other firewall services.

Application Security Groups (ASGs) are a reference object in an NSG. An ASG allows you to clump resources together based on the application that is running on them. This makes security an extension of the application you are running. It then also allows security policies to be defined based on the groups and reused without having to manually adjust IP addresses.

So in practice what this looks like is that you put the VMs or resources whose network security you want to control into the ASG, and then you reference the ASG in the NSG that you have set up the rules in. Now all those resources have the NSG applied to them. This is faster than applying the NSG to each one by hand.
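An added example (Bicep, not from the original post) of exactly that pattern: two ASGs for a web tier and a database tier, and an NSG whose rules refer to them instead of IP addresses. All names are made up, and the comments spell out the evaluation order that the criteria list above leaves implicit.

```bicep
// Added example (not from the article): an NSG whose rules address VMs by role through
// Application Security Groups rather than by IP address. All names are made up.
param location string = resourceGroup().location

resource asgWeb 'Microsoft.Network/applicationSecurityGroups@2023-05-01' = {
  name: 'asg-web'
  location: location
}

resource asgDb 'Microsoft.Network/applicationSecurityGroups@2023-05-01' = {
  name: 'asg-db'
  location: location
}

// Rules are evaluated from the lowest priority number up and the first match wins.
// The built-in AllowVnetInBound rule (65000) allows all intra-VNet traffic, so the
// explicit deny at 200 is what actually fences the database tier off.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-app'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-sql-from-web-to-db'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceApplicationSecurityGroups: [ { id: asgWeb.id } ]
          sourcePortRange: '*'
          destinationApplicationSecurityGroups: [ { id: asgDb.id } ]
          destinationPortRange: '1433'
        }
      }
      {
        name: 'deny-vnet-to-db'
        properties: {
          priority: 200
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'VirtualNetwork'   // service tag covering the whole VNet
          sourcePortRange: '*'
          destinationApplicationSecurityGroups: [ { id: asgDb.id } ]
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

A VM joins an ASG through its NIC’s ipConfiguration (applicationSecurityGroups), and the NSG itself is attached to the subnet or NIC; a new VM added to asg-web picks up the rules without any IP edits.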

~~~~~~~~~

One possible configuration is using Azure Firewall as a frontline defense and then employing NSGs and Application Security Groups to have more rounded protection for your environment.

On the other hand, if you are just deploying an application you might set yourself up to use only Application Security Groups and NSGs and not even use Azure Firewall.

_________________________

Azure DDoS Protection

DDoS attacks are when a service is flooded with so many network requests that the targeted resource or server stops servicing legitimate requests altogether.

Azure’s answer to this threat is Azure DDoS Protection, which can protect from the following types of attacks…

  • Volumetric Attacks
    • This is when an attack attempts to overwhelm a resource with sheer volume of traffic in order to eat up all of the service’s bandwidth.
  • Protocol Attacks
    • Targeting specific server resources through a weakness in the protocol stack (e.g. Ping of Death).
  • Resource Layer Attacks
    • These attacks target the application layer of the protocol stack to affect web application traffic between hosts.

There are two levels of DDoS Protection from Azure. One is a basic free option, but if you upgrade to Standard you will end up paying more. The two options and their offerings are listed below…

  • Protection Basic
    • Traffic Monitoring 
    • Automatic Attack Mitigation 
  • Protection Standard
    • Both of the above and… 
    • Availability guarantee 
    • Mitigation policies 
    • Metrics and Alerts 
    • Reporting 
    • And more… 

_________________________

User Defined Routes (UDRs)

When there are multiple subnets in a VNet, there are some default routes set up by Azure for how those subnets communicate with each other. This works fine in most cases, but sometimes a specific pathway for traffic is desired, and this is when you can use a User Defined Route (UDR). So by that explanation a UDR is a custom route for traffic that overrides the default one.

A reason you might want to use a UDR would be if you have a specific Virtual Machine that you want to keep secure. Instead of traffic from other subnets going straight to it, you want all traffic for it to go through a specific firewall that can filter it to maintain security. Creating a UDR and applying it at the correct spots can achieve this result.
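The scenario just described, as an added Bicep example that is not part of the original post: a route table that sends traffic from a workload subnet to the firewall before it can reach the protected subnet (or the Internet), attached to the source subnet. Address ranges and the firewall’s private IP are placeholders.

```bicep
// Added example (not from the article): a route table that forces traffic from a workload
// subnet through the firewall before it can reach a protected subnet or the Internet.
// Address ranges and the firewall IP are placeholders.
param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.0.4'   // placeholder: Azure Firewall's private address

resource rt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-via-firewall'
  location: location
  properties: {
    disableBgpRoutePropagation: true   // stop learned on-prem routes from bypassing the firewall
    routes: [
      {
        name: 'protected-subnet-via-firewall'
        properties: {
          addressPrefix: '10.0.1.0/24'         // more specific than the system VNet route, so it wins
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'           // replaces the system route straight to the Internet
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: 'AzureFirewallSubnet'   // required name for the firewall's own subnet; no UDR here
        properties: { addressPrefix: '10.0.0.0/26' }
      }
      {
        name: 'snet-protected'        // the VM to keep secure lives here
        properties: { addressPrefix: '10.0.1.0/24' }
      }
      {
        name: 'snet-workload'         // "applying it at the correct spot": the *source* subnet
        properties: {
          addressPrefix: '10.0.2.0/24'
          routeTable: { id: rt.id }
        }
      }
    ]
  }
}
```

Return traffic is only symmetric if snet-protected gets a similar table pointing back at the firewall; otherwise the stateful firewall may drop the reply half of a flow it never saw start.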

_________________________

Azure Private Link

Azure Private Link is a service that allows you to access Azure’s Platform as a Service (PaaS) offerings through a private endpoint in your VNet. Examples of PaaS you might access this way are Azure Storage or an Azure SQL database. Basically, you can keep traffic from your VNet inside your VNet, since the service you are sending traffic to is given a private IP address, making it appear to be inside the same VNet. This traffic also only travels across the Microsoft network backbone, so technically it never touches the “internet”.

MONITORING SERVICES

Although there are a lot more monitoring and management options in Azure than the ones I am going to mention next, I wanted to cover some of the ones most important to networking specifically. A more complete list is something I can cover in a future article.

Azure Monitor

Azure Monitor provides the capability to collect and analyze data from the cloud environment or your on-premises environment, thus allowing you to take appropriate actions.

Azure Monitor uses two data types to assist in monitoring the environment. The first is Metrics; an example is the amount of data used by Storage Account X. The second is Logs, which are simply records of events that happened.

Technically Azure Monitor is not one service but has several that comprise it…

  • Application Insights
    • Allows developers to integrate monitoring into their applications that then sends monitoring data to Azure for easy visibility and management.
  • Monitor for VMs
    • Monitor Windows and Linux in the cloud and on-premises
  • Monitor for Containers
    • Monitor container workloads; containers can be in the cloud or on-premises.
  • Log Analytics
    • Can write log queries and analyze logs 
  • Smart Alerts
    • This groups alerts together and combines them into a single issue when applicable allowing easy readability and decreasing response time.
  • Automated Actions
    • If a certain alert happens then do XYZ. This helps cut down on the need for a human response.
  • Dashboards
    • Create and share dashboards to visualize log query results.
  • Workbooks
    • Create reports to give more insight.

_________________________

Azure Network Watcher

Network Watcher gives the user a way to view metrics and logs, and to monitor and diagnose an Azure VNet. It mainly focuses on the Infrastructure as a Service (IaaS) products like VMs, VNets, Load Balancers and Application Gateways. You can then repair your network health quickly instead of searching for all the data.

Another cool feature that I love is that you can also generate a topology map of your resources and how they are connected from this service.
