Explore Azure networking services (4)--Review!!!! - Coggle Diagram
Azure virtual networks enable Azure resources, such as VMs, web apps, and databases, to communicate with each other, with users on the internet, and with your on-premises client computers.
Azure virtual networks provide the following key networking capabilities:
Isolation and segmentation
Internet communications
Communicate between Azure resources
Communicate with on-premises resources
Route network traffic
Filter network traffic
Connect virtual networks
Isolation and segmentation
When you set up a virtual network, you define a private IP address space by using either public or private IP address ranges. You can divide that IP address space into subnets and allocate part of the defined address space to each named subnet.
Internet communications
A VM in Azure can connect to the internet by default. You can enable incoming connections from the internet by defining a public IP address or a public load balancer.
For VM management, you can conne
Communicate between Azure resources
Virtual networks
Virtual networks can connect not only VMs but other Azure resources, such as the App Service Environment for Power Apps, Azure Kubernetes Service, and Azure virtual machine scale sets.
Service endpoints
You can use service endpoints to connect to other Azure resource types, such as Azure SQL databases and storage accounts. This approach enables you to link multiple Azure resources to virtual networks to improve security and provide optimal routing between resources.
Communicate with on-premises resources
Point-to-site virtual private networks
Site-to-site virtual private networks
Azure ExpressRoute
Route network traffic
Route tables
A route table allows you to define rules about how traffic should be directed. You can create custom route tables that control how packets are routed between subnets.
Border Gateway Protocol
Border Gateway Protocol (BGP) works with Azure VPN gateways or ExpressRoute to propagate on-premises BGP routes to Azure virtual networks.
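The route-selection behaviour described above (system default routes, custom route tables, BGP-propagated routes), as an added example that is not part of the original notes: Azure picks the longest matching prefix and, on a tie, prefers a user-defined route over a BGP route over a system route. The address space, next-hop addresses and routes are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed system default routes for a virtual network with address space
# 10.0.0.0/16: Azure adds a VirtualNetwork route for the vnet's own space and
# a default route (0.0.0.0/0) to the Internet.
SYSTEM_ROUTES = [
    ("10.0.0.0/16", "VirtualNetwork", "system"),
    ("0.0.0.0/0", "Internet", "system"),
]

# Constructed custom (user-defined) routes for the same subnet: force all
# internet-bound traffic through a firewall NVA (made-up address 10.0.255.4)
# and send an on-premises range through the VPN gateway.
CUSTOM_ROUTES = [
    ("0.0.0.0/0", "VirtualAppliance(10.0.255.4)", "user"),
    ("192.168.0.0/16", "VirtualNetworkGateway", "user"),
]

# Tie-break Azure applies when two routes have the same prefix length:
# user-defined routes win over BGP routes, which win over system routes.
SOURCE_RANK = {"user": 0, "bgp": 1, "system": 2}

def select_route(destination, routes):
    """Return (prefix, next_hop) for the route Azure would pick, or None.

    Longest matching prefix wins; SOURCE_RANK breaks ties.
    """
    dst = ip_address(destination)
    best = None
    for prefix, next_hop, source in routes:
        net = ip_network(prefix)
        if dst not in net:
            continue
        key = (net.prefixlen, -SOURCE_RANK[source])
        if best is None or key > best[0]:
            best = (key, str(net), next_hop)
    return None if best is None else (best[1], best[2])

def effective_routes(subnet_routes=CUSTOM_ROUTES):
    """System routes plus the custom routes a route table associates with a subnet."""
    return SYSTEM_ROUTES + list(subnet_routes)
```

Note that intra-vnet traffic is unaffected by the custom 0.0.0.0/0 route, because the /16 system route is more specific; only the tie on 0.0.0.0/0 is decided by route source.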
Filter network traffic
Azure virtual networks enable you to filter traffic between subnets by using the following approaches:
Network security groups
A network security group is an Azure resource that can contain multiple inbound and outbound security rules. You can define these rules to allow or block traffic, based on factors such as source and destination IP address, port, and protocol.
Network virtual appliances
A network virtual appliance is a specialized VM that can be compared to a hardened network appliance. A network virtual appliance carries out a particular network function, such as running a firewall or performing wide area network (WAN) optimization.
Connect virtual networks
You can link virtual networks together by using virtual network peering.
Peering enables resources in each virtual network to communicate with each other.
Create a virtual network
Network name
The network name must be unique in your subscription
Address space
This address space needs to be unique within your subscription and any other networks that you connect to, so that there's no address overlap.
Subscription
This option only applies if you have multiple subscriptions to choose from.
Resource group
Like any other Azure resource, a virtual network needs to exist in a resource group. You can either select an existing resource group or create a new one.
Location
Select the location where you want the virtual network to exist.
Subnet
Within each virtual network address range, you can create one or more subnets that partition the virtual network's address space.
DDoS protection
You can select either Basic or Standard DDoS protection. Standard DDoS protection is a premium service.
Service endpoints
Here, you enable service endpoints. Then you select from the list which Azure service endpoints you want to enable. Options include Azure Cosmos DB, Azure Service Bus, Azure Key Vault, and so on.
Define additional settings
Network security group
Network security groups have security rules that enable you to filter the type of network traffic that can flow in and out of virtual network subnets and network interfaces.
Route table
Azure automatically creates a route table for each subnet within an Azure virtual network and adds system default routes to the table.
You can then review and change settings in further subpanes. These settings include:
Address spaces: You can add additional address spaces to the initial definition.
Connected devices: Use the virtual network to connect machines.
Subnets: You can add additional subnets.
Peerings: Link virtual networks in peering arrangements.
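The address-space and subnet checks implied by the settings above (a space that must not overlap any network you connect to, subnets that partition that space), as an added example that is not part of the original notes. It also applies two Azure facts the notes do not spell out: Azure reserves five addresses in every subnet, and /29 is the smallest subnet Azure allows. All CIDRs are constructed.

```python
from ipaddress import ip_network

# Azure reserves five addresses in every subnet: the network address, the
# default gateway, two for Azure DNS, and the broadcast address.
AZURE_RESERVED_PER_SUBNET = 5
SMALLEST_AZURE_SUBNET_PREFIX = 29  # /29 is the smallest subnet Azure allows

def usable_addresses(cidr):
    """Addresses left for your own resources after Azure's reservations."""
    return ip_network(cidr).num_addresses - AZURE_RESERVED_PER_SUBNET

def plan_virtual_network(address_space, subnets, connected_ranges=()):
    """Check a virtual network plan; return a list of problems (empty = OK).

    address_space    CIDR for the new virtual network
    subnets          {name: CIDR} partitions of that address space
    connected_ranges address spaces of peered vnets or on-premises networks
    """
    problems = []
    space = ip_network(address_space)
    for other in connected_ranges:
        if space.overlaps(ip_network(other)):
            problems.append(f"address space {space} overlaps connected network {other}")
    nets = {name: ip_network(cidr) for name, cidr in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(space):
            problems.append(f"subnet {name} ({net}) is outside {space}")
        if net.prefixlen > SMALLEST_AZURE_SUBNET_PREFIX:
            problems.append(f"subnet {name} ({net}) is smaller than /{SMALLEST_AZURE_SUBNET_PREFIX}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets {a} and {b} overlap")
    return problems
```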
Azure VPN Gateway fundamentals
VPN
A virtual private network (VPN) is a type of private interconnected network. VPNs use an encrypted tunnel within another network. They're typically deployed to connect two or more trusted private networks to one another over an untrusted network (typically the public internet). Traffic is encrypted while traveling over the untrusted network to prevent eavesdropping or other attacks.
VPN gateways
Azure VPN Gateway instances are deployed in Azure Virtual Network instances and enable the following connectivity:
Connect on-premises datacenters to virtual networks through a site-to-site connection.
Connect individual devices to virtual networks through a point-to-site connection.
Connect virtual networks to other virtual networks through a network-to-network connection.
All transferred data is encrypted in a private tunnel as it crosses the internet. You can deploy only one VPN gateway in each virtual network, but you can use one gateway to connect to multiple locations, which includes other virtual networks or on-premises datacenters.
When you deploy a VPN gateway, you specify the VPN type: either policy-based or route-based. The main difference between these two types of VPNs is how traffic to be encrypted is specified. In Azure, both types of VPN gateways use a pre-shared key as the only method of authentication. Both types also rely on Internet Key Exchange (IKE) in either version 1 or version 2 and Internet Protocol Security (IPSec). IKE is used to set up a security association (an agreement of the encryption) between two endpoints. This association is then passed to the IPSec suite, which encrypts and decrypts data packets encapsulated in the VPN tunnel.
Policy-based VPNs
Policy-based VPN gateways statically specify the IP addresses of packets that should be encrypted through each tunnel. This type of device evaluates every data packet against those sets of IP addresses to choose which tunnel the packet is sent through.
Route-based VPNs
Connections between virtual networks
Point-to-site connections
Multisite connections
Coexistence with an Azure ExpressRoute gateway
Deploy VPN gateways
Required Azure resources
Virtual network
Deploy a virtual network with enough address space for the additional subnet that you'll need for the VPN gateway.
Virtual network gateway
Local network gateway
Connection
Public IP address
GatewaySubnet
Required on-premises resources
A VPN device that supports policy-based or route-based VPN gateways
A public-facing (internet-routable) IPv4 address
Active/standby
When planned maintenance or unplanned disruption affects the active instance, the standby instance automatically assumes responsibility for connections without any user intervention.
Active/active
In this configuration, you assign a unique public IP address to each instance. You then create separate tunnels from the on-premises device to each IP address.
ExpressRoute failover
Another high-availability option is to configure a VPN gateway as a secure failover path for ExpressRoute connections.
Zone-redundant gateways
In regions that support availability zones, VPN gateways and ExpressRoute gateways can be deployed in a zone-redundant configuration. This configuration brings resiliency, scalability, and higher availability to virtual network gateways.
Azure ExpressRoute fundamentals
Azure ExpressRoute lets you seamlessly extend your on-premises networks into the Microsoft cloud.
This connection between your organization and Azure is dedicated and private.
Open Systems Interconnection (OSI) model:
Layer 2 (L2): This layer is the Data Link Layer, which provides node-to-node communication between two nodes on the same network.
Layer 3 (L3): This layer is the Network Layer, which provides addressing and routing between nodes on a multi-node network.
Features and benefits of ExpressRoute
Built-in redundancy
Each connectivity provider uses redundant devices to ensure that connections established with Microsoft are highly available. You can configure multiple circuits to complement this feature. All redundant connections are configured with Layer 3 connectivity to meet service-level agreements.
Layer 3 connectivity
ExpressRoute provides Layer 3 (address-level) connectivity between your on-premises network and the Microsoft cloud through connectivity partners. These connections can be from a point-to-point or any-to-any network. They can also be virtual cross-connections through an exchange.
Connectivity to Microsoft cloud services
Across on-premises connectivity with ExpressRoute Global Reach
You can connect several ExpressRoute circuits around the world.
Connectivity models
CloudExchange colocation
Point-to-point Ethernet connection
Any-to-any connection
Security considerations
With ExpressRoute, your data doesn't travel over the public internet, so it's not exposed to the potential risks associated with internet communications.