Azure Networking Solutions - Coggle Diagram
Azure Networking Solutions
Azure Virtual Network
Azure virtual networks enable Azure resources, such as VMs, web apps, and databases, to communicate with each other, with users on the internet, and with your on-premises client computers.
Capabilities
Communication with the internet
Communication between Azure resources
Communication with on-premises resources
Filtering and routing network traffic
Design considerations
Address space and subnets
VNet
Recommended IP Range
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Ensure non-overlapping address spaces. Make sure your VNet address space (CIDR block) does not overlap with your organization's other network ranges.
Restricted IP Range
224.0.0.0/4 (Multicast)
255.255.255.255/32 (Broadcast)
127.0.0.0/8 (Loopback)
169.254.0.0/16 (Link-local)
168.63.129.16/32 (Internal DNS)
IP Address Reservation
Azure reserves 5 IP addresses within each subnet
x.x.x.0: Network address
x.x.x.1: Reserved by Azure for the default gateway
x.x.x.2, x.x.x.3: Reserved by Azure to map the Azure DNS IPs to the VNet space
x.x.x.255: Network broadcast address
Subnet
The smallest supported IPv4 subnet is /29, and the largest is /2
Each subnet must have a unique address range, specified in Classless Inter-Domain Routing (CIDR) format.
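The address-space rules above (recommended RFC 1918 ranges, ranges Azure restricts, /29 to /2 subnet sizes, five reserved addresses per subnet, non-overlapping subnets) are easy to check mechanically before deploying. The following Python is an added example, not part of the original diagram; the VNet and subnet values in the test are constructed.

```python
import ipaddress

# Planning constraints taken from the notes: recommended private ranges,
# ranges Azure does not allow, and the five addresses Azure reserves per subnet.
RECOMMENDED = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RESTRICTED = [ipaddress.ip_network(n) for n in
              ("224.0.0.0/4", "255.255.255.255/32", "127.0.0.0/8",
               "169.254.0.0/16", "168.63.129.16/32")]
AZURE_RESERVED_PER_SUBNET = 5  # x.x.x.0, .1, .2, .3 and the last (broadcast) address


def check_vnet(vnet_cidr, subnet_cidrs, other_ranges=()):
    """Return a list of problems with the address plan; an empty list means it passes."""
    problems = []
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    if not any(vnet.subnet_of(r) for r in RECOMMENDED):
        problems.append(f"{vnet} is outside the recommended private ranges")
    for r in RESTRICTED:
        if vnet.overlaps(r):
            problems.append(f"{vnet} overlaps restricted range {r}")
    # other_ranges: CIDR blocks already used elsewhere in the organisation
    for o in other_ranges:
        if vnet.overlaps(ipaddress.ip_network(o)):
            problems.append(f"{vnet} overlaps existing range {o}")
    subnets = [ipaddress.ip_network(s, strict=True) for s in subnet_cidrs]
    for s in subnets:
        if not s.subnet_of(vnet):
            problems.append(f"subnet {s} is not inside {vnet}")
        if not 2 <= s.prefixlen <= 29:
            problems.append(f"subnet {s} prefix must be between /2 and /29")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    return problems


def usable_hosts(subnet_cidr):
    """Addresses left for your own resources after Azure's five reservations."""
    n = ipaddress.ip_network(subnet_cidr)
    return max(n.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)
```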
Network Security Groups (NSGs)
A network security group contains rules that allow or deny traffic to and from sources and destinations.
We can associate zero or one NSG to each subnet in a virtual network
We can associate the same, or a different, network security group to each subnet
Determine a naming convention
Recommended Naming Convention
<Resource Name>-<Application/Workload>-<environment>-<Region>-<Instance No>
e.g.
pip-sharepoint-prod-westus-001
is the name of the public IP for the SharePoint production environment in the West US region
Azure resource types have a scope that defines the level at which resource names must be unique
Scopes: Management Group, Subscription, Resource Group, Resource.
Regions and Subscriptions
A resource can only be created in a virtual network that exists in the same region and subscription as the resource.
Design DNS for VNet
Types
Public DNS
The name of the zone must be unique within the resource group, and the zone must not exist already.
The same zone name can be reused in a different resource group or a different Azure subscription.
Where multiple zones share the same name, each instance is assigned different name server addresses.
Root/Parent domain is registered at the registrar and pointed to Azure NS
Child domains are registered in AzureDNS directly.
Private DNS
Azure DNS Private Zones
Private DNS zones are highly resilient, being replicated to regions all throughout the world
Configure a specific DNS name for a zone
Create records manually when necessary
Resolve names and IP addresses across different zones and different VNets.
100 VNets can be registered to a single private DNS zone
1000 VNets can use a single private DNS zone for resolution.
Default DNS provided by Azure for the VNet
Created when the VNet is created
Supports automatic registration, requires no manual record creation
Namespace .internal.cloudapp.net
Custom (own) DNS
Design VNet Peering
Global Peering
When creating a global peering, the peered virtual networks can exist in any Azure public cloud region or China cloud regions, but not in Government cloud regions.
Regional Peering
Regional VNet peering connects Azure virtual networks in the same region
Route Tables
System Routes
Azure automatically creates system routes and assigns the routes to each subnet in a virtual network.
System routes cannot be created, removed or updated.
They can be overridden by Custom Routes
Types
Default Routes
Added to all subnets when they are created
Routes
Virtual Network CIDR
Internet 0.0.0.0/0
Blocked (next hop None): 10.0.0.0/8 and 192.168.0.0/16, reserved for private use in RFC 1918
Blocked (next hop None): 100.64.0.0/10, reserved in RFC 6598
Optional Routes
Azure adds default system routes for any Azure capabilities that you enable to either specific subnets within the virtual network, or to all subnets within a virtual network.
VNet peering
and
Virtual network gateway
routes are enabled in all subnets
VirtualNetworkServiceEndpoint
are added for Subnets for which Service endpoints are enabled
Custom Routes
Create custom, or user-defined (static), routes in Azure to override Azure's default system routes, or to add additional routes to a subnet's route table
Additional route types such as
Virtual appliance
can be added to route traffic to a virtual appliance running in a VM, such as a firewall.
Hop Types
Virtual Network
Internet
None
VNet peering
Virtual Network gateway
VirtualNetworkServiceEndpoint
Virtual appliance
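Azure picks the effective route for a packet by longest prefix match and, when a custom route carries the same prefix as a system route, the custom route wins; this is how a user-defined 0.0.0.0/0 route sends all internet-bound traffic through a firewall appliance before the default Internet system route can apply. The following Python models that selection over the system routes listed above; it is an added example, not part of the original diagram, and the VNet range 10.1.0.0/16 and appliance address 10.1.1.4 are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str                   # address prefix in CIDR form
    next_hop: str                 # hop type, named as in the notes above
    source: str                   # "system" or "user" (custom / user-defined route)
    next_hop_ip: Optional[str] = None  # only meaningful for Virtual appliance hops


# Constructed system routes for a VNet with address space 10.1.0.0/16:
# the VNet CIDR, the Internet default, and the RFC 1918 / RFC 6598 blocks.
SYSTEM_ROUTES = [
    Route("10.1.0.0/16", "Virtual Network", "system"),
    Route("0.0.0.0/0", "Internet", "system"),
    Route("10.0.0.0/8", "None", "system"),
    Route("192.168.0.0/16", "None", "system"),
    Route("100.64.0.0/10", "None", "system"),
]

# Custom routes a defender would add: force internet egress through a firewall
# appliance at 10.1.1.4 and send a remote range to the VPN gateway.
CUSTOM_ROUTES = [
    Route("0.0.0.0/0", "Virtual appliance", "user", next_hop_ip="10.1.1.4"),
    Route("10.2.0.0/16", "Virtual network gateway", "user"),
]


def effective_route(destination, routes):
    """Longest prefix wins; on an equal prefix a user-defined route overrides a system route."""
    dst = ipaddress.ip_address(destination)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if dst not in net:
            continue
        # Rank by prefix length first, then prefer user-defined over system.
        key = (net.prefixlen, 1 if r.source == "user" else 0)
        if best is None or key > best[0]:
            best = (key, r)
    return best[1] if best else None
```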
Azure Virtual NAT
Network Address Translation (NAT) lets internal resources on a private network share routable IPv4 addresses to gain access to external resources on a public network
NAT supports up to 16 public IP addresses, and for each of those, uses port network address translation (PNAT or PAT) to provide up to 64,000 concurrent traffic flows.
AWS: Virtual Private Cloud (VPC)
Azure VPN Gateway
VPN Gateway is an Azure service that provides the bridge between an on-premises network and Azure
Each virtual network can have only one VPN gateway.
All connections to that VPN gateway share the available network bandwidth.
VPN gateways can also be used for connections between virtual networks in Azure
A VPN gateway consists of two or more VMs deployed in a subnet called the gateway subnet
Connection Types
Point to site
A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer.
Protocols
OpenVPN
Secure Socket Tunneling Protocol
IKEv2 VPN
Authentication Methods
Native Azure certificate authentication
Native Azure Active Directory authentication
Site to site
over the internet
A site-to-site (S2S) VPN gateway connection lets you create a secure connection to your virtual network from another virtual network or a physical network.
Sub Types
Over Internet
Over a dedicated network such as Azure ExpressRoute
Types
Policy Based
Policy-based VPNs encrypt and direct packets through IPsec tunnels based on the IPsec policies configured with the combinations of address prefixes between your on-premises network and the Azure VNet.
We can have only 1 tunnel when using a policy-based VPN
Can be used only for site-to-site connection types
Route Based
RouteBased VPNs use "routes" in the IP forwarding or routing table to direct packets into their corresponding tunnel interfaces
Local Network Gateway
The local network gateway typically refers to the on-premises location.
Steps to establish VPN Connectivity
Create VPN Gateway
Create a Local Gateway
Configure On-prem VPN Device
Create VPN Connection
High Availability Options
VPN Gateway redundancy (Active-standby)
Multiple on-premises VPN devices
Active-active Azure VPN gateway
Combination of both
Azure ExpressRoute
ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection with the help of a connectivity provider.
Use cases
Faster and more reliable connection to Azure services
Storage, backup, and Recovery
Extends Data center capabilities
Connection Models
CloudExchange Co-location
Point-to-point Ethernet Connection
Any-to-any (IPVPN) Connection
ExpressRoute Direct
Load Balancers
Azure Load Balancer
Azure Load Balancer operates at layer 4 of the Open Systems Interconnection (OSI) model.
Azure Load Balancer distributes inbound flows that arrive at the load balancer's front end to backend pool instances.
Types
Public Load Balancer
Private/Internal Load Balancer
Traffic Manager
Azure Traffic Manager is a DNS-based traffic load balancer
AWS : Route 53
Routing Options
Priority
Weighted
Performance
Geographic
MultiValue
Subnet
Endpoint Types
Azure Endpoint
External Endpoint
Nested Endpoint
Application Gateway
Routing Method
Path based
Multiple site
Azure Front Door
Front Door works at Layer 7 (HTTP/HTTPS layer) using the anycast protocol with split TCP and Microsoft's global network to improve global connectivity
Network security
Azure Security Benchmark
The Azure Security Benchmark (ASB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure
Security controls:
These recommendations are generally applicable across your Azure tenant and Azure services.
Service baselines
These apply the controls to individual Azure services to provide recommendations on that service’s security configuration
Microsoft Defender
Microsoft Defender for Cloud helps streamline the process for meeting regulatory compliance requirements, using the regulatory compliance dashboard
Compliance Controls
Network Security
NS-1: Implement security for internal traffic
Identity Management
Azure Blueprints
Azure Policy
Azure DDoS
A denial of service attack (DoS) is an attack that has the goal of preventing access to services or systems. If the attack originates from one location, it is called a DoS. If the attack originates from multiple networks and systems, it is called distributed denial of service (DDoS)
Service Tiers
Basic
Automatically enabled as part of the Azure platform. Protection is provided for IPv4 and IPv6 Azure public IP addresses.
Standard
DDoS Protection Standard protects resources in a virtual network including public IP addresses associated with virtual machines, load balancers, and application gateways
Real-time telemetry is available through Azure Monitor
Types of DDoS attacks
Volumetric attacks
Protocol attacks
Resource (application) layer attacks
Network Security Group (NSG)
A Network Security Group (NSG) in Azure allows you to filter network traffic to and from Azure resources in an Azure virtual network.
Default Rules
Inbound
Allow traffic within Virtual Network
Allow traffic from Azure Load Balancer
Deny all incoming traffic
Outbound
Allow traffic within Virtual Network
Allow Traffic to Internet
Deny all outgoing traffic
Azure Firewall
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources.
Private Access
Virtual Network Service Endpoints