Overview Of Azure Virtual Networks

  • An Azure Virtual Network (VNet) is a representation of your own network in the cloud.
  • Basically, it is a logical isolation of the Azure cloud that is completely dedicated to your own subscription.
  • You have total control over the IP address blocks, DNS settings, security policies and route tables within this network.
  • You can also divide the VNet into further partitions called subnets and launch your Azure Virtual Machines along with your Cloud Services in them.
  • You can connect the VNet to your on-premises network using one of the connectivity options available in Azure.
  • In a nutshell, you can expand your network into Azure with full control over the IP address blocks, along with the benefits of the enterprise scale that Azure provides.
  • Suppose we have a database that we don’t want to expose to the public network, but we want it to be used by our Azure apps. For that, we can expand our local network and make the machines a part of the VNet. So, the VNet would be just an extended version of our local network.
Terminologies

IP Addresses

There are two types of IP addresses assigned to the resources in Azure, namely public and private.
  • Public IP addresses allow Azure resources to communicate with the Internet and other Azure public facing services like Azure Redis Cache.
  • Private IP addresses allow communication between resources in the virtual network, along with those connected through a Virtual Private Network without using an Internet-routable IP address.

    There are some commonly used private IP ranges for intranets:

  • Small network: 192.168.0.X for 2^8 (256) addresses. Only the last byte changes, so the IP address range would be 192.168.0.0/24.
  • If there is one more small network, you can also use 192.168.1.X for the same number of systems, and the prefix length would be the same as well since only the last byte changes.
  • For large networks, it is 172.168.X.X for 2^16 addresses. Here the last two bytes change, so the IP address range would be 172.168.0.0/16.
  • For a very large network, the IP address could be 10.X.X.X for 2^24 addresses. Here the last three bytes change, so the range would be 10.0.0.0/8.
  • The IP addresses taken here are just for demonstration. Which address block you choose is up to you.
Classless Inter-Domain Routing (CIDR) notation

This is a compact representation of an IP address together with its routing prefix. It is constructed from an IP address, a slash, and a decimal number. The number is the count of leading 1 bits in the routing mask, which is usually called the network mask. So, for example, 192.168.0.0/24 is a CIDR notation.
Subnets

A subnet is a range of IP addresses in the VNet. You can divide a VNet into multiple subnets, mainly for security and for better organization.
  • All the VMs and PaaS role instances deployed to subnets within a VNet, whether the same subnet or different ones, can communicate with each other without any extra configuration.
  • Additionally, you can configure route tables and Network Security Groups that handle the inbound and outbound traffic of a subnet.
  • A subnet mask is set based on the number of systems in a network. For example, 255.255.255.0 is for 2^8 addresses, where the first three bytes stay the same.
  • Similarly, 255.255.0.0 is for 2^16 addresses and 255.0.0.0 is for 2^24 addresses.
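The CIDR notation, subnet masks and address-space planning described above can be checked mechanically. The following is an added example (not code from the original article) that expands a CIDR block into its mask and address count, and validates a constructed VNet plan: every subnet must lie inside the VNet block, subnets must not overlap, and the VNet space is flagged if it falls outside the RFC 1918 private blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). The VNet and subnet ranges are assumptions chosen for the example.

```python
import ipaddress

# Constructed example of a VNet address plan (not from the original page): one VNet
# block plus the frontend and backend subnets used later in the article.
VNET_CIDR = "10.1.0.0/16"
SUBNETS = {"frontend": "10.1.0.0/24", "backend": "10.1.1.0/24"}

# RFC 1918 private blocks; a VNet's address space is normally carved out of these.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def describe(cidr):
    """Expand a CIDR string into the mask, prefix and address count it denotes."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),        # e.g. 255.255.255.0 for /24
        "prefix": net.prefixlen,         # number of leading 1 bits in the mask
        "addresses": net.num_addresses,  # 2 ** (32 - prefix)
    }

def is_private(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)

def validate_plan(vnet_cidr, subnets):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    if not is_private(vnet_cidr):
        problems.append(f"VNet {vnet_cidr} is not in an RFC 1918 private range")
    nets = {}
    for name, cidr in subnets.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:  # e.g. host bits set, such as 10.1.0.5/24
            problems.append(f"{name}: invalid CIDR {cidr} ({exc})")
            continue
        if not nets[name].subnet_of(vnet):
            problems.append(f"{name}: {cidr} lies outside the VNet {vnet_cidr}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap ({nets[a]} / {nets[b]})")
    return problems

if __name__ == "__main__":
    print(describe(VNET_CIDR), validate_plan(VNET_CIDR, SUBNETS))
```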
Network Security Group (NSG)

Like I said earlier, Network Security Groups are used to control inbound and outbound traffic to Network Interfaces, VMs, and subnets. Each Network Security Group contains one or more rules that specify whether traffic is allowed or denied based on parameters like the source IP address, source port, destination IP address and destination port.

Network Interface Card (NIC)

VMs use a Virtual Network Interface Card to communicate with each other and with the other resources on the network. By default, a virtual NIC always has a private IP address, and it can optionally have a public IP address as well. A VM can have more than one NIC for different network configurations, depending on its requirements.

Azure Load Balancers

Virtual Machines and Cloud Services in a VNet can be exposed to the Internet using Azure Load Balancers.
  • External Load Balancer
    If you’re accessing the IaaS VMs and PaaS role instances from the public Internet, then you need to use an external load balancer.

  • Internal Load Balancer
    If you’re accessing the IaaS VMs and PaaS role instances from other services within your VNet, then you need to use an internal load balancer.
Azure DNS

Remembering a Virtual Machine by its IP address is tedious. So, the Domain Name System (DNS) for Azure enables clients to resolve user-friendly fully qualified domain names (FQDNs). Azure DNS allows you to host your own domains alongside your own Azure apps, and you can manage your DNS records within your Azure subscription.

Simplified On-Premises Network

  • When a request comes into the network from the Internet, it must first be cleared by the router.
  • Then it goes to the firewall. If the firewall doesn’t allow it to pass, the request is denied there.
  • Then the request goes to the Internet-facing load balancer, which passes it to one of the web servers that are clustered with each other, because we would have hosted the same website on multiple web servers for availability and for the sake of security as well.
  • These web servers then execute the request, and they might need to access the database to do so.
  • The request must again go through a firewall to access the database. In case there is a lot of traffic, we again have an internal load balancer for load balancing.
  • That internal load balancer then divides the load across the multiple instances of the replicated database.
  • Within the network, we have a DNS server for name resolution and a Domain Controller (DC) for authentication.
  • Anything that has to be made public has to be put into a DMZ (Demilitarized Zone). A DMZ is a physical or logical sub-network that separates an internal LAN from other untrusted networks, usually the Internet.
  • However, the database instances must be kept internal and not be accessed openly. Only the web servers, with the help of the firewalls, can have access to the database.
  • Let’s see how the same on-premises network can be replicated in an Azure Virtual Network.
Same Network Hosted In Azure
  • Here, the role of the router is played by the Azure infrastructure. The dotted line in the image represents a Virtual Network. Within this VNet, we can have multiple subnets; here we have a frontend subnet and a backend subnet that handles our database.
  • All the web server instances in the frontend subnet are Virtual Machines, and all the database instances in the backend subnet are Virtual Machines.
  • The load balancers here are a public-facing load balancer and an internal load balancer.
  • In place of the firewalls, here we have Network Security Groups (NSGs). The rules defined in an NSG control the inbound and outbound traffic of the VNet.
  • There is no extra cost for using Virtual Networks in Azure.
  • But the compute instances launched within the VNet are charged at the standard rates described in the pricing.
  • Also, the VPN gateways and public IP addresses used in the VNet are charged at the standard rates.
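The NSG rules that replace the firewalls in this layout, and the rule evaluation described in the Network Security Group section above, can be modelled to check that a proposed rule set really keeps the database tier reachable only from the web tier. The following is an added example (not Azure SDK code and not from the original article): a small evaluator that walks rules by priority, lowest number first, and returns the first match, applied to constructed frontend and backend rule sets. The subnet ranges, rule names and port choices are assumptions for the example; Azure's real default rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) and service tags are only approximated by the trailing deny rule.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of NSG rule evaluation, not Azure SDK code. Azure walks the rules
# by priority (lowest number first) and the first match decides; the built-in default
# rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound
# 65500) come last. Service tags such as "Internet" are not modelled here.

@dataclass
class Rule:
    name: str
    priority: int    # user rules use 100-4096; lower is evaluated first
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR, single IP or "*"
    dest: str
    dest_port: str   # single port, "lo-hi" range or "*"

def _addr_match(pattern, ip):
    return pattern == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def _port_match(pattern, port):
    if pattern == "*":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, direction, protocol, src_ip, dst_ip, dst_port):
    """Return (access, rule name) of the first rule that matches the flow."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction or r.protocol not in ("*", protocol):
            continue
        if _addr_match(r.source, src_ip) and _addr_match(r.dest, dst_ip) \
                and _port_match(r.dest_port, dst_port):
            return r.access, r.name
    return "Deny", "no-match"  # nothing matched; treated as denied

FRONTEND, BACKEND = "10.1.0.0/24", "10.1.1.0/24"   # constructed subnet ranges
# Constructed rule sets for the two tiers: the Internet may reach the web tier on
# 443 only, and only the web tier may reach the database tier on 1433.
FRONTEND_NSG = [
    Rule("allow-https", 100, "Inbound", "Allow", "Tcp", "*", FRONTEND, "443"),
    Rule("deny-all-inbound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]
BACKEND_NSG = [
    Rule("allow-web-to-sql", 100, "Inbound", "Allow", "Tcp", FRONTEND, BACKEND, "1433"),
    Rule("deny-all-inbound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]
```

Running `evaluate(BACKEND_NSG, "Inbound", "Tcp", "203.0.113.7", "10.1.1.4", 1433)` shows a direct Internet connection to the database tier hitting the deny rule, while the same port from a web-tier address is allowed.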
Benefits of Virtual Network
  • Isolation
    All the VNets are completely isolated from one another whether they are in the same subscription or a different subscription. So, you can create separate VNets for development, testing, and production that use the same CIDR address blocks.

  • Access to the public internet
    All VMs, web roles and worker roles in a VNet can access the public internet by default. However, you can control the access by using NSG.

  • Access to VMs within the VNet
    The web roles, worker roles, and the VMs can be launched in the same VNet and the communication between them is done through private IP addresses.

  • Name resolution
    Azure provides internal name resolution for IaaS VMs and PaaS role instances deployed in your VNet. You can also have your own DNS servers and configure the VNet to use them.

  • Security
    As I explained, the inbound and outbound traffic is handled by NSGs. And the traffic can be controlled at three levels, that is, at the VNet level, at the subnet level and the VM level.

  • Connectivity
    VNets can be connected to each other and even to your on-premises datacentre by using a site-to-site VPN connection or ExpressRoute connection.
Important

You cannot move a VM into a VNet after the VM has been created. That means you cannot add existing VMs to your newly created VNet. So planning your VNet before creating your VMs is very important.