Azure Virtual Private Network & Best Practice
Azure Virtual Network
Azure Virtual Network (Vnet) is an isolated, similar to our own data Center Network in Azure Cloud, which helps in provisioning Azure Resources in Azure Cloud and provide secure communication with each other, the Internet and on-Premises network. Virtual Network and subnets span across all Availability Zones in a region.
Azure Vnet also helps in Filtering Network traffic, Routing of Network Traffic, and Integration with Azure Services.
All Resources in Vnet can communicate to Internet via Outbound by default. But for Inbound traffic, you must have or assign public IP address or use Public Load Balancer. Public IP or Public Load Balancer can also be used for outbound traffic.
In Vnet Azure resources securely communicate with each other in following ways:
- Via Virtual Network: When VM or any other Azure resources (Azure APP Service Environment, Azure Kubernetes Service, Azure Virtual Machine scale sets) are deployed in Vnet, they securely communicate to each other.
- Via Virtual Network Service End Points: With this service you can extend the Virtual network Private address space to Azure Service Resources, such as Azure Storage Account, Azure SQL Databases over direct connection.
- Via Vnet Peering: With the help of Vnet Peering, you can connect the different Virtual Network to each other. Due to with Azure resources in each VNets can be able to communicate to each other via Vnet Peering connection. With the help of Vnet Peering, Virtual network within same region or different region can be connected.
It is also possible to connect the On-premises network to Azure Vnet using following combination:
- Point to Site Virtual private Network: Connection between a Single Computer and Azure Virtual network. Communication is done by encrypted tunnel over internet.
- Site to Site VPN: Connection between your On-premises VPN device and Azure VPN gateway deployed in Azure Virtual network. Communication is done by encrypted tunnel over internet.
- Azure Express Routes: Communication established between your network and Azure via Express Route Partner. This is private connection and traffic do not traverse to Internet.
Filtering of Network Traffic
Network traffic can be filtered between subnets by following ways:
Network Security Groups: Network Security groups or Application Security groups have multiple inbound or outbound rules, which helps to filter traffic by using Source IP, Destination IP, Source Port, Destination port and Protocols.
Network Virtual Appliances: It is a VM that performs network Virtual Function like Firewall, WAN Optimizer etc.
Routing of Network Traffic
Azure Routes traffic between Subnets, Peered Virtual Networks, On-Premises Networks, Internet by default. But this default feature can be overridden by using below options.
Route Tables: A custom Route tables can be created with routes , that control where to route the traffic for each subnet.
BGP Routes: If your On-Premises network is connected to Vnet using Azure VPN gateway or Express Routes connection, you can propagate your on-premises BGP routes to your Vnet and achieve the communication.