Azure Virtual Private Network & Best Practice

Azure Virtual Private Network & Best Practice

Posted on Aug 26, 2022 (0)

Azure Virtual Network

Azure Virtual Network (Vnet) is an isolated, similar to our own data Center Network in Azure Cloud, which helps in provisioning Azure Resources in Azure Cloud and provide secure communication with each other, the Internet and on-Premises network. Virtual Network and subnets span across all Availability Zones in a region.

Azure Vnet also helps in Filtering Network traffic, Routing of Network Traffic, and Integration with Azure Services.  

All Resources in Vnet can communicate to Internet via Outbound by default. But of Inbound traffic, you must have or assign public IP address or use Public Load Balancer. Public IP or Public Load Balancer can also be used for outbound traffic.

In Vnet Azure resources securely communicate with each other in following ways:

  • Via Virtual Network: When VM or any other Azure resources (Azure APP Service Environment, Azure Kubernetes Service, Azure Virtual Machine scale sets) are deployed in Vnet, they securely communicate to each other.
  • Via Virtual Network Service End Points: With this service you can extend the Virtual network Private address space to Azure Service Resources, such as Azure Storage Account, Azure SQL Databases over direct connection.
  • Via Vnet Peering: With the help of Vnet Peering, you can connect the different Virtual Network to each other. Due to with Azure resources in each VNets can be able to communicate to each other via Vnet Peering connection. With the help of Vnet Peering, Virtual network within same region or different region can be connected.

It is also possible to connect the On-premises network to Azure Vnet using following combination:

  • Point to Site Virtual private Network: Connection between a Single Computer and Azure Virtual network. Communication is done by encrypted tunnel over internet.
  • Site to Site VPN: Connection between your On-premises VPN device and Azure VPN gateway deployed in Azure Virtual network. Communication is done by encrypted tunnel over internet.
  • Azure Express Routes: Communication established between your network and Azure via Express Route Partner. This is private connection and traffic do not traverse to Internet.

Filtering of Network Traffic

Network traffic can be filtered between subnets by following ways:

Network Security Groups: Network Security groups or Application Security groups have multiple inbound or outbound rules, which helps to filter traffic by using Source IP, Destination IP, Source Port, Destination port and Protocols.

Network Virtual Appliances:  It is a VM that performs network Virtual Function like Firewall, WAN Optimizer etc.

Routing of Network Traffic

Azure Routes traffic between Subnets, Peered Virtual Networks, On-Premises Networks, Internet by default. But this default feature can be overridden by using below options.

Route Tables: A custom Route tables can be created, with routes that control where to route the traffic for each subnet.

BGP Routes: If your On-Premises network is connected to Vnet using Azure VON gateway or Express Routes connection, you can propagate your on-premises BGP routes to your Vnet and achieve the communication.

Azure Services Integration with Virtual Network

When we Integrate the Azure Services with Virtual network, it provides private access to those services from virtual machine or compute resources with in Virtual network. We can integrate Azure Services in your Virtual Network with following options:

  • By Deploying dedicated instance of that service into Virtual Network. These Services can be accessed privately with in Virtual Network and from On-Premises Network.
  • Instance of Service can be accessed privately by using Private Link from Virtual Network and from On-Premises Network.
  • Service can be accessed using public Endpoint by extending virtual network to Service through Service Endpoints.

VNet Concepts

Below are some concepts used while configuring VNets in Azure.

Address Space: When we create a Vnet, we must have to specify the CIDR private IP Address Space using RFC 1918 Address. Azure assigns Private IP to resources in a Virtual network from address Space (CIDR) that you have assigned while creation of Vnet.

Subnets: Subnets are used to segments Virtual Network into one or more sub-networks and allocate a portion of CIDR to each subnet.

There are Public IP address and Private IP address used for communication in any VNets.

Public IP Address: Allow Azure resources to communicate with Internet and other public facing Azure Services.

Private IP Address: Allow communication between resources in Virtual network along with those connected via VPN without using internet routable IP address.

Regions: A Vnet has scope in a single region or location. However Multiple Virtual Network from different regions can be connected to each other via Vnet Peering.

Subscription: A Vnet is scoped to a subscription. A Multiple VNets can be implemented with in each Azure subscription and Azure Region.

Best Practice for Designing Azure Virtual Network

Below are following best Practice that must be exercised while designing the Virtual network

  • Non-Overlapping CIDR must be used in order to design multiple VNets with in your Organization.
  • Subnet designed must not cover entire CIDR address Space of the VNets.
  • Make sure to have Fewer large VNets instead of having multiple Small VNets.
  • You must secure your VNets by assigning NSG to subnets.  


    You are will be the first.


Please login here to comment.