Infrastructure Notes: Azure Network Design Overview
Start here: Azure Networking
The VNet is Azure's primary networking construct, the equivalent of the VPC in AWS.
Internet access is on by default.
Cloud services can go into the VNet as well.
Can connect VNets to each other, or connect them to on-premises networks.
Can bring your own DNS, or use Azure DNS.
Subnets can communicate with each other by default. When I create subnet-a and subnet-b, then put a VM in each, they will be able to communicate freely unless something (an NSG or a route) says otherwise.
Basics with PowerShell:
#Resource Group
$rg = "Test-NET-RG"
#Location
$location = "WestUS"
#VNET Name
$VNETName = "SL-VNET-PShell"
#Address Space (the /22 covers 10.0.0.0 - 10.0.3.255, so room for four /24 subnets)
$VNETAddressSpace = "10.0.0.0/22"
#Subnets
$webSN = New-AzVirtualNetworkSubnetConfig -Name "Duff-Web" -AddressPrefix "10.0.0.0/24"
$appSN = New-AzVirtualNetworkSubnetConfig -Name "Duff-App" -AddressPrefix "10.0.1.0/24"
$dbSN = New-AzVirtualNetworkSubnetConfig -Name "Duff-Data" -AddressPrefix "10.0.2.0/24"
#Create Resource Group
New-AzResourceGroup -Name $rg -Location $location
#Go ahead and create the VNET & Subnets (all three subnet configs, including the data tier, are passed in)
$virtualNetwork = New-AzVirtualNetwork -Name $VNETName -ResourceGroupName $rg `
    -Location $location -AddressPrefix $VNETAddressSpace -Subnet $webSN,$appSN,$dbSN
#-------------
#Add one more subnet separately (only changes the local object until Set-AzVirtualNetwork runs)
$subnetConfig = Add-AzVirtualNetworkSubnetConfig `
    -Name "ExtraSubnet" `
    -AddressPrefix "10.0.3.0/24" `
    -VirtualNetwork $virtualNetwork
#Write changes
$virtualNetwork | Set-AzVirtualNetwork
Routes in VNet
Local VNet - system route for addresses inside the VNet's own address space.
On-Prem - system route to on-premises resources, where the VNet gateway is the next hop.
Internet - system route for all other traffic to the Internet; the Internet next hop is used.
Then, we add user-defined routes (UDRs) on top. A UDR with the same prefix as a system route takes precedence over it.
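As an added example (not code from the original notes), the following forces everything leaving the Duff-App subnet from the script above through an inspection appliance by overriding the system Internet route with a user-defined route. The resource group, VNet and subnet names come from the notes; the appliance address, the on-prem prefix and the NIC name used for verification are placeholders.

```powershell
# Added example: override the system Internet route for Duff-App with a UDR that sends
# 0.0.0.0/0 to a network virtual appliance (NVA). Names below match the notes' script;
# the NVA address, on-prem range and NIC name are assumed placeholders.
$rg       = "Test-NET-RG"
$location = "WestUS"
$VNETName = "SL-VNET-PShell"
$nvaIp    = "10.0.3.4"          # assumed private IP of an NVA living in ExtraSubnet
$onPrem   = "192.168.0.0/16"    # assumed on-premises address range

# Route selection is longest-prefix-match; on an equal prefix a UDR beats the system
# route. So this 0.0.0.0/0 entry replaces the system Internet route, while the more
# specific VNet-local route for 10.0.0.0/22 keeps working.
$toNva = New-AzRouteConfig -Name "Default-Via-NVA" -AddressPrefix "0.0.0.0/0" `
    -NextHopType VirtualAppliance -NextHopIpAddress $nvaIp

# Keep on-prem traffic pointed at the VNet gateway, as in the notes' On-Prem route.
$toOnPrem = New-AzRouteConfig -Name "OnPrem-Via-Gateway" -AddressPrefix $onPrem `
    -NextHopType VirtualNetworkGateway

$rt = New-AzRouteTable -Name "Duff-App-RT" -ResourceGroupName $rg -Location $location `
    -Route $toNva,$toOnPrem

# Associate the route table with the subnet; nothing changes until Set-AzVirtualNetwork.
$vnet = Get-AzVirtualNetwork -Name $VNETName -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "Duff-App" `
    -AddressPrefix "10.0.1.0/24" -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Verify from a NIC in the subnet (placeholder NIC name): the effective table should show
# the UDR as the active 0.0.0.0/0 entry and the overridden system route with State Invalid.
Get-AzEffectiveRouteTable -NetworkInterfaceName "duff-app-vm-nic" -ResourceGroupName $rg |
    Format-Table Name, Source, State, AddressPrefix, NextHopType, NextHopIpAddress
```

The last command is the check worth keeping in a runbook: it reads the routes the platform actually applies to a NIC, so a UDR that was created but never associated, or that lost to a longer system prefix, shows up immediately.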
NSGs: Network Security Groups
Can be associated with a subnet or a network interface card (but not the virtual machine itself; just the vNIC).
The direction of the flow dictates the ordering when traversing multiple NSGs. For example, if there is an NSG on the subnet and an NSG on the vNIC, the vNIC rules apply first for outbound traffic - if we block 80 on the vNIC it would never hit the NSG on the subnet. For inbound traffic the order is reversed: the subnet NSG is evaluated before the vNIC NSG.
Within each NSG, rules are evaluated in priority order, lowest number first, and the first matching rule decides (10 is a high priority rule, 400 is lower).
A flow record is created for existing connections. Communication is allowed or denied based on the connection state of the flow record. The flow record is what allows a network security group to be stateful.
Existing connections might not be interrupted when you remove a security rule that enabled the flow. Traffic flows are interrupted when connections are stopped and no traffic is flowing in either direction for at least a few minutes.
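As an added example (not code from the original notes), here is an NSG on the Duff-App subnet from the script above that lets only the web tier reach port 443, plus a NIC-level NSG on one app VM that blocks outbound 80. It shows the two points above in practice: priority 100 is matched before priority 200, and both sit ahead of Azure's default AllowVnetInBound rule at 65000; and because the NIC NSG is evaluated first for outbound traffic, its deny is final. The resource group, VNet, subnet names and prefixes are the notes'; the NIC name is a placeholder.

```powershell
# Added example: subnet NSG (allow web -> app on 443, deny the rest of the VNet) and a
# NIC NSG (deny outbound 80). Names/prefixes follow the notes' script; $nicName is assumed.
$rg       = "Test-NET-RG"
$location = "WestUS"
$VNETName = "SL-VNET-PShell"
$nicName  = "duff-app-vm-nic"   # assumed NIC of a VM sitting in Duff-App

# Subnet NSG rules. Lowest priority number is checked first and the first match wins,
# so 100 (allow) is seen before 200 (deny); both run ahead of the default rule at 65000
# that would otherwise allow all VNet-to-VNet traffic.
$allowWebTo443 = New-AzNetworkSecurityRuleConfig -Name "Allow-Web-443" -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix "10.0.0.0/24" -SourcePortRange * `
    -DestinationAddressPrefix "10.0.1.0/24" -DestinationPortRange 443
$denyVnetRest = New-AzNetworkSecurityRuleConfig -Name "Deny-VNet-Other" -Priority 200 `
    -Direction Inbound -Access Deny -Protocol * `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix "10.0.1.0/24" -DestinationPortRange *

$subnetNsg = New-AzNetworkSecurityGroup -Name "Duff-App-Subnet-NSG" -ResourceGroupName $rg `
    -Location $location -SecurityRules $allowWebTo443,$denyVnetRest

# Attach the NSG to the subnet and write the VNet back.
$vnet = Get-AzVirtualNetwork -Name $VNETName -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "Duff-App" `
    -AddressPrefix "10.0.1.0/24" -NetworkSecurityGroup $subnetNsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# NIC NSG. For outbound flows the NIC NSG is evaluated before the subnet NSG, so this
# deny is final: the subnet NSG never sees outbound port-80 traffic from this VM.
$denyOut80 = New-AzNetworkSecurityRuleConfig -Name "Deny-Out-80" -Priority 100 `
    -Direction Outbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 80
$nicNsg = New-AzNetworkSecurityGroup -Name "Duff-App-VM-NSG" -ResourceGroupName $rg `
    -Location $location -SecurityRules $denyOut80

$nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rg
$nic.NetworkSecurityGroup = $nicNsg
$nic | Set-AzNetworkInterface | Out-Null

# Verify: returns every NSG that applies to the NIC (subnet and NIC level) with all
# rules and their priorities, i.e. the combined policy the VM is actually subject to.
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nicName -ResourceGroupName $rg
```

Two caveats follow from the notes above: an allow on the NIC cannot rescue inbound traffic the subnet NSG already denied (the order is subnet first for inbound), and tightening a rule does not drop connections that already have a flow record, so a change like Deny-Out-80 only bites established sessions once they have been idle for a few minutes.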
There's a diagram function that makes your configuration easy to understand and changes easier to follow. I deployed two subnets inside a /23 and a machine in each. The diagram below is the output Azure gives me; it helps to work out how all the pieces fit together, from vNIC to external IP and the NSGs.