Understanding Azure Virtual Networks | InfoWorld

In the old days, when virtualization was new, virtual networks were a simple connection between virtual servers and occasional network appliances. But now the situation is different. Creating and managing a virtual network is part of operating a virtual infrastructure and is similar to managing a physical network.

This is even more true if you create a hybrid environment that spans your on-premises systems and your cloud infrastructure. As a result, you have to manage a network that mixes your own physical and virtual systems with your cloud provider’s system, while increasing the complexity of direct VPN or MPLS (Multiprotocol Label Switching) connections to link your site to the cloud. .. .. It’s not easy, but a big cloud like Azure provides tools to help you.

Overview of Azure Virtual Network

At the heart of Azure infrastructure and Azure Virtual Network (VNet) PaaS models A managed VLAN that connects resources to Azure and provides a secure partition to maintain network traffic within the tenant without leaking network traffic to other users who can use the same physical server. Azure Virtual Networks does not need to connect to your on-premises network. You can use VLANs to create and manage cloud native infrastructure and resources. You can then use Azure’s private network to manage transits and links between different Azure regions without using the public internet.

As part of Azure Virtual Networks, you can deploy virtual appliance implementations of popular network hardware and treat VLANs as software-defined networks built on Azure’s own routing and switching services. At the same time, it is a gateway to the tools built into Azure Application Gateway and Azure Bastion, connecting your application network to the public Internet for direct access or geographic routing through network tools such as Web application firewalls and managed load balancers. To bring. Traffic to the nearest instance of the application and traffic to your own network. This protects the access of authorized users.

Each Azure virtual network has outbound access to the Internet, just like any other firewall router. Resources initially have private addresses, and external IP addresses are managed through a load balancer. Internally, virtual networks can host not only virtual machines, but also specific Azure resources such as Azure Kubernetes Service. Other resources are accessed through service endpoints that connect the resources to the network and prevent other users from accessing them, thereby locking out access to the virtual network. If you have multiple virtual network hosting infrastructures or resources to share, you can configure virtual network peering to allow cross-network operations (and cross-region operations where the virtual networks are in different Azure regions).

Build and deploy the first virtual network

How do I create and manage my network in Azure? Virtual networks are created as Azure resources and managed as part of a resource group. You can use any Azure management tool to build and deploy your network using familiar concepts and tools.

More fundamentally Building an Azure Virtual Network Very similar to working on a standard private network using RFC1918 addresses. You can choose your own subnets as needed and use them to segment your address space and manage individual VLANs and security groups within your virtual network. If you are using Azure VNet as an extension for your own on-premises network, you need to make sure that there are no duplicate address ranges. It’s probably a good idea to start with this assumption. Even if you don’t plan on creating a hybrid cloud instance first, changing the IP address during final creation can be a complex process.

Once you have configured your home network, you can add virtual machines and other resources. It is important to understand that this is a software-defined virtual network. There is no relationship between where the virtual machine is instantiated in the network and the behavior of the network. As far as you are concerned, the two machines are on the same network. The underlying network structure of Azure manages the actual network.

Adding Virtual Appliances and Services to Your Virtual Network

When creating a resource, all you need to do is select the virtual network and subnet you want to use. Then Azure will configure and manage the connection. If you are using virtual machines, it is easy to test that your network is up. On Windows, you can use PowerShell to connect and ping another host on the virtual network. The same is true for Linux, using bash.

Building your first network from the Azure portal is easy, but if you’re working at scale and your application uses software-defined infrastructure, use the Azure Resource Manager template to configure and deploy your network. It is recommended to do so. ARM has the tools you need to define network names, address spaces, subnets, and more. Models can be stored in application repositories and deployed through a continuous integration / continuous delivery (CI / CD) platform.

You can now use Microsoft’s New Bisp infrastructure definition language Create ARM Template. Other tools such as Terraform or Pulumi You also have the option of working directly with the API to build and manage your Azure network. You can choose the one that works best for you and your development team.

Azure software-defined networking tools

Once your network is established, you can take advantage of Azure’s software-defined networking capabilities to add filters that use Azure Network Security Groups to lock down access to specific servers. For example, you can define a rule that ensures that only SSL traffic is sent to the application web server. Likewise, you can create a custom route. It overrides Azure’s default routing, deploys the VM as a network appliance, and maintains the application’s own routing table. You need to create an Azure route that connects the subnet traffic to your virtual appliance. At this point, your own routing will take over.

A remote connection is required for hybrid operation. Here, you can use a point-to-point VPN to control access by restricting VPN access to specific internal computers. This approach manages access to live cloud native applications and provides access to engineers and support staff. Likewise, site-to-site VPNs open virtual networks to all internal resources and extend your data center to Azure. The reverse is also true. A physical connection through ExpressRoute works much like a site-to-site VPN, connecting local and cloud resources.

Azure virtual networks are free for internal traffic, but adding certain services to your network adds charges based on resources and usage. First, select the RFC1918 IPv4 address space and netmask for all networks. Then use a higher netmask to create the first subnet with a service similar to the following: Azure fortress To manage access to the Azure server and front door. It provides a secure set of external IP addresses, load balancers, and firewalls.

It is an essential basic Azure service for building, deploying, and managing cloud native applications. Azure Virtual Network is a way to link services to Azure, providing links to the internet on premises and at large. It also serves as an overview of essential concepts when building private and hybrid clouds using software-defined networks or Azure Stack HCI or Azure Arc.

Copyright © 2021 IDG Communications, Inc.