Introduction
In this article we will understand the basic of Azure VNet. What is the purpose and why do we need it.
Scenario
Before diving into the core concept first lets try to understand what are the different connectivity we use during work, also how differently our application/resources connect to each other for secure communication.
1. Working from Home to connect Office Network.
2. Connecting to Azure Resources
3. Azure Resources communication to each Other.
4. Connecting on-premise private Network to Cloud Network
5. Connecting to On Premise Network and then Azure Network
6. Azure Service Communication to the Internet
Azure VNet
Azure VNet provides option to create private network which further helps to establish secure communication from any Azure Resource to Internet, on premise Network and between different Azure Resource.
Communication Types
1. Communication with Internet
By default all the resource under the VNet can Outbound to the Internet but no inbound access to the Azure Resource. Outbound meaning the Azure Resource can send the Request to the Internet and get the response.
You can inbound to the Azure Resource after assigning the Public IP or Configuring the Load Balancer. Inbound access meaning the Azure resource can accept the request and send the Response from Internet.
Further with the help of VNet we can control all the request coming or outgoing with Azure Resources.
Options to enable the Azure Resource communication to Internet
Load Balancer
Public IP Address
2. Azure Resources Communication to each other
If you are working with Azure Resources then it might be required that azure resources will be communicating to each other. Now lets discuss what are the different option we have to achieve the communication between azure resources.
2.1 Communicate through Virtual network
If we want azure resources to communication to each other. We can deploy and create Azure resources under the single Virtual Network which enable the communication within the azure resources.
We have list of Azure services can be deployed under the Virtual Network. AzureResourcesList
2.2 Through a Virtual Network Service Endpoint
Assume we have Azure Services like Azure Database, Azure Storage Account and we do not want to expose them over the Internet. In this case how we can secure communication.
Service Endpoint allow the communication to the Azure service resources privately through Virtual Network.
Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
2.3 VNet Peering
Assume if you have Azure resources created under the different VNet and you want to enable the communication between azure resources which exist in the different VNet. In this case with the help of VNet peering we can enable the communication.
3. How to Communicate with on-premises resources
This is common for every working professional where at some point you might need to connect to your On Premise Network. Sometime we need to connect to Azure Network from our system/on premise Network.
Now Lets discuss the different option available to achieve this.
3.1 Point to Site Virtual Private Network (VPN)
This is very common for every working professional. When we try to access on premise Virtual Machine/ Application, in that case either computer should be in office network or connect to VPN.
Point to Site Virtual Private Network helps to establish connection between Virtual Network and single computer. The communication between your computer and a virtual network is sent through an encrypted tunnel over the internet.
3.2 Site-to-site VPN
Assume if you want to enable the communication with on premise network to Virtual Network then we use Site-to-Site VPN. This communication established through the on-premises VPN device and an Azure VPN Gateway that is deployed in a virtual network.
The communication between your on-premises VPN device and an Azure VPN gateway is sent through an encrypted tunnel over the internet.
3.3 Azure ExpressRoute
Since the other options are available where communication happening over the internet. Assume you want to make the private communication from on premise network to Azure. In this case we have ExpressRoute Option.
ExpressRoute helps to create private connection which further Establish communication between your network and Azure.
Filter network traffic
This option helps to filter the network traffic between subnets. To achieve this we have two option.
Network security groups:
NSG helps to apply traffic filter for all the incoming and outgoing traffic using the Inbound and Outbound security rule, with the help of source and destination IP address, port, and protocol.
Network Virtual Appliance:
Network Virtual Appliance is VM that perform a network function such as Firewall, inbound outbound rule.
Route network traffic
By Default Azure can route the traffic to subnets, connected network, on premise and on internet.
Now lets discuss how we can override the default and create custom Route which further can help to route the traffic.
We have below to options to route the traffic.
1. Route tables:
Azure provide option to write custom route table for incoming traffic and through which traffic will be routed to for each subnet. More Info: route tables.
