it’s a digital duplicate of the physical network in your office.
Azure Virtual Networking
Communication between Azure resources such as virtual machines (VMs), web applications and APIs, and databases (DBs), and between those resources and users on the internet, relies on virtual networks and virtual subnets in Azure.
Azure allows secure communication between resources, the internet, and on-premises networks.
Communication between Azure resources
By default, every resource in a virtual network can communicate outbound with the outside world. You control outbound connectivity by assigning a public IP address or by placing the resource behind a public load balancer.
An internal Standard Load Balancer on its own does not provide outbound connectivity; you also need either a public IP address on your instances or a public Load Balancer.
There are a few ways in which resources can talk to one another:
- Virtual Network: resources communicate with each other and with Azure service resources, privately or publicly
- Virtual Network Service Endpoint: the optimal route to Azure services, carried across Azure’s backbone network
- VNet Peering: connects virtual networks in the same or different Azure regions; the traffic between them stays private
Communicate with on-premises resources
There are a number of options to connect your physical network and PCs to a virtual network or Azure services.
- Point-to-site virtual private network (VPN): Single computer communication transmitted across the internet via an encrypted tunnel.
- Site-to-site VPN: An on-premises VPN device and an Azure VPN gateway are used to communicate and send data through an encrypted tunnel across the internet.
- Azure ExpressRoute: a private connection between your network and Azure. Traffic does not traverse the internet, so the communication is not encrypted; it is a private connection.
Network Traffic Management ( Route or Filter )
Routing: route tables
Propagating BGP routes from on-premises to Azure virtual networks is possible with the use of Azure VPN gateways, Azure Route Server, or Azure ExpressRoute.
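To make the routing behaviour concrete, the following is an added illustration (not Azure's own code) of how a subnet's effective route is chosen once system routes, BGP-learned routes and a user-defined route table are combined: Azure takes the matching route with the longest prefix, and on a prefix tie prefers user-defined routes over BGP routes over system routes. The VNet address space, the on-premises prefix and the firewall appliance address are constructed sample values.

```python
"""Route selection in an Azure subnet, modelled as an added illustration
(not Azure's code). Azure picks the matching route with the longest prefix;
on a prefix tie it prefers user-defined routes, then BGP-learned routes,
then system routes. Addresses below are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Tie-break order on equal prefix length: user-defined > BGP > system
ORIGIN_RANK = {"User": 0, "BGP": 1, "System": 2}

@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str            # VirtualNetwork, Internet, None, VirtualAppliance, VirtualNetworkGateway
    next_hop_ip: Optional[str]    # only meaningful for VirtualAppliance
    origin: str                   # "System", "BGP" or "User"

# System routes Azure creates for a VNet whose address space is 10.0.0.0/16 (sample VNet);
# the private ranges not covered by the VNet get next hop "None", i.e. traffic is dropped
SYSTEM_ROUTES = [
    Route("10.0.0.0/16", "VirtualNetwork", None, "System"),
    Route("0.0.0.0/0", "Internet", None, "System"),
    Route("10.0.0.0/8", "None", None, "System"),
    Route("172.16.0.0/12", "None", None, "System"),
    Route("192.168.0.0/16", "None", None, "System"),
]

# A route learned over BGP from an on-premises site (VPN gateway or ExpressRoute)
BGP_ROUTES = [Route("192.168.10.0/24", "VirtualNetworkGateway", None, "BGP")]

# A user-defined route table that forces all internet-bound traffic through a firewall appliance
USER_ROUTES = [Route("0.0.0.0/0", "VirtualAppliance", "10.0.100.4", "User")]

def select_route(routes, destination):
    """Return the effective route for `destination`, or None if nothing matches."""
    addr = ip_address(destination)
    matching = [r for r in routes if addr in ip_network(r.prefix)]
    if not matching:
        return None
    # Longest prefix first; origin rank breaks ties between routes of equal length
    return min(matching, key=lambda r: (-ip_network(r.prefix).prefixlen, ORIGIN_RANK[r.origin]))

def effective_next_hop(destination, user_routes=()):
    """Combine system, BGP and user routes and report (next hop type, next hop IP)."""
    route = select_route(SYSTEM_ROUTES + BGP_ROUTES + list(user_routes), destination)
    return (route.next_hop_type, route.next_hop_ip) if route else ("None", None)

if __name__ == "__main__":
    for dst in ["10.0.2.4", "10.50.0.1", "192.168.10.7", "93.184.216.34"]:
        print(dst, "without UDR ->", effective_next_hop(dst))
        print(dst, "with UDR    ->", effective_next_hop(dst, USER_ROUTES))
```

The last destination shows forced tunneling: the user-defined 0.0.0.0/0 route has the same prefix length as the system internet route, so it wins on origin and internet-bound traffic is steered to the appliance. The second destination shows the less obvious case of an unrouted private address, which the system "None" route silently drops.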
Filtering: network security groups
Network Security Groups
Microsoft’s Azure Network Security Groups help filter and control traffic in an Azure VNet.
Network security groups are Azure resources that hold multiple inbound and outbound security rules. Each rule permits or denies traffic based on the protocol, the source and destination ports, and the source and destination IP addresses.
5-tuple hash: source IP address, source port, destination IP address, destination port, transport protocol (OSI layers 3 and 4)
Application security groups make network security a natural extension of an application’s structure, allowing you to organize virtual machines and set network security policies based on those groups.
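The following is an added illustration (not Azure's code) of the evaluation order described above: rules are checked by priority, lowest number first, the first rule that matches the flow's 5-tuple decides, and Azure's built-in default rules (priorities 65000 to 65500, with the names Azure gives them) are consulted only after the custom rules. Service tags are approximated here by RFC 1918 prefix lists, which is an assumption (the real tags are Microsoft-maintained lists), and the rules and flows are constructed samples.

```python
"""Simplified model of how a network security group (NSG) decides a flow.
Added illustration, not Azure's code. Rules are checked in priority order
(lowest number first) and the first match wins; Azure's built-in default
rules (priorities 65000-65500) sit after the custom rules. Service tags are
approximated by CIDR lists, and the flows below are constructed samples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Approximation of service tags (assumption: the real tags are Microsoft-maintained prefix lists)
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int           # custom rules use 100-4096; lower number is evaluated first
    direction: str          # "Inbound" or "Outbound"
    access: str             # "Allow" or "Deny"
    protocol: str           # "Tcp", "Udp", "Icmp" or "*"
    source: str             # CIDR, single IP or service tag
    source_port: str        # port, "lo-hi" range or "*"
    destination: str
    destination_port: str

@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Default rules Azure attaches to every NSG (names and priorities as Azure defines them)
DEFAULT_RULES = [
    Rule("AllowVNetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVNetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]

def _match_addr(spec, addr):
    if spec == "*":
        return True
    if spec == "Internet":   # public address space: everything outside the VirtualNetwork tag
        return not _match_addr("VirtualNetwork", addr)
    return any(ip_address(addr) in ip_network(n) for n in SERVICE_TAGS.get(spec, [spec]))

def _match_port(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")          # "443" or "1024-65535"
    return int(lo) <= port <= int(hi or lo)

def _match_proto(spec, proto):
    return spec == "*" or spec.lower() == proto.lower()

def evaluate(custom_rules, flow):
    """Return (access, rule name) for the first rule that matches the flow's 5-tuple."""
    for r in sorted(list(custom_rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if r.direction != flow.direction:
            continue
        if (_match_proto(r.protocol, flow.protocol)
                and _match_addr(r.source, flow.src_ip)
                and _match_port(r.source_port, flow.src_port)
                and _match_addr(r.destination, flow.dst_ip)
                and _match_port(r.destination_port, flow.dst_port)):
            return r.access, r.name
    return "Deny", "implicit"   # not reached: the DenyAll* default rules match everything

# Sample custom rules: web traffic from the internet, SSH only from a management subnet
CUSTOM_RULES = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "443"),
    Rule("AllowSshFromMgmtSubnet", 110, "Inbound", "Allow", "Tcp", "10.0.1.0/24", "*", "*", "22"),
]

if __name__ == "__main__":
    samples = [
        Flow("Inbound", "Tcp", "203.0.113.7", 51000, "10.0.2.4", 443),    # web from the internet
        Flow("Inbound", "Tcp", "203.0.113.7", 51001, "10.0.2.4", 22),     # SSH from the internet
        Flow("Inbound", "Tcp", "10.0.1.10", 40000, "10.0.2.4", 22),       # SSH from the mgmt subnet
        Flow("Inbound", "Tcp", "10.0.3.9", 40000, "10.0.2.4", 3389),      # RDP from inside the VNet
        Flow("Outbound", "Tcp", "10.0.2.4", 50000, "93.184.216.34", 443), # VM calling out
    ]
    for f in samples:
        print(f"{f.direction:8} {f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port}", evaluate(CUSTOM_RULES, f))
```

The fourth sample is the one worth noticing when reviewing an NSG: RDP from another subnet in the VNet is allowed by the default AllowVNetInBound rule even though no custom rule mentions it, so restricting lateral traffic needs an explicit deny at a lower priority number than 65000.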
Azure DNS ( Hosting Services )
Azure DNS is a Domain Name System (DNS) hosting service that uses Microsoft’s Azure platform for name resolution (a service name to an IP address).
Azure DNS Private Zones :
When deploying to Azure, you can use your own domain name instead of the Azure-issued names by creating a private DNS zone.
Azure DNS Private Resolver
Resolve and conditionally redirect DNS queries from a virtual network to on-premises DNS servers and other destination DNS servers without having to design and operate a custom DNS solution.
Azure Load Balancer
The term “load balancing” describes distributing a large volume of incoming network traffic across several servers or other back-end resources (the backend pool instances).
Azure Load Balancer works at OSI’s Transport layer (layer 4) and distributes inbound flows to backend pool instances.
- Public Load Balancers: distribute internet traffic and translate private IP addresses to public ones
- An internal (or private) load balancer: utilized to distribute the load within a virtual network; the front end can be accessed from an on-premises network in a hybrid setup.
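As an added illustration (not Azure's code) of how a layer-4 load balancer turns the 5-tuple into a backend choice, the block below hashes the flow tuple onto the healthy members of a backend pool. The three mode names are the values Azure Load Balancer accepts for its distribution mode (Default, SourceIP, SourceIPProtocol); the hash function itself is not public, so SHA-256 stands in, and the pool addresses and client flows are constructed samples.

```python
"""Flow-to-backend distribution modelled on Azure Load Balancer's hash-based
modes. Added illustration, not Azure's code: the real hash is not public, so
SHA-256 over the tuple stands in. Backends and flows are constructed samples."""
import hashlib

# Distribution modes: the default 5-tuple hash, or session persistence on
# client IP (2-tuple) or client IP and protocol (3-tuple).
MODES = {
    "Default":          lambda f: (f["src_ip"], f["src_port"], f["dst_ip"], f["dst_port"], f["proto"]),
    "SourceIP":         lambda f: (f["src_ip"], f["dst_ip"]),
    "SourceIPProtocol": lambda f: (f["src_ip"], f["dst_ip"], f["proto"]),
}

def pick_backend(flow, backends, healthy, mode="Default"):
    """Hash the flow tuple for `mode` onto the backends that currently pass the health probe."""
    pool = [b for b in backends if b in healthy]
    if not pool:
        raise RuntimeError("no healthy backend instances")
    key = "|".join(str(x) for x in MODES[mode](flow)).encode()
    digest = hashlib.sha256(key).digest()
    # Same tuple -> same backend for as long as the healthy pool does not change
    return pool[int.from_bytes(digest[:8], "big") % len(pool)]

def backends_used(backends, healthy, mode, src_ip="203.0.113.7", ports=range(40000, 40200)):
    """Backends one client reaches when it opens many connections from different source ports."""
    return {
        pick_backend({"src_ip": src_ip, "src_port": p, "dst_ip": "20.0.0.10",
                      "dst_port": 443, "proto": "Tcp"}, backends, healthy, mode)
        for p in ports
    }

if __name__ == "__main__":
    pool = ["10.0.1.4", "10.0.1.5", "10.0.1.6"]
    print("5-tuple spreads one client:  ", backends_used(pool, set(pool), "Default"))
    print("client IP affinity pins it:  ", backends_used(pool, set(pool), "SourceIP"))
    print("probe failure removes a node:", backends_used(pool, {"10.0.1.4", "10.0.1.6"}, "Default"))
```

Run stand-alone, the first line shows one client's connections spread over the pool, the second shows SourceIP affinity keeping them on a single instance (the setting to pick when the application keeps per-client state on the server), and the third shows that a failed health probe removes an instance from the hash space, which also remaps some existing flows.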
Azure Front Door optimises end-user performance and reliability at a global scale with fast global failover.
Use Application Gateway when you need to load balance across servers within a region at the application layer.
Azure Application Gateway
Azure Application Gateway balances web traffic to your web apps. Routing decisions can be based on the URI path or host headers. It guards against SQL injection, cross-site scripting and other common web attacks.
Azure Application Gateway works at OSI’s Application layer.
Azure Content Delivery Network
A content delivery network (CDN) is a collection of servers spread across multiple locations that work together to deliver web content to users. By caching content on edge servers physically close to end users, a CDN reduces latency and speeds up delivery.
Azure Firewall
Azure Firewall is a cloud-native and intelligent network firewall security service that provides the most advanced threat protection for your cloud workloads that are running in Azure.
Azure Firewall was built from the ground up to work in the cloud. It is an entirely stateful firewall as a service that has built-in high availability and unlimited cloud scalability.
Azure Firewall lets you build and enforce application and network rule sets. Azure Monitor provides log collection and analysis for Azure Firewall.
Advanced features:
- Traffic inspection, filtering and monitoring for your Azure networks
- Filtering at network layer 3, transport layer 4 and application layer 7, with threat intelligence fed directly from Microsoft Cyber Security
- Availability, scalability, threat intelligence, Network Address Translation (NAT), forced tunneling, tagging and categorization
Azure Firewall Manager
Use Azure Firewall Manager to manage Azure Firewalls across various subscriptions. Firewall Manager uses a firewall policy to apply a consistent set of network/application rules to firewalls in your tenant.
Firewall Manager supports firewalls in both VNet and Virtual WAN (Secured Virtual Hub) environments.