4. Azure Networking Fundamentals


Before beginning with Azure networking concepts, one should have a basic understanding of the networking terms that are used as networking parameters.

This article covers some of the fundamental terms of networking that are most widely used in Azure. Below are the topics that we are going to cover:

  • Virtual Network (VNET)
  • Subnet
  • IP Addressing
  • Private IP
  • Public IP
  • Network Security Group (NSG)
  • Internet Gateway
  • Azure Peering
  • Virtual Private Network (VPN)
  • Network Address Translation (NAT)

1. Virtual Network (VNET)

An Azure Virtual Network (VNet) is a representation of your own network in the cloud. It is a logical isolation of the Azure cloud dedicated to your subscription.
  • Traffic cannot enter your virtual network or leave it unless you enable a gateway or peering on that virtual network.

  • External traffic is only allowed once you create a gateway for your virtual network. A gateway can be used to enable access to other Azure resources, to the internet, or to an external (on-premises) network.


2. Subnet

A subnetwork or subnet is a logical subdivision of an IP network. The practice of dividing a network into two or more networks is called subnetting. Computers that belong to a subnet are addressed with an identical most-significant bit-group in their IP addresses.


  • There are two types of subnets in a VNet: a gateway subnet and a virtual machine-hosting subnet. A hosting subnet is further classified as a private subnet or a public subnet.
  • A gateway subnet is used when configuring a VPN (Virtual Private Network) connection between two or more networks.
  • A private subnet contains only private IP addresses, and no external network is allowed into it.
  • A public subnet is publicly accessible: it contains a public IP or a gateway that allows external traffic to reach the resources inside the subnet.




3. IP Addressing

An Internet Protocol address (IP address) is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing.

  • IPv4 and IPv6 are two different versions of IP addressing; an IPv4 address consists of four octets and an IPv6 address consists of 6 octets to define a particular IP address.
  • Generally, IPv4 is widely used for traditional workloads because IPv6 was introduced later; when the IPv4 address space is exhausted, IPv6 will be used.
  • IPv6 is used for IoT-based projects and others, while IPv4 is much more popular, so a good understanding of IPv4 addressing is required to step into Azure.
  • An IPv4 address has four octets, separated from each other by ‘.’ (dot).
  • Each octet has 8 binary bits and is represented in decimal format.
  • IP addresses are further divided into five classes: Class A, Class B, Class C, Class D and Class E.
  • Class A IP addresses are more specifically used as public IP addresses, whereas Class B and Class C are used as private IP addresses.
  • As suggested earlier in this article, subnetting is the further division of a classful IP address range into classless IP address ranges.
  • The table below specifies how subnetting is calculated and how it is denoted.


4. Private IP Address

A private IP address is a non-Internet facing IP address on an internal network. Private IP addresses are provided by network devices, such as routers, using network address translation (NAT).

  • The Internet Assigned Numbers Authority (IANA) reserves the following IP address blocks for use as private IP addresses:
    • 10.0.0.0 to 10.255.255.255
    • 172.16.0.0 to 172.31.255.255
    • 192.168.0.0 to 192.168.255.255
  • Why are private IP addresses used?
    • Instead of having every device inside a home or business network use a public IP address, of which there is a limited supply, private IP addresses provide an entirely separate set of addresses that still allow access on a network without taking up public IP address space.

5. Public IP Address

A public IP address is an IP address that can be accessed over the Internet. Like a postal address used to deliver mail to your home, a public IP address is the globally unique IP address assigned to a computing device. You can find your public IP address by searching ‘show my IP address’ on Google.

  • Public IP addresses are globally unique IP addresses assigned specifically to our resource. They are first assigned dynamically; if we want the IP reserved for us, we can change it to static.
  • This IP is charged for even if we don’t use it, that is, when it is reserved but not assigned to any device.

6. Network Security Group (NSG)

A network security group (NSG) is a networking filter (firewall) containing a list of security rules allowing or denying network traffic to resources connected to Azure VNets. These rules can manage both inbound and outbound traffic.
  • NSG rules are the mechanism defining the traffic the administrator wants to control. All NSGs have a set of default rules. These default rules cannot be deleted, but since they have the lowest possible priority, they can be overridden by the rules that you create. The lower the priority number, the earlier the rule is evaluated and the sooner it takes precedence.
  • Understanding the effective rules of NSGs is critical. Security rules are applied to traffic by priority in each NSG, in the following order:
  • Inbound Traffic:
    • NSG applied to subnet: If a subnet NSG has a matching rule to deny traffic, the packet is dropped.
    • NSG applied to NIC: If VM\NIC NSG has a matching rule that denies traffic, packets are dropped at the VM\NIC, even if a subnet NSG has a matching rule that allows traffic.
  • Outbound Traffic:
    • NSG applied to NIC: If a VM\NIC NSG has a matching rule that denies traffic, packets are dropped.
    • NSG applied to subnet: If a subnet NSG has a matching rule that denies traffic, packets are dropped, even if a VM\NIC NSG has a matching rule that allows traffic.
  • Below is an example image, which shows the parameters for enabling inbound NSG rules:
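As an added example (not code from the original post), the following Python models the evaluation order just described: rules sorted by priority within each NSG, Azure's non-deletable default rules appended at the lowest precedence, the subnet NSG evaluated before the NIC NSG for inbound traffic and the reverse for outbound, and a Deny at either level dropping the packet. The rule sets and addresses are constructed for illustration; the VirtualNetwork and AzureLoadBalancer default rules are omitted and the Internet service tag is approximated as any address.

```python
from collections import namedtuple
import ipaddress

# priority: lower number is evaluated first (Azure defaults sit at 65000+).
# remote: source prefix for inbound rules, destination prefix for outbound rules.
# port: destination port, a "lo-hi" range, or "*"; protocol: "Tcp", "Udp" or "*".
Rule = namedtuple("Rule", "name priority direction access protocol remote port")
Flow = namedtuple("Flow", "direction protocol remote_ip port")

# Azure default rules (cannot be deleted). Simplification: the VirtualNetwork and
# AzureLoadBalancer defaults are omitted and the Internet tag is treated as "*".
DEFAULTS = [
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*"),
]

def _matches(r, f):
    """True if rule r covers flow f on direction, protocol, remote prefix and port."""
    lo, _, hi = r.port.partition("-")
    return (r.direction == f.direction and r.protocol in ("*", f.protocol)
            and (r.remote == "*" or ipaddress.ip_address(f.remote_ip)
                 in ipaddress.ip_network(r.remote))
            and (r.port == "*" or int(lo) <= f.port <= int(hi or lo)))

def first_match(rules, flow):
    """Highest-precedence matching rule (lowest number wins); a default always matches."""
    return next(r for r in sorted(rules + DEFAULTS, key=lambda r: r.priority)
                if _matches(r, flow))

def effective_access(subnet_rules, nic_rules, flow):
    """Apply subnet NSG then NIC NSG for inbound, NIC NSG then subnet NSG for
    outbound. A Deny at either level drops the packet; both must Allow."""
    order = [("subnet", subnet_rules), ("nic", nic_rules)]
    if flow.direction == "Outbound":
        order.reverse()
    trail = []  # which rule decided at each level, for audit output
    for level, rules in order:
        r = first_match(rules, flow)
        trail.append(f"{level}:{r.name}")
        if r.access == "Deny":
            return "Deny", trail
    return "Allow", trail

# Constructed sample NSGs (not from the post): the subnet NSG opens RDP to any
# source, the NIC NSG only allows RDP from a corporate range (RFC 5737 address).
SUBNET_NSG = [Rule("AllowRDPFromAny", 100, "Inbound", "Allow", "Tcp", "*", "3389"),
              Rule("DenyOutToOnPrem", 200, "Outbound", "Deny", "*", "192.168.0.0/16", "*")]
NIC_NSG = [Rule("AllowRDPFromCorp", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "3389")]
```

Calling effective_access(SUBNET_NSG, NIC_NSG, Flow("Inbound", "Tcp", "198.51.100.7", 3389)) returns a Deny decided by the NIC default rule even though the subnet NSG allowed the packet, which is exactly the case the ordering above describes.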



7. Internet Gateway

An Internet gateway is a network "node" that connects two different networks that use different protocols (rules) for communicating. In the most basic terms, an Internet gateway is where data stops on its way to or from other networks. Thanks to gateways, we can communicate and send data back and forth with each other.

If your Internet gateway is a computer server, which is more likely in an office or business situation, it acts as a firewall and a proxy server. A firewall, as discussed earlier, keeps unwanted traffic and outside computers out of a private network. A proxy server makes sure that the actual server can handle your online data requests.

Below is the icon which represents internet gateway in Azure:



8. Azure VNET Peering

VNet peering is a mechanism that connects two virtual networks (VNets) in the same region through the Azure backbone network.

Virtual network peering enables you to seamlessly connect Azure virtual networks. Once peered, the virtual networks appear as one, for connectivity purposes. The traffic between virtual machines in the peered virtual networks is routed through the Microsoft backbone infrastructure, much like traffic is routed between virtual machines in the same virtual network, through private IP addresses only.


  • Azure supports:
    • VNet peering - connecting VNets within the same Azure region
    • Global VNet peering - connecting VNets across Azure regions
  • The benefits of using virtual network peering, whether local or global, include:
    • Network traffic between peered virtual networks is private. Traffic between the virtual networks is kept on the Microsoft backbone network. No public Internet, gateways, or encryption is required in the communication between the virtual networks.
    • A low-latency, high-bandwidth connection between resources in different virtual networks.
    • The ability for resources in one virtual network to communicate with resources in a different virtual network, once the virtual networks are peered.
    • The ability to transfer data across Azure subscriptions, deployment models, and across Azure regions.
    • The ability to peer virtual networks created through the Azure Resource Manager or to peer one virtual network created through Resource Manager to a virtual network created through the classic deployment model. To learn more about Azure deployment models, see Understand Azure deployment models.
    • No downtime to resources in either virtual network when creating the peering, or after the peering is created.

9. Virtual Private Network (VPN)

A virtual private network (VPN) is programming that creates a safe and encrypted connection over a less secure network, such as the public internet. A VPN works by using the shared public infrastructure while maintaining privacy through security procedures and tunneling protocols.

Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the internet, and on-premises networks. VNet is similar to a traditional network that you'd operate in your own data center, but brings with it additional benefits of Azure's infrastructure such as scale, availability, and isolation.


Best practices:

As you build your network in Azure, it is important to keep in mind the following universal design principles.

  • Ensure non-overlapping address spaces. Make sure your VNet address space (CIDR block) does not overlap with your organization's other network ranges.
  • Your subnets should not cover the entire address space of the VNet. Plan ahead and reserve some address space for the future.
  • It is recommended you have fewer large VNets rather than multiple small VNets. This will prevent management overhead.
  • Secure your VNet using Network Security Groups (NSGs).

Communication with on-premises resources (types of VPN):

  • Point-to-site virtual private network (VPN): Established between a virtual network and a single computer in your network. Each computer that wants to establish connectivity with a virtual network must configure its connection. This connection type is great if you're just getting started with Azure, or for developers, because it requires little or no changes to your existing network. The communication between your computer and a virtual network is sent through an encrypted tunnel over the internet. To learn more, see Point-to-site VPN.
  • Site-to-site VPN: Established between your on-premises VPN device and an Azure VPN Gateway that is deployed in a virtual network. This connection type enables any on-premises resource that you authorize to access a virtual network. The communication between your on-premises VPN device and an Azure VPN gateway is sent through an encrypted tunnel over the internet. To learn more, see Site-to-site VPN.
  • Azure ExpressRoute: Established between your network and Azure, through an ExpressRoute partner. This connection is private. Traffic does not go over the internet. To learn more, see ExpressRoute.
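As an added example (not code from the original post), the following Python turns the subnetting section, the three IANA private ranges and the address-planning best practices above into checks: classless subnet arithmetic for a CIDR, membership in the private blocks, detection of a VNet address space that overlaps another range, and the part of a VNet left unallocated after the planned subnets are carved out. The VNet, subnets and other ranges are constructed for illustration; the five addresses Azure reserves in every subnet are accounted for in the comment.

```python
import ipaddress

# RFC 1918 private blocks as reserved by IANA (the three ranges listed earlier).
PRIVATE_BLOCKS = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def describe_subnet(cidr):
    """Classless subnet arithmetic for a CIDR such as 10.1.255.0/27."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "prefixlen": net.prefixlen,
        "usable_hosts": max(net.num_addresses - 2, 0),
        # Azure reserves 5 addresses per subnet (network, gateway, 2 DNS, broadcast).
        "azure_usable_hosts": max(net.num_addresses - 5, 0),
    }

def is_private(addr):
    """True if addr lies in one of the IANA private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)

def find_overlaps(vnet_cidr, other_ranges):
    """Ranges overlapping the VNet address space; a non-empty result breaks the
    non-overlapping rule and makes peering or VPN routing ambiguous."""
    vnet = ipaddress.ip_network(vnet_cidr)
    return [r for r in other_ranges if vnet.overlaps(ipaddress.ip_network(r))]

def unreserved_space(vnet_cidr, subnets):
    """CIDR blocks of the VNet not yet carved into subnets (space kept for later)."""
    free = [ipaddress.ip_network(vnet_cidr)]
    for cidr in subnets:
        sub = ipaddress.ip_network(cidr)
        nxt = []
        for block in free:
            nxt.extend(block.address_exclude(sub) if sub.subnet_of(block) else [block])
        free = nxt
    return sorted(str(n) for n in free)

# Constructed sample values (not from the post) to exercise the checks.
VNET_CIDR = "10.1.0.0/16"
PLANNED_SUBNETS = ["10.1.0.0/24", "10.1.1.0/24", "10.1.255.0/27"]
OTHER_RANGES = ["10.0.0.0/16", "10.1.64.0/20", "192.168.10.0/24"]
```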

10. Network address translation

Network address translation (NAT) is a method of remapping one IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was originally used as a shortcut to avoid the need to readdress every host when a network was moved. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network.
