The document provides an overview of Azure networking concepts including:
- Virtual networks and subnets that logically separate Azure resources
- Public and private IP addresses and how they are used
- Common networking devices like load balancers, application gateways, and firewalls
- Connectivity options between on-premises and Azure networks like ExpressRoute, VPN Gateway, and VNet peering
- Network security features like network security groups, application security groups and Azure Firewall
The document outlines the key networking services and configurations available in Azure, focusing on logical isolation of resources, secure connectivity, traffic management and security controls. It summarizes the main components involved in architecting and securing network infrastructure on Azure.
3. Agenda
3/8/2023 3
1) Virtual Networks (Vnets) & Subnet
2) Public IP Vs Private IP
3) Static IP vs Dynamic IP
4) Route Table & Rules of Route
5) Network Security Group (NSG)
6) Ingress & Egress Security Rules
7) Service Endpoint
8) Application Security Group (ASG)
9) Azure Firewall
10) Azure Firewall Manager
11) NAT Gateway
12) Azure DNS
13) Azure Load Balancer
14) Application Gateway
15) Bastion Host
16) Azure Traffic manager
17) Express Route
18) VPN Gateway
19) Local Network Gateway
20) Vnet Peering
4. What is IP?
• IP stands for Internet Protocol.
• IP works something like the postal system: it lets you address a packet and drop it into the system, but there is no direct link between you and the recipient.
• TCP/IP, on the other hand, establishes a connection between two hosts so that they can send data to the destination and reply back to the source.
5. Properties of IP Address
• A 32-bit binary number
• Represented in the decimal number system
• The 32 bits are divided into four equal parts
• Each part contains 8 binary bits and is known as an octet; octets are separated by a dot (.)
• Known as a logical address
• Example:
  Decimal  192.168.0.1
  Binary   11000000.10101000.00000000.00000001
7. Class in IP address
The values of the first octet, ranging from 0 to 255, are divided into five groups known as classes.
Class   Binary (minimum - maximum)   Decimal (minimum - maximum)
A       00000000 - 01111111          0 (1) - 127*
B       10000000 - 10111111          128 - 191
C       11000000 - 11011111          192 - 223
D       11100000 - 11101111          224 - 239
E       11110000 - 11111111          240 - 255
* IP addresses starting with 127 are known as loopback addresses.
9. Network bit and host bit
The 32 bits of an IP address are divided into two parts, known as the network bits and the host bits. The left-side bits of an IP address are the network bits and the right-side bits are the host bits.
Class   Network bits   Host bits   Format
A       8              24          N.H.H.H
B       16             16          N.N.H.H
C       24             8           N.N.N.H
10. Virtual Networks (VNets)
Azure Virtual Network is the logical boundary of a private network in Azure. Azure resources can securely connect to the Internet or to on-premises networks through a VNet.
Virtual Subnets
With subnets we can divide a virtual network into multiple networks and assign VMs, NICs and other resources to them as per requirements.
12. Public VS Private IP address
Public IP address:
A public IP address is assigned to a device to allow direct access over the Internet. A web server, email server or any server device directly accessible from the Internet is a candidate for a public IP address. A public IP address is globally unique and can only be assigned to a single device. Public IP addresses are internationally routable and saleable.
13. Public VS Private IP address
Private IP address:
A private IP address is address space allocated to a NIC to allow organizations to create their own private network. The computers, tablets and smartphones in your home, and the personal computers within an organization, are usually assigned private IP addresses. A network printer in your home or office is assigned a private address so that only your local users can print to it. Private IP addresses are not publicly routable and not saleable.
14. Range of Private IP addresses
Class   Starting IP    Ending IP          # of hosts
A       10.0.0.0       10.255.255.255     16,777,216
B       172.16.0.0     172.31.255.255     1,048,576
C       192.168.0.0    192.168.255.255    65,536
All the rest are public IP addresses.
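The IP address properties, class table, network/host split and private ranges from the slides above, worked through in code. This is an added example, not part of the original deck; the helper names and the RFC 1918 ranges used for the private check are the author's assumptions.

```python
import ipaddress

# Private ranges from the "Range of Private IP addresses" slide.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Leading bits of the first octet define the class, as in the class table.
CLASS_PREFIXES = (("0", "A"), ("10", "B"), ("110", "C"), ("1110", "D"), ("1111", "E"))
CLASSFUL_NETWORK_BITS = {"A": 8, "B": 16, "C": 24}  # N.H.H.H, N.N.H.H, N.N.N.H

def to_binary(address: str) -> str:
    """Dotted binary form, e.g. 192.168.0.1 -> 11000000.10101000.00000000.00000001"""
    return ".".join(f"{int(o):08b}" for o in address.split("."))

def ip_class(address: str) -> str:
    """Classify by the leading bits of the first octet."""
    first_octet = f"{int(address.split('.')[0]):08b}"
    for prefix, cls in CLASS_PREFIXES:
        if first_octet.startswith(prefix):
            return cls

def classful_split(address: str):
    """(network_bits, host_bits) for classes A-C; classes D and E have no host part."""
    n = CLASSFUL_NETWORK_BITS.get(ip_class(address))
    return None if n is None else (n, 32 - n)

def describe(address: str) -> dict:
    """Summarise everything the slides say about one address."""
    ip = ipaddress.IPv4Address(address)  # rejects IPv6 and malformed input
    private = any(ip in net for net in PRIVATE_RANGES)
    loopback = int(address.split(".")[0]) == 127  # per the class-table footnote
    return {"binary": to_binary(address), "class": ip_class(address),
            "split": classful_split(address), "private": private,
            "loopback": loopback, "public": not (private or loopback)}
```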
15. Static VS Dynamic IP address
Static IP address:
A static IP address is permanently assigned to a device by the administrator and does not change even if the device reboots. A static IP address is usually assigned to a server that hosts websites or provides email, database or FTP services.
16. Static VS Dynamic IP address
Dynamic IP address:
A dynamic IP address is assigned to a device by a DHCP server. Each time the device reboots, the DHCP server assigns it an IP address using the DHCP protocol, so the device may not always receive the same IP address.
18. Network Security Group (NSG)
You can use an Azure network security group to filter network traffic between Azure
resources in an Azure virtual network. A network security group contains security rules
that allow or deny inbound network traffic to, or outbound network traffic from, several
types of Azure resources. For each rule, you can specify source and destination, port, and
protocol.
20. Service Endpoint
Virtual Network (VNet) service endpoint policies allow you to filter egress virtual network traffic to Azure Storage accounts over a service endpoint, limiting data exfiltration to only specific Azure Storage accounts. Endpoint policies provide granular access control for virtual network traffic to Azure Storage when connecting over a service endpoint.
21. Application Security Group (ASG)
Application security groups enable you to configure network security as a natural
extension of an application's structure, allowing you to group virtual machines and
define network security policies based on those groups. You can reuse your security
policy at scale without manual maintenance of explicit IP addresses. The platform
handles the complexity of explicit IP addresses and multiple rule sets, allowing you
to focus on your business logic.
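A simulation of how the NSG rules from slide 18 are evaluated, with sources and destinations expressed as application security groups as described on slide 21. This is an added example, not the deck's or Azure's own code; the VNet address space, the ASG membership, the simplified default rules and the sample policy are all constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Fields: name, priority (custom rules 100-4096, lower number wins), access
# ("Allow"/"Deny"), protocol ("Tcp"/"Udp"/"*"), source and dest (CIDR, "*"
# or an ASG name), dest_port (single port, "lo-hi" range or "*").
Rule = namedtuple("Rule", "name priority access protocol source dest dest_port")

# Constructed ASG membership: NICs are tagged, rules refer to the tag name.
ASGS = {"asg-web": {"10.0.1.4", "10.0.1.5"}, "asg-db": {"10.0.2.4"}}
VNET = "10.0.0.0/16"  # constructed address space standing in for the VirtualNetwork tag

def _addr_match(spec, ip):
    if spec == "*":
        return True
    if spec in ASGS:
        return ip in ASGS[spec]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

# Azure's default inbound rules (simplified): VNet-to-VNet allowed at 65000,
# everything else denied at 65500. Custom rules always sort before them.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", VNET, VNET, "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
]

def evaluate_inbound(rules, src_ip, dst_ip, protocol, dst_port):
    """Return (access, rule_name) from the first rule that matches, checked
    in ascending priority order; DenyAllInBound guarantees a result."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol) and _addr_match(r.source, src_ip)
                and _addr_match(r.dest, dst_ip) and _port_match(r.dest_port, dst_port)):
            return r.access, r.name

# Constructed policy: Internet may reach the web tier on 443 only, the web
# tier may reach the DB tier on 1433, and an explicit deny at priority 300
# stops the default AllowVnetInBound from exposing the DB to the whole VNet.
RULES = [
    Rule("allow-https-to-web", 100, "Allow", "Tcp", "*", "asg-web", "443"),
    Rule("allow-web-to-db", 200, "Allow", "Tcp", "asg-web", "asg-db", "1433"),
    Rule("deny-vnet-to-db", 300, "Deny", "*", VNET, "asg-db", "*"),
]
```

Dropping the priority-300 deny shows the common mistake the example guards against: without it, any VNet host reaches the DB tier through the default AllowVnetInBound rule.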
22. Azure Firewall
Azure Firewall is a cloud-native and intelligent network firewall security service that provides best-of-breed threat protection for your cloud workloads running in Azure. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. It provides both east-west and north-south traffic inspection.
23. Azure Firewall Manager
Azure Firewall Manager is a security management service that provides central security
policy and route management for cloud-based security perimeters.
Secured virtual hub
An Azure Virtual WAN Hub is a Microsoft-managed resource that lets you easily create hub and spoke architectures. When security and routing policies are associated with such a hub, it is referred to as a secured virtual hub.
Hub virtual network
This is a standard Azure virtual network that you create and manage yourself.
When security policies are associated with such a hub, it is referred to as a hub
virtual network. At this time, only Azure Firewall Policy is supported. You can
peer spoke virtual networks that contain your workload servers and services. You
can also manage firewalls in standalone virtual networks that aren't peered to
any spoke.
24. Bastion Host
Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser
and the Azure portal, or via the native SSH or RDP client already installed on your local computer. The
Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual
network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly
from the Azure portal over TLS. When you connect via Azure Bastion, your virtual machines don't
need a public IP address, agent, or special client software.
25. NAT Gateway
Virtual Network NAT is a fully managed and highly resilient Network Address Translation (NAT)
service. Virtual Network NAT simplifies outbound Internet connectivity for virtual networks. When
configured on a subnet, all outbound connectivity uses the Virtual Network NAT's static public IP
addresses.
26. Azure DNS
Azure DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure. By hosting your domains in Azure, you can manage your DNS records by using the same credentials, APIs, tools, and billing as your other Azure services.
27. Azure Load Balancer
Load balancing refers to evenly distributing load (incoming network traffic) across a group of backend resources or servers. Load Balancer distributes inbound flows that arrive at the load balancer's front end to backend pool instances. Flows are distributed according to configured load-balancing rules and health probes. The backend pool instances can be Azure Virtual Machines or instances in a Virtual Machine Scale Set.
28. Public & Private Load Balancer
A public load balancer can provide outbound connections for virtual machines (VMs) inside
your virtual network. These connections are accomplished by translating their private IP
addresses to public IP addresses. Public Load Balancers are used to load balance internet
traffic to your VMs.
An internal (or private) load balancer is used where private IPs are needed at the frontend
only. Internal load balancers are used to load balance traffic inside a virtual network. A load
balancer frontend can be accessed from an on-premises network in a hybrid scenario.
29. Azure Application Gateway
Azure Application Gateway is a web traffic load balancer that enables you to manage traffic
to your web applications.
31. Azure Traffic Manager
Azure Traffic Manager is a DNS-based traffic load balancer. This service allows you to
distribute traffic to your public facing applications across the global Azure regions. Traffic
Manager also provides your public endpoints with high availability and quick responsiveness.
32. Azure Express Route
ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection with the help of a connectivity provider. Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a colocation facility. ExpressRoute connections don't go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, consistent latencies, and higher security than typical connections over the Internet.
33. Azure VPN Gateway
VPN Gateway sends encrypted traffic between an Azure virtual network and an on-premises location
over the public Internet. You can also use VPN Gateway to send encrypted traffic between Azure virtual
networks over the Microsoft network. A VPN gateway is a specific type of virtual network gateway. Each
virtual network can have only one VPN gateway. However, you can create multiple connections to the
same VPN gateway. When you create multiple connections to the same VPN gateway, all VPN tunnels
share the available gateway bandwidth.
34. Site-to-Site VPN
A Site-to-Site (S2S) VPN gateway connection is a connection over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. S2S connections can be used for cross-premises and hybrid configurations. An S2S connection requires a VPN device located on-premises that has a public IP address assigned to it. For information about selecting a VPN device
35. Point-to-Site VPN
A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual
network from an individual client computer. A P2S connection is established by starting it from the client
computer.
36. VNet-to-VNet connections
Connecting a virtual network to another virtual network (VNet-to-VNet) is similar to connecting a VNet
to an on-premises site location. Both connectivity types use a VPN gateway to provide a secure tunnel
using IPsec/IKE. You can even combine VNet-to-VNet communication with multi-site connection
configurations.
37. Local Network Gateway
A local network gateway represents the hardware or software VPN device in your on-premises network. It is generally created in Azure to set up a site-to-site (S2S) VPN connection between an Azure virtual network and your local network.
38. Vnet Peering
VNet peering (or Virtual Network peering) enables you to connect virtual networks. A VNet peering connection between virtual networks enables you to route traffic between them privately through IPv4 addresses. Virtual machines in the peered VNets can communicate with each other as if they were within the same network.
VNet Peering Types
1. Regional VNet Peering: Connecting VNets within the same Azure region.
2. Global VNet Peering: Connecting VNets across Azure regions.