Azure Networks are a logical isolation and representation of a network in the cloud. Since Azure’s core services use virtualization, we refer to these networks as Virtual Networks (VNet). These VNets can provision and manage Virtual Private Networks (VPNs) on Azure, connect with different VNets on Azure, link the Azure VNets with the on-premises environment, and much more.
Figure 1 source: microsoft.com
Since each VNet has its own CIDR blocks, it is possible to have a link between the on-premises networks and Azure VNets.
Virtual Azure Networks make it possible for different Azure resources such as virtual machines and web apps to communicate with each other and with devices on the internet and on-premises securely.
Is your Azure offering the best it can be? Learn how to improve it in our On-Demand Webinar
Azure Networking Components
Azure Networks contain similar components that are also in on-premises network environments. The following are the main components available in Azure Networks.
Subnets
Subnets are a range of IP addresses within a network divided into multiple subnets for security in different organizational departments.
IP Addresses
Azure resources can be assigned two types of IP addresses:
-
Public
Public IP address is assigned for Azure public-facing communication. By default, a dynamic IP address is assigned to the Azure resource, and each time the service is stopped, the IP releases and a new IP address is assigned. When a static IP is assigned, that IP address stays in place for the Azure resource until it is deleted.
-
Private
Private IP addresses can connect via a VPN gateway, express route, or when the Azure resource is on a separate VNet.
Azure Networking Options
Azure offers a variety of Microsoft Azure offerings and other third-party vendor networking features to make your Azure Environment fully-fledged and capable of handling all the traffic that draws into the environment.
Figure 2 source: microsoft.com
Figure 3 source: Azure Portal
Azure Network Security Groups (NSG)
Network Security Group is the primary tool that controls and enforces network traffic rules at the networking level. With NSGs, access either permits or denies between workloads. Additionally, the organization can limit who can work with resources in a virtual network.
Load Balancing
A load balancer takes new inbound flows that arrive and distributes the traffic to the backend pool instances, according to resource availability and rule assignment. Azure load balancing can scale business applications creating high availability for services. They also provide very low latency and high throughput and can scale up to millions of flows depending on the traffic of TCP and UDP applications.
Azure Load Balancers are available in two SKUs; basic and standard differing in scalability and features. These load balancers often have different solutions by category:
- Azure Traffic Manager – This is similar to the AWS offering Route53; DNS directs the traffic to the relevant destination. There are three destination selection modes: failover, performance and round robin.
- Azure Application Gateway – Performs L7 load balancing which supports HTTP requests, SSL termination, and resolves cookies.
Routing Tables
Azure Routing tables are handy when there is a need to change how the traffic routes, which overwrites the automatically provisioned Azure route systems. These routing changes are applied to the traffic leaving a subnet and can be set to go to the next hop of a virtual machine, virtual network or a virtual network gateway.
Virtual Private Networks (VPN)
A VPN is an encrypted, secure connection over the internet from a device to a separate network ensuring that any sensitive data that transmits over the network is secure by preventing any unauthorized personnel eavesdropping on the traffic. VPNs are the go-to solution as workplaces move to more work-from-home facilities.
Azure’s VPN solutions are handy when there is a need to transfer data among several VNets. Azure offers two types of gateways.
VPN
There are two types of Azure VPNs; route-based and policy-based.
- On a route-based VPN, the traffic routes via a tunnel interface in which the data packets get encrypted and decrypted.
- On a policy-based VPN, the traffic is encrypted and decrypted based on the policy applied. These policies contain the endpoint device networking details.
Business organizations can decide to apply these policies to a set of employees or the entire workforce. Also, this can be one of the main checkpoints in an auditing environment.
Express Route
Express Route is a direct connection between the on-premises data center and Azure data center. An Express route does not go through the public internet; a connectivity provider supplies the connection. An ExpressRoute connection offers a more reliable connection with faster speeds and lower latencies than the public internet. Additionally, ExpressRoute benefits in significant cost savings when there are data transfers between the on-premises environment and the Azure data center.
As of writing this article, Azure offers three connectivity options. The most basic is IPSec VPN, in simpler terms, over the public internet. ExpressRoute provides the other two options.
Figure 5 source: microsoft.com
Exchange Provider
Here, Azure makes a connection via point-to-point by an exchange provider having a direct link to Azure. Using this option grants full control of the routing but it is not ideal for multipoint WANs due to the need for point-to-point connections.
Network Service Provider
With the ExpressRoute option, the network service provider supplies a direct connection to Azure. Although the network service provider manages routing, each site or department uses multiple point connectivity.
ExpressRoute offers additional Azure Features suitable for any organization. One is Azure Site Recovery(ASR). With this ExpressRoute connection, you can replicate data without any concerns of bandwidth availability since it’s a delicate connection on Azure. Along with ASR, data migration, disaster recovery, and high availability strategies, many implementations allow you to make the most out of Azure.
Read more about Azure Site Recovery on our previous article here.
Azure Networks Watcher
The Network Watcher gives access details, such as logging, monitoring, diagnostic features, and automation. You can closely monitor the network’s health status and performance for higher visibility.
Competitor Network Offerings
As with any business in the world, Azure has a big cloud war with its main competitor Amazon Web Services (AWS). AWS offers the same solutions for networking components only with a few subtle changes.
| Service | Description | Azure offering | AWS offering |
| Cross-Premises connectivity | Connecting virtual networks to other networks | VPN Gateway | AWS VPN Gateway |
| Domain Name System Management | DNS record management | DNS/Traffic Manager | Route 53 |
| Content Delivery Network | Delivery of all types of content. | Content Delivery Network | CloudFront |
| Load Balancing | Automatically distributes the traffic depending on rules and resources availability | Express Route | Direct Connect |
| Cloud Virtual Network | An isolated private environment in the cloud. | Virtual Network | Virtual Private Network |
Importance of Azure Networks
If your business decides to embrace Azure, their networking solutions cover all of the critical considerations with cloud networking.
Isolation and Enhance Security
With the ability to assign private IP addresses and define subnets, along with routing policies and more, Azure Networks can isolate virtual machines and applications making the resource environment more secure.
Network Topologies
With virtual networks, there is no need to worry about cabling messes. You have the unique possibility of building sophisticated network topologies per the requirement to run virtual appliances on the network. It also allows for greater control of designing your system with load balancers, application firewalls, WAN optimizers, etc.
Figure 7 source: microsoft.com
Expanded Datacenters
When you need to expand the on-premises data center, and cost of expansion is over the top, Azure Cloud can provision the workloads and easily have them communicate with the on-premises datacenter using the powerful Azure networking options. As a result, there is no need for new hardware which results in almost no capital expenditure.
Hybrid application deployment
Business applications often need a backend SQL Server database to function. This is a major hurdle for businesses that have their SQL Databases hosting on-premises, which results in not using cloud power effectively. But, by using Virtual Networks, you can build hybrid cloud applications and securely connect them with the on-premises SQL databases.
Figure 9 source: microsoft.com
Third Party Solutions
With Azure’s massive marketplace, there is always a solution for any issue you may face. Networking vendors have a variety of networking solutions on the market for load balancers, firewalls, traffic management, and so on.
Azure Global Availability
With Azure’s global availability, business data and applications can host in an Azure data center that is close to the customer. Accessing data is faster and has minimum latencies. None of the leading cloud competitors have this ability yet. As of writing this article, Azure is available in 52 regions and is currently expanding in more areas and data centers.
Figure 10 source: microsoft.com
