Implement Virtual Networks
- 4/10/2018
Chapter summary
This chapter covered the many topics that make up Virtual Networks in Azure. These topics range from designing and implementing Virtual Networks to connecting Virtual Networks to other Virtual Networks. Configuring Azure VMs for use with Virtual Networks was also covered, including how to secure them using network security groups, which are essentially firewalls. You also reviewed deploying web applications, both internet-facing and intranet-facing, by using the Azure load balancer and the Azure Application Gateway. This chapter also discussed the different options for connecting on-premises networks to Azure, including Site-to-Site VPNs and ExpressRoute.
Below are some of the key takeaways from this chapter:
Azure Virtual Networks are isolated cloud networks that use an IP address space you define, and they are required for deploying virtual machines in Azure.
Subnets allow you to isolate workloads and can be used with network security groups to create firewall rules.
The GatewaySubnet is a special subnet that is only used for VPN Gateways.
Azure provides DNS services, but a customer can implement their own DNS servers. The DNS servers can be configured either at the VNet or the network interface level.
The Azure Application Gateway is a Layer 7 load balancer that can offload SSL, provide web application firewall (WAF) services, and perform URL-based routing.
Azure VNets can be connected to each other either by using peering or VPN tunnels.
VNet peering allows VMs to see each other as if they were on one network, but peering relationships are non-transitive. If VNETA and VNETB are peered and VNETB and VNETC are peered, VNETA and VNETC are not peered.
There are three types of hybrid connections with Azure: Point-to-Site, Site-to-Site, and ExpressRoute.
VPN Gateways make hybrid connections possible; choose the correct gateway based on the required throughput and the type of connection, keeping in mind that most connections are route-based.
BGP routing is used for ExpressRoute and Multi-Site VPN connections.
ExpressRoute is available only in certain cities around the world and offers a premium add-on to support large global networks.
Public and private IP addresses have two allocation methods: dynamic or static.
Public IPs can be assigned to VMs, VPN Gateways, internet-facing load balancers or Application Gateways.
User Defined Routes (UDRs) override the default routing behavior of a subnet, allowing you to direct traffic to other destinations. Typically, traffic is sent through a virtual appliance such as a firewall; if traffic is sent to a virtual appliance, IP forwarding must be enabled on the NIC of that appliance VM.
The Azure load balancer can be used for internet or intranet workloads to provide web-based applications in a highly available configuration. Health probes are used to ensure the VMs are ready to accept traffic.
Direct Server Return is an Azure load balancer configuration that is used with SQL Server Always On availability group clusters deployed on VMs in an Azure VNet.
Hybrid Connections in Azure are a specific type of connection that allows Azure App Service apps to connect to on-premises resources such as databases without the need for a VPN. These are different from the hybrid cloud connections that are created by using S2S VPNs.
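The User Defined Route takeaway above (send a subnet's traffic through a firewall appliance, and enable IP forwarding on that appliance's NIC) as a worked example; this is an added example, not code from the chapter. It assumes the Az PowerShell module, an existing VNet with a workload subnet and a firewall NVA subnet, and placeholder resource names and addresses.

```powershell
# Added example: route a workload subnet's outbound traffic through a firewall NVA
# with a User Defined Route, enable IP forwarding on the NVA NIC, then verify both.
# All names, prefixes and the NVA address below are assumed placeholders.
$rg       = 'rg-vnet-demo'      # assumed resource group
$location = 'eastus'            # assumed region
$vnetName = 'vnet-hub'          # assumed VNet that already contains both subnets
$nvaIp    = '10.0.1.4'          # assumed private IP of the firewall NVA (in snet-fw)

# 1. Route table with a default route whose next hop is the firewall appliance.
$route = New-AzRouteConfig -Name 'default-via-fw' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $nvaIp
$rt = New-AzRouteTable -Name 'rt-workload' -ResourceGroupName $rg `
    -Location $location -Route $route

# 2. Associate the route table with the workload subnet only. Associating it with
#    the NVA's own subnet would send the firewall's egress back to itself.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-workload' `
    -AddressPrefix '10.0.2.0/24' -RouteTable $rt | Set-AzVirtualNetwork | Out-Null

# 3. Enable IP forwarding on the NVA NIC. Without it the Azure fabric drops packets
#    that arrive at the NIC but are not addressed to its own IP.
$nic = Get-AzNetworkInterface -Name 'nic-fw' -ResourceGroupName $rg
$nic.EnableIPForwarding = $true
$nic | Set-AzNetworkInterface | Out-Null

# 4. Verify the two settings that most often break this design.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$sub  = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-workload'
if (-not $sub.RouteTable) {
    throw 'Route table is not associated with snet-workload'
}
$fwNic = Get-AzNetworkInterface -Name 'nic-fw' -ResourceGroupName $rg
if (-not $fwNic.EnableIPForwarding) {
    throw 'IP forwarding is disabled on nic-fw; traffic sent via the UDR will be dropped'
}

# 5. Show the effective route the workload VM's NIC actually uses for 0.0.0.0/0.
#    Expect Source = User, NextHopType = VirtualAppliance, NextHopIpAddress = $nvaIp.
Get-AzEffectiveRouteTable -NetworkInterfaceName 'nic-workload' -ResourceGroupName $rg |
    Where-Object { $_.AddressPrefix -contains '0.0.0.0/0' } |
    Format-Table Source, State, NextHopType, NextHopIpAddress
```

The effective-route query in step 5 is the check to run after any change: a user route that shows State other than Active, or a default route still sourced from the system, means the subnet is bypassing the firewall.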