Understanding Azure networking options – Network Connectivity and Security
In the previous chapter, we examined the different options when building computer services, from the different types of Virtual Machines (VMs) to web apps and containerization.
All solution components need to be able to communicate effectively and safely; therefore, in this chapter, we will discuss what options we have to control traffic flow using route tables and load balancing components, securing traffic with different firewalling options, and managing IP addressing and resolution.
With this in mind, we will cover the following topics:
- Understanding Azure networking options
- Understanding IP addressing and DNS in Azure
- Implementing network security
- Connectivity
- Load balancing and advanced traffic routing
Technical requirements
This chapter will use the Azure portal (https://portal.azure.com) and you need an Azure subscription for the examples.
Understanding Azure networking options
Services in Azure need to communicate, and this communication is performed over a virtual network, or VNET.
There are essentially two types of networking in Azure – private VNETs and the Azure backbone. The Azure backbone is a fully managed service. The underlying details are never exposed to you – although the ranges used by many services are available, grouped by region, for download in a JSON file. The Azure backbone is generally used when non-VNET-connected services communicate with each other; for example, when storage accounts replicate data or when Azure functions communicate with SQL and Cosmos DB, Azure handles all aspects of these communications. This can cause issues when you need more control, especially if you want to limit access to your services at the network level, that is, by implementing firewall rules.
Important Note
The address ranges of services in Azure change continually as the services grow within any particular region, and can be downloaded from this link: https://www.microsoft.com/en-us/download/details.aspx?id=56519.
Some services can either be integrated with, or built on top of, a VNET. VMs are the most common example of this, and to build a VM, you must use a VNET. Other services can also be optionally integrated with VNETs in different ways. For example, VMs can communicate with an Azure SQL database using a service endpoint, enabling you to limit access and ensure traffic is kept private and off the public network. We look at service endpoints and other ways to secure internal communications later in this chapter, in the Implementing network security section.
The first subject we will need to look at when dealing with VNETs and connectivity is that of addressing and Doman Name Services (DNSes).