Notes from MS Learn AZ-700 Module 1: Introduction to Azure Virtual Networks – Unit 2: Explore Azure Virtual Networks
Overview:
Azure Virtual Networks = VNets
Mimic on-premises networks with Azure infrastructure benefits such as scale, availability, and isolation
VNets have their own CIDR address space and can be linked to other VNets and to on-prem networks as long as the address spaces don't overlap.
VNets offer control of DNS server settings and segmentation into subnets.
Capabilities:
- Communication with the internet: outbound is allowed by default
- Inbound requires assigning a public IP address or a public Load Balancer; either can also be used for outbound connections
- Communication between Azure resources
- VNets
- VNet service endpoints
- VNet peering
- Can connect not just to VM’s but also Azure resources such as:
- App Service Environment
- Azure Kubernetes Service
- Azure Virtual Machine Scale Sets
- Service Endpoints can connect to Azure resource types such as:
- Azure SQL database
- Azure storage accounts
- Communication between on-prem resources
- Extend the VNet to on-prem using Point-to-site VPN (site-to-site VPN is the other VPN gateway option)
- Azure ExpressRoute
- Filter network traffic
- Network security groups
- Network virtual appliances
- Routing network traffic
- By default Azure routes traffic between subnets, connected virtual networks, on-prem networks, and the internet
- Create route tables (user-defined routes) or advertise BGP routes to override the default system routes
VNet Design Considerations:
- You can create multiple virtual networks per region per subscription, and multiple subnets within each VNet
- Virtual Networks:
- Use RFC 1918 ranges
- 10.0.0.0-10.255.255.255 (10/8)
- 172.16.0.0-172.31.255.255 (172.16/12)
- 192.168.0.0-192.168.255.255 (192.168/16)
- Ranges that cannot be added to a VNet
- 224.0.0.0/4 (Multicast)
- 255.255.255.255/32 (Broadcast)
- 127.0.0.0/8 (Loopback)
- 169.254.0.0/16 (Link-local)
- 168.63.129.16/32 (Internal DNS / Azure platform)
- Azure assigns resources private IPs from the address space provisioned. Azure reserves the first four and the last IP address of every subnet (five addresses in total).
- x.x.x.0 (network address), x.x.x.1 (reserved for the default gateway), x.x.x.2 and x.x.x.3 (reserved to map the Azure DNS IPs into the VNet space), and the last address (network broadcast)
- When planning consider:
- No overlapping address space with other networks you will connect to
- Whether security isolation is required
- Whether you need to mitigate IP address limitations
- Connections between Azure VNets and on-prem
- Isolation requirements for administrative purposes
- Use of Azure services that create their own VNets
- Subnets
- A range of IP addresses in a VNet. You can segment a VNet into subnets of different sizes, within the subscription limit.
- Smallest supported IPv4 subnet is /29 and largest is /2.
- For IPv6 must be exactly /64
- Considerations:
- Each subnet must have unique address range in CIDR format
- Certain Azure services require their own subnet
- Can be used for traffic management
- Can limit access to Azure resources to specific subnets with a virtual network service endpoint. Create multiple subnets and enable the service endpoint on some subnets and not others.
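The address-space rules above (RFC 1918, no overlap with connected networks, the ranges Azure refuses, /29 to /2 subnet sizes, and the five reserved addresses per subnet) are easy to get wrong on paper, so here is a small planning check written for these notes using only Python's standard ipaddress module. It is an added example, not code from the MS Learn module; the VNet, subnet and on-prem ranges in the usage section are constructed for illustration.

```python
"""Address-space planning checks for an Azure VNet design (added example)."""
import ipaddress
from typing import List

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ranges the module lists as not addable to a VNet
DISALLOWED = [ipaddress.ip_network(n) for n in (
    "224.0.0.0/4",         # multicast
    "255.255.255.255/32",  # broadcast
    "127.0.0.0/8",         # loopback
    "169.254.0.0/16",      # link-local
    "168.63.129.16/32",    # Azure internal DNS / platform address
)]

AZURE_RESERVED_PER_SUBNET = 5  # x.x.x.0, .1, .2, .3 and the last address


def is_rfc1918(cidr: str) -> bool:
    """True if an IPv4 range sits inside one of the three RFC 1918 blocks."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.version == 4 and any(net.subnet_of(p) for p in RFC1918)


def disallowed_overlap(cidr: str) -> List[str]:
    """Disallowed ranges that the proposed range touches (any hit is a blocker)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(d) for d in DISALLOWED if d.version == net.version and net.overlaps(d)]


def overlapping_ranges(cidr: str, others: List[str]) -> List[str]:
    """Ranges in `others` that overlap `cidr`; peering or a VPN link to them would fail."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [o for o in others
            if (lambda onet: onet.version == net.version and net.overlaps(onet))(
                ipaddress.ip_network(o, strict=True))]


def reserved_addresses(subnet_cidr: str) -> List[str]:
    """The five addresses Azure reserves in a subnet: first four plus the last one."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return [str(net.network_address + i) for i in range(4)] + [str(net.broadcast_address)]


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses Azure can hand out in the subnet after its reservations.

    Enforces the size limits from the notes: IPv4 /29 to /2, IPv6 exactly /64.
    """
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if net.version == 4 and not 2 <= net.prefixlen <= 29:
        raise ValueError(f"{subnet_cidr}: IPv4 subnet must be between /29 and /2")
    if net.version == 6 and net.prefixlen != 64:
        raise ValueError(f"{subnet_cidr}: IPv6 subnet must be exactly /64")
    return net.num_addresses - AZURE_RESERVED_PER_SUBNET


def check_vnet(address_space: str, subnets: List[str], connected: List[str]) -> List[str]:
    """Return the list of problems with a VNet design; an empty list means it passes.

    `connected` holds the address spaces of every VNet or on-prem network this
    VNet will be peered or VPN-linked to, which is where overlap actually bites.
    """
    problems: List[str] = []
    vnet = ipaddress.ip_network(address_space, strict=True)
    if vnet.version == 4 and not is_rfc1918(address_space):
        problems.append(f"{address_space} is not an RFC 1918 range")
    for bad in disallowed_overlap(address_space):
        problems.append(f"{address_space} overlaps disallowed range {bad}")
    for other in overlapping_ranges(address_space, connected):
        problems.append(f"{address_space} overlaps connected network {other}")
    seen: List[ipaddress._BaseNetwork] = []
    for s in subnets:
        snet = ipaddress.ip_network(s, strict=True)
        if snet.version != vnet.version or not snet.subnet_of(vnet):
            problems.append(f"subnet {s} is not inside {address_space}")
            continue
        for prev in seen:  # subnets within one VNet must not overlap each other
            if snet.overlaps(prev):
                problems.append(f"subnet {s} overlaps subnet {prev}")
        seen.append(snet)
        try:
            usable_hosts(s)
        except ValueError as err:
            problems.append(str(err))
    return problems


if __name__ == "__main__":
    # Constructed sample: a hub VNet to be peered with 10.2.0.0/16 and VPN-linked to 192.168.0.0/24
    print(check_vnet("10.1.0.0/16", ["10.1.0.0/24", "10.1.1.0/29"], ["10.2.0.0/16", "192.168.0.0/24"]))
    # A design with an on-prem overlap, two overlapping subnets and an undersized /30
    print(check_vnet("10.1.0.0/16", ["10.1.0.0/24", "10.1.0.128/25", "10.1.2.0/30"], ["10.1.128.0/20"]))
    print(usable_hosts("10.1.0.0/24"), reserved_addresses("10.1.0.0/24"))
```

The usable-host count is the number that matters when sizing subnets for scale sets or AKS node pools: a /24 yields 251 assignable addresses, not 254, and a /29 yields only 3.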
Determine a naming convention:
- Example (taken from MS Learn)
- pip-sharepoint-prod-westus-001 (pip = public IP address)
- Resource Type-Workload/App-Environment-Region-Instance
- Each Azure resource type has a scope that defines the level at which its name must be unique:
- Management group
- Subscription
- Resource group
- Resource
Regions and Subscriptions:
- Resource can only be created in a VNet that exists in the same region and subscription as the resource
- You can connect VNets that exist in different subscriptions and regions
- Deploy as many VNets as needed, up to the subscription limit
- Azure Availability Zones
- Enable you to define unique physical locations within a region. A zone is made up of one or more datacenters with independent power, cooling, and networking.
- Consider availability zones when designing Azure network and plan for services that support them.
- Availability Zone categories:
- Zonal services = resources pinned to a specific zone
- Zone-redundant services = resources replicated/distributed across zones automatically
- Azure replicates across three zones for resilience to a single zone failure
- Nonregional services = services always available from Azure geographies, resilient to zone-wide and region-wide outages