The Fundamentals for a Beginner’s Guide to Azure Networking
Good networking practices are still fundamental, whether on premises or in the cloud. Often, new terminology is used, but what network engineers are used to calling one thing simply has a new name. A VRF is similar to a VNET in Azure. A VLAN is now a subnet. An ACL is a Network Security Group (NSG).
However, some things are different as well. For example, every host on the same subnet will appear in the ARP table with the MAC address 12:34:56:78:9A:BC. This is an artifact of Microsoft's layer 3 overlay: ARP still functions as normal on the host, but the overlay changes how some traffic flows.
Another difference is that broadcast and multicast don't work in a VNET. This limits the tools available for high availability: without multicast, first-hop redundancy protocols such as HSRP and VRRP are no longer at our disposal, so redundancy has to be accomplished in another way.
Before a network architecture can be designed, however, the new terminology needs to be understood, along with the additional tools Azure puts at a network engineer's disposal. Once we understand what can (or should) be done versus what can't (or shouldn't), we can move on to gathering requirements and helping the business on its cloud journey.
There are a multitude of resources, both free and paid, available on the internet to help you get started. Here are some we recommend:
- Azure Documentation – https://docs.microsoft.com/en-us/azure/
- Microsoft Networking Academy – https://channel9.msdn.com/Shows/MNA and https://www.youtube.com/channel/UCy6v89YQ_u12dsxK4FH0NuA/featured
Armed with Azure networking fundamentals, a network engineer can use these tools as building blocks to support the application and business requirements. Here are some other important considerations as we explore a beginner's guide to Azure networking.
How will end users connect to applications in the cloud? There are three main options – Internet, IPSec VPN, and ExpressRoute. Each one has its own advantages.
Internet connectivity is the simplest method. If the business is embracing SaaS offerings such as Office 365 or Microsoft Dynamics, it is often the best solution as well. Users transit the internet directly to resources in Azure, and this is Microsoft's preferred method for access to Office 365, Teams, and other SaaS products.
VPN connectivity is a good blend of security, scalability, and speed. It is quick to set up and can scale into a hub-and-spoke model, but it carries all the limits of any internet service: it depends on internet connectivity to reach Azure and is only as robust as that connectivity.
ExpressRoute is a private connection to the Azure cloud. It is slower to provision and more costly than the other options, but it offers higher security and better reliability, along with faster speeds and lower, more consistent latency. The service is offered in partnership with ISPs and is available in most data centers.
There are two types of ExpressRoute peering, and both can be used over the same physical link. Microsoft peering gives access to Azure's public IP range via ExpressRoute, providing connectivity to Office 365, Azure AD, Power BI, IaaS, and other Azure services that devices would otherwise reach over public peering. The other type is private peering, which connects directly to one or more VNETs and provides connectivity to resources within a VNET.
These methods can be combined as well, and a blend often makes the most sense. Dual VPNs can be configured as active/passive for high availability. Additionally, VPN connectivity can be used as a backup connection for ExpressRoute private peering. Each Azure use case has its own requirements that will determine which connectivity option is best for the business.
VNET and Subnet Design
Azure resources live in Virtual Networks (VNETs); this is how different resources communicate with each other. A VNET is a logical isolation boundary within the Azure cloud, isolated from all other VNETs. It's crucial to plan out VNET IP space before beginning to deploy resources in Azure: make sure the address space dedicated to the VNET is large enough to account for growth but does not overlap with any on-premises networks. Avoid NAT as much as possible in these designs.
Once the VNET is defined, it is divided into subnets. We recommend grouping services and resources by type and function into different subnets. This allows you to implement network and security controls easily, where needed.
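The two planning rules above (no overlap with on-premises space, one subnet per function) can be checked and applied mechanically. The following is an added example, not code from the original post: it uses a constructed site with two hypothetical on-prem ranges and a proposed VNET, and it accounts for the five addresses Azure reserves in every subnet.

```python
import ipaddress

# Azure reserves five addresses in every subnet (network address, default gateway,
# two for Azure DNS, broadcast) and accepts nothing smaller than a /29.
AZURE_RESERVED = 5
AZURE_MIN_PREFIX = 29


def overlaps_on_prem(vnet_cidr, on_prem_cidrs):
    """Return the on-premises prefixes that collide with the proposed VNET space."""
    vnet = ipaddress.ip_network(vnet_cidr)
    return [p for p in on_prem_cidrs if vnet.overlaps(ipaddress.ip_network(p))]


def usable_hosts(subnet):
    """Addresses actually assignable to hosts in an Azure subnet of this size."""
    return subnet.num_addresses - AZURE_RESERVED


def carve_subnets(vnet_cidr, requests):
    """Allocate one subnet per function inside the VNET, largest request first.

    requests maps subnet name -> usable hosts required; returns name -> network.
    Raises ValueError when the VNET cannot hold every request.
    """
    free = [ipaddress.ip_network(vnet_cidr)]   # unallocated blocks, kept sorted
    plan = {}
    for name, hosts in sorted(requests.items(), key=lambda kv: -kv[1]):
        needed = hosts + AZURE_RESERVED
        # smallest prefix whose block holds `needed` addresses, capped at /29
        prefix = min(32 - (needed - 1).bit_length(), AZURE_MIN_PREFIX)
        block = next((b for b in free if b.prefixlen <= prefix), None)
        if block is None:
            raise ValueError(f"{vnet_cidr} has no room for {name} ({hosts} hosts)")
        free.remove(block)
        chosen = next(block.subnets(new_prefix=prefix))            # lowest-addressed fit
        free = sorted(free + list(block.address_exclude(chosen)))  # return the remainder
        plan[name] = chosen
    return plan


if __name__ == "__main__":
    # Constructed site: two hypothetical on-prem ranges and a VNET that avoids both.
    on_prem = ["10.0.0.0/16", "192.168.0.0/16"]
    assert not overlaps_on_prem("10.10.0.0/16", on_prem)
    tiers = {"web": 200, "app": 100, "db": 20, "mgmt": 3}
    for name, net in carve_subnets("10.10.0.0/16", tiers).items():
        print(f"{name:5} {net}  usable hosts: {usable_hosts(net)}")
```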
Azure has a built-in set of robust network security tools, mainly network security groups (NSGs) and Azure Firewall. Additionally, you can bring your own security tools, with appliances offered by all major OEMs in the Azure Marketplace. Both approaches have their advantages and disadvantages.
Network Security Groups are a basic, stateful, layer-4 firewall. They let you create complex rules simply, using tags and groups that are flexible and scalable. This is a must-use feature to ensure only hosts that should be talking are talking. Azure Firewall is a managed, scalable, modern layer-7 firewall in Azure that can be used to protect VNETs and subnets.
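NSG rules are walked by ascending priority number and the first match wins, with Azure's default rules (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound) sitting at priority 65000 and above. The model below is an added example, not code from the original post; it covers inbound rules only, resolves the VirtualNetwork tag against a constructed VNET range, and shows why an explicit deny is needed to keep the default AllowVnetInBound rule from letting any VNET host reach a restricted tier.

```python
import ipaddress
from collections import namedtuple

# Constructed VNET space used to resolve the VirtualNetwork tag. The real tag also
# covers peered VNETs and on-prem routes; that is simplified away here.
VNET_SPACE = [ipaddress.ip_network("10.10.0.0/16")]

# priority: custom rules use 100-4096, lowest number checked first. access: Allow/Deny.
# protocol: Tcp/Udp/Icmp/*. source/dest: CIDR, IP or service tag. dest_ports: "443", "1024-65535" or "*".
Rule = namedtuple("Rule", "name priority access protocol source dest dest_ports")

# Azure's default inbound rules at 65000+; reached only if no custom rule matched.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
]

def _addr_matches(spec, ip):
    in_vnet = any(ip in n for n in VNET_SPACE)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":
        return not in_vnet
    if spec == "AzureLoadBalancer":   # the tag denotes Azure's virtual host IP
        return ip == ipaddress.ip_address("168.63.129.16")
    return ip in ipaddress.ip_network(spec, strict=False)

def _port_matches(spec, port):
    lo, _, hi = spec.partition("-")
    return spec == "*" or int(lo) <= port <= int(hi or lo)

def evaluate_inbound(rules, protocol, src_ip, dst_ip, dst_port):
    """Return (access, rule_name) of the first match, walking rules by ascending priority.
    DenyAllInBound matches everything, so a result is always found."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol in ("*", protocol) and _addr_matches(r.source, src) \
                and _addr_matches(r.dest, dst) and _port_matches(r.dest_ports, dst_port):
            return r.access, r.name

# Constructed policy: web tier reachable from the internet on 443 only; app tier only
# from the web tier on 8080. Without the deny at 120, AllowVnetInBound (65000) would
# let every other host in the VNET reach the app tier.
WEB_APP_RULES = [
    Rule("AllowHttpsFromInternet", 100, "Allow", "Tcp", "Internet", "10.10.0.0/24", "443"),
    Rule("AllowWebToApp", 110, "Allow", "Tcp", "10.10.0.0/24", "10.10.1.0/25", "8080"),
    Rule("DenyVnetToApp", 120, "Deny", "*", "VirtualNetwork", "10.10.1.0/25", "*"),
]
```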
Virtual network security appliances can also be run in Azure. Vendors such as Cisco, Fortinet, and others make versions of their next-generation firewalls, load balancers, web application firewalls, and other security tools that can run in the cloud. For many businesses, this is an easy on-ramp that provides the same tooling and visibility they're used to leveraging on premises, just now in the cloud.
The disadvantage of bringing your own security appliance is operational effort. All scaling, maintenance, and availability are the customer's responsibility. This generally means, at minimum, running two of everything for redundancy, and one should also consider supplying the automation framework to scale out as needed. Azure's native offerings, if they fit the business needs, are fully managed and take on scaling, maintenance, and availability for you.
There are additional built-in tools as well, such as virtual network TAP, DDoS Protection, Azure Front Door, and Traffic Manager, that can be leveraged to provide confidentiality, integrity, and availability as business requirements dictate.
In the end, networking both is and isn't the same in the cloud. Understanding the fundamentals and the tools Azure and the Azure Marketplace provide, along with your business requirements, will allow you to build a secure, robust cloud presence.
We hope you found our short track on a Beginner's Guide to Azure Networking helpful. If the cloud is relevant to your business outcomes, you can check out some of our supporting posts here:
- The Advantages of a Cloud-Based Data Management Strategy
Need help navigating all of these options? We are here to help.
Hit us up in the chat window or give us a call at (616) 202-6518.