Mastering Azure Network Design: A Guide for Network Engineers

Networking Fundamentals in the Cloud

Networking fundamentals remain essential whether on-premises or in the cloud. While the terminology might change, the core concepts often stay the same. In Azure, a VRF is similar to a VNET, a VLAN is now a subnet, and an ACL is referred to as a Network Security Group (NSG). However, there are some distinct differences. For instance, every host on the same subnet in the ARP table will have a MAC address of 12:34:56:78:9A, an artifact of Microsoft’s layer 3 overlay. While ARP functions as usual on the host, the overlay alters some traffic flows. Additionally, broadcast and multicast don’t work in a VNET, impacting designs for high availability. Without multicast, first-hop routing protocols like HSRP and VRRP are unavailable, necessitating alternative redundancy strategies.

Understanding the Terminology

Before designing a network architecture, it’s crucial to understand the new terminology and the additional tools at your disposal. Knowing what can and should be done versus what can’t or shouldn’t be done is vital for moving on to gathering requirements and assisting the business on its cloud journey.

There are numerous resources, both free and paid, available to help you get started. Here are some we recommend:

Design Considerations

Armed with Azure networking fundamentals, network engineers can use these tools as building blocks to support application and business requirements.

Cloud Connectivity

How will end users connect to applications in the cloud? There are three main options: Internet, IPSec VPN, and ExpressRoute, each with its advantages.

  • Internet Connectivity: This is the simplest method. For businesses embracing SaaS offerings such as Office 365 or Microsoft Dynamics, this is often the best solution. Users transit the internet directly to resources in Azure, which is Microsoft’s preferred method for accessing Office 365, Teams, and other SaaS products.
  • VPN Connectivity: A blend of security, scalability, and speed. It’s quick to set up, can scale into a hub-and-spoke model, but relies on internet connectivity to reach Azure, making it only as robust as your internet connection.
  • ExpressRoute: A private connection to the Azure cloud. It’s slower to provision and more costly but offers higher security, better reliability, faster speeds, and lower and more consistent latency. This service is offered in partnership with ISPs and is available in most data centers.

ExpressRoute Peering Options

There are two types of ExpressRoute peering, both usable over the same physical link:

  • Microsoft Peering: Accesses the public IP range of Azure via ExpressRoute, providing connectivity to Office 365, Azure AD, Power BI, IaaS, and other Azure services.
  • Private Peering: Connects directly to one or more VNETs, providing connectivity to resources within a VNet.

These methods can be combined, with dual VPNs configured as active/passive for high availability or using VPN as a backup for ExpressRoute private peering. Each Azure use case has unique requirements that will determine the best connectivity option for the business.

VNET and Subnet Design

Azure resources live in Virtual Networks (VNets), facilitating communication between different resources. A VNet is a logical isolation within the Azure cloud, separate from all other VNets. It’s crucial to plan out VNet IP space before deploying resources, ensuring the address space is large enough for growth but doesn’t overlap with any on-premises networks. Avoiding NAT is recommended where possible.

Once the VNet is defined, it is divided into subnets. Grouping services and resources by type and function into different subnets allows for easy implementation of network and security controls where needed.

Network Security

Azure offers robust built-in security tools, mainly network security groups (NSGs) and Azure firewalls, with the option to bring your own security tools via the Azure Marketplace.

  • Network Security Groups (NSGs): These are basic, stateful, layer-4 firewalls that allow for the creation of complex rules using flexible and scalable tags and groups. This feature is essential to ensure only necessary communications occur between hosts.
  • Azure Firewall: A managed, scalable layer-7 firewall in Azure that protects VNets and subnets.

Bringing Your Own Security Appliances

Virtual network security appliances can also be run in Azure. Vendors such as Cisco and Fortinet offer versions of their next-generation firewalls, load balancers, web application firewalls, and other security tools that can operate in the cloud. This approach provides familiar tooling and visibility for businesses used to on-premises setups.

However, the disadvantage of bringing your own security appliance is that scaling, maintenance, and availability responsibilities fall on the customer. This typically requires running at least two of everything and implementing automation for scaling as needed. Azure’s native offerings, if they fit business needs, are fully managed, taking care of scaling, maintenance, and availability.

Additional Built-In Tools

Azure also offers additional tools such as virtual network tap, DDoS protection, Azure Front Door, and Traffic Manager, which can be leveraged to ensure confidentiality, integrity, and availability according to business requirements.

Conclusion

In the end, networking both is and isn’t the same in the cloud. Understanding the fundamentals and the tools Azure and the Azure Marketplace provide, along with your business requirements, will allow you to build a secure and robust cloud presence. Need help navigating all of these options? We at Elevate Technology Partners are here to assist you on your journey.