Azure Network

1. Azure Networking Overview

2. Agenda
1) Virtual Networks (Vnets) & Subnet
2) Public IP Vs Private IP
3) Static IP vs Dynamic IP
4) Network Security Group (NSG)
5) Ingress & Egress Security Rules
6) Azure Firewall
7) Nat Gateway
8) Azure DNS
9) Azure Load Balancer
10) Application Gateway
11) Bastion Host
12) Express Route
13) VPN Gateway

3. Introduction Azure Networking
Azure Networking is a fundamental part of Microsoft Azure that allows your cloud
resources to securely communicate with each other, with the internet, and with your
on-premises network.
Azure provides a rich set of networking capabilities similar to what you would have in
your own data center—but fully managed and scalable in the cloud.

4. Connectivity to Azure
Cloud Customer Characteristics
Site-to-site
VPN connectivity
• High throughput, secure cross-
premises connectivity
• BGP, active-active for high
availability & transit routing
Remote access point-
to-site connectivity
• Remote Access to VNet/On-prem
• Connect from anywhere
• Mac, Linux, Windows
• Radius/AD authentication
ExpressRoute private
connectivity
• Private connectivity to Microsoft
services (O365, Azure PaaS
services)
• Mission critical workloads
Internet Connectivity
• Internet facing with public IP
addresses in Azure
• DNS, load balancing, DDoS
protection, WAF

5. 5
Virtual Networks (Vnets)
• Like your own private network in the cloud.
• Provides isolation, security, and routing control.
• You define the IP address range (CIDR block), e.g., 10.0.0.0/16.
• Resources like Virtual Machines (VMs), App Services, and Databases reside inside the
VNet.
Virtual Subnets
• Isolate workloads (e.g., web, app, database)
• Apply different security rules
• Control traffic flow within the network
VNet: 10.0.0.0/16
├─ SubnetA (Web): 10.0.1.0/24
└─ SubnetB (DB): 10.0.2.0/24

6. 10.0.0.0/1
6
10.0.1.0/2
4
10.0.2.0/2
4

7. Public IP vs Private IP
Public IP
A public IP address is the address that is assigned to a device to allow direct access over the Internet. A web
server, email server and any server device directly accessible from the Internet are candidate for a public IP
address. A public IP address is globally unique, and can only be assigned to an unique device.
Private IP
A private IP address is the address space allocated to NIC to allow organizations to create their own private
network. The computers, tablets and Smartphone sitting behind your home, and the personal computers within
an organizations are usually assigned private IP addresses. A network printer residing in your home or office is
assigned a private address so that only your local users can print to your local printer.

8. Static IP vs Dynamic IP
Static IP
A static IP address is an address that is permanently assigned to a device by the administrator, and does not
change even if the device reboots. A static IP address is usually assigned to a server who is hosting websites,
providing email, database and FTP services.
Dynamic IP
A dynamic IP address is dynamically assigned to device by the DHCP server. Each time the device is rebooted,
DHCP dynamically assigns an IP address to the device using DHCP protocol. Since DHCP dynamically assigns an
IP address to a device on reboot, the device may not always receive the same IP address.

9. Network Security Group (NSG)
You can use an Azure network security group to filter network traffic between
Azure resources in an Azure virtual network. A network security group
contains security rules that allow or deny inbound network traffic to, or
outbound network traffic from, several types of Azure resources. For each
rule, you can specify source and destination, port, and protocol.

10. Security Rules Ingress/Egress

11. Azure Firewall
Azure Firewall is a cloud-native and intelligent network firewall security
service that provides the best of breed threat protection for your cloud
workloads running in Azure. It's a fully stateful, firewall as a service with
built-in high availability and unrestricted cloud scalability. It provides
both east-west and north-south traffic inspection.

12. Bastion Host
Azure Bastion is a service you deploy that lets you connect to a virtual machine using
your browser and the Azure portal, or via the native SSH or RDP client already installed
on your local computer. The Azure Bastion service is a fully platform-managed PaaS
service that you provision inside your virtual network. It provides secure and seamless
RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS.
When you connect via Azure Bastion, your virtual machines don't need a public IP
address, agent, or special client software.

13. NAT Gateway
Virtual Network NAT is a fully managed and highly resilient Network Address
Translation (NAT) service. Virtual Network NAT simplifies outbound Internet connectivity
for virtual networks. When configured on a subnet, all outbound connectivity uses the
Virtual Network NAT's static public IP addresses.

14. Azure DNS
Azure DNS is a hosting service for DNS domains that provides name resolution by using
Microsoft Azure infrastructure. By hosting your domains in Azure, you can manage your
DNS records by using the same credentials, APIs, tools, and billing as your other Azure
services..

15. Azure Load Balancer
Load balancing refers to evenly distributing load (incoming network traffic) across a
group of backend resources or servers. Load balancer distributes inbound flows that
arrive at the load balancer's front end to backend pool instances. These flows are
according to configured load-balancing rules and health probes. The backend pool
instances can be Azure Virtual Machines or instances in a Virtual Machine Scale Set.

16. Azure Application Gateway
Azure Application Gateway is a web traffic load balancer that enables you to manage
traffic to your web applications.

17. Azure Express Route
ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private
connection with the help of a connectivity provider. onnectivity can be from an any-to-any (IP
VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a
connectivity provider at a colocation facility. ExpressRoute connections don't go over the public
Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, consistent
latencies, and higher security than typical connections over the Internet.

18. Azure VPN Gateway
VPN Gateway sends encrypted traffic between an Azure virtual network and an on-premises
location over the public Internet. You can also use VPN Gateway to send encrypted traffic
between Azure virtual networks over the Microsoft network. A VPN gateway is a specific type of
virtual network gateway. Each virtual network can have only one VPN gateway. However, you can
create multiple connections to the same VPN gateway. When you create multiple connections to
the same VPN gateway, all VPN tunnels share the available gateway bandwidth.

19. Site-to-Site VPN
A Site-to-Site (S2S) VPN gateway connection is a connection over IPsec/IKE (IKEv1 or IKEv2) VPN
tunnel. S2S connections can be used for cross-premises and hybrid configurations. A S2S
connection requires a VPN device located on-premises that has a public IP address assigned to it.
For information about selecting a VPN device

20. Point-to-Site VPN
A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual
network from an individual client computer. A P2S connection is established by starting it from
the client computer.

21. Vnet Peering
VNet peering (or Virtual Network peering) enables you to connect virtual networks. A VNet peering
connection between virtual networks enables you to route traffic between them privately through IPv4
addresses. Virtual machines in the peered VNets can communicate with each other as if they are within the
same network.
VNet Peering Types
1. Regional VNet Peering: Connecting VNets within the same Azure region.
2. Global VNet Peering: Connecting VNets across Azure regions.

22. © Copyright Microsoft Corporation. All rights reserved.
Thank You