Private connections into Azure are made either via ExpressRoute (comparable to AWS Direct Connect) or VPN. The former is more expensive than the latter, with the benefit of an additional layer of security: packets are routed over a private circuit rather than the public Internet. Here is a run-down of Azure networking with some practical examples.
Virtual Network (VNet)
- No overlapping subnets
- Can contain multiple subnets
- No multicast and broadcast spanning between VNets
- The first 5 IP addresses in any subnet are reserved for Azure
- IP addresses in VNets are classless; thus, the Classless Inter-Domain Routing (CIDR) convention is used (e.g. x.x.x.x/8 or x.x.x.x/29)
- Peering or a Virtual Network Gateway are the common practices for connecting VNets
- Private DNS can be set to bypass the default Azure assignment
- VNet-to-VNet connections and VNet peering are the options for securely joining disparate subnets within Azure
Network Security Group (NSG)
- Uses an Access Control List (ACL) to filter traffic
- Default outbound traffic is unrestricted
- A typical setup would include two (2) NSGs: one (1) for the Backend subnet and one (1) for the Frontend subnet
- Not application aware (layer 7)
- 100-rule limit per region
- Inbound/Outbound rule labels:
  - Service
  - Port range
  - Priority
  - Name
  - Description
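As an added example (not part of the original notes), a small Python pre-deployment checker that encodes the VNet and NSG constraints above: no overlapping subnets, usable host count after the 5 reserved addresses, the 100-rule NSG limit, and the rule labels listed. All resource names, address ranges and rules are constructed sample values; the check that priorities are unique per direction is an Azure NSG requirement the notes above do not state.

```python
# Added example, not from the original notes; all names, ranges and rules are constructed samples.
import ipaddress
from dataclasses import dataclass
AZURE_RESERVED_PER_SUBNET = 5   # per the notes: first 5 addresses of every subnet are reserved
NSG_RULE_LIMIT = 100            # per the notes: 100-rule limit

@dataclass
class NsgRule:               # the rule fields the notes list, plus direction
    name: str
    direction: str           # "Inbound" or "Outbound"
    priority: int
    service: str             # e.g. "TCP"
    port_range: str          # e.g. "443" or "1024-65535"
    description: str = ""

def usable_hosts(cidr: str) -> int:
    """Addresses left for VMs after Azure's reserved ones (a /29 leaves 3, a /24 leaves 251)."""
    return max(0, ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED_PER_SUBNET)

def check_vnet(subnets: dict) -> list:
    """Problems found: overlapping subnets, or a subnet with no usable hosts."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = []
    for name, net in nets.items():
        if usable_hosts(str(net)) == 0:
            problems.append(f"{name} {net} has no usable hosts after the reserved addresses")
    for i, a in enumerate(nets):          # pairwise check: subnets in a VNet must not overlap
        for b in list(nets)[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems

def check_nsg(rules: list) -> list:
    """Problems found: over the rule limit, or two rules sharing a priority in one direction."""
    problems = []
    if len(rules) > NSG_RULE_LIMIT:
        problems.append(f"{len(rules)} rules exceed the limit of {NSG_RULE_LIMIT}")
    seen = {}
    for r in rules:                        # unique priority per direction: an Azure NSG rule
        key = (r.direction, r.priority)    # not stated in the notes above
        if key in seen:
            problems.append(f"{r.name} reuses {r.direction} priority {r.priority} of {seen[key]}")
        seen[key] = r.name
    return problems

# Constructed sample: Frontend and Backend subnets (one NSG each), a Mgmt /29 carved out of
# Frontend by mistake, and a Frontend NSG whose two rules share a priority.
SAMPLE_SUBNETS = {"Frontend": "10.0.1.0/24", "Backend": "10.0.2.0/24", "Mgmt": "10.0.1.128/29"}
FRONTEND_RULES = [NsgRule("allow-https", "Inbound", 100, "TCP", "443", "web tier"),
                  NsgRule("allow-ssh", "Inbound", 100, "TCP", "22", "same priority by mistake")]
```

Running `check_vnet(SAMPLE_SUBNETS)` and `check_nsg(FRONTEND_RULES)` reports the Mgmt overlap and the duplicated priority before anything is deployed.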
Virtual Network Gateway
- Connects on-prem networks into Azure VNets
- Types
  - VPN: uses public routing. 4 SKUs with speed-based pricing: Basic 100 Mbps, VpnGw1 650 Mbps, VpnGw2 1 Gbps, VpnGw3 1.25 Gbps
  - ExpressRoute: uses MPLS circuits; a logical dual BGP circuit on layer 3 (requires 2 x x.x.x.x/30 subnets per peer); typical providers are Equinix or Megaport; Azure private peering is matched with the on-prem side of the tunnel using BGP
  - Hybrid: Site-to-site and/or Point-to-site
- Must be connected to an existing VNet
- Route based: dynamic and the most common
- Policy based: static and does not support IKEv2
- Site-to-site: supports active-active and active-passive; BGP is available on SKU VpnGw1 and above
- Point-to-site: supports only active-passive
- Limit of 1 gateway per VNet
How to Create VPN Gateway in Azure
Access Azure portal > select Create a resource > Networking Services > choose Local Network Gateway > input sample values in these fields and wait 29 minutes 59 seconds
- Name: VPN1
- Address space (local summarized subnets):
- Subscription: default
- Resource group: create if one doesn’t exist
- Region: US West
- Type: VPN
- VPN type: Route based
- SKU: VpnGw1 (default)
- VNET: Dev
- Public IP: Create new
- IP Name: VPN1_GW
- Active-active: Disabled
- BGP: Disabled
How to Create Site-to-site VPN in Azure
Access Azure portal > select Create a resource > Networking Services > Add Connection > fill in the blanks
- Name: S2S_VPN
- Connection type: site-to-site
- Local network gateway > click Create
- Local_Gateway
- IP address: x.x.x.x (this is the public IP of the on-prem gateway)
- Address space: x.x.x.x/CIDR_MASK
- Shared Key: PSK_somestring
- RSG: locked
How to Create Point-to-site in Azure
Access Azure portal > select Create a resource > Networking Services > Add Connection > fill in the blanks
- Name: P2S_VPN
- Address Pool: x.x.x.x/CIDR_MASK (this is the local subnet)
- Tunnel Type: OpenVPN
- Auth Type: Azure Cert
How to Create ExpressRoute Gateway
Access Azure portal > select Create a resource > Networking Services > choose Express Route Gateway > input these values
- Subscription: Default
- Resource Group: Derived
- Name: ER_Gateway
- Region: US West
- Type: Express Route
- SKU: Standard
- VNET: Create new or use existing
- Virtual Network: ER_VNnet
- Virtual Network IP: x.x.x.x/CIDR_MASK
- Public IP: Create new
- IP Name: ER_Public_IP
How to Create ExpressRoute Circuit
Access Azure portal > Home > Express Route Circuits > fill in the blanks
- Circuit Name: ExpressRoute
- Provider: T&TA
- Peering Location: <blank>
- Bandwidth: 50Mbps
- SKU: Standard
- Billing model: metered
- Sub: Free Trial
- Resource Group: Some_RG
- Location: US West