Virtual Network (VNet)
The most fundamental part of the Azure private network for your infrastructure is a virtual network. A virtual network, often called a VNet, enables many types of Azure resources, such as Azure virtual machines, or VMs, to securely communicate with each other, the internet, and on-premises networks. A virtual network is virtual because, while you get access to it, you don't have any access to the hardware. Just like a virtual machine, it is yours to use, but the physical hardware is hidden away. It is abstracted.
There are four main concepts you need to understand when it comes to VNets.
So let's go through each in detail.
Address Space (VNet)
An address space is the range of IP addresses that are available to the VNet. An IP address is like a street address for a house, as we went through before: it is designed to uniquely identify the resource. Every service or resource that is connected to a VNet gets its own unique address on that VNet, within the address space. That is how services on the same VNet can find each other and communicate. You assign an address space to the VNet, and each connected device, service, or resource automatically gets an IP address in that address space.
Subnets (VNet)
Subnets enable you to segment the virtual network into one or more subnetworks and allocate a portion of the virtual network's address space to each subnet. Doing that, you can have multiple networks on the same VNet. So why would you do that, though? Well, it makes it easier to keep track of which services go together, address allocation is more efficient - but probably the most important reason is that you can secure individual subnets using a network security group. We will cover those in the chapter on security.

Every VNet belongs to a single region. That means services and resources on a VNet must all be physically located in the same region as the VNet. You can connect VNets, though, to communicate across regions, if need be. Each VNet belongs to a single subscription. Each subscription can have more than one VNet, though.

The advantages you get from using a cloud-based network compared to a network in your own data center are significant too.
Resource Grouping:
Group resources onto the same subnet to make it easier to keep an overview.
Address Allocation:
More efficient to allocate addresses to resources on a smaller subnet.
Subnet Security:
Use network security groups to secure individual subnets.
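As an added example (not code from the course), the following Python checks a proposed subnet layout against a VNet address space and finds the next free block when more addresses are needed. It relies on two Azure facts not stated above: Azure reserves five addresses in every subnet, and the smallest IPv4 subnet Azure accepts is /29; the address ranges used are constructed sample values.

```python
# Added example, not part of the course: validate a proposed subnet layout for a
# VNet address space and find the next free block when more addresses are needed.
# The address ranges used here are constructed sample values.
import ipaddress

# Azure reserves 5 addresses in every subnet (network, default gateway, two for
# Azure DNS, broadcast) and does not accept IPv4 subnets smaller than /29.
AZURE_RESERVED_PER_SUBNET = 5
SMALLEST_SUBNET_PREFIX = 29


def plan_subnets(vnet_cidr, subnets):
    """Return {subnet name: usable addresses} for a layout, or raise ValueError
    if a subnet falls outside the VNet, is too small, or overlaps another one."""
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    placed = []
    usable = {}
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(vnet):
            raise ValueError(f"{name} {net} is outside the address space {vnet}")
        if net.prefixlen > SMALLEST_SUBNET_PREFIX:
            raise ValueError(f"{name} {net} is smaller than /{SMALLEST_SUBNET_PREFIX}")
        for other_name, other in placed:
            if net.overlaps(other):
                raise ValueError(f"{name} {net} overlaps {other_name} {other}")
        placed.append((name, net))
        usable[name] = net.num_addresses - AZURE_RESERVED_PER_SUBNET
    return usable


def next_free_subnet(vnet_cidr, subnets, prefixlen):
    """Return the first /prefixlen block in the VNet that no existing subnet
    touches, or None if the address space is exhausted."""
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    taken = [ipaddress.ip_network(c, strict=True) for c in subnets.values()]
    for candidate in vnet.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(t) for t in taken):
            return str(candidate)
    return None


if __name__ == "__main__":
    layout = {"web": "10.0.1.0/24", "data": "10.0.2.0/24",
              "GatewaySubnet": "10.0.255.0/27"}   # /27 or larger is recommended
    print(plan_subnets("10.0.0.0/16", layout))
    print(next_free_subnet("10.0.0.0/16", layout, 24))
```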
Regions
A VNet belongs to a single region. Every resource on the VNet must be in the same region too.
Subscriptions
A VNet belongs to just one subscription, but a subscription can have multiple VNets.
Virtual Network Cloud Advantages
Scaling:
Adding more VNets or more addresses to one is simple.
High Availability:
Peering VNets, using a load balancer or using a VPN gateway all increase availability.
Isolation:
Manage and organize resources with subnets and network security groups.
You can scale a VNet to suit your needs with a click of a button. Because VNets are a core part of Azure, they also benefit from scaling. If you suddenly need more addresses in your address space, it is a simple exercise to add more. If you need a brand new VNet, that is a simple action too. VNets ensure high availability for your resources. This is usually achieved by peering VNets (connecting two VNets), by using a load balancer, or through a VPN gateway - the last two are services we cover in this chapter too. You can isolate services and products very efficiently and simply with VNets. Using subnets and network security groups, you can manage and organize your resources within a VNet.
VNet Peering
This feature lets you connect two or more virtual networks in Azure. Traffic between virtual machines in peered networks uses the private Microsoft backbone network and never passes through the public internet, just as if the VMs were on the same virtual network.
VNet Peering Benefits
Low Latency, High Bandwidth:
Resources in virtual networks are connected with a low-latency, high-bandwidth connection.
Link Separate Networks:
Resources in separate virtual networks can communicate with each other.
Data Transfer:
Transfer data easily between subscriptions and deployment models in separate regions.
Peering gives you a low-latency, high-bandwidth connection between resources in different virtual networks. Resources in separate virtual networks can communicate. You can transfer data between subscriptions, deployment models, and Azure regions. This is used a lot to allow infrastructure scenarios that span multiple virtual networks but belong to the same company.
Exam Tips
VIRTUAL NETWORK: A virtual network is a fundamental part of your Azure infrastructure.
• An address space is a range of IP addresses you can use for your resources.
• A subnet is a smaller network, which is part of your VNet. Use these for security and logical division of resources.
• A VNet is in a single region and single subscription.
• VNets in the cloud can scale and have high availability and isolation.
Load Balancer
When you have more than one VM serving the application, how do you decide which VM gets a particular user? A load balancer is the answer. Imagine this scenario. Your online business for booking removals of angry llamas is going super well. You're starting to get much more traffic than you originally anticipated. The VM that you use for processing some of the old data is getting overloaded at times. You add a second VM, but how do you now manage the traffic flow and use both? Adding a load balancer in front of the two VMs to capture the traffic before it reaches them means you can manage where the traffic goes. As Microsoft puts it, load balancer distributes new inbound flows that arrive on the load balancer's frontend to backend pool instances, according to rules and health probes.
Inbound flows are any kind of traffic, whether from the internet or from a local VNet. Any inbound traffic will be received by the load balancer. The load balancer's frontend is the gatekeeper of all traffic to the VMs it manages. In effect, whoever calls the service the VMs are running only sees one access point, which is the load balancer's frontend. Backend pool instances are the VMs that are receiving the traffic from the load balancer. And rules and health probes refers to the load balancer rules for directing the traffic. More on that in just a sec. A health probe is a service that makes sure a VM is ready to receive traffic before the load balancer sends any. This ensures the load balancer always sends traffic to a healthy VM.
Load Balancer distributes new inbound flows that arrive on the Load Balancer's frontend to backend pool instances, according to rules and health probes.
Inbound Flows
Traffic from the Internet or local network.
Frontend
The access point for the load balancer. All traffic goes here first.
Backend Pool
The VM instances receiving traffic.
Rules & Health Probes
Checks to ensure a backend instance can receive the data.
Scenarios
Internet Traffic:
Balance the load of incoming Internet traffic into a system or application.
Internal Networks:
A load balancer works well with internal applications.
Port Forwarding:
Traffic can be forwarded to a specific machine in the backend pool.
Outbound Traffic:
Allow outbound connectivity for backend pool VMs.
Some of the scenarios where you would apply a load balancer include: load balancing incoming internet traffic, as we went through in the example at the start of the lecture; load balancing traffic from internal networks, across both Azure and hybrid scenarios; and port forwarding of traffic, where you forward traffic to a specific port on a specific machine in a backend pool. A port is a way to address a specific process: each process on a computer listens for traffic and messages on one or more ports. A load balancer can also provide outbound connectivity for the VMs in the backend pool, should that be necessary. Alright. Load balancers - done. Let's move on to the next lecture.
VPN Gateway
When you want to securely communicate between your Azure resources and your on-premises network, what do you do? Well, you use a VPN gateway, of course. Before we get into the VPN gateway encryption magic, let's start with a virtual network gateway first. A virtual network gateway is composed of two or more virtual machines that are deployed to a specific subnet you create, which is called the gateway subnet. Remember, a subnet is a dedicated part of a VNet that has a specific range of IP addresses it can use. The VMs that are located in the gateway subnet are created when you create the virtual network gateway. A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public internet. Let's say you have an established company that has its own on-premises infrastructure. This is working well, but you want to move parts of your system to the cloud to take advantage of the cloud goodness, such as scalability, high availability, and cost reduction. This means you'll have a hybrid solution, with some of your data on-premises and some on Azure. In order to communicate securely between the two, you create a VPN gateway, which is a specific kind of VNet gateway. A VPN gateway is a key part of having a secure and available hybrid cloud architecture. There are various ways to connect your on-premises servers with the VPN gateway, but that is outside the scope of this course. You should know the three main components of a VPN gateway setup, though: an Azure VNet with a VPN gateway attached (this gateway will have its own public IP address); a secure connection called a tunnel, which uses one of a number of encryption mechanisms; and an on-premises network with a complementary gateway that can accept the encrypted data. This is called a site-to-site connection. You can also have one VPN gateway with more than one on-premises network connecting to it. This is called a multi-site connection.
For the exam, you need to know about VPN gateways as they are critical for efficient cloud computing in a hybrid architecture. A VPN gateway is a specific kind of VNet gateway, which is two or more machines deployed to a specific subnet. A VNet gateway of type VPN becomes a VPN gateway. And a VPN gateway is used to send encrypted data from Azure to on-premises. There are three parts to a VPN gateway use case scenario. Azure gateway subnet of two or more machines, a secure tunnel for data to be transmitted, and an on-premises gateway to connect to as well. Up next, a different type of gateway.
VPN Gateways are instrumental in a hybrid cloud architecture.
• A VPN Gateway is a specific VNet Gateway. It consists of two or more dedicated VMs.
• VNet Gateway + “vpn” becomes a VPN Gateway.
• Sends encrypted data between Azure and on premises network.
• Azure Gateway Subnet, secure tunnel and on-premises gateway makes up a VPN Gateway scenario.
Application Gateway
What do you get if you take a load balancer and sprinkle a little cloud on it? An application gateway, of course! If you recall, a load balancer receives your internet and network traffic and, based on an IP address and a port, it will send that data to one of the VMs in the backend pool. But what if you want to route the traffic based on other parameters than simply IP address and port number? With Application Gateway, you can make routing decisions based on additional attributes of an HTTP request, such as URI path or host headers. An HTTP request is the data format that is received from any kind of internet traffic. The URI path is the web address for the request, and a host header is a piece of information that is sent with the request. This means you can send traffic from a specific web address to a specific machine. For example, if you have a request for a URL that is for images, you could send that to a specific pool of machines that are better at handling images. The same can be done for videos. One of the great things about a lot of Azure services is that they work so well together, and for the Application Gateway, that is no different. A few of the benefits of using an application gateway: an application gateway can scale up or down based on the traffic that comes to it. As always, this can cost more, but it also means you don't have to worry about managing the resources needed to serve your application. An application gateway has end-to-end encryption for all traffic, meaning you can comply with any requirements about securing the traffic. If not needed, you can disable secure transfer to the backend pool to improve processing times too. Zone redundancy - an application gateway can span multiple availability zones, offering better fault resiliency, and you don't have to set up more gateways to cater for each zone either. You can use multi-site hosting to use the same application gateway for more than one website. You can, in fact, add up to 100 websites to the same instance of an application gateway. This will save you both cost and complexity.
So, in summary, an application gateway is another type of load balancer that works on a higher level. It works on the HTTP request of the traffic instead of the IP address and port. Traffic from a specific web address, such as an image or video URL, can go to a specific machine in the backend pool. It works well with all the Azure services and can share the same cloud benefits like high availability and pricing. And this supports auto scaling, end-to-end encryption, zone redundancy, and multi-site hosting, among other benefits.
Application Gateway Benefits
Auto Scaling:
Scale the Application Gateway up or down based on the amount of traffic received.
Encryption:
Comply with any security policies. Disable or enable traffic encryption to the backend.
Zone Redundancy:
Span multiple availability zones and improve fault resiliency.
Multi-site Hosting:
Use the same application gateway for up to 100 websites.
An application gateway is a higher level load balancer.
• It works on the HTTP request of the traffic, instead of the IP address and port.
• Traffic from a specific web address can go to a specific machine.
• Is a fit for most other Azure services.
• Supports auto-scaling, end-to-end encryption, zone redundancy and multisite hosting.
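To make the difference between the two routing styles concrete, here is an added Python model (not code from the course or from Azure) of a load balancer rule and an application gateway rule as described in the Load Balancer and Application Gateway sections above. It assumes a load balancer hashes the 5-tuple of a new flow over the instances whose health probe passed, and that an application gateway picks a pool by host header and URI path; the longest-prefix tie-break, pool names, hosts and probe results are this example's own constructed choices.

```python
# Added example, not part of the course: a small model of the two routing styles
# described above. A load balancer picks a backend for a new flow from the
# (source IP, source port, destination IP, destination port, protocol) tuple and
# only among instances whose health probe passed; an application gateway instead
# chooses a backend pool from the request's host header and URI path.
# Pool names, hosts and probe results are constructed sample values.
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Backend:
    name: str
    probe_ok: bool = True   # outcome of the last health probe


def pick_backend_l4(flow, pool: List[Backend]) -> Optional[str]:
    """Layer-4 load balancer rule: hash the 5-tuple over the healthy instances
    so that every packet of one flow lands on the same VM."""
    live = [b for b in pool if b.probe_ok]
    if not live:
        return None          # no healthy instance: nothing can receive the flow
    key = "|".join(str(part) for part in flow).encode()
    idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(live)
    return live[idx].name


@dataclass
class RoutingRule:
    host: Optional[str]      # None matches any host header
    path_prefix: str
    pool: str


def pick_pool_l7(host: str, path: str, rules: List[RoutingRule], default_pool: str) -> str:
    """Layer-7 application gateway rule: the host header must match when the
    rule names one (multi-site hosting); the most specific path prefix wins."""
    matches = [r for r in rules
               if (r.host is None or r.host == host) and path.startswith(r.path_prefix)]
    if not matches:
        return default_pool
    return max(matches, key=lambda r: len(r.path_prefix)).pool
```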
Content Delivery Network
Content Delivery Network = CDN.
It is a distributed network of servers that can deliver web content close to users.
Content Delivery Network Benefits
Better Performance:
Improve the user experience and the performance of your application.
Scaling:
Scale to suit any spikes in traffic, and also protect your main backend server instance from high loads.
Distribution:
Edge servers will serve requests closest to the user. Less traffic is then sent to the server hosting your application.
Content Delivery Network Terminology
Cache:
Collection of temporary copies of original files. The primary purpose is to optimize speed for an application. When a copy expires, a new copy is needed.
Origin Server:
The original location of the files, such as a web application. It is the master copy of your application.
ExpressRoute
If you require a super-fast connection, right into the bowels of Azure, that is completely private, then ExpressRoute is for you. For example, if a company needs its data to be both on-premises and on Azure, it has to be highly available, and it needs to be periodically migrated, then ExpressRoute is the must-have connection from the company to Azure. (Yeah, that's the logo for ExpressRoute. It's nice, isn't it?) ExpressRoute connections don't go over the public internet, which means the security of your data and infrastructure is better. You get a more reliable and faster connection that has lower latency than any standard internet connection. It can look something like this. The implementation details are outside the scope of this course, as are some of the technical benefits you get from ExpressRoute. The key takeaway is that if you need a private, secure, high-bandwidth, low-latency connection, directly from your data center or infrastructure to Azure, ExpressRoute is the service you want.
ExpressRoute Overview
Data
• On-premises and on Azure
• Highly available
• Periodically migrated
Summary Networking
Virtual Network:
A fundamental part of Azure. All services are connected to a VNet. Includes an IP address range and subnets. Belongs to a single region and a single subscription.
Load Balancer:
Distributes and balances the incoming traffic to an application or network. Uses IP address and port number to determine the receiving VM in the backend pool.
VPN Gateway:
Connects your Azure network with your on-premises network securely.
Application Gateway:
Distributes incoming traffic based on HTTP request properties, such as URL and host headers. Same session traffic can be handled by multiple servers.
ExpressRoute:
Direct link between on-premises and Azure. Enables a private, secure, high-bandwidth, low-latency connection.
Content Delivery Network:
Stores a cached version of your application on an edge node. Provides better performance and less traffic to your main server. Content cache is updated as necessary.