Azure VNet
A Virtual Network (VNet) is a logically isolated network in the cloud that allows you to create and manage virtual machines and connect to other Azure resources, on-premises networks, and the internet. With a VNet, you can segment your resources and apply network security and routing rules to control traffic flow. You can create subnets within a VNet to organize and allocate resources and use features like Virtual Private Network (VPN) gateways and Network Security Groups (NSGs) to connect and secure your resources.
VNet is the Azure-specific term for a virtual network, whereas other cloud providers such as AWS use the term Virtual Private Cloud (VPC) to refer to their equivalent offering.
While you can create many Azure resources without a VNet, a VNet is often a necessary and recommended component of your Azure infrastructure.
By creating a VNet, you can establish a logical network environment in the cloud that you can use to connect and secure your Azure resources. VNets provide you with additional network segmentation, security, and routing capabilities to help you manage your resources more effectively.
Address Space
The address space represents the set of IP addresses that are allocated to the resources within the VNet.
When creating a VNet, specify a CIDR notation IP address range for the address space. CIDR (Classless Inter-Domain Routing) notation represents IP addresses and subnet masks in a compact format. For example, if you specify an address space of “10.0.0.0/16”, the VNet has a range of 65,536 IP addresses, from 10.0.0.0 to 10.0.255.255.
You divide the address space of the VNet into multiple subnets to organize and allocate resources. Each subnet has its own address range, which is a subset of the VNet address space. You specify the subnet address ranges when creating subnets within the VNet.
Choosing an appropriate address space for your VNet ensures you have enough IP addresses to allocate to your resources. You must avoid overlapping IP address ranges with other VNets or on-premises networks to prevent routing conflicts.
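As an added example that is not part of the original page, the following Python script uses the standard ipaddress module to size the 10.0.0.0/16 space from above, carve it into subnets, and check the two rules this section states: every subnet must sit inside the VNet address space, and the VNet must not overlap other VNets or on-premises ranges. The subnet layout and the neighbouring ranges are constructed sample values, not a real deployment.

```python
import ipaddress

# Constructed sample plan: one VNet with three subnets, plus the ranges it must not
# collide with (a second VNet and an on-premises network). Values are illustrative.
VNET = "10.0.0.0/16"
SUBNETS = {"web": "10.0.1.0/24", "app": "10.0.2.0/24", "data": "10.0.3.0/26"}
OTHER_RANGES = {"hub-vnet": "10.1.0.0/16", "on-prem": "192.168.0.0/16"}


def describe(cidr):
    """Return (first address, last address, size) of a CIDR block; a /16 holds 65,536."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net[0]), str(net[-1]), net.num_addresses


def usable_hosts(cidr):
    """Addresses left for your resources after Azure's reservations.

    Azure reserves five addresses in every subnet: the network address, the default
    gateway, two addresses for Azure DNS mapping, and the broadcast address.
    """
    return ipaddress.ip_network(cidr).num_addresses - 5


def validate_plan(vnet, subnets, other_ranges):
    """Return a list of problems with the plan; an empty list means the plan is clean."""
    problems = []
    vnet_net = ipaddress.ip_network(vnet)
    subnet_nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}

    # Rule 1: every subnet must be a subset of the VNet address space.
    for name, net in subnet_nets.items():
        if not net.subnet_of(vnet_net):
            problems.append(f"subnet {name} {net} is outside VNet {vnet_net}")

    # Rule 2: subnets inside the VNet must not overlap one another.
    names = list(subnet_nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnet_nets[a].overlaps(subnet_nets[b]):
                problems.append(f"subnets {a} and {b} overlap")

    # Rule 3: the VNet must not overlap other VNets or on-premises networks,
    # otherwise routing between them becomes ambiguous.
    for name, cidr in other_ranges.items():
        other = ipaddress.ip_network(cidr)
        if vnet_net.overlaps(other):
            problems.append(f"VNet {vnet_net} overlaps {name} {other}")
    return problems


if __name__ == "__main__":
    print(describe(VNET))
    print(validate_plan(VNET, SUBNETS, OTHER_RANGES) or "plan is clean")
```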
For more details about subnets, see the subnet page.
DDoS Protection
Distributed Denial of Service (DDoS) attacks are a common and serious threat to network security. DDoS attacks can overwhelm a network or service with traffic, making it unavailable to legitimate users.
An attack can come from any source, not just the internet. While many DDoS attacks are launched from the internet, attackers can launch DDoS attacks from other sources, such as within your network or compromised devices outside your network.
Azure provides basic DDoS protection capabilities by default for all public IP addresses created in Azure. This basic DDoS protection is free of charge and includes automatic detection and mitigation of common network-level DDoS attacks. Azure basic DDoS protection protects against both external and internal DDoS attacks.
The basic DDoS protection service includes automatic detection and mitigation of common DDoS attack types, such as SYN floods, UDP floods, and reflection attacks. When a DDoS attack is detected, traffic is automatically rerouted to Azure’s traffic scrubbing centers, where it is inspected and filtered before reaching your resources.
The Azure DDoS Protection Plan is an upgrade from the basic DDoS protection. It provides customizable DDoS protection policies, real-time monitoring and reporting, advanced traffic analysis and threat intelligence, multi-layered protection, and 24/7 support from Microsoft’s security experts. The Azure DDoS Protection Plan is priced based on the size and complexity of your Azure deployment and is available in Standard and Premium tiers. By upgrading to the Azure DDoS Protection Plan, you can improve the security and resiliency of your Azure infrastructure and maintain the availability and performance of your applications and services.
Azure Firewall
An Azure Firewall is not required for every VNet, but it is recommended as a best practice for securing your Azure infrastructure.
Azure Firewall provides a central point of control for inbound and outbound network traffic, allowing you to create and enforce security policies for your VNet.
With Azure Firewall, you can create rules to control traffic flow based on source and destination IP addresses, ports, protocols, and applications.
You can also use Azure Firewall to perform advanced threat detection and monitoring and integrate with other Azure services such as Azure Security Center and Azure Sentinel.
That being said, there may be situations where you don’t need an Azure Firewall, such as when you only have a small number of resources deployed within your VNet or when you are already using other security measures like Network Security Groups (NSGs) or third-party firewalls. Ultimately, the decision to use Azure Firewall should be based on your specific security requirements and the size and complexity of your Azure deployment.
For more details about Azure Firewall, see the subnet page.
DNS Servers
DNS servers are essential to any VNet, as they are responsible for resolving domain names to IP addresses. In Azure, you can use Azure-provided DNS or custom DNS servers.
If you choose to use Azure-provided DNS, Azure assigns a default DNS server to your VNet that provides name resolution for Azure-provided services and resources. The Azure-provided DNS server also forwards requests to your on-premises DNS servers if you have configured a connection between your VNet and your on-premises network.
Alternatively, you can bring your own custom DNS servers to your VNet. This allows you to use your domain names and DNS server configurations and provides more control over name resolution for your resources.
When configuring custom DNS servers in Azure, you can specify up to four DNS server IP addresses for your VNet. Azure hands these addresses to the resources in the VNet as their configured DNS servers.
Peering
VNet peering is a feature in Azure that allows you to connect two virtual networks in the same region or different regions using Microsoft’s backbone network. VNet peering enables resources in both VNets to communicate as if they were in the same network.
For more details about Azure Virtual Network Peering, see the subnet page.