
You're reading from  Learn Azure Administration - Second Edition

Product type: Book
Published in: Dec 2023
Publisher: Packt
ISBN-13: 9781837636112
Edition: 2nd Edition
Author (1)
Kamil Mrzygłód

Kamil Mrzygłód is a technical lead and technology advisor, working with multiple companies on designing and implementing Azure-based systems and platforms. He's a former Microsoft Azure Microsoft Most Valuable Professional (MVP) and certified trainer, who shares his knowledge via various channels, including conference speeches and open source projects and contributions. Kamil lives in Poland with his two cats and one dog, dedicating some of his time to video games, cooking, and traveling.

Understanding Azure Virtual Networks

Networks are one of the most important topics when talking about infrastructure, as they provide basic security mechanisms for our services and allow us to segment them. In Azure, networking is quite an extensive subject – networks integrate not only with Infrastructure-as-a-Service (IaaS) components such as Azure Virtual Machines but can also be found in Platform-as-a-Service (PaaS) scenarios. This chapter is going to give you a thorough overview of Azure virtual networks and accompanying services.

Topics from this chapter will help you better understand networks in Azure and what capabilities they offer in terms of integration, security, and network segmentation.

In this chapter, we’re going to cover the following main topics:

  • Planning and deploying virtual networks
  • Understanding network security groups (NSGs)
  • Working with virtual network peerings
  • Network routing and endpoints

Technical requirements

To perform the exercises from this chapter, you’ll need the following tools:

  • The Azure CLI (https://learn.microsoft.com/en-us/cli/azure/install-azure-cli)
  • A favorite IDE (I recommend VS Code)
  • cURL or a similar tool that allows you to perform HTTP requests
  • A tool supporting SSH connections (you can use the built-in capabilities of your terminal or download PuTTY or something similar)

The Code in Action video for this book can be viewed at: https://packt.link/GTX9F

Planning and deploying virtual networks

Before we start designing and building networks in Azure, let’s define what a virtual network actually is. When working with physical infrastructure (for example, on-premises), most of the elements of the system infrastructure are physically available and installed in a data center. Networks of such systems consist of multiple switches, routers, and firewalls that need to be managed by administrators and IT engineers locally.

In a cloud environment, you don’t have access to physical infrastructure. Instead, you’re given access to a virtualized environment where you can decide which service you’d like to deploy. The physical networks are still there – the only difference is that it’s not your responsibility to administer them.

This is why we’re going to talk about virtual networks instead – an abstract software layer over physical components that emulates capabilities of existing hardware...

Understanding NSGs

Virtual networks in Azure provide segmentation and security boundaries for resources, but on their own they cannot define more granular access, such as which protocol and which port can be used for communication. To establish that level of control, you will need to use NSGs. This section is meant to give you a general overview of that resource type and possible use cases.

How do NSGs work?

Azure NSGs are a way to filter incoming and outgoing traffic for Azure networks. They allow you to decide how traffic should be handled depending on ports, protocols, or origin of traffic. NSGs can be assigned to either network interfaces or subnets, giving you flexible setup and granular configuration options.

It’s important to remember that NSGs work differently depending on the resource to which they are attached. However, all instances of that service share some common features, which are set out as follows:

  • DenyAllInbound...
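A simplified model of how an NSG decides on an inbound packet, added here as an illustration and not taken from the book: rules are checked in ascending priority order, the first match wins, and the built-in DenyAllInbound rule (priority 65500) is the fallback. The other rule names and all addresses are constructed, and service tags and the remaining default rules are not modelled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number = evaluated first
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR prefix or "*"
    port: str       # single port, "low-high" range or "*"
    access: str     # "Allow" or "Deny"

# Built-in fallback rule; it can be overridden by a lower priority number
# but not deleted.
DENY_ALL_INBOUND = Rule("DenyAllInbound", 65500, "*", "*", "*", "Deny")

def _port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def _source_matches(spec, addr):
    return spec == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate_inbound(rules, protocol, source_ip, dest_port):
    """Return (access, rule name) for the first rule matching the packet."""
    for rule in sorted([*rules, DENY_ALL_INBOUND], key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol)
                and _source_matches(rule.source, source_ip)
                and _port_matches(rule.port, dest_port)):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAllInbound matches everything")

# Constructed rule set: SSH only from an admin range, HTTPS from anywhere.
SAMPLE_RULES = [
    Rule("allow-https", 200, "Tcp", "*", "443", "Allow"),
    Rule("allow-ssh-admins", 100, "Tcp", "203.0.113.0/24", "22", "Allow"),
    Rule("deny-ssh-rest", 110, "Tcp", "*", "22", "Deny"),
]

if __name__ == "__main__":
    for pkt in [("Tcp", "203.0.113.7", 22), ("Tcp", "198.51.100.9", 22),
                ("Tcp", "198.51.100.9", 443), ("Udp", "198.51.100.9", 53)]:
        print(pkt, "->", evaluate_inbound(SAMPLE_RULES, *pkt))
```

Traffic that no custom rule mentions, such as the UDP packet in the sample, ends at DenyAllInbound, which is why an NSG without allow rules blocks inbound connections from outside.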

Working with virtual network peerings

In Azure, virtual networks work as a way of isolating your services. By default, there’s no direct way of communicating between resources that span multiple networks. Of course, if you expose your services publicly (for example, via configuration in NSGs), you’ll be able to make a connection between them. However, what if you want to keep them private and still be able to connect? To achieve such functionality, you need to use network peering. Let’s discover that topic.

How does peering work?

When you set up a peering between networks, they will appear as a single network, even though they will still be separate Azure resources. This implies that the peered networks cannot have overlapping address spaces – a problem we discussed at the very beginning of this chapter. Azure supports two types of peering – peering within the same region and global peering, which can be used if your networks are deployed to different...
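A pre-flight check for the address-space constraint described above, added here as an illustration and not taken from the book: it compares every pair of virtual networks and reports the prefixes that would block a peering. The network names and address spaces are constructed sample values.

```python
import ipaddress
from itertools import combinations

def overlapping_prefixes(space_a, space_b):
    """Return every (prefix_a, prefix_b) pair that shares at least one address."""
    nets_a = [ipaddress.ip_network(p) for p in space_a]
    nets_b = [ipaddress.ip_network(p) for p in space_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b
            if a.version == b.version and a.overlaps(b)]

def peering_conflicts(vnets):
    """Check every pair of networks; map (name_a, name_b) -> overlapping prefixes."""
    conflicts = {}
    for (name_a, space_a), (name_b, space_b) in combinations(vnets.items(), 2):
        hits = overlapping_prefixes(space_a, space_b)
        if hits:
            conflicts[(name_a, name_b)] = hits
    return conflicts

# Constructed address spaces; a virtual network can hold several prefixes.
SAMPLE_VNETS = {
    "vnet-hub": ["10.0.0.0/16"],
    "vnet-app": ["10.1.0.0/16", "172.16.0.0/24"],
    "vnet-legacy": ["10.0.128.0/17", "192.168.0.0/24"],
}

if __name__ == "__main__":
    found = peering_conflicts(SAMPLE_VNETS)
    for (a, b), hits in found.items():
        print(f"{a} <-> {b} cannot be peered: {hits}")
    if not found:
        print("no overlapping address spaces")
```

Note that a partial overlap is enough to conflict: vnet-legacy's 10.0.128.0/17 sits entirely inside vnet-hub's 10.0.0.0/16 even though the two prefixes look different at a glance.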

Network routing and endpoints

In Azure, basic networking setup is done automatically when you provision network components such as virtual networks and subnets. In many scenarios, the default setup can be enough, and you don’t need to incorporate a custom configuration. For everything else, Azure gives you the possibility to introduce custom routes, use Border Gateway Protocol (BGP), and leverage service and private endpoints for improved security. We’ll briefly characterize them in this section.

System routes

When a subnet is provisioned, Azure automatically assigns a set of default routes to that resource. Those default routes are called system routes and cannot be created manually or customized. You can, however, override them using custom routes. Before we dive deeper into that topic, let’s quickly describe a route.

The easiest way to describe a route in Azure is by imagining a book’s index. That part of a book contains specific words or topics...

Summary

That’s all for Chapter 3! We discussed lots of different things, including fundamental topics when planning and structuring networks and resizing, deploying, and securing them using native services. Those topics will enhance your skills when working with networking in Azure and simplify learning more advanced concepts. After this chapter, you should be able to build your own networks, secure them using NSGs, and integrate them using peerings. You also learned some basics of routing and using endpoints in Azure for improved security when using managed Azure resources. You’ll improve your knowledge in the next chapters when we apply concepts from this chapter to real-world scenarios.

In Chapter 4, you’ll learn about Azure Load Balancer, which is an important component of many Azure architectures, as it allows for distributing traffic between multiple VMs and services. This will also enable us to talk about scale sets and availability sets used for...
