Azure for Architects: Part3 - Azure Networking

1. Introduction to Azure Networking

Networking is a critical component of cloud architecture, enabling communication between cloud services, on-premises environments, and the internet. Azure Networking provides a suite of services that allow architects to design secure, high-performance, and scalable network infrastructures.

Key Networking Considerations for Architects

When designing an Azure network, architects must address the following:

?? Connectivity – How workloads communicate (e.g., Virtual Networks, VPN, ExpressRoute).

?? Security – Protection against threats (e.g., NSGs, Firewalls, Private Links).

?? Scalability – Supporting high traffic and growth (e.g., Load Balancers, CDN).

?? Resiliency – High availability and fault tolerance (e.g., Availability Zones, Traffic Manager).

?? Cost Optimization – Minimizing egress traffic costs and redundant networking components.

2. Azure Virtual Network (VNet) – Foundation of Networking in Azure

Azure Virtual Network (VNet) is the fundamental building block for networking in Azure. It provides an isolated environment for running cloud-based applications and connecting resources securely.

There are three common networking patterns for organizing workloads in Azure:

• Single virtual network
• Multiple virtual networks with peering
• Multiple virtual networks in a hub-spoke topology

Key Features of VNet:

• Subnetting: Divide VNets into smaller subnets for better resource organization.
• VNet Peering: Securely connect two VNets for seamless communication across regions.
• Private Link & Endpoints: Enable private access to Azure services without exposing them to the internet.
• Network Security Groups (NSG): Control inbound and outbound traffic at the subnet or NIC level.
• Virtual Network NAT: replaces the need for individual public IP addressing for outbound connectivity allowing VMs to communicate with outbound internet. One NAT can be associated with one or more subnets within a VNet.

Best Practices for Architects:

? Use CIDR blocks to plan IP addressing and avoid overlapping ranges.

? Segment subnets based on workload types (e.g., web, database, application tiers).

? Implement VNet Peering instead of VPN tunnels for better performance.

? Use Azure Private Link for secure connections to Azure PaaS services.

3. Hybrid Networking in Azure – Connecting On-Premises to Azure

Hybrid networking allows businesses to connect on-premises infrastructure to Azure securely. Azure provides multiple connectivity options:

VNet Peering

Securely connect two VNets for seamless communication across regions. Peering is non-reciprocal, connection must be established in both directions. Peering is non-transitive. Peering can be in the same region or cross regions, or cross subscriptions. The networks to peer should NOT overlap.

Azure VPN Gateway

Establishes connectivity between VNets, similar to VNet peering. It is through the internet. Between Azure and on-premises.

• Connects on-premises networks to Azure using IPsec/IKE VPN tunnels.
• Supports site-to-site (S2S) and point-to-site (P2S) connections.
• Best suited for low-to-medium traffic workloads and temporary connections.

Azure ExpressRoute

Dedicated physical connection. Built-in redundancy. Connectivity via private peering. Dynamic routing via BGP. Not encrypted by default. Your own connection to the cloud. Data is not transferred over the internet. Speed ranges from 50 Mbps to 10 Gbps.

You can combine Azure ExpressRoute and Azure VPN Gateway to create a failover to a VPN connection if there's a loss of connectivity in the ExpressRoute circuit.

• Establishes private, dedicated high-speed connections (up to 100 Gbps).
• Bypasses the public internet, providing low latency and high security.
• Ideal for enterprise workloads and regulatory compliance needs.

Azure Virtual WAN

A single operational interface to manage networks. Connects networks using hub-spoke architecture. A hub-spoke network topology is a way to isolate workloads while sharing services such as identity and security. The hub is a virtual network in Azure that acts as a central point of connectivity to your on-premises network. Spokes are virtual networks that peer with the hub. Shared services are deployed in the hub, while individual workloads are deployed as spokes. Spokes are connected to the hub by using virtual network peering. Traffic flows between the on-premises data center(s) and the hub through an ExpressRoute or VPN gateway connection. The main differentiator of this approach is the use of Azure Virtual WAN to replace hubs as a managed service.

• Centralized networking service that integrates VPN, ExpressRoute, and SD-WAN.
• Best for managing global, multi-site connectivity.

Best Practices for Hybrid Connectivity:

? Use ExpressRoute for mission-critical, high-bandwidth applications.

? Implement BGP (Border Gateway Protocol) for dynamic routing between on-prem and Azure.

? Secure connections using VPN and IPsec encryption.

4. Azure Load Balancing & Traffic Management

Azure load-balancing services can be categorized along two dimensions:

• Global or Regional
• HTTP(S) or non-HTTP(S)

Azure provides multiple services for distributing traffic efficiently:

Azure Load Balancer (Layer 4 - TCP/UDP)

A networking solution for distributing traffic between backend compute. Layer 4. Highly Available. Backend resources must be redundant.

• Routes traffic to VMs/VMSS in a backend pool.
• Supports high availability and failover across zones.

Azure Application Gateway (Layer 7 - HTTP/HTTPS)

A networking solution for distributing traffic between backend compute. Layer 7. URL path-based routing. VMs, VMSS and App Service. Backend resources must be redundant. Requires that its subnet should only contain it.

• Offers intelligent traffic routing, SSL termination, and Web Application Firewall (WAF).
• Supports path-based routing and multi-site hosting.

Azure Front Door (Global Load Balancing)

Azure Front Door is a content acceleration solution that leverages Microsoft’s global edge network to provide fast connectivity to your solution, across the globe. A global load balancer.

Azure Front Door improves a user's access to web applications by caching dynamic and static content across Microsoft's global edge networks.

• Provides global, low-latency traffic routing based on real-time performance monitoring.
• Used for CDN-like acceleration and application security.

Traffic Manager (DNS-Based Traffic Routing)

Azure Traffic Manager is a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure regions while providing high availability and responsiveness.

Traffic Manager uses DNS to direct client requests to the most appropriate service endpoint based on a traffic-routing method and the health of the endpoints. An endpoint is an Internet-facing service hosted inside or outside of Azure.

• Routes requests to the nearest Azure region using latency-based DNS resolution.
• Best for disaster recovery and geo-distributed applications.

Comparison Table: Choosing the Right Load Balancer

Decision Tree for traffic management options

Best Practices:

? Use Load Balancer for internal VM failover.

? Choose Application Gateway for web applications with WAF security.

? Leverage Front Door for global application acceleration.

5. Azure Network Security – Protecting Workloads in the Cloud

Azure offers multiple security solutions to protect workloads from cyber threats.

Network Security Groups (NSG)

Create rules that define what is allowed/denied for inbound/outbound traffic. Controls security at the subnet or NIC levels. Default rules can’t be deleted, used-defined rules can be created. The lower the priority of the rule the higher precedence. NSGs are stateful (if a request is allowed in, the response is also allowed out). Includes a default DENY rule for inbound and outbound traffic.

Each subnet and network interface can have one network security group applied to it. Network security groups support TCP, UDP, and ICMP, and operate at Layer 4 of the OSI model. For inbound traffic, NSG assigned at the subnet level is evaluated before NSG assigned to the NIC, for outbound the reverse.

You can use augmented security rules for network security groups to simplify managing large numbers of rules. Augmented security rules also help when you need to implement more complex network sets of rules. Augmented rules let you add the following options into a single security rule: Multiple IP addresses, multiple ports, Service tags, and App security groups.

Application Security Groups (ASG)

An Application Security Group (ASG) is a logical grouping of virtual machines (VMs) that enables simplified management of NSG rules based on application roles rather than IP addresses.

Key Features of ASG:

? Works alongside NSGs to group VMs dynamically based on logical roles (e.g., Web Servers, Database Servers).

? Allows applying NSG rules to groups of VMs instead of IP addresses.

? Helps in scaling network policies without manually updating IP-based rules.

? Supports flexibility when adding/removing VMs without changing NSG rules.

Use NSG when you need explicit control over traffic flows using IP addresses, ports, and protocols. Use ASG when you want to simplify security management by grouping VMs logically instead of defining rules for individual IP addresses. Combine NSG & ASG for scalability and security – use NSGs for network-wide policies and ASGs for role-based VM grouping.

Azure Firewall

Fully managed firewall as a service, including HA and scale. Filter traffic with a PAAS firewall. FQDN support, FQDN is not supported in NSG. You need to create an AzureFirewallSubnet with /26 or lower to provision the firewall, this is because the firewall itself uses some IPs for autoscaling. The firewall should exist in the same region as the VNET. You need to create a route table and routes for the firewall, and create the rules (DNAT, network, application) for the firewall. We use DNAT rule to RDP to a VM using the public IP of the Firewall itself.

Firewall management: firewall policy (new) and firewall rules (classic).

Azure Firewall Manager

If you have multiple locations and you want to manage the firewall rules you have to set up these rules individually. Instead, you can use Azure Firewall Manager to apply these rules centrally. This can be done by creating policies and applying these policies to different locations. You can also use a global policy as a parent for other policies.

Web Application Firewalls

Protecting web applications from common vulnerabilities and exploits such as SQL injection, XSS, common injection, and HTTP request smuggling. We can use managed rules (OWASP) or custom rules. The WAF can be assigned to Azure Gateway or Azure Front Door.

DDoS Protection

Automatic mitigation of Distributed Denial of Service attacks. Protects public endpoints and internet-facing applications.

Azure Private Link

Both Azure Private Link and Service Endpoints allow secure access to Azure services, but they differ in how they achieve private connectivity and security isolation.

Azure Private Link allows services (PaaS or custom applications) to be accessed privately over the Microsoft Azure backbone without exposing them to the public internet. A Private IP is assigned to the service inside the customer’s VNet. No exposure to public IPs; traffic flows through Microsoft’s backbone. Connect on-premises workloads to Azure services without a public IP.

Service Endpoints

By default, Azure services have public endpoints (through internet). Using service endpoints, you can provide private connectivity to a service from inside your virtual network. Not all services support service endpoints, supported services differ per region. Service endpoints are enabled per subnet. It doesn’t give services a private IP.

Service Endpoints allow Azure PaaS services to extend into a VNet, meaning traffic to those services comes from the VNet’s private IP range instead of the public internet. However, the service itself still has a public IP. Services still remain publicly accessible but only allow traffic from selected VNets.

Best Practices:

? Use NSGs for basic subnet-level security.

? Deploy Azure Firewall for centralized security enforcement.

? Enable DDoS Protection for public-facing services.

6. Connectivity Patterns and Best Practices

Networking Architectures:

?? Hub-Spoke Model – Centralized security and shared services (Best for enterprises).

?? Mesh Model – Direct connectivity between VNets (Best for small, dynamic deployments).

?? Hybrid Network Design – Integrating on-premises, ExpressRoute, and VNets for seamless connectivity.

Monitoring & Troubleshooting:

• Azure Network Watcher – Monitors traffic flow, connection health, and latency.
• Azure Monitor & Traffic Analytics – Provides deep insights into network performance.

Cost Optimization Strategies:

? Use Azure Peering instead of VPNs to reduce latency and cost.

? Leverage Private Endpoints to minimize egress traffic.

? Choose Azure CDN for reducing bandwidth consumption.

Conclusion

Azure networking offers a comprehensive set of services to build secure, scalable, and high-performance cloud architectures. By using the right networking patterns and security best practices, architects can optimize connectivity while minimizing costs.