Week of July-25
Philipp Weckerle
Advocating customer experience and innovation through cloud technologies on Microsoft Azure.
Before we start, here is an Azure Networking primer, in case you have not had too much exposure to it yet.
Networking Options
Networking has always been a topic for select few experts. In the cloud world, however, things are much more fluent and hence networking has to be less intimidating and needs to be more efficiently manageable.
Traditional Hub-Spoke Topology
When starting Azure Networking for larger, interconnected scenarios, we have the traditional Hub-Spoke topology at our disposal, in order to minimize complexity.
This topology, while more traditional, is still a valid approach, also represented in the Landing Zone Accelerator. This topology does still require considerations when it comes to Spoke2Spoke communication, on-prem connectivity, etc.
However, there is an even easier option, which is Azure Virtual WAN.
Azure Virtual WAN
With Azure Virtual WAN, the service takes care of not only the peering and routing aspects but also makes securing the topology much easer. Also creating on-prem connectivity using VPN or Express Route.
So let's consult the excellent Summary of Azure Virtual WAN by John Savill, and then walk though the corresponding Learn Module.
Finding Things
Now that we have laid down the foundation (Hub-Spoke or VirtualWAN) the next -obvious- question is how to manage the name resolution for all those Infrastructure resources that will live in this networking infrastructure (e.g. VMs, Private Endpoints, ...)
The answer to this is Domain Name Servers (DNS), which are an age old concept and well situated in the on-prem world. With the fluidity of the cloud world, however, traditional was no longer cut it and leveraging the built in DNS that comes with the cloud environment is essential to retain a smooth cloud experience.
Azure DNS
The built-in service in Azure is called Azure DNS. This service takes care of managing the name resolution across Azure's public platform services and provides services for us to manage our private names (a.k.a Private Zones).
There is an excellent Learn Module on Azure DNS, and it is the perfect time to go ahead and run through it to get acquainted with Azure DNS.
Private DNS Zones
Azure Private DNS Zones are the mechanism with which you can create your own name server entries and associate those zones to select virtual networks to control how names out of those private zones are resolved by resources in the specific virtual network.
But Private DNS Zones are only half of the story. While they handle name resolution for resources that live in your virtual network, in hybrid scenarios, where seamless interaction between on-prem resources and cloud resources is desired, bi-directional name resolution is a necessity.
领英推荐
Private Resolver
In the DNS world, it is very common to leverage conditional forwarding of requests to other DNS for resolution, in order to avoid unnecessary duplication. While you can stand up your own DNS server in Azure that acts as the counterpart for your on-prem DNS and communicates with the Azure DNS for resolving the Azure-hosted resources, there is an even better option, Azure Private Resolver.
At its core, it is a managed service that takes on the responsibility for handling name resolution requests from on-prem but also allow forwarding of requests for on-prem resources, coming from the Azure side, to the on-prem DNS.
As so often, there is an excellent starting point with John Savill's videos on Azure DNS Overview, and Azure Private Resolver.
Securing Things
Not even last, when it comes to networking, and most certainly not least is the topic around securing network traffic. This topic is especially challenging at the beginning as there are various different mechanisms that can be used to secure traffic within a network, and across the larger network topology.
A great resource here is the Learn Module around Securing network connectivity in Azure and now is a perfect time to try to grab those 1000 XPs.
Azure Network Security Groups
The most basic options to secure network traffic are Network Security Groups. They act as filter for network traffic and can be used at the vNet or VM level to control the flow out of, into and within a virtual network.
However, with a growing complexity of your network topology, Network Security Groups, as the only way of control, can become difficult to manage.
Azure Firewall, Web Application Firewall & Application Gateway
For more complex topologies, or specialized requirements, Azure provides a set of services that can be used to protect and control the access to vNet based traffic.
The main services in focus here operate at different OSI layers, and therefore can be used for different use cases.
Just as a side not, Azure Platform Services -like Storage, Databases, etc.) do have service specific firewalls as those services "live" in the public side of Azure and therefore require vNet independent security mechanisms to provide service integrity when accessed through their public endpoints.
Puh! Now we need a treat
This was, indeed, a heavy one. Let's kick back, relax and have a nice cool cone.