User Defined Routing (Custom Routes)
Is a feature that allows users to have fine-grained control over the traffic flowing through their virtual networks or subnets.
Implementation
- Route Table: Contains a list of routes that define where traffic should go
- Assignment: Route Tables can be assigned to one or more VNet subents
- Routes: A route defines the Next Hop for a specific destination (Address Prefix)
-Name: A label describing the custom route
-Address Prefix: Destination address. Can be Service Tag or CIDR
-Next Hop: Defines where the traffic should go
Rule Processing
-Longest Prefix Match: Choose the rule where the address prefix is the most specific (/32)
Limitations
-VNets include default/system routes
-Route precedence: Custom > Border Gateway Protocol (BGP) > Default
-Routes can be advertised to a route table
VNet Peering
It’s the ability to create private connectivity between VNet’s that are isolated, without having to go over the internet.
-High bandwidth
-Low latency
-Not encrypted traffic, unless your VNet peers are going across data centers (MACsec), then the traffic is not going to be encrypted
Implementation
1. VNet Peerings: Two peers are created - one for each direction in the peering
2. Routes: System routes are automatically updated to allow connectivity
3. Options: Peers can support traffic forwarding and gateway/route-server access
-Allow on-premises through the hub VNet, as long as, you tick the allow box on that allow gateway access
Considerations
-Peering work across regions/subscriptions/tenants
-Peering is unsupported for overlapping IP ranges
-Transitive routing is not possible by default
Service Endpoints
Help us to get access to Microsoft publicly accessible solutions without the need of a public IP
-Uses the Microsoft Backbone, which means we can keep all traffic private.
-Still uses the Public Endpoints
Implementation
1. Subnet: Service Endpoints are configured on a per-subnet level
2. Service Endpoint: Enabled for a specific Resource Provider for the given subnet
3. Routes: When configured, a system route is automatically generated
Private Link
It enables customers to securely access services hosted on these cloud platforms privately, without exposing them to the public internet.
-Extension of resources into your VNet and give them a private IP
-On-premises resources connected via VPN or a VNet that is peered, they can access the private endpoint as well
Private Endpoints
- Private Endpoint: Network interface that is deployed to a subnet within a VNet
- Resource: The target resource/sub-resource (can be different region)
- DNS Integration: When configured, a Private DNS Zone will use the private IP addressing
-The DNS will tell the VM the private IP of the SA
Private Link Service
Provides private connectivity from a virtual network to Azure platform as a service (PaaS), customer-owned, or Microsoft partner services
-If you’ve got a partner that buils a solution within Azure, they put a standard Azuer Load Balancer in front, then you can go and configure exactly the same sort of private endpoint.
Resource Firewalls
Security mechanisms used to control incoming and outgoing network traffic to and from resources.
-Works at the public endpoint level, not for private endpoints
Implementation
- Resource: Most Azure services built for public availability network restrictions
- Network Rules: Once switched on, all traffic is blocked except that which is allowed (IPs or Subnets)
- Exceptions: Can be enabled for the platform (e.g. trusted services)
VPN Gateway
Is a managed networking service that allows organizations to establish secure connections between their on-premises networks or client devices and Azure virtual networks.
-It enables secure communication over the public internet by creating a virtual private network (VPN) tunnel (encrypted). (Using private IPs)
Implementation
Site-to-Site (S2S) Configuration
Allows organizations to establish encrypted connections between their on-premises networks and Azure virtual networks.
- VNet Gateway (VPN): Configured as VPN type, and Policy (static) or Route-based routing
-We deploy it to a Gateway Subnet
-You can use /29 but Microsoft recommends /27
-You will also need a public IP - Local Network Gateway: Remote networks available via Customer VPN Device (requires public IP)
-What is this other site that i want to connect to? What does it look like? What are the networks and what is the VPN device that i will connect to?
-What are the subnets that i can be accessing and what is the public IP address of the VPN device on the other site that the VPN Gateway will need to connect
-VPN Connection: IPSec IKE encrypted tunnel (encrypted using passphrase)
Point-to-Site (P2S) Configuration
Enables individual client devices (such as laptops or mobile devices) to securely connect to Azure virtual networks over the internet.
-P2S does support more than one user
- VNet Gateway (VPN): Configured as VPN type, and Route-based routing
-Has to use Route-based routing, Policy is not supported - Authentication: Supports certificate-based, RADIUS, or Azure AD authentication
- VPN Connection: A VPN client is required to establish the tunner (type depends on config)
-Will allow to have private IP connectivity
-Microsoft offers several different VPN clients, you can have an open VPN client (OpenVPN - SSL/TLS), that supports SSL or TLS so it works over port 443. Supports all O.S
-You can use SSTP (TLS), works over port 443, but it only works with TLS and it only suppors Windows
-You can use IPSec (IKEv2) protocol but only supports Mac
ExpressRoute
Is a dedicated private connection service offered by Microsoft Azure that provides high-performance, low-latency, and secure connectivity between on-premises networks and Azure data centers, as well as other Microsoft cloud services like Microsoft 365 and Dynamics 365.
-Not only does it avoid the public internet, but it also provides you with private access to a range of Microsoft Public services
-We are using a “Partner” provider. Also called “Partner Edge” that supports ExpressRoute
-Allows us to have private connectivity from on-premises into either Microsoft VNet or Microsoft Peering
Implementation
- VNet Gateway: Configured as ExpressRoute type with BGP routing
-We deploy it to a Gateway Subnet
-You can use /29 but Microsoft recommends /27
-You will also need a public IP - ExpressRoute Circuit: Determines peering location/provider, bandwidth, billing model, SKU.
- ExpressRoute Peering (What do i want to be connected to?)
-Microsoft: to public MS services (Have a private IP connectivity to publicly accessible services)
-Private: to one or more Azure VNets (Connectivity to a private VNet)
-You can have multiple networks. For the Standard ExpressRoute pricing, you can have up to 10 additional VNets, that are connected to your ExpressRoute
Pricing/Feature - Considerations
-Can co-exist with VPN (not Basic VPN SKU), it can help you to failover
-Can support FastPath (Ultra/ERGw3Az SKU), for better performance and low latency connectivity
-Standard supports up to 10 VNets that can be connected to your circuit, if you need more use “Premium”
-Premium supports cross-geography & greater limits
Virtual WAN
Is a networking service that aims to simplify connectivity and manage traffic routing between various Azure resources and on-premises locations.
-Help out with the idea of any-to-any network connectivity with shared resources and allowing site-to-site, point-to-site, expressroute and hub to spoke, all sorts of connectivity, all through a nice centralized management interface
-It provides a unified platform for connecting branch offices, remote users, and Azure-based resources through a centrally managed network architecture.
Implementation
First, you need to deploy a Virtual WAN. The partent container for managing all the different networks connections that you want to establish. This is also where you set the Pricing Tier.
- Hub: One or more Microsoft-managed VNets within a region
-Is like a VNet, you give it an IP address and address range and deploy it to a specific region
-Central point that Microsoft is going to use for all of the connections to be established to all of the express route circuits and so on. - Hub Gateway: Microsoft-managed gateway that is deployed as part of the Hub
-Part of the Hub
-Is what allows the connectivity - Connections: Supports ExpressRoute, S2S, P2S, VNet-to-VNet, and hub-to-hub connecitvity
-Basic SKU allows you to connect VNet’s and S2S
-Standard allows you to connect any-to-any
Azure DNS
Is a cloud-based Domain Name System (DNS) service. It allows users to host and manage their DNS domains and records in Azure’s global network of DNS servers.
-Offers high availability, scalability, and performance for domain name resolution, enabling organizations to efficiently manage their DNS infrastructure.
Public Zones
-Access for public resources
- Public Zone: A collection of publicly available records to resolve names to IPs
-Use it with the domain you want to use (needs to be a real domain that you’ve gone and purchased form a DNS Registrar) - Records: Supports common DNS records, e.g. A, TXT, CNAME, MX, PTR, SOA, SRV, etc.
-Once you buy a domain from a domain registrar, you’re gogin to tell it, where your records are stored … - Delegation: Your domain registrar NS records must point to Azure DNS
Private Zones
-Access for private resources
- Private Zone: Can only be used by VNets for private IPs
-You can configure anything that you want, because you don’t need to purchase a domain
-You need a minimum of 2 labels to be able to use private zones (.com/.io) - VNet Link: VNets must be linked to (at most one) zone to use a Private Zone
- Records: Registered automatically using VM private IP, or created manually
-You can set up a VNet to automatically register and create a record, on any VMs within that VNet
-We don’t have to configure that manually, if we have “Automation Registration” ticked for our VNet link to that VNet.
The other VNet will be able to use this private zone to go and look up something like “web1.prev.ozymart.com” to easily talk to that web application using private IP.
Considerations
-DNS zones has to have at least 2 labels (.com/.io)
-If you have “Automatic Registration” turned on, not only will you get an A record, you’ll also get a pointer records (ip to domain name - reverse lookup) as well.
-With private zones, it doesn’t matter if you have a public IP address attached to your VMs. That public IP will not be used within private zones.
