Azure Network Watcher was announced yesterday and is available in Preview in the following regions:
- US West Central
- US North Central
- US West
Read more here.
Virtual Private Networks (VPNs) provide an encrypted connection between Azure and either an endpoint or a site. An endpoint is a single device with the VPN client installed; a site is a location connected through a VPN device. Azure VPN Gateways support both Point-to-Site and Site-to-Site VPNs (the latter for supported devices).
Point-to-Site (P2S) VPN:
- A Dynamic Routing (aka Route-based) VPN gateway is required
- A Standard or High Performance VPN gateway may be provisioned
- Standard = 80Mbps, 10 S2S Tunnels
- High Performance = 200Mbps, 30 S2S Tunnels
- A root certificate (self-signed or from an internal CA) has its public part uploaded to Azure; a client certificate issued from that root must be installed on each VPN client, ideally one per user so that a lost device can be revoked individually by thumbprint
- A configuration package can be downloaded from Azure for client setup
- VPN clients are assigned an IP address from the user configured range
- Uses the Secure Socket Tunneling Protocol (SSTP), which runs over TLS on TCP 443 and therefore passes most firewalls and proxies
Site-to-Site (S2S) VPN:
- A Static Routing (aka Policy-based) or Dynamic Routing VPN gateway is required
- Some VPN devices only support Static Routing; however, this limits you to a single S2S connection and rules out Point-to-Site
- Supported VPN devices are listed here
- Provided a Dynamic Routing gateway is used, Site-to-Site and Point-to-Site VPNs can coexist on the same gateway
- Multiple sites can be connected to a single VPN Gateway (a Multi-site VPN), subject to the tunnel limit of the gateway SKU
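The gateway provisioning and both sets of authentication material above, as an added example that is not part of the original post: it uses the classic (Service Management) Azure PowerShell cmdlets for the gateway and S2S pre-shared key, and New-SelfSignedCertificate for the P2S root and client certificates. The VNet name, local network site name, certificate subjects and file paths are placeholders, and it assumes a subscription has already been selected and that the VNet already contains a GatewaySubnet and a local network site.

```powershell
# Added example, not from the original post. Classic (Service Management) Azure
# PowerShell module loaded and Select-AzureSubscription already run.
$vnetName  = "corp-vnet"    # hypothetical VNet that already has a GatewaySubnet
$localSite = "HQ-Site"      # hypothetical local network site defined in the VNet config
$sharedKey = "<replace-with-a-long-random-pre-shared-key>"

# 1. Dynamic Routing (route-based) gateway: required for P2S and for multi-site S2S.
#    StaticRouting would restrict the gateway to a single S2S tunnel.
New-AzureVNetGateway -VNetName $vnetName -GatewayType DynamicRouting -GatewaySKU Standard

# 2. Site-to-Site: set the IPsec pre-shared key for the local network site. The
#    on-premises device needs the same key and the gateway's public VIP.
Set-AzureVNetGatewayKey -VNetName $vnetName -LocalNetworkSiteName $localSite -SharedKey $sharedKey
Get-AzureVNetGateway -VNetName $vnetName | Select-Object VIPAddress, State

# 3. Point-to-Site: a self-signed root whose private key stays on the admin box...
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsageProperty Sign -KeyUsage CertSign

#    ...and a client certificate signed by it, carrying the Client Authentication
#    EKU (OID 1.3.6.1.5.5.7.3.2). Issue one per user so each can be revoked alone.
$client = New-SelfSignedCertificate -Type Custom -DnsName "P2SClientCert" -KeySpec Signature `
    -Subject "CN=P2SClientCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $root -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# 4. Only the root's public certificate (DER .cer) is uploaded to the VNet's
#    certificate settings in Azure; the root private key never leaves this machine.
Export-Certificate -Cert $root -FilePath .\P2SRootCert.cer | Out-Null

# 5. The client certificate WITH its private key goes to exactly one VPN client as a
#    password-protected PFX, to be installed before the client configuration package is run.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
Export-PfxCertificate -Cert $client -FilePath .\P2SClientCert.pfx -Password $pfxPassword | Out-Null

# 6. Check: the client certificate must chain to the root that was uploaded.
#    AllowUnknownCertificateAuthority is needed because the root is not in Trusted Root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
$top = $chain.ChainElements.Count - 1
if (-not $chain.Build($client) -or $chain.ChainElements[$top].Certificate.Thumbprint -ne $root.Thumbprint) {
    throw "P2SClientCert does not chain to P2SRootCert; the gateway will reject it"
}
```

The order matters for the S2S side: the key must be set before the on-premises device brings up the tunnel, and Get-AzureVNetGateway is the place to confirm the gateway has left the Provisioning state and to read the VIP the device must peer with.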
ExpressRoute:
- ExpressRoute provides a reliable, resilient and private connection of up to 10 Gbps between the customer network and Azure; traffic does not traverse the public Internet
- There are 2 ways to connect:
- Exchange Service Provider – up to 10 Gbps
- Network Service Provider – up to 1 Gbps
- Connections into Office 365 are also possible using ExpressRoute
- ExpressRoute Fridays archived webinars and
VNet-to-VNet VPN:
- Connects 2 Azure Virtual Networks, which may be in different regions or subscriptions
- Supports geo-redundancy and geo-presence
Virtual Networks on Azure are broken down into Address Spaces and Subnets:
- Virtual Networks (VNets) provide network connectivity for Azure resources both internally and externally via a VPN Gateway.
- Address spaces define the IP ranges in CIDR format which will be used within the VNet.
- Subnets are defined within Address spaces, from which resources are assigned IP addresses.
Virtual Machines have at least 2 IP addresses:
- Virtual IP (VIP) is a public facing IP address, dynamically assigned by default though up to 20 (default subscription limit) can be reserved
- Dynamic IP (DIP) is a private IP address, dynamically or statically assigned within a subnet
A third type of IP address also exists:
- Instance-Level Public IP (IL-PIP) is assigned directly to a VM rather than to the Cloud Service in which it resides; up to 5 (default subscription limit) can be assigned
Name resolution and DNS:
- VMs on the same VNet can reach each other directly by DIP address
- A DNS service (Azure-provided name resolution or your own DNS servers) is required for name resolution beyond this
- Role instances within a Cloud Service are named with the VM name followed by a two-digit instance number, e.g. MyServer01, MyServer02, etc.
- The DNS name of a Cloud Service will be cloudservicename.cloudapp.net
- A custom domain can be associated with the Cloud Service using CNAME or A records; an A record only makes sense with a reserved VIP, since a dynamic VIP can change when the deployment is stopped
Access Control Lists (ACLs) and Network Security Groups (NSGs) control traffic.
- VM Endpoints map a Public Port on the Cloud Service VIP to a Private Port on the VM
- RDP (TCP 3389) and SSH (TCP 22) endpoints are created automatically when a VM is provisioned, by default on a random public port, and are reachable from the whole Internet until an ACL or NSG restricts them
- The Public Port is associated with the VIP assigned to the Azure Load Balancer
- The Private Port is associated with the DIP assigned to the VM
- ACLs are applied to Endpoints to permit or deny source address ranges; rules are evaluated in order, and once any Permit rule exists a source that matches no rule is denied
- NSGs allow more granular rules (source/destination prefix, port range, protocol, direction, evaluated by ascending priority with first match winning) and can be associated with a VM or Subnet, whereas ACLs are associated with an Endpoint; an NSG and an endpoint ACL cannot both be applied to the same VM
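Both controls from the list above, as an added example that is not part of the original post: an NSG with priority-ordered rules applied to a subnet, and an endpoint ACL on a VM in a separate cloud service that has no NSG. It uses the classic (Service Management) Azure PowerShell cmdlets; the location, VNet, subnet, NSG, cloud service and VM names are placeholders, and the office address range is a constructed RFC 5737 documentation prefix.

```powershell
# Added example, not from the original post. Classic (Service Management) Azure
# PowerShell module loaded and Select-AzureSubscription already run.
$location  = "West US"
$vnetName  = "corp-vnet"          # hypothetical existing VNet
$subnet    = "web-subnet"         # hypothetical existing subnet in that VNet
$nsgName   = "web-nsg"
$officeNet = "203.0.113.0/24"     # constructed admin network (RFC 5737 range)

# --- NSG: rules are evaluated by ascending Priority, first match wins. The default rules
# (allow VNet 65000, allow Azure load balancer 65001, deny all inbound 65500) sit below
# any explicit rule, so an explicit Deny beats the default allow-from-VNet.
New-AzureNetworkSecurityGroup -Name $nsgName -Location $location -Label "Web tier" | Out-Null
$nsg = Get-AzureNetworkSecurityGroup -Name $nsgName

# HTTPS from anywhere.
$nsg | Set-AzureNetworkSecurityRule -Name "allow-https-in" -Type Inbound -Priority 100 -Action Allow `
    -SourceAddressPrefix "INTERNET" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "443" -Protocol TCP | Out-Null

# RDP only from the office range...
$nsg | Set-AzureNetworkSecurityRule -Name "allow-rdp-office" -Type Inbound -Priority 110 -Action Allow `
    -SourceAddressPrefix $officeNet -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "3389" -Protocol TCP | Out-Null

# ...and explicitly denied from everything else, including other subnets in the VNet
# that the default 65000 rule would otherwise let through.
$nsg | Set-AzureNetworkSecurityRule -Name "deny-rdp-in" -Type Inbound -Priority 120 -Action Deny `
    -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "3389" -Protocol TCP | Out-Null

# Associate with the subnet so every VM placed there inherits the rules.
$nsg | Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName $vnetName -SubnetName $subnet | Out-Null

# Review the effective rule set, defaults included, in priority order.
Get-AzureNetworkSecurityGroup -Name $nsgName -Detailed |
    Select-Object -ExpandProperty Rules |
    Sort-Object Priority |
    Format-Table Name, Type, Priority, Action, SourceAddressPrefix, DestinationPortRange

# --- Endpoint ACL on a VM that is NOT covered by an NSG (classic does not allow both on
# one VM). One Permit rule is enough: any source matching no rule is then denied.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Action Permit -RemoteSubnet $officeNet -Order 100 -Description "Office RDP"

# Re-point the auto-created RDP endpoint at a non-default public port and attach the ACL.
Get-AzureVM -ServiceName "legacy-svc" -Name "legacy-vm1" |
    Set-AzureEndpoint -Name "RemoteDesktop" -Protocol tcp -LocalPort 3389 -PublicPort 53389 -ACL $acl |
    Update-AzureVM | Out-Null

# Confirm the ACL landed on the endpoint.
Get-AzureVM -ServiceName "legacy-svc" -Name "legacy-vm1" |
    Get-AzureEndpoint -Name "RemoteDesktop" |
    Select-Object Name, PublicPort, LocalPort, @{ n = "AclRules"; e = { $_.Acl.Rules.Count } }
```

The explicit deny at priority 120 is the part worth copying: without it, the default allow-from-VNet rule would still let a compromised VM in another subnet reach RDP on the web tier.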
The following resource is available as an aid when designing a network architecture on Azure:
Microsoft Cloud Networking for Enterprise Architects is available in PDF and Visio format on Microsoft TechNet.