Azure -- All Networking Components

1. Virtual Network (VNet)

📌 One-paragraph explanation

A Virtual Network (VNet) is the core private networking space in Azure where cloud resources communicate. It is used to isolate workloads, control IP ranges, and create a private environment similar to a traditional data center network, but fully software-defined. Resources inside a VNet can reach each other by default, so the "security" of that space depends on the NSGs, firewall and routing you attach to it, not on the VNet itself.

🔍 Details

  • Where used: Hosting VMs, AKS clusters, databases, internal services
  • Connected services: VM, Load Balancer, Application Gateway, Azure Firewall, Private Endpoint
  • Dependencies: None (foundation component); scoped to one region and one subscription
  • Purpose in architecture: Acts as the main “network boundary” for all resources


🧩 2. Subnet

📌 One-paragraph explanation

A subnet divides a VNet's address space into smaller logical networks so that different layers of an application (web, app, database) can be separated and controlled independently for security and traffic management. Azure reserves five addresses in every subnet (the first four and the last), so a /29, the smallest size Azure accepts, leaves only 3 usable addresses; plan tiers with room to grow. Several services also require dedicated, specifically named subnets (GatewaySubnet, AzureFirewallSubnet, AzureBastionSubnet).

🔍 Details

  • Where used: Tiered architectures (web/app/db layers), microservices isolation, dedicated service subnets
  • Connected services: VM, NAT Gateway, Azure Firewall, Load Balancer
  • Dependencies: Must exist inside a VNet
  • Key role: Enables segmentation and security boundaries inside a VNet (NSGs and route tables attach at subnet level)
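
The address-plan rules above (five reserved addresses per subnet, /29 minimum, larger minimums for the dedicated gateway, firewall and Bastion subnets, no overlaps) are easy to get wrong in a spreadsheet. The following is an added example, not code from the original post or from Microsoft: an offline validator for a VNet plan. The VNet range, subnet names and sizes are constructed for illustration, and the /27 GatewaySubnet floor is Microsoft's recommendation rather than a hard API limit.

```python
"""Offline check of an Azure VNet address plan (added example, not from the original post).

What it encodes:
  - Azure reserves 5 addresses per subnet (network address, 3 for the platform,
    broadcast), so a /n subnet has 2**(32-n) - 5 usable addresses and
    /29 is the smallest subnet Azure accepts.
  - GatewaySubnet should be /27 or larger (recommended); AzureFirewallSubnet and
    AzureBastionSubnet must be /26 or larger.
  - Every subnet must sit inside the VNet and subnets must not overlap.
The VNet range and subnet names/sizes below are constructed for illustration.
"""
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5
AZURE_SMALLEST_SUBNET = 29

# Largest prefix length (i.e. smallest network) allowed for the dedicated
# subnets that VPN/ExpressRoute gateways, Azure Firewall and Bastion require.
MIN_SIZE = {
    "GatewaySubnet": 27,
    "AzureFirewallSubnet": 26,
    "AzureBastionSubnet": 26,
}


def usable_hosts(cidr: str) -> int:
    """Addresses a NIC can actually take in `cidr` after Azure's reservations."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def validate_plan(vnet_cidr: str, subnets: dict) -> list:
    """Return a list of problems; an empty list means the plan is consistent."""
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    problems = []
    parsed = {}
    for name, cidr in subnets.items():
        try:
            # strict=True rejects host bits set in the CIDR, e.g. 10.10.2.1/24
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        parsed[name] = net
        if not net.subnet_of(vnet):
            problems.append(f"{name} {cidr} is outside VNet {vnet_cidr}")
        if net.prefixlen > AZURE_SMALLEST_SUBNET:
            problems.append(f"{name} {cidr}: Azure's smallest subnet is /{AZURE_SMALLEST_SUBNET}")
        limit = MIN_SIZE.get(name)
        if limit is not None and net.prefixlen > limit:
            problems.append(f"{name} {cidr}: must be /{limit} or larger")
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                problems.append(f"{a} {parsed[a]} overlaps {b} {parsed[b]}")
    return problems


# Constructed sample: a hub VNet carrying the dedicated subnets discussed on this page.
SAMPLE_VNET = "10.10.0.0/16"
SAMPLE_SUBNETS = {
    "GatewaySubnet": "10.10.0.0/27",
    "AzureFirewallSubnet": "10.10.1.0/26",
    "AzureBastionSubnet": "10.10.1.64/26",
    "snet-web": "10.10.2.0/24",
    "snet-db": "10.10.3.0/24",
}

# The same plan with two deliberate mistakes: a Bastion subnet that is too
# small, and a database subnet carved out of the web tier's range.
BROKEN_SUBNETS = {
    **SAMPLE_SUBNETS,
    "AzureBastionSubnet": "10.10.1.64/27",
    "snet-db": "10.10.2.128/25",
}

if __name__ == "__main__":
    for name, cidr in SAMPLE_SUBNETS.items():
        print(f"{name:22} {cidr:16} usable addresses: {usable_hosts(cidr)}")
    print("sample plan:", validate_plan(SAMPLE_VNET, SAMPLE_SUBNETS) or "OK")
    for problem in validate_plan(SAMPLE_VNET, BROKEN_SUBNETS):
        print("broken plan:", problem)
```

Run it before deploying a VNet: the broken plan reports the undersized AzureBastionSubnet and the overlapping database subnet, both of which Azure would reject at deployment time, after the rest of the template has already been applied.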

🖧 3. Network Interface (NIC)

📌 One-paragraph explanation

A NIC connects a virtual machine to a subnet, giving it one or more private IP addresses (and optionally a public IP) and enabling communication within the VNet or externally if configured. It is the VM's network identity: a VM can have several NICs, and an NSG can be applied to a NIC as well as to its subnet, in which case traffic must be allowed by both.

🔍 Details

  • Where used: Every Azure VM
  • Connected services: VM, NSG, IP configurations, Public IP
  • Dependencies: Subnet + VNet
  • Key role: Binds compute to network

🌍 4. Public IP

📌 One-paragraph explanation

A Public IP allows Azure resources to communicate with the internet or be accessed externally, such as web servers or load balancers exposed to users. Standard SKU public IPs are closed to inbound traffic by default and need an NSG rule before anything can connect; prefer attaching them to a load balancer, gateway or NAT Gateway rather than directly to VM NICs, so that each exposed address is a deliberate decision.

🔍 Details

  • Where used: Web apps, VM access, load balancers
  • Connected services: NIC, Application Gateway, Load Balancer, VPN Gateway, NAT Gateway
  • Dependencies: Assigned to a resource (not standalone usage)
  • Key role: Internet exposure layer

🔗 5. VNet Peering

📌 One-paragraph explanation

VNet Peering connects two Azure virtual networks privately, enabling resources in different VNets to communicate as if they were in the same network; traffic stays on the Microsoft backbone and never touches the public internet. Peering is not transitive: if A is peered with B and B with C, A cannot reach C unless traffic is routed through a hub (typically Azure Firewall plus user-defined routes). The address spaces of peered VNets must not overlap.

🔍 Details

  • Where used: Multi-VNet architectures, hub-spoke, prod/dev separation
  • Connected services: VNet A ↔ VNet B
  • Dependencies: Two VNets with non-overlapping address spaces (same or different regions and subscriptions)
  • Key role: Private network-to-network communication

🌐 6. VPN Gateway

📌 One-paragraph explanation

A VPN Gateway creates an encrypted IPsec/IKE tunnel between an on-premises network (or another VNet) and an Azure VNet, enabling hybrid connectivity over the public internet. It also supports point-to-site VPN for individual clients, which is a common way to give administrators private access without public IPs on VMs.

🔍 Details

  • Where used: Hybrid cloud setups, branch offices, remote administrators (point-to-site)
  • Connected services: On-prem VPN device, Local Network Gateway, VNet
  • Dependencies: A subnet named exactly GatewaySubnet + a public IP
  • Key role: Secure site-to-site connectivity

🚀 7. ExpressRoute

📌 One-paragraph explanation

ExpressRoute establishes a private, dedicated connection between on-premises infrastructure and Azure through a connectivity provider, bypassing the public internet for predictable latency, higher reliability, and higher bandwidth. Private does not mean encrypted: ExpressRoute traffic is not encrypted by default, so sensitive workloads should add MACsec (ExpressRoute Direct) or run IPsec over the circuit.

🔍 Details

  • Where used: Enterprises, banks, large-scale systems
  • Connected services: On-prem data center, connectivity provider, Azure backbone
  • Dependencies: ExpressRoute circuit + ExpressRoute gateway in the GatewaySubnet
  • Key role: Private high-speed hybrid connectivity

🔥 8. Network Security Group (NSG)

📌 One-paragraph explanation

An NSG controls inbound and outbound traffic at the subnet or NIC level using allow/deny rules on the 5-tuple (source and destination address, source and destination port, protocol), acting as a stateful packet filter for Azure resources. Rules are evaluated in ascending priority order (user rules 100 to 4096) and the first match wins. Every NSG also carries default rules at priority 65000 and above: AllowVnetInBound, AllowAzureLoadBalancerInBound and DenyAllInBound for inbound, and AllowVnetOutBound, AllowInternetOutBound and DenyAllOutBound for outbound. Two consequences matter for security: traffic inside the VNet is allowed unless you deny it, and when an NSG is on both the subnet and the NIC, a packet must be allowed by both.

🔍 Details

  • Where used: Subnets, VMs (NICs)
  • Connected services: VM, subnet, NIC, Network Watcher (flow logs)
  • Dependencies: None
  • Key role: Stateful 5-tuple filtering (no payload inspection; use Azure Firewall or WAF for that)
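
The evaluation order described above is where most NSG mistakes hide: a permissive rule with a lower priority number silently wins over a deny placed after it, and the default AllowVnetInBound rule admits anything inside the address space. The following is an added example, not Azure's own code and not from the original post: it replays that evaluation over an NSG constructed in the shape of `az network nsg show` output (trimmed to the relevant fields). Service-tag expansion is simplified to '*', VirtualNetwork, AzureLoadBalancer and Internet, the VNet range 10.10.0.0/16 is assumed, and the flows use documentation addresses.

```python
"""Work out which NSG rule decides a given flow, the way Azure evaluates NSGs
(added example, not Azure's own code and not from the original post).

Evaluation model: user rules plus default rules are sorted by ascending
priority; the first rule matching direction, protocol, source, destination
and ports wins, and nothing after it is evaluated.
Service-tag expansion is a simplification: only '*', VirtualNetwork,
AzureLoadBalancer and Internet are modelled, with an assumed VNet range.
"""
import ipaddress

VNET_RANGES = [ipaddress.ip_network("10.10.0.0/16")]        # assumed VNet address space
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")      # Azure's health-probe source


def prefix_matches(spec: str, ip: ipaddress.IPv4Address) -> bool:
    """Match an address against a service tag, a single IP or a CIDR."""
    if spec in ("*", "Any"):
        return True
    if spec == "VirtualNetwork":
        return any(ip in r for r in VNET_RANGES)
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    if spec == "Internet":
        # Simplified: anything that is neither RFC1918 nor inside the VNet.
        return not any(ip in r for r in RFC1918 + VNET_RANGES)
    return ip in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    """Match against '*', a single port or an inclusive 'lo-hi' range."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def field_values(rule: dict, singular: str, plural: str) -> list:
    """NSG JSON uses either a singular field or a list; normalise to a list."""
    values = [rule[singular]] if rule.get(singular) else []
    return values + list(rule.get(plural) or [])


def rule_matches(rule: dict, flow: dict) -> bool:
    if rule["direction"] != flow["direction"]:
        return False
    if rule["protocol"] != "*" and rule["protocol"].lower() != flow["protocol"].lower():
        return False
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    return (
        any(prefix_matches(p, src) for p in field_values(rule, "sourceAddressPrefix", "sourceAddressPrefixes"))
        and any(prefix_matches(p, dst) for p in field_values(rule, "destinationAddressPrefix", "destinationAddressPrefixes"))
        and any(port_matches(p, flow["src_port"]) for p in field_values(rule, "sourcePortRange", "sourcePortRanges"))
        and any(port_matches(p, flow["dst_port"]) for p in field_values(rule, "destinationPortRange", "destinationPortRanges"))
    )


def evaluate(nsg: dict, flow: dict) -> tuple:
    """Return (access, rule name) of the first rule that matches the flow."""
    rules = sorted(nsg["securityRules"] + nsg["defaultSecurityRules"], key=lambda r: r["priority"])
    for rule in rules:
        if rule_matches(rule, flow):
            return rule["access"], rule["name"]
    return "Deny", "(no matching rule)"   # unreachable while the default rules are present


def make_rule(name, priority, direction, access, protocol, src, dst, dst_ports, src_ports="*"):
    """Build a rule in the field layout `az network nsg show` returns."""
    return {"name": name, "priority": priority, "direction": direction, "access": access,
            "protocol": protocol, "sourceAddressPrefix": src, "destinationAddressPrefix": dst,
            "sourcePortRange": src_ports,
            "destinationPortRange": dst_ports if isinstance(dst_ports, str) else None,
            "destinationPortRanges": dst_ports if isinstance(dst_ports, list) else []}


def make_flow(direction, protocol, src, dst, src_port, dst_port):
    return dict(direction=direction, protocol=protocol, src=src, dst=dst, src_port=src_port, dst_port=dst_port)


# Constructed NSG: HTTPS from anywhere, SSH only from the Bastion subnet, and an
# explicit deny for management ports from the Internet, plus Azure's default rules.
SAMPLE_NSG = {
    "securityRules": [
        make_rule("AllowHttpsInbound", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "443"),
        make_rule("AllowSshFromBastion", 110, "Inbound", "Allow", "Tcp", "10.10.1.64/26", "*", "22"),
        make_rule("DenyMgmtFromInternet", 4000, "Inbound", "Deny", "Tcp", "Internet", "*", ["22", "3389"]),
    ],
    "defaultSecurityRules": [
        make_rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
        make_rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
        make_rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
        make_rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
        make_rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
        make_rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
    ],
}

# Constructed flows; 203.0.113.0/24 and 198.51.100.0/24 stand in for Internet hosts.
FLOWS = {
    "https_from_internet": make_flow("Inbound", "Tcp", "203.0.113.7", "10.10.2.4", 51000, 443),
    "ssh_from_internet": make_flow("Inbound", "Tcp", "203.0.113.7", "10.10.2.4", 51001, 22),
    "ssh_from_bastion": make_flow("Inbound", "Tcp", "10.10.1.70", "10.10.2.4", 53000, 22),
    "db_from_web_tier": make_flow("Inbound", "Tcp", "10.10.2.9", "10.10.3.4", 40000, 5432),
    "dns_out": make_flow("Outbound", "Udp", "10.10.2.4", "198.51.100.53", 40001, 53),
}


def audit(nsg: dict, flows: dict) -> dict:
    return {name: evaluate(nsg, flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (access, rule) in audit(SAMPLE_NSG, FLOWS).items():
        print(f"{name:22} -> {access:5} by {rule}")
```

The db_from_web_tier result is the one to notice: nobody wrote a rule for port 5432, yet it is allowed by AllowVnetInBound, which is why tier isolation needs explicit deny rules or a firewall and not just the absence of allow rules. Adding an "allow 22 from *" rule at priority 3000 would also turn ssh_from_internet into an Allow, because the deny at 4000 is never reached.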

🧱 9. Azure Firewall

📌 One-paragraph explanation

Azure Firewall is a managed, stateful firewall used to centrally filter traffic across VNets with network rules (L3/L4), application rules (FQDN and URL based), DNAT rules for inbound publishing, logging, and threat-intelligence based filtering, making it suitable for enterprise-grade network protection. It only inspects traffic that is routed to it, so each spoke subnet needs a user-defined route (0.0.0.0/0 with next hop the firewall's private IP) or the firewall is simply bypassed.

🔍 Details

  • Where used: Hub-spoke architecture
  • Connected services: Subnets, UDR routes, Log Analytics
  • Dependencies: A subnet named AzureFirewallSubnet (at least /26) + a public IP
  • Key role: Central traffic inspection and filtering point

⚖️ 10. Load Balancer

📌 One-paragraph explanation

Azure Load Balancer distributes incoming network traffic across multiple virtual machines at Layer 4 (TCP/UDP) using a hash of the connection 5-tuple, sending connections only to backends that pass a health probe, to ensure high availability and scalability. It can be public (internet-facing) or internal (private frontend IP). A Standard SKU public load balancer is closed by default: an NSG on the backend subnet or NIC must allow the load-balanced ports and the probes.

🔍 Details

  • Where used: VM scale sets, internal services
  • Connected services: VMs, subnet, Public IP (public load balancer)
  • Dependencies: Backend pool (VMs) + health probe
  • Key role: Traffic distribution

🌐 11. Application Gateway

📌 One-paragraph explanation

Application Gateway routes and balances HTTP/HTTPS traffic at Layer 7 with features like TLS termination, URL path-based routing, cookie-based session affinity, and an optional Web Application Firewall (WAF_v2 SKU) for secure web applications. Because it terminates TLS, it is also where the TLS policy (minimum protocol version and cipher suites) is enforced, and it can re-encrypt traffic to the backend so that the internal hop is not plaintext.

🔍 Details

  • Where used: Web applications, APIs
  • Connected services: VMs, App Services, WAF policy
  • Dependencies: Dedicated subnet + frontend public or private IP
  • Key role: Smart web traffic routing

🚀 12. Azure Front Door

📌 One-paragraph explanation

Azure Front Door routes user traffic at the global edge to the nearest or best-performing backend, providing low latency, caching/CDN capabilities, TLS termination and global load balancing across regions. The origin stays reachable on its own address unless you lock it down: restrict the origin to the AzureFrontDoor.Backend service tag (or use Private Link origins on the Premium tier) and validate the X-Azure-FDID header against your Front Door ID, otherwise attackers can bypass Front Door and its WAF entirely.

🔍 Details

  • Where used: Global SaaS applications
  • Connected services: Multi-region backend apps
  • Dependencies: Public endpoints (or Private Link origins on Premium)
  • Key role: Global edge traffic optimization

🌐 14. Service Endpoint

📌 One-paragraph explanation

A Service Endpoint extends the identity of a VNet subnet to selected Azure PaaS services (Storage, SQL, Key Vault and others) so that traffic reaches them over the Azure backbone and the service's firewall can be restricted to that subnet, without deploying a private IP for the service. The service keeps its public endpoint; the protection only applies if you also configure the service's network rules to allow the subnet and deny everything else. For a fully private address that removes the public endpoint from the path, use a Private Endpoint instead.

🔍 Details

  • Where used: Storage, SQL, Key Vault
  • Connected services: Subnet → Azure services
  • Dependencies: Enabled at subnet level + matching network rule on the service
  • Key role: Secure direct service access

🧭 15. Azure Bastion

📌 One-paragraph explanation

Azure Bastion provides RDP/SSH access to virtual machines through the Azure portal over TLS (or via native clients with the az CLI on the Standard SKU and above), without exposing public IPs or management ports on the VMs, improving security posture. The VMs still need an NSG rule allowing 22/3389 inbound, and that rule should permit only the AzureBastionSubnet as source.

🔍 Details

  • Where used: VM administration
  • Connected services: VM, browser
  • Dependencies: A subnet named AzureBastionSubnet (at least /26) + a public IP
  • Key role: Secure remote access

🛰️ 16. NAT Gateway

📌 One-paragraph explanation

NAT Gateway provides outbound internet access for resources in private subnets by source-NATing through a fixed public IP (or public IP prefix), without allowing inbound internet traffic, ensuring one-way connectivity. The fixed egress addresses make it easy to allow-list Azure workloads on external systems, and it avoids the SNAT port exhaustion that default outbound access and load-balancer SNAT can hit.

🔍 Details

  • Where used: Private subnet internet access
  • Connected services: Subnet, Public IP / Public IP prefix
  • Dependencies: Subnet association + at least one public IP or prefix
  • Key role: Controlled outbound traffic

📊 17. Network Watcher

📌 One-paragraph explanation

Network Watcher monitors, diagnoses, and troubleshoots Azure networking, providing tools like packet capture, IP flow verify, NSG diagnostics, connection troubleshoot, topology visualization, and flow logs. Flow logs (NSG flow logs, now being superseded by VNet flow logs) record every allowed and denied flow as 5-tuples and are the primary network telemetry for detection and incident response in Azure.

🔍 Details

  • Where used: Network debugging, detection and forensics
  • Connected services: NSG, VNet, Storage account / Log Analytics (flow log destinations)
  • Dependencies: Network Watcher instance in the region + flow logs configured per NSG or VNet
  • Key role: Network observability
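
Flow logs are only useful for detection if something reads them. The following is an added example, not from the original post and not Microsoft's code: a parser for NSG flow log records in the version 2 format (Network Watcher's JSON blob with `records`, each carrying per-rule `flowTuples` strings) that reports inbound connections from the Internet to management ports, split by whether the NSG allowed them. The two records, the addresses, the MAC, the subscription id and the timestamps are constructed; VNet flow logs use a different, richer tuple layout and would need a different field map.

```python
"""Parse NSG flow logs (Network Watcher flow log format version 2) and surface
inbound connections from the Internet to management ports.
Added example, not from the original post and not Microsoft's code.

A flow log blob is {"records": [...]}; each record carries, per NSG rule,
a list of NICs (by MAC) with flowTuples strings whose comma-separated fields
are: unix time, source IP, destination IP, source port, destination port,
protocol (T/U), direction (I inbound / O outbound), decision (A allow / D deny),
state (B begin / C continuing / E end), then packets and bytes src->dst and
dst->src (empty on B records). The records below are constructed in that
shape; the addresses, MAC, subscription id and times are made up.
"""
import ipaddress
import json
from collections import Counter

MGMT_PORTS = {22, 3389, 5985, 5986}
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_LOG = json.dumps({"records": [{
    "time": "2024-05-01T10:00:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-HUB/"
                  "PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-WEB",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87F20", "flowTuples": [
            "1714557600,203.0.113.7,10.10.2.4,51234,22,T,I,D,B,,,,",
            "1714557601,203.0.113.7,10.10.2.4,51235,3389,T,I,D,B,,,,",
            "1714557602,198.51.100.9,10.10.2.4,40001,22,T,I,D,B,,,,",
        ]}]},
        {"rule": "UserRule_AllowSshFromBastion", "flows": [{"mac": "000D3AF87F20", "flowTuples": [
            "1714557610,10.10.1.70,10.10.2.4,53000,22,T,I,A,B,,,,",
            "1714557640,10.10.1.70,10.10.2.4,53000,22,T,I,A,E,12,1860,10,2400",
        ]}]},
        {"rule": "UserRule_AllowHttpsInbound", "flows": [{"mac": "000D3AF87F20", "flowTuples": [
            "1714557620,203.0.113.7,10.10.2.4,51300,443,T,I,A,B,,,,",
            "1714557625,203.0.113.7,10.10.2.4,51300,443,T,I,A,E,30,5200,24,91000",
        ]}]},
    ]},
}]})


def parse_tuples(record: dict):
    """Yield one dict per flow tuple, tagged with the NSG rule and NIC that logged it."""
    for rule_block in record["properties"]["flows"]:
        for nic in rule_block["flows"]:
            for raw in nic["flowTuples"]:
                f = raw.split(",")
                yield {
                    "ts": int(f[0]), "src": f[1], "dst": f[2],
                    "src_port": int(f[3]), "dst_port": int(f[4]),
                    "proto": {"T": "TCP", "U": "UDP"}.get(f[5], f[5]),
                    "direction": "in" if f[6] == "I" else "out",
                    "decision": "allow" if f[7] == "A" else "deny",
                    "state": f[8],
                    "bytes_src_to_dst": int(f[10]) if f[10] else 0,
                    "bytes_dst_to_src": int(f[12]) if f[12] else 0,
                    "rule": rule_block["rule"], "mac": nic["mac"],
                }


def is_internet(ip: str) -> bool:
    """Simplified: anything outside RFC1918 space counts as Internet."""
    a = ipaddress.ip_address(ip)
    return not any(a in n for n in PRIVATE)


def load_records(blob: str) -> list:
    return json.loads(blob)["records"]


def mgmt_exposure_report(records: list) -> dict:
    """Inbound flows from Internet sources to management ports, by decision and source.
    Anything under 'allowed' is a finding: a management port reachable from the Internet."""
    denied, allowed = Counter(), Counter()
    for rec in records:
        for f in parse_tuples(rec):
            if f["direction"] != "in" or f["dst_port"] not in MGMT_PORTS or not is_internet(f["src"]):
                continue
            (allowed if f["decision"] == "allow" else denied)[f["src"]] += 1
    return {"denied": dict(denied), "allowed": dict(allowed)}


def bytes_by_rule(records: list) -> dict:
    """Total bytes in both directions per NSG rule (only C/E tuples carry counters)."""
    totals = Counter()
    for rec in records:
        for f in parse_tuples(rec):
            totals[f["rule"]] += f["bytes_src_to_dst"] + f["bytes_dst_to_src"]
    return dict(totals)


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print(json.dumps(mgmt_exposure_report(recs), indent=2))
    print(bytes_by_rule(recs))
```

In the sample, the scans against 22 and 3389 land under "denied" (the default DenyAllInBound did its job) and "allowed" is empty; in production the "allowed" bucket is the alert condition, and the per-rule byte totals show which rule actually carried the traffic, which is the quickest way to spot a forgotten permissive rule.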

🛡️ Web Application Firewall (WAF)

📌 One-paragraph explanation

A Web Application Firewall (WAF) in Microsoft Azure protects web applications from common internet attacks such as SQL injection, cross-site scripting (XSS), and other OWASP Top 10 style weaknesses. It sits in front of your web app and inspects HTTP/HTTPS requests, blocking malicious ones before they reach your application while allowing legitimate user traffic through. A WAF policy runs in Detection mode (log only) or Prevention mode (block); new deployments normally start in Detection mode to tune false positives against real traffic, then switch to Prevention.


🔍 Where WAF is used in Azure networking

WAF is not a standalone network layer; it is a policy attached to specific traffic-handling services:

🌐 1. Azure Application Gateway WAF

  • Protects regional web applications
  • Works at Layer 7 (HTTP/HTTPS)
  • Common in internal enterprise apps

📍 Flow:
User → Application Gateway (WAF) → Backend VMs / App Service


🚀 2. Azure Front Door WAF

  • Protects global applications
  • Works at the edge (nearest to user worldwide)
  • Best for SaaS and globally distributed apps

📍 Flow:
User → Front Door (WAF at edge) → Regional backend


⚙️ What WAF actually does

WAF inspects web requests and applies security rules like:

🔐 Attack protection

  • SQL injection blocking
  • Cross-site scripting (XSS) prevention
  • Command injection protection
  • File inclusion attack blocking
  • Protocol and request anomaly checks (malformed headers, disallowed methods, oversized bodies)

🚦 Traffic control

  • Rate limiting (stop bots / DDoS-like abuse)
  • Geo-blocking (block countries)
  • IP allow/deny lists

📜 Rule sets

  • Managed rules: OWASP Core Rule Set (CRS) on Application Gateway; Microsoft Default Rule Set (DRS) and bot protection on Front Door
  • Custom enterprise rules (match conditions on IP, geo, headers, URI, body)
  • Exclusions and per-rule overrides to tune false positives without disabling whole rule groups

🔗 Dependencies (very important)

WAF is NOT independent. It must be attached to:

Required parent services:

  • Application Gateway (WAF_v2 SKU) OR Front Door

Supporting dependencies:

  • Public IP (for App Gateway scenario)
  • Backend pools (VMs, App Services, APIs)
  • Virtual Network (for App Gateway version)
  • Diagnostic settings sending WAF logs to Log Analytics, or blocked requests are invisible to the SOC

🧠 Where WAF fits in Azure networking stack

Internet
  ↓
Front Door (WAF) ← global protection
  OR
Application Gateway (WAF) ← regional protection
  ↓
Load Balancer (optional)
  ↓
VMs / App Services / AKS

