Azure Networking

 
Link 

1. VNet

2. Service Endpoint

Youtube : Mastering Azure Virtual Network & Subnet creation - Step by Step Demo in Hindi


Youtube : Azure Networking For Beginners | Learn Azure Networking Basics | K21Academy



IPv4 addresses are divided into five classes (A to E) based on their leading bits.

The 127.0.0.0/8 block is not part of any usable class: it is reserved for loopback, also called localhost. Pinging 127.0.0.1 checks only that the local TCP/IP stack is working; it does not test the laptop's internet connection, because loopback traffic never leaves the host.






There are billions of IPv4 addresses, so we need a way to say which block belongs to a network and which addresses inside it are free for hosts. That is what CIDR gives us.

CIDR notation: Classless Inter-Domain Routing. An address block is written as a base address plus a prefix length, for example 10.0.0.0/16.

In 10.0.0.0/16 the first 8 + 8 = 16 bits identify the network and the remaining 16 bits identify hosts, so the block holds 2^16 = 65,536 addresses.


IPv4 addresses are also split into two broad groups: public and private. Public addresses are routable on the internet and are used for anything that must be reachable from outside the VNet (internet-facing endpoints, VPN gateways, management access from the internet).
Microsoft obtains its public IP ranges through IANA (Internet Assigned Numbers Authority) and the regional internet registries, and publishes the ranges it uses per service and region.

Private addresses are limited to the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16); they are not routable on the internet and can be reused inside every VNet.



Azure adds one exception: inside every subnet you cannot use the first four addresses or the last one.

.0 is the network address
.1 is reserved by Azure for the default gateway
.2 and .3 are reserved by Azure to map the Azure DNS servers into the VNet address space

and
.255 (the last address of the subnet) is the broadcast address




Private IPs are assigned by Azure (delivered to the VM via DHCP); we only define the network boundary by giving the VNet and each subnet an IP range. A VM's private IP can be marked static when it must never change.







A firewall, in the simplest sense, is an access control list: it allows traffic from the addresses and ports you care about and denies everything else.

Because a VNet is defined purely at the IP level, this filtering attaches to the VNet's building blocks: Network Security Groups on subnets and NICs, or a dedicated firewall subnet (Azure Firewall or an NVA) that route tables steer traffic through.

In Microsoft Azure, a Service Endpoint lets resources in your Virtual Network (VNet) securely connect to Azure services (like Storage or SQL) over the Azure backbone network instead of the public internet.

Example:

  • Your VM inside a subnet needs access to an Azure Storage account.
  • You enable a Service Endpoint for Microsoft.Storage on that subnet.
  • The Storage account can then allow traffic only from that subnet/VNet.

Key points:

  • Enabled at the subnet level.
  • Used for Azure PaaS services like:
    • Azure Storage
    • Azure SQL Database
    • Cosmos DB
    • Key Vault
  • Traffic still goes to the service's public IP, but over Azure's backbone; the service sees the VM's private VNet address as the source, which is what its firewall rules match on.
  • Helps restrict access using VNet/subnet identity, but only if the service's own firewall is set to deny other networks; enabling the endpoint on the subnet alone does not block anyone.

Azure Virtual Network & Subnets:

Azure Virtual Network (VNet)

A Virtual Network (VNet) in Microsoft Azure is a logically isolated private network in the Azure cloud.

Think of it like your company’s on-premises network, but hosted inside Azure.

It allows Azure resources to communicate securely with:

  • each other
  • the internet
  • on-premises networks
  • other VNets

Core Purpose of a VNet

A VNet provides:

  • IP address space
  • Network isolation
  • Routing
  • Security boundaries
  • Connectivity options

Without a VNet, most Azure resources cannot communicate privately.

Basic Architecture

Azure Region
   |
   └── VNet (10.0.0.0/16)
          |
          ├── Subnet-Web (10.0.1.0/24)
          |
          ├── Subnet-App (10.0.2.0/24)
          |
          └── Subnet-DB (10.0.3.0/24)


Address Space

When creating a VNet, you define a CIDR IP range.

example

10.0.0.0/16

This means:

  • Total addresses ≈ 65,536

Azure supports:

  • Private IP ranges
  • Public ranges (rarely used)

Common private ranges:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

What is a Subnet?

A Subnet is a smaller network inside a VNet.

Subnets help:

  • organize resources
  • isolate workloads
  • apply security rules

Example:

Subnet   Purpose
Web      Frontend servers
App      Application servers
DB       Database servers


Subnet Example

VNet:

10.0.0.0/16

Subnets:

10.0.1.0/24
10.0.2.0/24
10.0.3.0/24

Each /24:

  • has 256 IP addresses

Azure Reserved IPs

Azure reserves 5 IPs in every subnet.

Example:

Subnet:

10.0.1.0/24

For the subnet 10.0.1.0/24, there are 256 total IP addresses (0–255).

In Microsoft Azure, 5 IPs are reserved in each subnet:

Reserved IP    Purpose
10.0.1.0       Network address
10.0.1.1       Reserved by Azure (default gateway)
10.0.1.2       Reserved by Azure (maps Azure DNS into the VNet)
10.0.1.3       Reserved by Azure (maps Azure DNS into the VNet)
10.0.1.255     Broadcast address

So the usable IP range is:

10.0.1.4 – 10.0.1.254

Reserved:

  • .0 → Network address
  • .1 → Azure default gateway
  • .2 → Azure DNS mapping
  • .3 → Azure DNS mapping
  • .255 → Broadcast

Usable:

  • 251 IPs (256 − 5). The same 5 addresses are reserved in every subnet regardless of its size, so the smallest subnet Azure allows, a /29, has only 3 usable addresses.
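The CIDR arithmetic from the address-space and reserved-IP sections above, worked in code. This is an added example written for this page, not code from the original post or from Azure; it uses only the Python standard library and the constants it embeds (the five reserved addresses, the /29 minimum) are Azure's documented rules, while the VNet and subnet ranges are the page's own example values.

```python
import ipaddress

# Azure reserves five addresses in every subnet: the network address, the
# default gateway (.1), two Azure DNS mappings (.2, .3) and the broadcast
# address (last). /29 is the smallest subnet Azure accepts.
AZURE_RESERVED_PER_SUBNET = 5
AZURE_SMALLEST_PREFIX = 29


def network_and_host_bits(cidr: str) -> tuple[int, int, int]:
    """Return (network bits, host bits, total addresses) for an IPv4 CIDR."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.prefixlen, 32 - net.prefixlen, net.num_addresses


def reserved_addresses(subnet_cidr: str) -> dict[str, str]:
    """Map each Azure-reserved address of the subnet to its purpose."""
    sn = ipaddress.ip_network(subnet_cidr, strict=True)
    base = sn.network_address
    return {
        str(base): "network address",
        str(base + 1): "default gateway (reserved by Azure)",
        str(base + 2): "Azure DNS mapping (reserved by Azure)",
        str(base + 3): "Azure DNS mapping (reserved by Azure)",
        str(sn.broadcast_address): "broadcast address",
    }


def usable_range(subnet_cidr: str) -> tuple[str, str, int]:
    """Return (first usable, last usable, count) after Azure's reservations."""
    sn = ipaddress.ip_network(subnet_cidr, strict=True)
    if sn.prefixlen > AZURE_SMALLEST_PREFIX:
        raise ValueError(f"{subnet_cidr}: Azure subnets must be /29 or larger")
    first = sn.network_address + 4          # .0-.3 are taken by Azure
    last = sn.broadcast_address - 1         # last address is broadcast
    return str(first), str(last), sn.num_addresses - AZURE_RESERVED_PER_SUBNET


def plan_subnets(vnet_cidr: str, new_prefix: int, count: int) -> list[str]:
    """Carve `count` equal /new_prefix subnets out of a private VNet range."""
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    rfc1918 = [ipaddress.ip_network(r)
               for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
    if not any(vnet.subnet_of(r) for r in rfc1918):
        raise ValueError(f"{vnet_cidr} is not inside an RFC 1918 private range")
    subnets = []
    for sn in vnet.subnets(new_prefix=new_prefix):
        if len(subnets) == count:
            break
        subnets.append(str(sn))
    if len(subnets) < count:
        raise ValueError(f"{vnet_cidr} cannot hold {count} /{new_prefix} subnets")
    return subnets


def overlaps(cidr_a: str, cidr_b: str) -> bool:
    """Subnets in a VNet (and across peered VNets) must not overlap."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


if __name__ == "__main__":
    print(network_and_host_bits("10.0.0.0/16"))
    # Skip 10.0.0.0/24 so the result matches the page's Web/App/DB layout.
    for cidr in plan_subnets("10.0.0.0/16", 24, 4)[1:]:
        print(cidr, usable_range(cidr))
    for addr, why in reserved_addresses("10.0.1.0/24").items():
        print(f"  {addr:<12} {why}")
```

`usable_range` refuses anything smaller than /29 because Azure rejects it, and `plan_subnets` refuses non-RFC 1918 space; both are the checks a practitioner wants before an IP plan reaches a template.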

Components Inside a VNet

Resources commonly deployed inside subnets:

  • Virtual Machines
  • VM Scale Sets
  • AKS nodes
  • App Gateway
  • Bastion
  • Private Endpoints

Each VM gets:

  • NIC (Network Interface Card)
  • Private IP

Communication Types

1. VM-to-VM Communication

VMs in same VNet communicate privately.

Web VM → App VM

Traffic stays inside Azure backbone.


2. Internet Communication

Outbound internet has historically been allowed by default through an implicit SNAT address. Microsoft has announced the retirement of this default outbound access for new VNets, so plan explicit egress (NAT Gateway, a Load Balancer outbound rule, or a public IP on the NIC).

Inbound from the internet requires a public entry point:

  • Public IP on the NIC
  • Load Balancer (public frontend)
  • Application Gateway

NAT Gateway is outbound-only: it gives the subnet a fixed SNAT address but never accepts inbound connections.


3. VNet-to-VNet

Using:

  • VNet Peering
  • VPN Gateway

Example:

Prod VNet ↔ Shared Services VNet


4. Hybrid Connectivity

Connect Azure to on-premises using:

  • Site-to-Site VPN
  • ExpressRoute

Network Interface (NIC)

Every VM attaches to a NIC.

VM → NIC → Subnet → VNet

NSGs can attach to:

  • NIC
  • Subnet

Network Security Groups (NSG)

NSGs filter traffic using rules. Each rule has a priority (100–4096 for your own rules); rules are evaluated from the lowest priority number upward and the first match wins, so an allow with a lower number than a deny is never blocked by that deny.

Example rules:

  • Allow HTTP (priority 100)
  • Allow SSH from the bastion subnet only (priority 110)
  • Deny all inbound (Azure already adds DenyAllInBound at priority 65500, after AllowVnetInBound at 65000 which permits VNet-internal traffic)

Applied at:

  • Subnet
  • NIC

When both a subnet NSG and a NIC NSG exist, inbound traffic must be allowed by both (subnet is evaluated first, then NIC); outbound is evaluated NIC first, then subnet.
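The priority-ordered evaluation described above, as an added example (not code from the page or from Azure). It models the default inbound rules Azure installs and a small constructed custom rule set; the VNet address space behind the VirtualNetwork tag is assumed to be 10.0.0.0/16, and the Internet tag is approximated as "anything outside that space" (the real tag is broader). The point it demonstrates is that ordering decides outcomes: a deny with a higher priority number than a matching allow never fires.

```python
import ipaddress
from dataclasses import dataclass

ANY = "*"
# Assumption for this example: the VNet address space that the
# "VirtualNetwork" service tag expands to; "Internet" is everything else.
VNET_SPACE = [ipaddress.ip_network("10.0.0.0/16")]
AZURE_LB_PROBE = ipaddress.ip_network("168.63.129.16/32")   # AzureLoadBalancer tag


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int      # custom rules: 100-4096, lower number evaluated first
    direction: str     # "Inbound" | "Outbound"
    access: str        # "Allow" | "Deny"
    protocol: str      # "Tcp" | "Udp" | "Icmp" | "*"
    source: str        # CIDR, "*", "VirtualNetwork", "Internet", "AzureLoadBalancer"
    dest_port: str     # "22", "80-443" or "*"


# Azure's built-in default inbound rules (priorities 65000-65500).
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", ANY, "VirtualNetwork", ANY),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", ANY, "AzureLoadBalancer", ANY),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", ANY, ANY, ANY),
]

# Constructed custom rules: HTTP from anywhere, SSH only from a bastion subnet.
CUSTOM_INBOUND = [
    NsgRule("AllowHttpFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "80"),
    NsgRule("AllowSshFromBastion", 110, "Inbound", "Allow", "Tcp", "10.0.4.0/26", "22"),
    NsgRule("DenySshFromAnywhere", 120, "Inbound", "Deny", "Tcp", ANY, "22"),
]


def _source_matches(rule_source: str, src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    in_vnet = any(ip in n for n in VNET_SPACE)
    if rule_source == ANY:
        return True
    if rule_source == "VirtualNetwork":
        return in_vnet
    if rule_source == "Internet":
        return not in_vnet
    if rule_source == "AzureLoadBalancer":
        return ip in AZURE_LB_PROBE
    return ip in ipaddress.ip_network(rule_source, strict=False)


def _port_matches(rule_port: str, port: int) -> bool:
    if rule_port == ANY:
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port


def validate(rules: list[NsgRule]) -> bool:
    """Azure rejects custom priorities outside 100-4096 and duplicates per direction."""
    seen = set()
    for r in rules:
        if not 100 <= r.priority <= 4096:
            raise ValueError(f"{r.name}: priority {r.priority} outside 100-4096")
        if (r.direction, r.priority) in seen:
            raise ValueError(f"{r.name}: duplicate priority {r.priority}")
        seen.add((r.direction, r.priority))
    return True


def evaluate(rules, direction, src_ip, protocol, dest_port):
    """Walk rules in ascending priority; the first full match decides (access, name)."""
    ordered = sorted((r for r in rules if r.direction == direction), key=lambda r: r.priority)
    for r in ordered:
        if r.protocol not in (ANY, protocol):
            continue
        if not _port_matches(r.dest_port, dest_port):
            continue
        if not _source_matches(r.source, src_ip):
            continue
        return r.access, r.name
    return "Deny", "no rule matched"


def inbound_decision(src_ip: str, protocol: str, dest_port: int):
    """Effective NSG = your custom rules plus Azure's defaults."""
    validate(CUSTOM_INBOUND)
    return evaluate(CUSTOM_INBOUND + DEFAULT_INBOUND, "Inbound", src_ip, protocol, dest_port)


if __name__ == "__main__":
    for src, port in [("203.0.113.5", 80), ("203.0.113.5", 22), ("10.0.4.10", 22),
                      ("10.0.1.7", 3306), ("203.0.113.5", 443)]:
        print(f"{src}:{port} ->", inbound_decision(src, "Tcp", port))
```

Note what AllowVnetInBound at 65000 means in practice: a database port is reachable from every subnet in the VNet unless a custom deny with a lower number says otherwise, so "deny all inbound" at priority 4000 does not close VNet-internal access that a 100-series allow already opened.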

Route Tables (UDR)

Azure automatically creates system routes.

You can customize routing using:

  • User Defined Routes (UDR)

Example:

Force traffic through Azure Firewall

Service Endpoints

Enabled on a subnet.

Allow secure access to Azure services.

Example:

Subnet → Azure Storage

Traffic uses Azure backbone.

VNet Peering

Connects two VNets privately.

Benefits:

  • low latency
  • high bandwidth
  • no VPN required

Example:

Hub VNet ↔ Spoke VNet

Azure Storage itself is not inside your VNet.

With Service Endpoints:

  • Your subnet gets direct access to Azure services like:
    • Azure Storage
    • Azure SQL
    • Key Vault
  • The service still remains a public Azure service with a public IP.
  • Traffic stays on the Azure backbone network instead of going over the public internet.

Private Endpoint

Creates a network interface with a private IP for the Azure service inside your VNet, so the service is reached like any other resource in the subnet.

Example:

Storage Account gets private IP 10.0.2.5

This is the stronger option: the service is addressed by a VNet IP, on-premises networks connected by VPN or ExpressRoute can reach it, and the public endpoint can be disabled entirely. Two caveats: the private endpoint does not by itself turn off the public endpoint (set the resource's public network access to disabled), and name resolution must return the private IP (a privatelink private DNS zone), otherwise clients silently keep using the public path.





DNS in VNet

Azure provides default DNS.

You can also use:

  • custom DNS servers
  • Active Directory DNS

VMs resolve names inside VNet automatically.



When to Use Which

Use Service Endpoint when:

  • Simplicity matters
  • Lower cost is preferred
  • Public endpoint is acceptable
  • Access from inside Azure VNets is enough (service endpoints do not extend to on-premises networks)

Use Private Endpoint when:

  • Maximum security is required
  • Public internet access must be blocked
  • Compliance/security policies demand private connectivity
  • Hybrid/on-prem private routing is needed



Supported Azure resources for Service Endpoints

1. Storage services

  • Azure Storage Accounts
    • Blob Storage
    • File Storage
    • Queue Storage
    • Table Storage

2. Databases

  • Azure SQL Database
  • Azure Cosmos DB
  • Azure Database for MySQL
  • Azure Database for PostgreSQL

3. Messaging / Integration

  • Azure Service Bus
  • Azure Event Hubs

4. Key management

  • Azure Key Vault

IP Address Types (Azure Networking)

1. Public IP vs Private IP

Public IP

  • Accessible from the Internet
  • Used for external communication
  • Example: Web apps, Load Balancers, VPN gateways
  • Format examples: 20.x.x.x, 52.x.x.x

Private IP

  • Used inside a Virtual Network (VNet)
  • Not accessible from the Internet
  • Used for internal communication between resources
  • Example ranges:
    • 10.0.0.0 – 10.255.255.255
    • 172.16.0.0 – 172.31.255.255
    • 192.168.0.0 – 192.168.255.255

2. Static IP vs Dynamic IP

Static IP

  • Fixed IP address (does NOT change)
  • Assigned manually or reserved
  • Used for servers that must always be reachable
  • Examples: DNS servers, databases, firewalls

Dynamic IP

  • Automatically assigned (via DHCP)
  • Can change when resource restarts or deallocates
  • Used for temporary or general-purpose workloads
  • Example: development VMs

3. Combination Types

Public Static IP

  • Fixed Internet-facing IP
  • Example: 52.x.x.x always stays the same

Public Dynamic IP

  • Internet-facing but can change over time

Private Static IP

  • Fixed internal VNet IP (recommended for servers; Azure still delivers it via DHCP, but reserves it so it never changes)
  • Example: 10.0.0.4 always stays the same

Private Dynamic IP

  • Internal IP that may change on restart

4. Azure Quick Mapping

  • Virtual Machine (default) → Private Dynamic IP
  • Virtual Machine (configured) → Private Static IP
  • Application Gateway → Public Static IP
  • Load Balancer → Public or Private Static IP

5. Simple Summary

  • Public = Internet access
  • Private = Internal network
  • Static = Fixed IP
  • Dynamic = Changeable IP

Route Tables and Route Rules (Azure Networking)

1. What is a Route Table?

A Route Table is a set of rules that tells a subnet:

  • Where to send network traffic
  • Which path to use (next hop)

It is used inside a Virtual Network (VNet) to control traffic flow.

Subnet → Route Table → Next Hop (Destination)


2. What is a Route Rule?

A Route Rule is a single entry inside a route table.

Each rule defines:

  • Destination address (CIDR range)
  • Next hop type
  • Optional next hop IP

3. Route Rule Structure

Destination Prefix    Next Hop Type
10.0.0.0/16           Virtual Network
0.0.0.0/0             Internet
10.0.2.0/24           Virtual Appliance (next hop IP = the NVA's private address)

When several routes match a destination, Azure picks the one with the longest prefix; if two routes have the same prefix, a user-defined route beats a BGP route, which beats a system route.

4. System Routes vs User Defined Routes (UDR)

System Routes (default)

  • Automatically created by Azure
  • Cannot be deleted (only overridden)
  • Basic routing inside the VNet, plus 0.0.0.0/0 → Internet and the private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10) → None (dropped)

User Defined Routes (UDR)

  • Custom routes created by you
  • Override system routes
  • Used for:
    • Firewalls
    • Forced tunneling
    • Network appliances

5. Key Idea

  • Route Table = container of routing rules
  • Route Rule = individual path decision
  • Subnet uses route table to decide traffic flow

6. Simple Memory Trick

  • Route Table = “Map”
  • Route Rule = “Street direction”
  • Next Hop = “Where traffic goes next”

What is NVA?

NVA = Network Virtual Appliance

It is a virtual network device (a software-based appliance such as a firewall, IDS/IPS or router running in a VM) used to control, inspect, or filter network traffic inside a VNet. A UDR sends traffic to it with next hop type Virtual Appliance and the NVA's private IP; the NVA's NIC must have IP forwarding enabled, otherwise Azure drops packets that are not addressed to the NIC itself.

Subnet → Route Table → NVA → Internet / Other Subnet
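The route selection described in the Route Tables and NVA sections above (longest prefix match, then user route over system route), as an added example that is not code from the page or from Azure. The system routes it installs are Azure's documented defaults; the VNet range 10.0.0.0/16, the NVA address 10.0.100.4 and the two UDRs are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Azure's tie-break when two routes share a prefix length:
# user-defined route > BGP route > system route. Lower value = preferred.
SOURCE_RANK = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str                 # VirtualNetwork | Internet | VirtualAppliance | None
    next_hop_ip: Optional[str] = None  # only meaningful for VirtualAppliance
    source: str = "User"


def system_routes(vnet_cidr: str) -> list[Route]:
    """The default routes Azure creates for every subnet of a VNet."""
    return [
        Route(vnet_cidr, "VirtualNetwork", source="System"),
        Route("0.0.0.0/0", "Internet", source="System"),
        # Private ranges outside the VNet are dropped, not sent to the internet.
        Route("10.0.0.0/8", "None", source="System"),
        Route("172.16.0.0/12", "None", source="System"),
        Route("192.168.0.0/16", "None", source="System"),
        Route("100.64.0.0/10", "None", source="System"),
    ]


def select_route(routes: list[Route], dest_ip: str) -> Optional[Route]:
    """Longest prefix match first, then source preference, as Azure does."""
    ip = ipaddress.ip_address(dest_ip)
    matching = [r for r in routes if ip in ipaddress.ip_network(r.prefix, strict=False)]
    if not matching:
        return None
    return max(matching, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                                        -SOURCE_RANK[r.source]))


def next_hop(routes: list[Route], dest_ip: str):
    """Return (next hop type, next hop IP); type 'None' means the packet is dropped."""
    r = select_route(routes, dest_ip)
    return (r.next_hop_type, r.next_hop_ip) if r else ("None", None)


# Constructed hub-and-spoke example: VNet 10.0.0.0/16 with an NVA at 10.0.100.4.
VNET = "10.0.0.0/16"
NVA_IP = "10.0.100.4"
UDR = [
    Route("0.0.0.0/0", "VirtualAppliance", NVA_IP),     # force internet egress via the NVA
    Route("10.0.3.0/24", "VirtualAppliance", NVA_IP),   # inspect traffic bound for the DB subnet
]
EFFECTIVE = system_routes(VNET) + UDR


if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.0.2.5", "10.0.3.9", "10.5.0.1"):
        print(dst, "->", next_hop(EFFECTIVE, dst))
```

Two things the output makes concrete: the 0.0.0.0/0 UDR captures internet-bound traffic without touching VNet-internal traffic, because the /16 system route is more specific; and a destination in 10.0.0.0/8 that lies outside the VNet is still dropped by the system None route even with the default route overridden.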






