Microsoft Azure (AZ-104): Understand Virtual Networks

goay xuan hui
4 min read · Jun 8, 2021

Understand Virtual Networks

Virtual networks can be in different regions and from different subscriptions. When you connect VNets from different subscriptions, the subscriptions don’t need to be associated with the same Active Directory tenant.

When designing a system architecture in Azure, you will often need to connect Azure VMs to each other (Virtual Network Peering if they are in the same region, or a VPN Gateway if not) or to extend your on-premises network to the Azure cloud.

Virtual Network Creation and Configuration

App Dev Manager Chris Tjoumas has published a very good article on this:

Understanding CIDR Notation when designing Azure Virtual Networks and Subnets | Developer Support (microsoft.com)

As you create your Virtual Network, Azure will help to ensure you do not have your address range overlap with other Virtual Networks. In the portal, you’ll have to create a default subnet when you create your Virtual Network.

The first thing to understand is that Azure holds 5 IP addresses for every subnet:

  • The first and last IP addresses in each subnet are reserved for the network identifier and for broadcast, respectively.
  • Azure also holds 3 additional addresses for internal use, starting from the first address in the subnet.

Adding Address Spaces to Azure Virtual Network

Think of address space as a feature that could automate VLAN routing for you.

For example, once you add these address spaces to your virtual network (192.168.1.0/24, 10.0.0.0/16, 172.16.0.0/16), traffic between them is routed automatically.

VNet Peering Configuration

i. VNet to VNet

Configuring a VNet-to-VNet connection is a simple way to connect VNets.

Both VNet-to-VNet and Site-to-Site connections use a VPN gateway to provide a secure tunnel with IPsec/IKE.

When you create a VNet-to-VNet connection, the local network gateway address space is automatically created and populated. If you update the address space for one VNet, the other VNet automatically routes to the updated address space.

It’s typically faster and easier to create a VNet-to-VNet connection than a Site-to-Site connection.

To establish a Site-to-Site VPN connection, a gateway subnet needs to be in place to be used by the virtual network gateway. The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. Microsoft recommends that you create a gateway subnet that uses a /27 or /28.

If you see an error that specifies that the address space overlaps with a subnet, or that the subnet is not contained within the address space for your virtual network, check your VNet address range. You may not have enough IP addresses available in the address range you created for your virtual network.

For example, if your default subnet encompasses the entire address range, there are no IP addresses left to create additional subnets.
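As an added illustration (not code from the original article or from Microsoft's tooling), a small Python check that applies the rules above to a planned VNet before you hit the portal error: 5 reserved addresses per subnet, every subnet contained in one of the address spaces, no overlapping address spaces or subnets, and a /27 or /28 gateway subnet. The subnet name GatewaySubnet is the name Azure requires for the gateway subnet; the plan values in the example are constructed.

```python
import ipaddress

# Azure reserves 5 addresses per subnet: network, broadcast, and three
# more for internal use (see the list above).
AZURE_RESERVED_PER_SUBNET = 5


def usable_addresses(subnet: str) -> int:
    """Number of addresses Azure leaves for your own resources in a subnet."""
    net = ipaddress.ip_network(subnet, strict=True)
    return max(net.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def check_subnet_plan(address_spaces, subnets):
    """Return a list of problems with a VNet plan (empty list means it is fine).

    address_spaces: list of CIDR strings assigned to the VNet.
    subnets: dict of subnet name -> CIDR string.
    """
    spaces = [ipaddress.ip_network(s, strict=True) for s in address_spaces]
    nets = {name: ipaddress.ip_network(c, strict=True) for name, c in subnets.items()}
    problems = []

    # Address spaces of one VNet must not overlap each other.
    for i, a in enumerate(spaces):
        for b in spaces[i + 1:]:
            if a.overlaps(b):
                problems.append(f"address spaces {a} and {b} overlap")

    # Every subnet must be contained within one of the VNet's address spaces.
    for name, net in nets.items():
        if not any(net.subnet_of(space) for space in spaces):
            problems.append(f"subnet {name} ({net}) is not contained within the address space")

    # Subnets must not overlap (e.g. a default subnet that eats the whole range).
    names = list(nets)
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            if nets[x].overlaps(nets[y]):
                problems.append(f"subnets {x} ({nets[x]}) and {y} ({nets[y]}) overlap")

    # The gateway subnet should be a /27 or /28, as recommended above.
    gw = nets.get("GatewaySubnet")
    if gw is not None and gw.prefixlen not in (27, 28):
        problems.append(f"GatewaySubnet {gw} is a /{gw.prefixlen}; use a /27 or /28")
    return problems


if __name__ == "__main__":
    # Constructed example: a default subnet that swallows the whole /16.
    print(check_subnet_plan(["10.0.0.0/16"], {"default": "10.0.0.0/16", "GatewaySubnet": "10.0.255.0/27"}))
```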

ii. Site-to-Site (IPSec)

If you’re working with a complicated network configuration, you may prefer to connect your VNets by using a Site-to-Site connection instead.

When you follow the Site-to-Site IPsec steps, you create and configure the local network gateways manually. If the address space for a VNet changes, you must manually update the corresponding local network gateway.

iii. VNet Peering

VNet peering doesn’t use a VPN gateway and has different constraints.

Generate Certificates

Certificates are used by Azure to authenticate clients connecting to a VNet over a Point-to-Site VPN connection.

Once you obtain a root certificate, you upload the public key information to Azure.

You also generate client certificates from the trusted root certificate, and then install them on each client computer.

The client certificate is used to authenticate the client when it initiates a connection to the VNet.

Important!!!!

  1. To ensure your Azure web app connects to an SMB share on your on-premises network, you need a VPN gateway. Don’t confuse it with Azure Application Gateway. Azure Application Gateway is a web traffic load balancer. It does not provide connectivity to on-premises resources.
  2. You can’t add address ranges to, or delete address ranges from a virtual network’s address space once a virtual network is peered with another virtual network. To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering.
