Over the years, in my work, I often meet people struggling with Azure networking. And it is comprehensive, some of them have never been trained to do networking and some others have only a basic knowledge of on-premises networking. That is why I wanted to make this post.
At the heart of Azure Network, you will find the Virtual Network or VNET. A VNET let you define your network in subscription for an Azure Region. In clear, Azure provides a software-defined private and isolated network that spans an entire region over multiple data centers.
What does a VNET do? First, it is an address space. It allows us to define which prefix can be used. It is also a container for subnets. A subnet can be viewed as a broadcast domain or a VLAN if you prefer. They use one prefix or a fraction of a prefix from the address space. Every IP address in a subnet can be seen within the subnet and this is where you will connect your assets.
VNET is also a DHCP service, it will allocate IP addresses depending on the subnet and apply DHCP options like IP reservation and DNS servers.
Finally, VNET is also a routing space, every subnet can route traffic inside the VNET so by default, un VM in subnet A can contact a VM in subnet B if the two subnets belong to the same VNET.
Routing is an important part of understanding VNET because a VNET is also a virtual router. If you have 3 subnets in your VNET, the routing service will automatically create routes to make sure these 3 subnets communicate with each other. Each subnet prefix will have a record in the route table with the virtual network as the next hop.
To see default routes, you will need to create a VM and connect it to a subnet. Then go to the virtual network interface and select effective routes in the left menu.
You will see your subnet prefix with Virtual Network as the next hop, a 0.0.0.0/0 (default route) with Internet as the next hop. You will also see a list of public IP prefixes; these are managed by MS so you can not use them. The next hop in this case is none which means the traffic is dropped.
You will also see 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 with none as the next hop. Do not worry, Azure will use the virtual network next hop if you add one of these prefixes. If you add a smaller prefix within these prefixes, the routing rule is to route smaller prefixes first, so no worry here too.
If you peer a VNET to another VNET, a new route will be added to the VNET default route, prefixes of the peered VNET with VNet peering as the next hop.
If your VNET can access a Virtual Network Gateway connected to an Express Route or a VPN with BGP enabled, either because the VNG is directly connected to the VNET or because the VNET is peered to a VNET with a VNG, Azure will override routes learned by the VNG (via BGP only, so ER a VPN with BGP enabled) with Virtual Network Gateway as next hop, and IPs of the VNG. You can also enable route learning with Azure Route Server if you have an NVA.
Default routes can not be modified. You cannot add, remove, or change any of these default routes. But you can override these routes by adding a user define route or UDR. User Defined Routes are static routes that can be added to subnets.
UDR is a simple object, you add a prefix, a destination type, VNET, Gateway, None (packets will be dropped), Internet (if you want to explicitly route to Internet), and Virtual Appliance with the next hop IP, if you want traffic to be routed through an NVA.
The destination could be an IP prefix, but you can also use an Azure Service Tag. It could be a service (storage, AzureBackup, …) or a regional tag, see.
Another important point to understand about virtual networks is Internet access. By default, we see that a VNET has a default route for 0.0.0.0/0, Internet. It means that the VNET is responsible for routing packet internet to every IP from its subnets. But in this case, you don't control two things, the public IP that will be used by VMs and the SNAT port allocation (that could lead to SNAT port exhaustion; packet that could not get a source nat port, see). To avoid that you may have to deploy either a Load Balancer or a Nat Gateway.
This is the basic knowledge you should have to understand and operate Azure Virtual Network. Forget, almost everything you know about VLAN, and start to learn about routing and BGP. It is more used than you think.
Top comments (0)