What is the correct option to how do you protect internal network on Azure?
Are you ready to move your data center to the cloud? You might be planning for things like identity, governance, and security, but one major topic is networking. How are you going to connect to the resources in the cloud? You’re going to need Azure Virtual Networks!
Show
Networking is a fundamental concept when moving compute workloads to the cloud. Your resources need to communicate with each other but also protected against outside threats. In this article, you will learn the fundamentals of Azure Virtual Networks, followed by creating Virtual Networks using three methods: the Azure Portal. Azure PowerShell, and Azure CLI. Quick Review: What are Azure Virtual Networks?Azure Virtual Network is your private network within Azure. Azure Virtual Network is commonly abbreviated as “vnet.” Like on-premises servers, Azure virtual machines need networking for communication to other resources, like other virtual machines or storage accounts. While you define VNets in the Azure cloud, VNets can also communicate with the Internet and on-premises resources. By default, all VNet resources can communicate outbound to the Internet. To allow inbound communication from the Internet, you can create rules to allow Internet traffic or add a public IP or Load Balancer. You can create a point-to-site VPN, where your individual computer can connect to the network. If you need to configure a connection to your on-premises network, you can deploy a site-to-site VPN solution, and the Azure VNet becomes an extension of your on-premises datacenter. If you require a more private connection to the Azure cloud, consider implementing ExpressRoute so your traffic does not traverse the Internet. Elements of Azure Virtual NetworksAzure VNets provide multiple services and functionalities for connecting Azure resources. Microsoft designs these services so organizations have all the tools to meet their cloud deployment requirements. The following sections describe some of the key concepts for deploying Azure Virtual Networks. Address SpaceWhen you create a VNet, you first need to specify a private IP address space in the RFC 1918 range. This IP address space contains familiar IP addresses, such as 10.0.0.0, 192.168.0.0, and 172.16.0.0. A virtual network contains one or more of these address ranges where you create additional subnets. Azure Virtual Network address spaces cannot overlap with each other. Azure will display a warning message if you try to create a virtual network using an existing address space. You can continue past this warning if you do not plan to peer the two virtual networks. As a best practice, you should not use overlapping network spaces with your on-premises data center if you intended on creating a hybrid network. SubnetsSubnets are smaller segmentations of the virtual network. Subnetting allows you to allocate a smaller portion of the VNet’s address space to specific resources. Subnets improve IP address allocation by defining fewer IP addresses in the virtual network’s usable space. Network Security GroupsWithin a virtual network, Network Security Groups (NSG) protect each subnet. You use NSGs to filter traffic in and out of a virtual network. For each rule, you define the source and destination, port, and protocol to identify the traffic. An NSG contains default security rules that automatically secure resources by blocking Internet traffic but allowing traffic from other virtual networks. Routing and PeeringAzure automatically creates routes between subnets, virtual networks, on-premises networks, and the Internet. However, you can implement route tables to control where Azure routes traffic for each subnet. For example, you can deploy a hub-and-spoke network and force all subnet traffic to go to a central hub first. You can also use your on-premises BGP routes to your Azure virtual networks. You use these when you connect your on-premises data center to the Azure cloud through an Azure VPN Gateway or ExpressRoute connection. While Azure automatically connects subnets in the same virtual network together, routing between different virtual networks requires network peering. Virtual network peering connects multiple VNets together, and the virtual networks appear as one for connectivity purposes. The traffic between the virtual networks traverses the Microsoft backbone infrastructure, not the Internet. How to Create Azure Virtual NetworksMicrosoft provides multiple ways to create Azure Virtual Networks. This tutorial covers three ways:
This tutorial uses a resource group named virtualNetworks-rg to host each virtual network. You will create each virtual network in a different region. To follow along with this tutorial, you will need:
Azure PortalTo create an Azure Virtual Network using the Azure Portal:
Azure PowerShellTo create a virtual network and subnets using Azure PowerShell:
Save the new virtual network to a variable named $vnet. $vnet = New-AzVirtualNetwork ` -Name 'vnet-eastus-001' ` -AddressPrefix 172.16.0.0/16 ` -Location eastus ` -ResourceGroupName 'virtualNetworks-rg'
$vnet = New-AzVirtualNetwork ` -Name 'vnet-eastus-001' ` -AddressPrefix 172.16.0.0/16 ` -Location eastus ` -ResourceGroupName 'virtualNetworks-rg'
Save the new subnet to a variable named $subnet1. $subnet1 = Add-AzVirtualNetworkSubnetConfig ` -Name 'subnet1' ` -AddressPrefix 172.16.20.0/24 ` -VirtualNetwork $vnet
$subnet1 = Add-AzVirtualNetworkSubnetConfig ` -Name 'subnet1' ` -AddressPrefix 172.16.20.0/24 ` -VirtualNetwork $vnet
$subnet1 | Set-AzVirtualNetwork
$subnet1 | Set-AzVirtualNetwork If you want to create a virtual network and subnets simultaneously, you need to create the subnet object first. When you create the virtual network, you specify the subnet objects.
$subnet1 = New-AzVirtualNetworkSubnetConfig ` -Name 'subnet1' ` -AddressPrefix 172.16.20.0/24
$subnet1 = New-AzVirtualNetworkSubnetConfig ` -Name 'subnet1' ` -AddressPrefix 172.16.20.0/24
$vnet = New-AzVirtualNetwork ` -Name 'vnet-eastus-001' ` -ResourceGroupName 'virtualNetworks-rg' ` -Location 'eastus' ` -AddressPrefix 172.16.0.0/16 ` -Subnet $subnet1,$subnet2,$subnet3
$vnet = New-AzVirtualNetwork ` -Name 'vnet-eastus-001' ` -ResourceGroupName 'virtualNetworks-rg' ` -Location 'eastus' ` -AddressPrefix 172.16.0.0/16 ` -Subnet $subnet1,$subnet2,$subnet3 Azure CLITo create a virtual network and subnets using the Azure CLI:
$vnet = New-AzVirtualNetwork ` -Name 'vnet-eastus-001' ` -AddressPrefix 172.16.0.0/16 ` -Location eastus ` -ResourceGroupName 'virtualNetworks-rg'0
$vnet = New-AzVirtualNetwork ` -Name 'vnet-eastus-001' ` -AddressPrefix 172.16.0.0/16 ` -Location eastus ` -ResourceGroupName 'virtualNetworks-rg'0
$vnet = New-AzVirtualNetwork ` -Name 'vnet-eastus-001' ` -AddressPrefix 172.16.0.0/16 ` -Location eastus ` -ResourceGroupName 'virtualNetworks-rg'2
$vnet = New-AzVirtualNetwork ` -Name 'vnet-eastus-001' ` -AddressPrefix 172.16.0.0/16 ` -Location eastus ` -ResourceGroupName 'virtualNetworks-rg'2 More Azure Virtual Network InformationNow that you have created your first Azure Virtual Networks, here is some additional Azure networking information to consider. Azure Virtual Networks provide many more advanced capabilities outside the core networking services. PricingUnlike a virtual machine or other Azure resources, creating virtual networks is free of charge. Creating a virtual network does not incur costs for the resource, and you can create up to 50 virtual networks per subscription. However, if you create a peering connection between different virtual networks, Azure charges for the inbound and outbound data transfers. For example, peering between two virtual networks in the East US region charges $0.01 per GB for inbound and outbound data transfers. Creating a peering connection between networks in different regions incurs an extra charge. You can view more pricing information for your specific regions here on the virtual network pricing page. Protecting ResourcesAzure also provides several capabilities for protecting your network resources. One is Azure Firewall, which is a cloud-based network security service. Azure Firewall protects resources by enforcing application and network connectivity policies. Azure Firewall has built-in high availability and unrestricted cloud scalability. In addition to the Azure Firewall, the Azure Web Application Firewall (WAF) is purposefully built for protecting web applications. WAF protects against common exploits and vulnerabilities found in web applications, including those in the OWASP Top Ten list. Azure also includes basic distributed denial-of-service (DDoS) attack protection at no additional cost. The basic service provides traffic monitoring and automatic attack mitigation. You can also scale up to standard protection, including rapid response support, mitigation policies, and metrics and alerts. Azure Virtual Network FAQsWhat is a virtual network in Azure?An Azure Virtual Network is a private IP address space for you to deploy resources to, like virtual machines. It uses IP ranges in the RFC 1918 range. What is the difference between a VNet and a subnet?A virtual network (vnet) encompasses a larger IP address space, like 10.10.0.0/16. A subnet represents a smaller subset of that IP address range, like 10.10.5.0/24. Subnets allow for separating resources on the network into logical groupings, like a group of Web or database servers. How do I make an Azure Virtual Network?You can make Azure Virtual Networks through the Azure portal, Azure PowerShell, or Azure CLI. Many infrastructure as code languages can make virtual networks, such as ARM templates, Ansible, Terraform, and Azure Bicep. How much do Azure Virtual Networks cost?Creating Azure Virtual Networks is free. However, if you peer virtual networks, you are charged based on traffic ingressing and egressing the network. Additional options, like virtual network gateways and firewalls, incur an additional charge. ClosingNow that you’ve created your first Azure Virtual Network, you should start planning on securing and protecting resources placed in the networks. Whether everything is cloud-only or a hybrid approach with an on-premises data center, the same networking concepts still apply. You need to determine and secure which resources can access other resources and protect against outside threats. To learn more about how to monitor and troubleshoot virtual networks, check out How to Create and Manage the Azure Network Watcher Resource. What you should do nowWhenever you're ready... here are 3 ways we can help you start your road to reducing data risk at your company:
Jeff BrownJeff Brown is a cloud engineer specializing in Microsoft technologies such as Office 365, Teams, Azure and PowerShell. You can find more of his content at https://jeffbrown.tech. What is the basic way of protecting an Azure Virtual Network?By default, there are no network access controls between the subnets that you create on an Azure virtual network. Detail: Use a network security group to protect against unsolicited traffic into Azure subnets.
Which Azure network security solution provides a way to secure identity?Azure Active Directory, a comprehensive identity and access management cloud solution, helps secure access to data in applications on site and in the cloud, and simplifies the management of users and groups.
Which Azure tool helps to prevent a network from being flooded?Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. Learn what types of attacks Azure DDoS Protection protects against.
Which two options can you use to connect Azure virtual networks to each other each correct answer presents a complete solution?Route via the Internet. VNet peering. Site-to-site VPN.
|