For full text search please use the '?' prefix. e.g. ? Onboarding

Virtual Networking

Virtual networks have many address spaces and subnets can have many address prefixes. The ranges do not have to be consecutive, allowing easy expansion. Virtual networking supports both IPv4 and IPv6. Subnets can be dedicated to Azure services via service delegations.

Networks

Networks have a list of address spaces in which a number of subnets can be created.

Subnets

Subnets have a list of address prefixes in which IP addresses can be assigned, either statically or dynamically (via DHCP; default).

Some services (such as application gateways) require subnet delegations, allowing them to manage their address space autonomously.

Service endpoints

Service endpoints allow IaaS resources to access Azure resources over the Microsoft backbone rather than having to go out over the Internet, allowing increased performance and easier management of firewall rules via virtual network links. In this setup virtual network rules are created against the resource, and matching service endpoints are created for each specified subnet.

Network Security Groups

Network security groups provide access control for virtual networks and resources. They're generally assigned to a NIC (for more specific rules) and/or subnet (for more general rules).

A 5-tuple hash is used to identify traffic streams, comprising,

Traffic can be filtered in either direction: inbound or outbound.

Service tags represent known addresses for Azure services.

Application Security Groups

Application security groups are user-defined service tags: they allow marking individual IP configurations with labels for clearer expression of NSG rules.

Note that an ASG can be used as a source or destination only if the target is within the same virtual network.

Peerings

Virtual networks can be peered irrespective of their location. A peering must be created for each pair of networks to be peered, each referencing the other as the remote virtual network by ID. Peerings can be used to share a gateway between multiple subnets (often used in hub and spoke topologies to access on-premises resources).

If either end of the peering is destroyed, the other end is invalidated to avoid security breaches, and must be recreated to reenable.

Public IP addresses

Public IP addresses provide endpoints for resources.

IP addresses can be assigned dynamically or statically:

  • Dynamic IP addresses will change when they're removed from resources or the resource is stopped/deallocated.
  • Static addresses cost a fixed monthly amount for a reserved address that won't change with the stopping of its associated resource, and it be safely reassigned.

There are two SKUs:

  • Basic is open by default, and can be statically or dynamically allocated.
  • Standard is secure by default, statically assigned, and availability zone aware.
Backlinks