Networking to and within the Azure Cloud, part 1

Gepost op 11 april, 2017

Global Black Belt - Azure Networking, Microsoft Azure

Hybrid networking is a nice thing, but the question then is how do we define hybrid networking? For me, in the context of the connectivity to virtual networks, ExpressRoute’s private peering or VPN connectivity, it is the ability to connect cross-premises resources to one or more Virtual Networks (VNets). While this all works nicely, and we know how to connect to the cloud, how do we network within the cloud? There are at least 3 Azure built-in ways of doing this. In this series of 3 blog posts, my intent is to briefly explain:

  1. Hybrid networking connectivity options
  2. Intra-cloud connectivity options
  3. Putting all these concepts together

Hybrid Networking Connectivity Options

What are the options? Basically, there are 4 options:

  1. Internet connectivity
  2. Point-to-site VPN (P2S VPN)
  3. Site-to-Site VPN (S2S VPN)
  4. ExpressRoute

Internet Connectivity

As its name suggests, internet connectivity makes your workloads accessible from the internet, by having you expose different public endpoints to workloads that live inside of the virtual network. These workloads could be exposed using internet-facing Load Balancer or simply assigning a public IP address to the ipconfig object, child of the NIC which is a child of the VM. This way, it becomes possible for anything on the internet to be able to reach that virtual machine, provided host firewall if applicable, network security groups (NSG), and User Defined Routes allows that to happen.

So in that scenario, you could expose an application that needs to be public to the internet and be able to connect to it from anywhere, or from specific locations depending on the configuration of your workloads (NSGs, etc.).

Point-to-Site VPN or Site-to-Site VPN

These two, fall into the same category. They both need your VNet to have an VPN Gateway, and you can connect to it using either a VPN Client for your workstation as part of the Point-to-Site configuration or make sure you configure your on-premises VPN device to be able to terminate a Site-to-Site VPN. This way, on-premises devices are able to connect to resources within the VNet. The next blog post in the series will touch on intra-cloud connectivity options.

ExpressRoute

This connectivity is well described in the ExressRoute technical overview. Suffice to say that as with the Site-to-Site VPN options, ExpressRoute also allows you to connect to resources that are not necessarily in only one VNet. In fact, depending on the SKU, it can allow the connection to more than 1 VNet, up to 10 or, having the premium add-on, up to 100 depending on bandwidth. This is also going to be described in greater details in the next section, Intra-Cloud Connectivity Options.