AZ104 — Azure Virtual Network (VNET)
· Azure virtual networks provide key networking capabilities:
- Isolation and segmentation
- Internet communications
- Communicate between Azure resources
- Communicate with on-premises resources
- Route network traffic
- Filter network traffic
- Connect virtual networks
- A VM in Azure can make outbound connections to the Internet by default.
- You can enable inbound connections from the Internet by assigning a public IP address or placing the VM behind a public load balancer. A public IP on its own exposes every listening port, so pair it with a network security group (or a firewall) that allows only the traffic you intend.
- Point-to-site Virtual Private Networks
o This approach is like a Virtual Private Network (VPN) connection that a computer outside your organization makes back into your corporate network, except that it’s working in the opposite direction.
o In this case, the client computer initiates an encrypted VPN connection to Azure, connecting that computer to the Azure virtual network.
- Site-to-site Virtual Private Networks
o A site-to-site VPN links your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network.
o In effect, the devices in Azure appear to be on the local network.
o The connection is encrypted (IPsec/IKE) and traverses the Internet.
- Azure ExpressRoute
o For environments that need greater bandwidth, predictable latency, and a private path that stays off the public Internet, Azure ExpressRoute is the best approach.
o Azure ExpressRoute provides dedicated private connectivity to Azure that does not travel over the Internet. Private is not the same as encrypted: ExpressRoute traffic is not encrypted by default, so where encryption is required use MACsec on ExpressRoute Direct ports or run a site-to-site IPsec VPN over the ExpressRoute private peering.
· You can control routing and override those settings as follows:
o Route tables
§ A route table holds user-defined routes (UDRs) that override Azure's system routes. You associate the table with a subnet to control the next hop for traffic leaving that subnet, for example to force all traffic through a network virtual appliance. Azure picks the route with the longest matching prefix; if several routes share a prefix, a user-defined route wins over a BGP route, which wins over a system route.
o Border Gateway Protocol
§ Border Gateway Protocol (BGP) works with Azure VPN gateways or ExpressRoute to propagate on-premises BGP routes into Azure virtual networks and to advertise the virtual network's prefixes back to on-premises.
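The route-selection behaviour described above (longest prefix match, then user-defined over BGP over system routes) is shown here as an added example; it is a small model written for these notes, not Azure code, and the route set, the 10.0.0.0/16 address space, and the NVA address 10.0.1.4 are constructed for illustration:

```python
import ipaddress

# Tie-break order Azure applies when several routes have the same prefix:
# user-defined first, then BGP-learned, then system routes.
SOURCE_PRECEDENCE = {"UserDefined": 0, "BGP": 1, "System": 2}


def select_route(destination_ip, routes):
    """Return the effective route for one destination, or None if nothing matches.

    Longest prefix match wins; equal prefixes are resolved by SOURCE_PRECEDENCE.
    """
    dst = ipaddress.ip_address(destination_ip)
    matching = [r for r in routes if dst in ipaddress.ip_network(r["prefix"])]
    if not matching:
        return None
    return min(
        matching,
        key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen,
                       SOURCE_PRECEDENCE[r["source"]]),
    )


# Constructed route set for a VNet 10.0.0.0/16 whose workload subnet has a
# route table attached and whose gateway learns a prefix over BGP.
ROUTES = [
    # System routes Azure creates for every subnet
    {"prefix": "10.0.0.0/16", "next_hop": "VnetLocal", "source": "System"},
    {"prefix": "0.0.0.0/0", "next_hop": "Internet", "source": "System"},
    # User-defined route: force everything not otherwise matched through an NVA
    {"prefix": "0.0.0.0/0", "next_hop": "VirtualAppliance 10.0.1.4", "source": "UserDefined"},
    # Prefix learned from on-premises over BGP via the VPN/ExpressRoute gateway
    {"prefix": "192.168.0.0/16", "next_hop": "VirtualNetworkGateway", "source": "BGP"},
]


def effective_next_hop(destination_ip, routes=ROUTES):
    """Next hop Azure would use for destination_ip given the route set."""
    route = select_route(destination_ip, routes)
    return route["next_hop"] if route else "None"


if __name__ == "__main__":
    for dst in ("10.0.2.5", "192.168.10.1", "8.8.8.8"):
        print(dst, "->", effective_next_hop(dst))
```

The 0.0.0.0/0 user-defined route takes Internet-bound traffic away from the system Internet route, but it does not capture traffic to 10.0.2.5 or to the on-premises range, because those destinations have longer matching prefixes; that is why a default route to an NVA does not by itself break intra-VNet or hybrid connectivity.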
· Azure virtual networks enable you to filter traffic between subnets by using the following approaches:
- Network security groups
§ A network security group is an Azure resource that contains inbound and outbound security rules. It can be associated with a subnet, with a network interface, or both.
§ Each rule allows or denies traffic based on source and destination (IP address, CIDR, or service tag such as Internet or VirtualNetwork), port, and protocol. Rules are evaluated in priority order (lower number first) and the first match wins; Azure's default rules (priorities 65000 and above) allow traffic within the virtual network and from the Azure load balancer and deny all other inbound traffic. Rules are stateful, so the reply to allowed traffic is permitted without a matching rule in the other direction.
- Network virtual appliances
§ A network virtual appliance is a specialized VM that can be compared to a hardened network appliance.
§ A network virtual appliance carries out a particular network function, such as running a firewall or performing WAN optimization.
· Inbound TCP 3389 (RDP) ends up open on a new Windows VM because of the creation tooling, not the platform: the portal's VM creation wizard pre-selects "Allow selected ports: RDP (3389)" for Windows images, and `az vm create` creates an NSG rule allowing RDP on Windows (SSH on Linux) unless told otherwise, so a Windows VM created with defaults and a public IP accepts RDP from any source. Restrict the rule's source to a management range, or drop the public IP and reach the VM through Azure Bastion or just-in-time VM access.
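The following added example models NSG inbound evaluation (priority order, first match wins, default rules last) and contrasts the RDP rule the creation tooling produces with a source-restricted version. It is written for these notes and is not Azure's implementation: the VNet address space 10.0.0.0/16, the management range 203.0.113.0/24, and the simplified meaning of the Internet and VirtualNetwork tags are assumptions; the three default inbound rules and the AzureLoadBalancer address 168.63.129.16 are Azure's real values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address space for the example VNet; the service-tag contents
# below are simplified stand-ins for Azure's real, much larger, tag lists.
VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")
SERVICE_TAGS = {
    "VirtualNetwork": [VNET_SPACE],
    "AzureLoadBalancer": [ipaddress.ip_network("168.63.129.16/32")],
}


@dataclass
class Rule:
    name: str
    priority: int    # lower number is evaluated first; 100-4096 for custom rules
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR or service tag ("Internet", "VirtualNetwork", "*")
    dest_port: str   # "3389", "1000-2000" or "*"


# Azure's default inbound rules; they cannot be deleted, only overridden by
# custom rules with a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def source_matches(rule_source, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "Internet":
        # Simplification: anything outside the VNet counts as Internet here.
        return ip not in VNET_SPACE
    if rule_source in SERVICE_TAGS:
        return any(ip in net for net in SERVICE_TAGS[rule_source])
    return ip in ipaddress.ip_network(rule_source)


def port_matches(rule_port, port):
    if rule_port == "*":
        return True
    if "-" in rule_port:
        low, high = (int(p) for p in rule_port.split("-"))
        return low <= port <= high
    return int(rule_port) == port


def evaluate_inbound(custom_rules, src_ip, protocol, port):
    """Return (access, rule_name) for the first rule that matches, in priority order."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not source_matches(rule.source, src_ip) or not port_matches(rule.dest_port, port):
            continue
        return rule.access, rule.name
    return "Deny", "(no rule)"  # not reached: DenyAllInBound matches everything


# Rule equivalent to the portal's "Allow selected ports: RDP (3389)" default.
OPEN_RDP = [Rule("RDP", 300, "Allow", "Tcp", "Internet", "3389")]
# Same port, but only from a constructed management network.
RESTRICTED_RDP = [Rule("RDP-from-mgmt", 300, "Allow", "Tcp", "203.0.113.0/24", "3389")]

if __name__ == "__main__":
    for rules, label in ((OPEN_RDP, "open"), (RESTRICTED_RDP, "restricted")):
        for src in ("198.51.100.7", "203.0.113.9"):
            print(label, src, "->", evaluate_inbound(rules, src, "Tcp", 3389))
```

With the open rule, any Internet source reaches 3389 because priority 300 is evaluated before DenyAllInBound at 65500; with the restricted rule, the same packet from 198.51.100.7 falls through to DenyAllInBound while 203.0.113.9 is still allowed. Traffic from inside the VNet is permitted by AllowVnetInBound in both cases, which is why NSG scoping alone does not stop lateral movement between subnets unless you add a Deny rule with a lower priority number.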