1 of 25

Azure Networking Crash Course

Mike Pfeiffer

@mike_pfeiffer


2 of 25

Projects in this course

  1. Single VNet Design & Network Segmentation
  2. Hub-Spoke Network Topology & Shared Services
  3. Load Balancing & High Availability
  4. Secure Hybrid Networking
  5. Infrastructure as Code & Automation

3 of 25

Think about your home network…

We’re just doing the same thing in Azure

  • ISP
  • Router
  • WAN/WLAN
  • LAN
  • Hosts

4 of 25

Single VNet Design & Segmentation

5 of 25

[Diagram] Virtual Network: 192.168.0.0/16
  • Azure Bastion Subnet: 192.168.0.0/26
  • Web Front-End Subnet: 192.168.1.0/24
  • Database Subnet: 192.168.2.0/24
  • Allow rules shown: Allow SSH (TCP 22); Allow HTTP(S) (TCP 80/443); Allow MySQL (TCP 3306)
  • Also shown: App Users, Cloud Team, Public IP, theazurelab.org

6 of 25

Azure Networking Core Concepts

  • Virtual Network
    • Logical network boundary
    • Subnets not VLANs
    • Peering
  • IP Allocation
    • Public & Private
  • Routing
    • System/Default routes
    • User Defined Routes (UDR)
    • Service endpoint routes
    • BGP routes
  • Security
    • NSGs & ASGs
    • Azure Firewall & Network Virtual Appliances (NVA)
    • VPN/ExpressRoute

7 of 25

Networking Foundations

8 of 25

The OSI (Open Systems Interconnection) Model

A theoretical model of networking that helps us understand how a packet traverses a network by passing through seven different layers.

9 of 25

The TCP/IP Model

The TCP/IP model uses the TCP/IP protocol suite. These protocols work together to specify how data should be gathered, addressed, transmitted and routed through a network.

  • Application Layer
    • This is “Layer 7”, which uses protocols like HTTP/HTTPS/SMTP
    • Helps us view the data that gets sent or received within our applications
  • Transport Layer
    • This is “Layer 4”, which uses TCP (reliable) and UDP (unreliable) delivery
    • Data transmission, including checking ports, the integrity of the data, and delivering packets
  • Network Layer
    • This is “Layer 3”, which uses IP and ICMP
    • Specifies how to move packets between hosts and across networks
  • Link Layer
    • Specifies how to send data via physical hardware (Ethernet, fiber, etc.)

10 of 25

IPv4

The IPv4 address is a 32-bit number that uniquely identifies a network interface on a machine.

11 of 25

IPv4 vs IPv6

13 of 25

Subnets

A subnet is a group of hosts with IP addresses that are on the same network segment.

  • Subnet Masks
    • Subnet masks determine what part of your IP address is the network portion and what part is the host portion.
    • Here’s a typical IP address you might have to assign to a VM:
      • 192.168.2.44 (IP Address)
      • 255.255.255.0 (Subnet Mask)
    • If you convert each subnet mask octet to binary form, how many addresses do you have left for hosts?

14 of 25

RFC 1918

15 of 25

CIDR

CIDR (classless inter-domain routing) is used to represent a subnet mask in a more compact way.

  • CIDR Notation
    • 192.168.0.0/255.255.255.0 is written as 192.168.0.0/24 (the single value carries both the subnet prefix and the subnet mask)
    • Remember an IP address consists of 4 bytes, or 32 bits; the CIDR suffix indicates how many of those bits are used as the network prefix. So 123.12.24.0/23 means the first 23 bits are the network prefix. What does that mean, and how many hosts is that?
    • A simple trick is to subtract the prefix length (23) from the total bits in an IPv4 address (32): that leaves 9 host bits, and 2^9 = 512 addresses. We then have to remove 2 addresses (the subnet address and the broadcast address), leaving 510 usable hosts.
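As an added example that is not part of the original deck, the CIDR arithmetic above done with Python's standard ipaddress module; it also accepts the address/dotted-mask form from the Subnets slide and reports the count left after Azure's reservation of five addresses per subnet (a platform fact, not from the slide).

```python
import ipaddress

# Azure reserves 5 addresses in every subnet: the network address, three for the
# platform (default gateway and DNS mapping) and the broadcast address.
AZURE_RESERVED_PER_SUBNET = 5


def cidr_summary(spec: str) -> dict:
    """Summarise an IPv4 prefix given either as CIDR ("123.12.24.0/23") or as
    address/dotted-mask ("192.168.2.44/255.255.255.0"), as on the Subnets slide."""
    # strict=False accepts a host address such as 192.168.2.44 and masks it down
    net = ipaddress.ip_network(spec, strict=False)
    host_bits = net.max_prefixlen - net.prefixlen      # 32 minus the prefix length
    total = 2 ** host_bits
    return {
        "cidr": str(net),                              # e.g. 192.168.2.0/24
        "netmask": str(net.netmask),                   # dotted mask, e.g. 255.255.255.0
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "host_bits": host_bits,
        "total": total,
        "usable": max(total - 2, 0),                   # minus network and broadcast
        "azure_usable": max(total - AZURE_RESERVED_PER_SUBNET, 0),
    }


def address_in_subnet(ip: str, subnet: str) -> bool:
    """True if the VM address falls inside the given subnet."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(subnet, strict=False)


if __name__ == "__main__":
    for spec in ("123.12.24.0/23", "192.168.2.44/255.255.255.0", "192.168.0.0/26"):
        print(cidr_summary(spec))
```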

16 of 25

18 of 25

Hub-Spoke Network Topology & Shared Services

19 of 25

Projects in this course

  • Single VNet Design & Network Segmentation
  • Hub-Spoke Network Topology & Shared Services
  • Load Balancing & High Availability
  • Secure Hybrid Networking
  • Infrastructure as Code & Automation

20 of 25

[Diagram] Hub-spoke topology
  Hub Virtual Network: 192.168.0.0/16
    • Azure Firewall Subnet: 192.168.0.0/26
    • Azure Bastion Subnet: 192.168.1.0/26
    • Shared Services Subnet: 192.168.2.0/24
  Spoke Virtual Network: 10.10.0.0/16 (peered VNet)
    • Workload Subnet: 10.10.1.0/24
  Spoke Virtual Network: 10.100.0.0/16 (peered VNet)
    • Workload Subnet: 10.100.1.0/24
  Also shown: Cloud Team; Outbound Traffic
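As an added example that is not part of the original deck, a checker for the address plan in the hub-spoke diagram above: every subnet must sit inside its VNet, subnets in one VNet must not overlap, the hub and spoke address spaces must not overlap (Azure refuses to peer overlapping VNets), the spaces should be RFC 1918, and the AzureFirewallSubnet and AzureBastionSubnet need at least a /26 (platform minimums, not from the slide). The plan names and subnet keys are assumptions chosen for the example.

```python
import ipaddress
from typing import Dict, List

# Address plan taken from the hub-spoke diagram above (hub peered with two spokes).
PLAN: Dict[str, dict] = {
    "hub": {"space": "192.168.0.0/16", "subnets": {
        "AzureFirewallSubnet": "192.168.0.0/26",
        "AzureBastionSubnet": "192.168.1.0/26",
        "SharedServices": "192.168.2.0/24"}},
    "spoke-10": {"space": "10.10.0.0/16", "subnets": {"Workload": "10.10.1.0/24"}},
    "spoke-100": {"space": "10.100.0.0/16", "subnets": {"Workload": "10.100.1.0/24"}},
}
# Azure requires at least a /26 for these two special-purpose subnets.
MIN_PREFIX = {"AzureFirewallSubnet": 26, "AzureBastionSubnet": 26}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_plan(plan: Dict[str, dict]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    spaces = {name: ipaddress.ip_network(v["space"]) for name, v in plan.items()}
    for name, vnet in plan.items():
        space = spaces[name]
        if not any(space.subnet_of(r) for r in RFC1918):
            problems.append(f"{name} {space} is not RFC 1918 private space")
        subnets = {s: ipaddress.ip_network(c) for s, c in vnet["subnets"].items()}
        for sname, net in subnets.items():
            if not net.subnet_of(space):                    # subnet must sit inside its VNet
                problems.append(f"{name}/{sname} {net} is outside {space}")
            if net.prefixlen > MIN_PREFIX.get(sname, 32):    # platform minimum size
                problems.append(f"{name}/{sname} {net} is below the required /{MIN_PREFIX[sname]}")
        items = list(subnets.items())
        for i, (s1, n1) in enumerate(items):                 # no overlap within a VNet
            for s2, n2 in items[i + 1:]:
                if n1.overlaps(n2):
                    problems.append(f"{name}: subnet {s1} {n1} overlaps {s2} {n2}")
    # The hub peers with every spoke and routes between them, so no two address
    # spaces may overlap; Azure rejects a peering between overlapping VNets.
    names = list(spaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if spaces[a].overlaps(spaces[b]):
                problems.append(f"{a} {spaces[a]} overlaps {b} {spaces[b]}; peering would fail")
    return problems


if __name__ == "__main__":
    print("\n".join(validate_plan(PLAN) or ["plan OK"]))
```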

21 of 25

Hub-Spoke Network Topology

22 of 25

Potential Use Cases: Hub-Spoke Network Topology

  • Separate workload environments (dev/test/prod) that require shared services such as DNS, IDS, NTP, or AD DS
  • Workloads that don't require connectivity to each other but require access to shared services
  • Enterprises that require central control over security aspects, such as a firewall in the hub as a DMZ, and segregated management for the workloads in each spoke

23 of 25

Alternate Solution

Hub-spoke network topology with Azure Virtual WAN

24 of 25

Let’s build a Hub-Spoke Network Topology with a Shared Service

25 of 25

[Diagram] Hub-spoke build target
  Hub Virtual Network: 192.168.0.0/16
    • Azure Firewall: 192.168.0.0/26
    • Azure Bastion: 192.168.1.0/26
    • Shared Services (DNS): 192.168.2.0/24
  Spoke Virtual Network: 10.10.0.0/16 (peered VNet)
    • Workload Subnet: 10.10.1.0/24
  Spoke Virtual Network: 10.100.0.0/16 (peered VNet)
    • Workload Subnet: 10.100.1.0/24
  Also shown: Cloud Team; Outbound Traffic