Chapter 10 — Azure Networking Services

Why Networking Matters in Azure

Networking is the backbone of any cloud infrastructure. It connects your resources, controls traffic, enables secure communication, and allows users to access your applications.

Azure networking services cover:

  • Private networks in the cloud

  • Secure connections from on-premises to Azure

  • Traffic management and load distribution

  • DNS and content delivery

  • Protection from attacks


1. Azure Virtual Network (VNet)

What Is It?

An Azure Virtual Network (VNet) is the fundamental building block of your private network in Azure. It allows Azure resources (VMs, databases, etc.) to communicate securely with each other, the internet, and on-premises networks.

Think of a VNet as your own private data center network — in the cloud.

Virtual Network: "MyApp-VNet" (10.0.0.0/16)
├── Subnet: "WebTier"     (10.0.1.0/24) — Web servers
├── Subnet: "AppTier"     (10.0.2.0/24) — Application servers
└── Subnet: "DataTier"    (10.0.3.0/24) — Databases

Key Concepts

Concept                        Description
──────────────────────────────────────────────────────────────────────────────────────────────
Address space                  IP range assigned to the VNet (e.g., 10.0.0.0/16)
Subnets                        Subdivisions of the VNet to separate workloads
Network Security Groups (NSG)  Firewall rules controlling inbound/outbound traffic
Private IP                     Resources inside the VNet get private IPs
Public IP                      Assigned when a resource needs to be accessible from the internet

VNet Peering

Two VNets can be connected using VNet Peering — traffic flows privately through Microsoft's backbone network (not the public internet), giving low latency and high bandwidth.

VNet A (East US)  ←──VNet Peering──→  VNet B (West Europe)

When to Use VNet

  • Isolate workloads from the public internet

  • Segment different application tiers (web, app, database)

  • Connect Azure resources securely without internet exposure


2. Network Security Groups (NSG)

An NSG is a virtual firewall that controls inbound and outbound traffic for Azure resources.

NSGs contain security rules — each rule specifies:

  • Source (where traffic comes from)

  • Destination (where traffic goes)

  • Protocol (TCP, UDP, Any)

  • Port (e.g., 80 for HTTP, 443 for HTTPS, 22 for SSH)

  • Action (Allow or Deny)

Example NSG Rules

Rule Name         Priority  Source       Port   Action
─────────────────────────────────────────────────────
Allow-HTTP        100       Internet     80     Allow
Allow-HTTPS       110       Internet     443    Allow
Allow-SSH         120       Trusted-IP   22     Allow
Deny-All          4096      *            *      Deny

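A lower priority number means higher precedence: rules are evaluated in ascending order (100 is processed before 4096), and evaluation stops at the first rule that matches the traffic.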
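The priority rule above, applied to the chapter's example table as an added Python example (not part of the original chapter, and not Azure's own implementation). Assumptions: 203.0.113.10 stands in for "Trusted-IP", "Internet" is modelled as any address outside the VNet's 10.0.0.0/16, Azure's built-in default rules are not modelled, and `Rule`, `evaluate` and `exposed_admin_rules` are hypothetical names.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")   # the chapter's MyApp-VNet address space
TRUSTED_IP = "203.0.113.10/32"     # assumption: stand-in for "Trusted-IP"

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    source: str   # "*", "Internet", or a CIDR
    port: str     # "*" or a single port number
    action: str   # "Allow" or "Deny"

# The chapter's example table, deliberately listed out of order.
RULES = [
    Rule("Deny-All", 4096, "*", "*", "Deny"),
    Rule("Allow-SSH", 120, TRUSTED_IP, "22", "Allow"),
    Rule("Allow-HTTP", 100, "Internet", "80", "Allow"),
    Rule("Allow-HTTPS", 110, "Internet", "443", "Allow"),
]

def source_matches(rule_source, src_ip):
    if rule_source == "*":
        return True
    if rule_source == "Internet":
        # Simplification: anything outside the VNet counts as Internet.
        return ip_address(src_ip) not in VNET
    return ip_address(src_ip) in ip_network(rule_source)

def evaluate(rules, src_ip, dst_port):
    """Return (action, rule name) of the first match in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if source_matches(rule.source, src_ip) and rule.port in ("*", str(dst_port)):
            return rule.action, rule.name
    # Simplification: Azure's built-in default rules are not modelled here.
    return "Deny", "no-match"

def exposed_admin_rules(rules, admin_ports=("22", "3389")):
    """Names of Allow rules that open SSH/RDP (or every port) to any source."""
    return [r.name for r in sorted(rules, key=lambda r: r.priority)
            if r.action == "Allow" and r.source in ("*", "Internet")
            and (r.port == "*" or r.port in admin_ports)]

if __name__ == "__main__":
    print(evaluate(RULES, "198.51.100.7", 443))  # internet client, HTTPS
    print(evaluate(RULES, "198.51.100.7", 22))   # internet client, SSH
    print(exposed_admin_rules(RULES))            # audit of the table
```

In this model a source inside the VNet (for example 10.0.2.4 on port 80) also falls through to Deny-All, because the "Internet" source does not cover VNet addresses.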

NSG Placement

NSGs can be attached to:

  • Subnet — applies to all resources in the subnet

  • Individual network interface — applies to a specific VM


3. Azure VPN Gateway

What Is It?

Azure VPN Gateway creates an encrypted tunnel between your on-premises network (or another VNet) and Azure — over the public internet.

Your Office Network
  └── On-Premises VPN Device
        │
        │  Encrypted tunnel (IPsec/IKE) over the internet
        │
  Azure VPN Gateway
        └── Azure Virtual Network

Types of VPN Connections

Type                 Description
──────────────────────────────────────────────────────────────────────────────
Site-to-Site (S2S)   Connect an entire on-premises network to Azure (permanent)
Point-to-Site (P2S)  Connect individual devices (laptops) to Azure remotely
VNet-to-VNet         Connect two Azure VNets in different regions

VPN Gateway SKUs

SKU      Throughput  Use Case
─────────────────────────────────────
Basic    100 Mbps    Dev/Test
VpnGw1   650 Mbps    Production
VpnGw5   10 Gbps     High throughput

When to Use VPN Gateway

  • Secure remote worker access to Azure resources

  • Connecting a small office to Azure for hybrid scenarios

  • When budget is a concern and ExpressRoute is too expensive


4. Azure ExpressRoute

What Is It?

Azure ExpressRoute is a private, dedicated connection from your on-premises network to Azure — it does not travel over the public internet.

Your Data Center
  └── ExpressRoute Circuit (via connectivity partner)
        │
        │  Private connection (not internet)
        │
  Microsoft Edge Router
        └── Azure Virtual Network

ExpressRoute vs. VPN Gateway

Feature          VPN Gateway              ExpressRoute
──────────────────────────────────────────────────────────────────────────
Connection type  Encrypted over internet  Private, dedicated line
Reliability      Internet-dependent       Very high (SLA-backed)
Bandwidth        Up to 10 Gbps            Up to 100 Gbps
Latency          Variable                 Consistent and low
Cost             Lower                    Higher
Setup            Easy                     Requires connectivity partner

When to Use ExpressRoute

  • Large organizations with high-bandwidth needs

  • Mission-critical workloads requiring guaranteed SLA

  • Financial institutions, healthcare, government (compliance requirements)

  • When you need consistent, low-latency connectivity


5. Azure DNS

What Is It?

Azure DNS is a hosting service for DNS (Domain Name System) zones. It translates human-readable domain names (like www.mycompany.com) into IP addresses.

User types: www.mycompany.com
Azure DNS resolves: → 52.123.45.67 (the IP of your Azure resource)

Azure DNS Features

Feature            Detail
────────────────────────────────────────────────────────────────────────
Reliability        Hosted on Azure's global infrastructure
Performance        Anycast networking: nearest DNS server responds
Security           Integrates with Azure RBAC and Resource Manager
Private DNS zones  Name resolution within your VNet (private resources)
Custom domains     Point your custom domain to Azure services

Private DNS Zones

A Private DNS Zone allows resources within a VNet to resolve each other by name, without exposing anything to the internet.

VM "WebServer" in VNet → resolves "database.internal.company.com" → SQL VM IP
(no public DNS involved — stays private within the VNet)

6. Azure Load Balancer

What Is It?

Azure Load Balancer distributes incoming network traffic across multiple servers (VMs) to ensure no single server is overwhelmed.

Incoming Traffic (1,000 users)
              │
      ┌───────▼───────┐
      │ Load Balancer │
      └───────┬───────┘
              │
  ┌───────────┼───────────┐
  ▼           ▼           ▼
 VM 1        VM 2        VM 3
(~333 users) (~333 users) (~334 users)

Load Balancer Tiers

Tier      Features
──────────────────────────────────────────────────────────
Basic     Simple load balancing, no SLA, limited features
Standard  Zone-redundant, SLA-backed, HTTPS health probes

Load Balancer Types

Type                    Works At         Use Case
──────────────────────────────────────────────────────────────────────────────
Public Load Balancer    Internet-facing  Balance traffic from internet
Internal Load Balancer  Inside VNet      Balance traffic between internal tiers


7. Azure Application Gateway

What Is It?

Azure Application Gateway is a Layer 7 (HTTP/HTTPS) load balancer with additional web application features — it's smarter than a standard load balancer.

Feature                         Description
──────────────────────────────────────────────────────────────────────────────────────
URL-based routing               Route /api/* to one server pool, /images/* to another
SSL termination                 Decrypt HTTPS at the gateway, send HTTP internally
Web Application Firewall (WAF)  Block common web attacks (SQL injection, XSS)
Cookie-based session affinity   Keep a user's session on the same backend server
HTTP/2 support                  Faster protocol support


8. Azure Content Delivery Network (CDN)

What Is It?

Azure CDN delivers web content (images, videos, scripts, CSS) from servers close to the user — instead of always from a single origin server.

User in Tokyo requests an image:
  Without CDN: Request goes to East US server → high latency
  With CDN:    Request goes to Tokyo CDN "edge" node → low latency

Benefits

  • Faster page load times globally

  • Reduced load on origin servers

  • Better user experience worldwide

  • HTTPS support and DDoS protection at the edge


Networking Services Summary

Service                 Purpose
───────────────────────────────────────────────────────────────────
Virtual Network (VNet)  Private network in Azure
NSG                     Firewall rules for traffic control
VPN Gateway             Encrypted tunnel to Azure over internet
ExpressRoute            Private dedicated connection to Azure
Azure DNS               Domain name resolution
Load Balancer           Distribute traffic across VMs (Layer 4)
Application Gateway     Smart HTTP load balancer + WAF (Layer 7)
CDN                     Deliver content from servers near the user


Quick Recap

VNet       → Your private network in the cloud
NSG        → Firewall rules (allow/deny traffic)
VPN        → Encrypted tunnel over internet (hybrid connectivity)
ExpressRoute → Private line to Azure (no internet)
DNS        → Name to IP resolution
Load Balancer → Distribute traffic evenly
App Gateway → Smart HTTP routing + web firewall
CDN        → Fast global content delivery
