VNET = Azure Virtual Network
A virtual network (VNet) allows you to specify an IP address range for the VNet, add subnets, associate network security groups (NSG), and configure route tables.
Azure Subnet = A range of IP addresses in your VNet (CIDR style). You can launch Azure resources into a specified subnet.
When using multiple subnets, their ranges cannot overlap within the SAME VNet.
The first 4 and the last address of the CIDR block are reserved by Azure in EACH subnet. This makes a /29 the smallest viable CIDR block.
Subnet Delegation for Azure Services = Allows a subnet to be allocated to a PaaS service, for example AKS.
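A small planner that applies the three subnet rules above (inside the VNet, no overlap within the same VNet, at least a /29 because Azure keeps 5 addresses per subnet). Added example, not part of the original notes; the VNet and subnet ranges in the comments are constructed.

```python
import ipaddress

RESERVED_PER_SUBNET = 5   # first 4 (network, gateway, 2x Azure DNS) + last (broadcast)
SMALLEST_PREFIX = 29      # /29 = 8 addresses, 3 usable after the reservation

def reserved_addresses(cidr):
    """The five addresses Azure keeps for itself in a subnet."""
    net = ipaddress.ip_network(cidr)
    addrs = list(net)
    return [str(a) for a in addrs[:4]] + [str(addrs[-1])]

def plan_subnets(vnet_cidr, subnets):
    """Validate {name: cidr} subnets for one VNet and return the usable host
    count per subnet. Raises ValueError when a subnet falls outside the VNet,
    is smaller than /29, or overlaps another subnet of the same VNet."""
    vnet = ipaddress.ip_network(vnet_cidr)
    accepted = {}
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vnet):
            raise ValueError(f"{name}: {cidr} is outside {vnet_cidr}")
        if net.prefixlen > SMALLEST_PREFIX:
            raise ValueError(f"{name}: {cidr} is smaller than /{SMALLEST_PREFIX}")
        for other, onet in accepted.items():
            if net.overlaps(onet):
                raise ValueError(f"{name}: {cidr} overlaps {other} ({onet})")
        accepted[name] = net
    return {n: net.num_addresses - RESERVED_PER_SUBNET for n, net in accepted.items()}

if __name__ == "__main__":
    # Constructed VNet 10.0.0.0/16 with a /24 app subnet and a minimal /29.
    print(plan_subnets("10.0.0.0/16", {"web": "10.0.1.0/24", "tiny": "10.0.2.0/29"}))
    print(reserved_addresses("10.0.1.0/24"))
```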
To protect the Azure resources in each subnet, use network security groups (NSG).
Azure Network Security Group = Control incoming and outgoing traffic using L4 ACLs.
Azure automatically creates rules with priority 65000, 65001 and 65500 (greyed out) for incoming as well as outgoing traffic. These rules cannot be deleted.
The automatic rules are not very strict; if you want to tighten control, you can precede them with custom rules (priority 100-4096).
Rules are evaluated in order of priority, lowest number first.
Rules apply only to the initiating direction; the return path is not evaluated (NSGs are stateful).
Changing rules only applies to NEW connections, not existing ones.
NSGs can be applied to both VM interfaces and subnets. DON'T use both at the same time.
Use IP flow verify in Azure Network Watcher to check which network security rule allows or denies the traffic.
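A simulation of the inbound evaluation described above: Azure's three default rules sit at 65000/65001/65500, custom rules with lower numbers are checked first, and the first match decides, which is what IP flow verify reports. Added example, not code from the original notes or from Azure; the service-tag prefixes and the custom rules are constructed.

```python
import ipaddress

# Constructed stand-in for Azure service tags. Real tags resolve to prefix lists
# Microsoft maintains; these ranges are invented for the demo (assumption), and
# "Internet" is approximated as "everything", whereas Azure excludes VNet space.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Internet": ["0.0.0.0/0"],
    "*": ["0.0.0.0/0"],
}

# Azure's own inbound defaults (65000 / 65001 / 65500). They cannot be deleted;
# a custom rule only wins by having a lower priority number.
DEFAULT_INBOUND = [
    (65000, "AllowVnetInBound", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    (65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "*", "Allow"),
    (65500, "DenyAllInBound", "*", "*", "*", "Deny"),
]

# Constructed custom rules (priority 100-4096) that tighten the defaults:
# block RDP even between VNet hosts, but let HTTPS in from anywhere.
CUSTOM_INBOUND = [
    (100, "DenyRdpInsideVnet", "VirtualNetwork", "VirtualNetwork", "3389", "Deny"),
    (200, "AllowHttpsFromInternet", "Internet", "*", "443", "Allow"),
]

def _addr_match(spec, addr):
    prefixes = SERVICE_TAGS.get(spec, [spec])   # a tag, or a literal CIDR
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)

def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")             # "22" or "1000-2000"
    return int(lo) <= port <= int(hi or lo)

def evaluate(custom_rules, src, dst, dst_port):
    """Return (rule name, action) of the first rule matching a NEW inbound flow.
    Rules are walked lowest priority number first; only the initiating direction
    is checked, the reply traffic is never evaluated."""
    for prio, name, s, d, p, action in sorted(custom_rules + DEFAULT_INBOUND):
        if _addr_match(s, src) and _addr_match(d, dst) and _port_match(p, dst_port):
            return name, action
    raise RuntimeError("unreachable: DenyAllInBound matches everything")
```

Without the custom rules, RDP from one VNet host to another is allowed by AllowVnetInBound; with them it is denied at priority 100, while SSH from the Internet still falls through to DenyAllInBound.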
Route tables = used to determine where network traffic is directed.
A subnet can have only one route table.
3 types of routes exist: user-defined route, BGP route, and system route. If the CIDR is the same, priority is given in this order.
- System Routes = Azure automatically creates system routes and assigns them to each subnet in a virtual network. You can't create or remove system routes, but you can override some of them with custom routes. Azure creates default system routes for each subnet, and adds optional default routes to specific subnets, or to every subnet, when you use specific Azure capabilities.
Source | Address Prefixes | Next Hop Type
Default | All unique addresses of the associated virtual network | Virtual Network
Default | All unique addresses of the virtual network we peer with | VNET Peering
Virtual Network Gateway | Prefixes advertised from on-premises via BGP, or configured in the local network gateway (either VPN or ExpressRoute) | Virtual Network Gateway
Default | Multiple (for example: Azure Key Vault, Azure SQL DB, …) | VirtualNetwork ServiceEndpoint
Default | 0.0.0.0/0 | None
Default | 10.0.0.0/8 | None
Default | 172.16.0.0/12 | None
Default | 192.168.0.0/16 | None
Default | 100.64.0.0/10 | None
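Effective-route selection as Azure applies it: longest prefix match first, and only when the prefix length ties does the source order user-defined > BGP > system decide. Added example, not from the original notes; the route table is constructed for a 10.0.0.0/16 VNet peered with 10.1.0.0/16, and the NVA address 10.1.0.4 is assumed. It also shows a gotcha that follows from the rules: a /0 user-defined route does not beat the 10.0.0.0/8 system route, because /8 is the longer prefix.

```python
import ipaddress

# Tie-break Azure applies when two routes have the same prefix length.
PRECEDENCE = {"User": 0, "BGP": 1, "System": 2}

# Constructed system routes: (source, prefix, next hop type, next hop IP).
# Azure's documented next hop for the 0.0.0.0/0 default route is Internet.
SYSTEM = [
    ("System", "10.0.0.0/16", "VirtualNetwork", None),
    ("System", "10.1.0.0/16", "VNetPeering", None),
    ("System", "0.0.0.0/0", "Internet", None),
    ("System", "10.0.0.0/8", "None", None),
    ("System", "172.16.0.0/12", "None", None),
    ("System", "192.168.0.0/16", "None", None),
    ("System", "100.64.0.0/10", "None", None),
]
# Service chaining: a UDR sending everything to a virtual appliance that lives in
# the peered VNet (assumed address 10.1.0.4).
USER = [("User", "0.0.0.0/0", "VirtualAppliance", "10.1.0.4")]
# A prefix learned over BGP from an on-premises gateway (constructed).
BGP = [("BGP", "10.2.0.0/16", "VirtualNetworkGateway", None)]

def resolve(routes, dst):
    """Pick the effective route for dst: longest prefix, then source precedence."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in ipaddress.ip_network(r[1])]
    if not matches:
        return None
    return max(matches, key=lambda r: (ipaddress.ip_network(r[1]).prefixlen,
                                       -PRECEDENCE[r[0]]))

def next_hop(routes, dst):
    """Return (next hop type, next hop IP); a 'None' type means Azure drops it."""
    r = resolve(routes, dst)
    return (r[2], r[3]) if r else ("None", None)

if __name__ == "__main__":
    for dst in ("10.0.3.9", "8.8.8.8", "10.2.0.1"):
        print(dst, next_hop(SYSTEM + USER, dst), next_hop(SYSTEM + USER + BGP, dst))
```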
NAT Gateway = Network Address Translation (NAT) service. Which kind? Dynamic source NAT with port translation.
Only requires a public IP; then add the subnets that will use it.
VNET Peering = Interconnect two virtual networks directly (without passing via the Internet).
Warning: full connectivity is the default option. This may not be what you desire.
To confirm that virtual networks are peered, you can check the effective routes.
Service Chaining = a technique to redirect traffic from one virtual network to a virtual appliance or gateway in a peered network through user-defined routes.
How do you do this: user-defined routes that point to virtual machines in peered virtual networks as the next hop IP address.
Bastion = Platform as a Service (PaaS) that you provision to securely connect to virtual machines via private IP address. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly over TLS from the Azure portal, or via the native SSH or RDP client already installed on your local computer. When you connect via Azure Bastion, your virtual machines don’t need a public IP address, agent, or special client software. Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network for which it’s provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH.
Bastion has 3 tiers: Basic and Standard are generally available; the Developer SKU is in preview (free for now).
If you want to exchange files, Standard is the only one usable.
Storage Account = contains all of your Azure Storage data objects: blobs, files, queues, and tables. The storage account provides a unique namespace for your Azure Storage data that’s accessible from anywhere in the world over HTTP or HTTPS. Data in your storage account is durable and highly available, secure, and massively scalable. I use it now just to store logfiles of VM’s or Application Gateway so Standard v2 SKU is fine.
A storage account name (3-24 lowercase characters + numbers) must be unique within Azure. No two storage accounts can have the same name.
Key Vault = Service to store and access secrets in a secure manner.
These secrets can be anything: certificates, passwords, API keys, …
Azure Virtual Machines = Allows you to create Linux and Windows virtual machines.
Sizing of the VM basically differs on vCPU/memory and storage.
VMs can also be found on the Marketplace.
VMs are billed hourly, paid monthly or upfront. You can reserve or pay as you go.