Azure Network Connectivity Basics
Network connectivity in Azure is a critical element for controlling communication between resources, connecting to on-premises environments, and exposing services to the internet. This section explains the main connectivity options.
VNet Peering
VNet Peering connects two virtual networks (VNets) so that they can communicate as if they were one network.
Key Features
- Low Latency / High Bandwidth: Communication occurs over Microsoft's backbone network.
- Cross-Region Support: VNets in different regions can also be connected (Global VNet Peering).
- No Gateway Required: Direct communication is possible without using a VPN Gateway.
Use Cases
- Connecting Hub VNet and Spoke VNets in a Hub & Spoke architecture.
- Private data integration between different systems.
VPN (Virtual Private Network)
Azure VPN Gateway is used to securely connect on-premises networks, other clouds, or individual client devices to an Azure VNet.
Connection Types
- Site-to-Site (S2S) VPN: Connects an on-premises VPN device to an Azure VPN Gateway via an IPsec/IKE tunnel. Used to extend an entire office network to Azure.
- Point-to-Site (P2S) VPN: Securely connects individual client PCs to an Azure VNet. Used for remote work scenarios.
- VNet-to-VNet VPN: Connects different VNets via VPN Gateways (used when peering is not available).
VNet Integration
A feature that allows PaaS services like Azure App Service and Azure Functions to access resources within an Azure VNet.
Mechanism
- Routes outbound traffic from the PaaS service to a specified subnet in the VNet.
- This enables PaaS apps to access VMs, databases, or resources with Private Endpoints inside the VNet using private IPs.
Important Notes
- It does not privatize inbound access (access to the PaaS service); that is the role of Private Endpoint.
- Other resources may not be placed in the integrated subnet (delegated subnet).
Private Endpoint
A network interface that assigns a private IP address from a VNet to an Azure PaaS service (Azure SQL Database, Storage Account, App Service, etc.).
Benefits
- Enhanced Security: Access PaaS services privately from within the VNet without traversing the public internet.
- Data Exfiltration Protection: Allows connection only to specific resource instances, not granting access to the entire service.
- Access from On-Premises: Accessible via private IP from on-premises networks through VPN or ExpressRoute.
Relationship with Private Link
Private Endpoint is the network interface used to consume Azure Private Link services. Private Link is the underlying technology for privately exposing services to a VNet.
Typical Architecture Example
The following is a typical network configuration using App Service, SQL Database, and Blob Storage with enhanced security.
- Hub VNet: Contains the VPN Gateway and Jumpbox (Bastion host), aggregating entry points for on-premises and administrators.
- Spoke VNet: Contains application resources.
- VNet Peering: Connects Hub and Spoke, enabling access to resources in the Spoke via VPN.
- VNet Integration: Enables App Service to access Private Endpoints within the VNet.
- Private Endpoint: Privately exposes SQL Database and Blob Storage within the VNet.
This configuration provides the following benefits:
- Restricted Access to PaaS: Blocks public access to SQL and Storage, limiting access to within the VNet only.
- Secure Maintenance: Administrators connect to the Jumpbox via VPN and can operate each resource using private IPs from there.
- Network Isolation: The Hub-Spoke architecture separates network management from application resources.
Comparison Summary
| Feature | Purpose | Traffic Direction | Main Target |
|---|---|---|---|
| VNet Peering | Connection between VNets | Bidirectional | VNet - VNet |
| VPN | Connection between Site/Device and VNet | Bidirectional | On-premise/Client - VNet |
| VNet Integration | Access from PaaS to VNet | Outbound (PaaS -> VNet) | PaaS (App Service, etc.) |
| Private Endpoint | Access from VNet to PaaS | Inbound (VNet -> PaaS) | PaaS (SQL, Storage, etc.) |