Microsoft Azure Virtual Networks – Reading #3

IP Addresses

You can assign IP addresses to Azure resources so they can communicate with other Azure resources, your on-premises network, and the Internet. There are two types of IP address in Azure, public and private, and both exist in the classic and the Azure Resource Manager deployment models:

Private and Public IP Addressing - Classic

Private and Public IP Addressing - Azure Resource Manager
Public IP addresses: Used for communication with the Internet, including Azure public-facing services such as Azure Redis Cache, Azure Event Hubs, SQL databases, and Azure Storage. Anything behind a public IP is reachable from the Internet, so it must be protected by an NSG or a host firewall.

In Azure Resource Manager, a public IP address is a resource that has its own properties. You can associate a public IP address resource with any of the following resources:
Virtual machines (VM)
Internet-facing load balancers
VPN gateways
Application gateways

Public IP Allocation Method
There are two methods by which an address is allocated to a public IP resource: dynamic (the default) or static.

With dynamic allocation, the public IP address is allocated when you start (or create) the associated resource (such as a VM or load balancer) and released when you stop (deallocate) or delete it, so the address can change across a stop/start cycle.

To keep the address of the associated resource the same, set the allocation method explicitly to static. The address is then assigned immediately and released only when you delete the resource or change its allocation method back to dynamic. A static public IP is drawn from Azure's pool of available addresses for the region.

Static public IP addresses are commonly used in the following scenarios:
End users must put your resource's address in their firewall rules, and a changing address would break that allow-list.
DNS name resolution, where a change in IP address would require updating A records.
Your Azure resources communicate with other apps or services that use an IP-address-based security model.
You use SSL/TLS certificates bound to an IP address.

Public IP DNS Hostname Resolution
You can specify a DNS domain name label for a public IP resource, which creates a mapping from domainnamelabel.location.cloudapp.azure.com to the public IP address in the Azure-managed DNS servers. Each domain name label must be unique within its Azure location (region).

Assigning a Public IP to a VM
You can associate a public IP address with a Windows or Linux VM by assigning it to its network interface. In the case of a multi-network interface VM, you can assign it to the primary network interface only. You can assign either a dynamic or a static public IP address to a VM.
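The static public IP, DNS label and primary-NIC binding described above, as an added example written with the Az PowerShell module (not code from the original notes). The resource group, region, VM name and label are assumptions chosen for illustration.

```powershell
# Added example, not from the original notes: reserve a static public IP with a DNS
# label and bind it to the primary NIC of an existing VM with the Az PowerShell module.
# Resource group, region, VM name and label are assumptions chosen for illustration.
$rg       = 'rg-web-prod'
$location = 'westeurope'
$vmName   = 'vm-web-01'
$label    = 'web01-contoso'   # unique per region; becomes web01-contoso.westeurope.cloudapp.azure.com

# Static allocation: the address is assigned now and kept until the resource is deleted
# or switched back to dynamic. Standard SKU requires static allocation and blocks all
# inbound traffic until an NSG allows it, so attaching the address exposes nothing by itself.
$pip = New-AzPublicIpAddress -Name 'pip-web-01' -ResourceGroupName $rg -Location $location `
           -AllocationMethod Static -Sku Standard -DomainNameLabel $label

# A public IP can only sit on the primary NIC; on a single-NIC VM that is the only entry.
$vm    = Get-AzVM -ResourceGroupName $rg -Name $vmName
$nicId = ($vm.NetworkProfile.NetworkInterfaces |
          Where-Object { $_.Primary -ne $false } | Select-Object -First 1).Id

$nic = Get-AzNetworkInterface -ResourceId $nicId
$nic.IpConfigurations[0].PublicIpAddress = $pip
$nic | Set-AzNetworkInterface | Out-Null

# Check: the address and FQDN are now fixed for the life of the public IP resource.
$pip = Get-AzPublicIpAddress -Name 'pip-web-01' -ResourceGroupName $rg
'{0} -> {1} ({2})' -f $pip.DnsSettings.Fqdn, $pip.IpAddress, $pip.PublicIpAllocationMethod
```

Run it in a session that has already done Connect-AzAccount. The final line is the check a practitioner wants after the change: the allocation method reads Static and the FQDN resolves to the same address after a stop/start of the VM.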

Assigning a Public IP to an Internet-Facing Load Balancer
You can associate a public IP address with an Azure Load Balancer by assigning it to the load balancer front-end configuration. This public IP address serves as a load-balanced virtual IP address (VIP). You can assign either a dynamic or a static public IP address to a load balancer front end. You can also assign multiple public IP addresses to a load balancer front end, which enables multi-VIP scenarios such as a multi-tenant environment hosting several TLS websites, each on its own address.

VPN and Application Gateways
Azure VPN Gateway is used to connect an Azure virtual network (VNet) to other Azure VNets or to an on-premises network. You need to assign a public IP address to its IP configuration to enable it to communicate with the remote network. Currently, you can only assign a dynamic public IP address to a VPN gateway.

You can associate a public IP address with an Azure Application Gateway, by assigning it to the gateway’s frontend configuration. This public IP address serves as a load-balanced VIP. Currently, you can only assign a dynamic public IP address to an application gateway frontend configuration.

Private IP addresses: Used for communication within an Azure virtual network (VNet), and your on-premises network when you use a VPN gateway or ExpressRoute circuit to extend your network to Azure, without using an Internet-reachable IP address.

In the Azure Resource Manager deployment model, a private IP address is associated with the following types of Azure resources:
VMs
Internal load balancers (ILBs)
Application gateways

Private IP Allocation
There are two methods by which a private IP address is allocated: dynamic (the default) or static. A dynamic private IP address is automatically allocated from the free addresses in the resource's subnet and delivered to the VM via DHCP. It can change when the resource is stopped (deallocated) and started again, so never hard-code it inside the guest OS; set the allocation method to static on the NIC instead.

Static private IP addresses are commonly used for:
VMs that act as domain controllers or DNS servers.
Resources that require firewall rules using IP addresses.
Resources accessed by other apps/resources through an IP address.

Assigning a Private IP to a VM
A private IP address is assigned to the network interface of a Windows or Linux VM. In the case of a multi-network interface VM, each interface gets a private IP address assigned. You can specify the allocation method as either dynamic or static for a network interface.

Internal DNS Hostname Resolution for VMs
All Azure VMs are configured with Azure-managed DNS servers by default unless you explicitly configure custom DNS servers. These DNS servers provide internal name resolution for VMs that reside within the same VNet.

VMs configured with Azure-managed DNS servers can resolve the hostnames of all VMs within the same VNet to their private IP addresses. Names in other VNets are not resolved this way and need custom DNS.

Internal Load Balancers (ILB) & Application Gateways
You can assign a private IP address to the front end configuration of an Azure Internal Load Balancer (ILB) or an Azure Application Gateway. This private IP address serves as an internal endpoint, accessible only to the resources within its virtual network (VNet) and the remote networks connected to the VNet. You can assign either a dynamic or static private IP address to the front end configuration.

Multiple NICs in Virtual Machines

You can create virtual machines (VMs) in Azure and attach multiple network interfaces (NICs) to each of your VMs.
Multi-NIC is a requirement for many network virtual appliances, such as application delivery and WAN optimisation solutions. Multi-NIC also provides more network traffic management functionality, including isolation of traffic between a front end NIC and back-end NIC(s), or separation of data plane traffic from management plane traffic.

Limitations of Multiple NICs

  • An Internet-facing VIP (classic deployment) is only supported on the default NIC; there is a single VIP and it maps to the default NIC's IP.
  • Multi-NIC VMs must be created in Azure virtual networks (VNets). VMs outside a VNet cannot be configured with multiple NICs.
  • All VMs in an availability set must use either multiple NICs or a single NIC; a mixture of multi-NIC and single-NIC VMs within an availability set is not allowed. The same rule applies to VMs in a cloud service.
  • A single-NIC VM cannot be changed to multi-NIC (or vice versa) once deployed without deleting and re-creating it.
  • Multi-NIC VMs can only be configured using PowerShell, ARM templates or the CLI; the portal does not support it.
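The front-end/back-end NIC split described above, together with the static private IP assignment from the private IP section, as one added example written with the Az PowerShell module (not code from the original notes). Names, address prefixes, VM size and image reference are assumptions for illustration; all NICs of a VM must live in the same VNet, and the size must be one that permits two NICs.

```powershell
# Added example, not from the original notes: a two-NIC VM whose front-end NIC carries
# the public IP and whose back-end NIC has a static private IP, each in its own subnet of
# the same VNet. Names, prefixes, VM size and image are assumptions for illustration.
$rg       = 'rg-nva-prod'
$location = 'westeurope'

$feSubnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-frontend' -AddressPrefix '10.10.1.0/24'
$beSubnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-backend'  -AddressPrefix '10.10.2.0/24'
$vnet = New-AzVirtualNetwork -Name 'vnet-nva' -ResourceGroupName $rg -Location $location `
            -AddressPrefix '10.10.0.0/16' -Subnet $feSubnet, $beSubnet

# Front-end NIC: dynamic private IP plus a static public IP. Only the primary NIC may carry
# the public address. IP forwarding is required if the appliance forwards packets not addressed to it.
$pip   = New-AzPublicIpAddress -Name 'pip-nva-fe' -ResourceGroupName $rg -Location $location `
             -AllocationMethod Static -Sku Standard
$feNic = New-AzNetworkInterface -Name 'nic-nva-fe' -ResourceGroupName $rg -Location $location `
             -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id -EnableIPForwarding

# Back-end NIC: static private IP so firewall rules and peers can pin the address.
# Azure reserves the first four and the last address of every subnet, so .4 is the first usable host.
$beNic = New-AzNetworkInterface -Name 'nic-nva-be' -ResourceGroupName $rg -Location $location `
             -SubnetId $vnet.Subnets[1].Id -PrivateIpAddress '10.10.2.4' -EnableIPForwarding

# The notes above say the NIC count cannot be changed after deployment, so decide it here.
$cred = Get-Credential -Message 'Local administrator account for the VM'
$vm = New-AzVMConfig -VMName 'vm-nva-01' -VMSize 'Standard_DS2_v2'
$vm = Set-AzVMOperatingSystem -VM $vm -Linux -ComputerName 'vm-nva-01' -Credential $cred
$vm = Set-AzVMSourceImage -VM $vm -PublisherName 'Canonical' -Offer '0001-com-ubuntu-server-jammy' `
          -Skus '22_04-lts' -Version 'latest'
$vm = Add-AzVMNetworkInterface -VM $vm -Id $feNic.Id -Primary
$vm = Add-AzVMNetworkInterface -VM $vm -Id $beNic.Id
New-AzVM -ResourceGroupName $rg -Location $location -VM $vm | Out-Null

# Check: both interfaces and their private IP allocation methods as Azure records them.
(Get-AzVM -ResourceGroupName $rg -Name 'vm-nva-01').NetworkProfile.NetworkInterfaces | ForEach-Object {
    $n = Get-AzNetworkInterface -ResourceId $_.Id
    $n.IpConfigurations | Select-Object @{ n = 'Nic'; e = { $n.Name } }, PrivateIpAddress, PrivateIpAllocationMethod
}
```

The check should show the front-end configuration as Dynamic and the back-end as Static at 10.10.2.4. Because only the primary NIC is exposed, the management or data-plane traffic on the back-end NIC never has an Internet-facing address; an NSG on snet-backend then only has to reason about VNet-internal sources.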

Network Security Groups

Network Security Groups (NSGs) are stateful packet filters for the VMs you create with either the classic or the Azure Resource Manager deployment model. They control inbound and outbound traffic passing through a network interface card (NIC) (Resource Manager deployment model), a VM (classic deployment model), or a subnet (both deployment models).

Network Security Group Rules
NSGs contain rules that specify whether traffic is allowed or denied. Each rule matches on direction (inbound or outbound), protocol, source address (an IP range or a service tag such as Internet or VirtualNetwork), source port, destination address and destination port; traffic that matches is allowed or denied as the rule says. Rules can be created in the portal, with PowerShell or the CLI, or in templates.

Azure Network Security Groups (NSG) – Best Practices and Lessons Learned.

Custom Network Security Group Rules
Every NSG ships with predefined default rules for inbound and outbound traffic. You cannot delete them, but you can override them with custom rules because they have the lowest precedence: rules are evaluated in priority order (lower number first) and the first match wins, and the defaults occupy priorities 65000 to 65500 while custom rules use 100 to 4096. The defaults allow traffic within the virtual network and from the Azure load balancer, allow all outbound traffic to the Internet, and deny all other inbound traffic.

Planning Network Security Groups

  • By default, you can create 100 NSGs per region per subscription. You can raise this limit to 400 by contacting Azure support.
  • You can apply only one NSG to a VM, subnet, or NIC. A subnet-level NSG and a NIC-level NSG can both apply to the same traffic: inbound traffic must be allowed by the subnet's NSG and then by the NIC's, and outbound traffic by the NIC's and then by the subnet's.
  • By default, you can have up to 200 rules in a single NSG. You can raise this limit to 500 by contacting Azure support.
  • You can apply one NSG to multiple resources.
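The rule model and default-rule override described in this section, as an added example written with the Az PowerShell module (not code from the original notes). Names, address ranges, ports and the NIC used in the final check are assumptions for illustration; the default rule priorities (65000 to 65500) and the custom range (100 to 4096) are Azure's.

```powershell
# Added example, not from the original notes: an NSG whose custom rules override the
# built-in defaults. Azure's defaults (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound
# 65001, DenyAllInBound 65500, and the outbound equivalents) cannot be deleted; custom rules
# use priorities 100-4096 and the lowest matching number wins. Names, ranges and ports are
# assumptions for illustration.
$rg       = 'rg-web-prod'
$location = 'westeurope'
$mgmtCidr = '203.0.113.0/24'   # assumed corporate egress range (TEST-NET-3, documentation only)

$rules = @(
    # SSH only from the management range.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-SSH-From-Mgmt' -Priority 100 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $mgmtCidr -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 22

    # HTTPS from the Internet service tag.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-Internet' -Priority 110 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 443

    # Explicit deny for management ports from any other source. Without it, AllowVnetInBound (65000)
    # would still admit SSH/RDP from peered VNets and VPN-connected networks; DenyAllInBound (65500)
    # only catches traffic from outside the VirtualNetwork tag.
    New-AzNetworkSecurityRuleConfig -Name 'Deny-Mgmt-Ports-Other' -Priority 4000 -Direction Inbound -Access Deny `
        -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 22, 3389
)

$nsg = New-AzNetworkSecurityGroup -Name 'nsg-web' -ResourceGroupName $rg -Location $location -SecurityRules $rules

# One NSG per subnet, but the same NSG may be attached to many subnets and NICs.
$vnet = Get-AzVirtualNetwork -Name 'vnet-web' -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-web' -AddressPrefix '10.20.1.0/24' `
    -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check 1: the non-deletable defaults and their priorities.
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -DefaultRules |
    Select-Object Name, Priority, Direction, Access

# Check 2: the effective rules on a running VM's NIC, i.e. subnet NSG and NIC NSG combined.
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName 'nic-web-01' -ResourceGroupName $rg |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Select-Object Name, Priority, Direction, Access
```

Check 2 is the one to run after every rule change: it shows what the platform actually enforces for that NIC once the subnet-level and NIC-level NSGs are merged, and it is where a forgotten subnet NSG that still allows 3389 from VirtualNetwork shows up. The VM has to be running for the effective-rules query to return data.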