Azure/Networking

From Ever changing code

Microsoft changes this area often, but the basics should stay the same. The Virtual Network documentation covers most of the subjects here:

  • routing, service endpoints, security groups, more...

Azure Virtual Network

Resources

Peering

Peered virtual networks can be in the same or different supported Azure regions, and in the same or different Azure subscriptions. Traffic between peered VNets stays on the Microsoft backbone and uses private addresses. Peering is not transitive: if A is peered with B and B with C, A cannot reach C unless it is peered with C as well (or traffic is routed through an NVA in B).

VPN gateway

Connects a virtual network to your on-premises network (site-to-site, S2S) or to individual clients (point-to-site, P2S) over IPsec/IKE. ExpressRoute gives a private, non-Internet circuit instead and uses its own ExpressRoute gateway rather than a VPN gateway.

Routing

Resources

Service endpoints

Virtual Network (VNet) service endpoints extend your virtual network's private address space and the identity of your VNet to selected Azure PaaS services over a direct connection. They allow you to restrict an Azure service resource (a storage account, a SQL server, a Key Vault) to traffic from your virtual networks only. Traffic from your VNet to the Azure service always stays on the Microsoft backbone network, and the service sees the VM's private VNet IP as the source instead of its public IP. Note the two halves: enabling the endpoint on the subnet only changes routing and source identity; the resource's own firewall or virtual network rules must still be configured, otherwise it remains reachable from anywhere.

When enabling a service endpoint for an existing subnet, ensure that no critical tasks are running on any resource in the subnet. Service endpoints switch routes on every network interface in the subnet from using the default route with the 0.0.0.0/0 address prefix and next hop type of Internet, to using a new route with the address prefixes of the service, and a next hop type of VirtualNetworkServiceEndpoint. During the switch, any open TCP connections may be terminated. The service endpoint is not enabled until traffic flows to the service for all network interfaces are updated with the new route. To learn more about routing, see Routing overview.

Example service endpoint. These can be found in the VNet blade > Subnets > Service endpoints, and the additional route they add is visible under the NIC > Effective routes:

  • Microsoft.Sql

So the technique behind service endpoints is simply a system route covering the service's public prefixes with "VirtualNetworkServiceEndpoint" as the next hop type. Because those prefixes are more specific than 0.0.0.0/0, they also win over a user-defined default route that force-tunnels traffic to a firewall or NVA: service endpoint traffic goes straight to the service and does not pass through the appliance, which is worth checking when you rely on the NVA for egress inspection.

Secondary note

A Virtual Network service endpoint is a subnet property whose values are one or more formal Azure service type names. The service type name Microsoft.Sql refers to the Azure service named SQL Database, but it is not limited to it: enabling the Microsoft.Sql endpoint on a subnet configures service endpoint traffic for all Azure Database services, including Azure SQL Database, Azure Database for PostgreSQL and Azure Database for MySQL servers, for that subnet. (This is the service endpoint name, not to be confused with the similarly named service tags used in NSG rules.)
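As an added example (not from the original page), the whole procedure described above with the Az PowerShell module: enable the Microsoft.Sql endpoint on a subnet, add a virtual network rule on an Azure SQL logical server so that only that subnet is accepted, and then read a NIC's effective routes to confirm the VirtualNetworkServiceEndpoint route appeared. The resource group, VNet, subnet, server and NIC names are assumptions; the session must already be authenticated with Connect-AzAccount.

```powershell
# Added example, not code from the original page. All resource names are assumed.
# Requires Az.Network and Az.Sql and an authenticated session (Connect-AzAccount).
$rg       = "rg-net-demo"
$vnetName = "vnet-hub"
$subnet   = "snet-app"
$sqlSrv   = "sql-demo-srv"     # logical server name only, without .database.windows.net
$nicName  = "vm-app-nic"       # NIC of a VM living in $subnet

# 1. Enable the Microsoft.Sql service endpoint on the subnet.
#    -AddressPrefix is mandatory for Set-AzVirtualNetworkSubnetConfig, so the
#    existing prefix is read back and passed again unchanged.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$cfg  = Get-AzVirtualNetworkSubnetConfig -Name $subnet -VirtualNetwork $vnet
$vnet = Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet `
            -AddressPrefix $cfg.AddressPrefix -ServiceEndpoint "Microsoft.Sql"
$vnet = $vnet | Set-AzVirtualNetwork

# 2. The endpoint alone restricts nothing. Tell the SQL server's firewall to
#    accept the subnet; any public-IP firewall rules that are no longer needed
#    should be removed separately (Remove-AzSqlServerFirewallRule).
$subnetId = (Get-AzVirtualNetworkSubnetConfig -Name $subnet -VirtualNetwork $vnet).Id
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $sqlSrv `
    -VirtualNetworkRuleName "allow-$subnet" -VirtualNetworkSubnetId $subnetId

# 3. Verify from the data plane side: the NIC's effective routes should now
#    contain rows with next hop VirtualNetworkServiceEndpoint next to the
#    Default 0.0.0.0/0 -> Internet route.
Get-AzEffectiveRouteTable -NetworkInterfaceName $nicName -ResourceGroupName $rg |
    Where-Object { $_.NextHopType -eq "VirtualNetworkServiceEndpoint" } |
    Select-Object Source, State, @{ n = "AddressPrefix"; e = { $_.AddressPrefix -join "," } }, NextHopType
```

Step 1 causes the route switch described above, so run it in a maintenance window if the subnet hosts anything with long-lived TCP connections to the service. If step 3 returns nothing, the endpoint is not yet active on that NIC.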

List Service endpoints in Subnet

When creating a subnet, the following service endpoints were available to enable at the time of writing (the list has since grown; the portal or `az network vnet list-endpoint-services` shows the current set for a region):

  • Microsoft.AzureActiveDirectory
  • Microsoft.AzureCosmosDB
  • Microsoft.EventHub
  • Microsoft.KeyVault
  • Microsoft.ServiceBus
  • Microsoft.Sql
  • Microsoft.Storage

DNS Name Resolution

Resources in one VNet cannot resolve the names of resources in a peered VNet using the built-in Azure-provided DNS (168.63.129.16), which only knows the names of its own VNet. Resolving names across peered virtual networks requires one of

  • own DNS server
  • Azure DNS private domains
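As an added example (not from the original page), the Azure DNS private zone option with the Az PowerShell module: one private zone is linked to two peered VNets with auto-registration, so VMs in either VNet resolve each other's names, and a static record is added for a service that is not a VM. The zone name, resource group, VNet names and the IP address are assumptions.

```powershell
# Added example, not code from the original page. Names and addresses are assumed.
# Requires Az.Network and Az.PrivateDns and an authenticated session (Connect-AzAccount).
$rg    = "rg-net-demo"
$zone  = "corp.internal"
$vnets = @("vnet-hub", "vnet-spoke")   # already peered with each other

# One zone, shared by every VNet that needs to resolve the same names.
New-AzPrivateDnsZone -Name $zone -ResourceGroupName $rg

foreach ($v in $vnets) {
    $vnetId = (Get-AzVirtualNetwork -Name $v -ResourceGroupName $rg).Id
    # -EnableRegistration makes VMs in this VNet register their A records
    # automatically. A VNet can auto-register into only one zone, so keep the
    # registration zone per VNet unique.
    New-AzPrivateDnsVirtualNetworkLink -ZoneName $zone -ResourceGroupName $rg `
        -Name "link-$v" -VirtualNetworkId $vnetId -EnableRegistration
}

# Static record for something that is not a VM (for example a private load balancer).
New-AzPrivateDnsRecordSet -ZoneName $zone -ResourceGroupName $rg -Name "db" `
    -RecordType A -Ttl 300 `
    -PrivateDnsRecords (New-AzPrivateDnsRecordConfig -Ipv4Address "10.1.2.10")

# Check from a VM in either VNet (it still uses the built-in 168.63.129.16 resolver):
#   Resolve-DnsName vm-in-other-vnet.corp.internal
#   Resolve-DnsName db.corp.internal
```

The VMs keep the default Azure-provided resolver; the private zone is consulted by that resolver for every VNet linked to it, which is what makes cross-VNet resolution work without running your own DNS server.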

Resolving names between a VNet and on-premises networks requires

  • own DNS server (the Azure-provided resolver at 168.63.129.16 is reachable only from inside Azure, so an on-premises resolver cannot forward to it directly; the usual bridge is a DNS forwarder VM in the VNet that on-premises DNS conditionally forwards to, and vice versa)

At the time of writing, Azure DNS Private Zones were in public preview; they have since become generally available.


Resources