Azure Course Chapter 10: Virtual Network, VPN Gateway, CDN, Load Balancer, App GW


Hello everyone! Welcome back to the Azure Fundamentals course. This is Pavan, and in episode 10 we’re covering the basics of Azure Networking Services. Stay tuned! The focus of this episode is Azure Networking Services, and the core services we will learn about today are Virtual Networks, Load Balancers, VPN Gateways, Application Gateways, and Content Delivery Networks. But before we move on to those services, let’s talk about what networking services are in general.

Azure Networking Services Overview

Networking services are a category of services that allow customers to connect their on-premise and cloud resources. They also help with protection and monitoring of the networking for those services, as well as helping customers with application delivery. The first service that we will learn about today is Azure Virtual Network.

Azure Virtual Network


Imagine you have two resources in Azure, let’s say two virtual machines. Because virtual machines are a representation of physical hardware in the cloud, they also need to be placed into a representation of the physical network infrastructure. That representation in Azure is called Azure Virtual Network. Virtual Networks allow customers to create, manage, monitor, and secure connectivity between Azure resources, and also between Azure resources and their on-premise environments.

Virtual Networks can be segmented into smaller pieces called subnets. There are two main purposes for having subnets. One is to let customers manage their IP address allocation more efficiently; the other is to group related resources together so that you can apply filters and security rules across multiple resources within the same subnet, for example by grouping all the resources hosting your web applications in one subnet and only allowing web traffic to reach it.

As a customer, you have the freedom of how you manage subnets and virtual networks. If you want, you can group multiple resources within the same subnet, and it is your choice how you want to represent your networking infrastructure in the cloud.

There are many reasons why you might want multiple Virtual Networks, and there are technical limitations that force you to have them. For example, a Virtual Network can only reside within a single region and can only contain resources from that specific region. So, if you are building multi-region applications, you will end up with multiple Virtual Networks. If you want to connect multiple Virtual Networks, you can do one of two things: use a feature called VNet Peering, which connects Virtual Networks so that they act as one, or use a VPN Gateway. There are benefits and drawbacks to each, but that is a little too advanced a topic for Azure Fundamentals.

For now, just remember you have two options: VNet Peering and VPN Gateway. So, let me summarize. Azure Virtual Network is an emulation of a physical network infrastructure in the cloud. It is designed to give customers isolation and segmentation of their network and to enable communication, filtering, and routing between Azure and on-premise resources. Remember that Virtual Networks are scoped to a single region, so in a multi-region architecture you will have multiple Virtual Networks, which you can connect to each other using either VNet Peering or VPN Gateway. When it comes to segmentation, you achieve that using subnets. Subnets allow customers to divide Virtual Networks so that they can manage their IP address allocation more effectively and manage network filtering through something called Network Security Groups or Application Security Groups. We will learn more about those in a future video about security and compliance.

Network Security Groups


For today, imagine you have two virtual machines within a single Virtual Network, placed in two separate subnets. If you want to control the traffic that comes from the internet to a virtual machine, you can place a Network Security Group on its subnet, and that security group will only allow specific traffic to reach the virtual machine. You can also use Network Security Groups to manage the traffic between subnets. It is really a tool for managing your networking in a secure and efficient manner. We’ll get back to that in a future episode.
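To make the "only allow specific traffic" idea concrete, here is an added example (not from the course) that evaluates inbound traffic against a Network Security Group the way Azure does: rules are checked in priority order, lowest number first, the first match decides, and Azure appends default rules at priorities 65000 to 65500 that end with a deny-everything rule. The rule set is constructed for a web subnet; the VirtualNetwork service tag is simplified to a CIDR, which is an assumption of the example.

```python
"""Added example: first-match, priority-ordered NSG evaluation for inbound flows."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # 100-4096 for custom rules, 65000+ for Azure's default rules
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR or "*" (service tags are simplified to CIDRs here)
    dest_port: str  # single port, "lo-hi" range, or "*"


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def _source_matches(spec: str, src_ip: str) -> bool:
    return spec == "*" or ipaddress.ip_address(src_ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, src_ip: str, dest_port: int, protocol: str):
    """Return (decision, name of the rule that matched) for one inbound flow."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol in ("*", protocol) and _source_matches(r.source, src_ip) \
                and _port_matches(r.dest_port, dest_port):
            return r.access, r.name
    raise AssertionError("Azure always supplies a final DenyAllInBound rule")


# Constructed rule set: HTTPS from anywhere, SSH only from an office range, plus the
# three inbound default rules Azure adds (the AzureLoadBalancer tag is 168.63.129.16).
WEB_SUBNET_RULES = [
    Rule("AllowHttps", 100, "Allow", "Tcp", "*", "443"),
    Rule("AllowSshFromOffice", 110, "Allow", "Tcp", "203.0.113.0/24", "22"),
    Rule("AllowVnetInBound", 65000, "Allow", "*", "10.0.0.0/16", "*"),  # VirtualNetwork tag, simplified
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "168.63.129.16/32", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

if __name__ == "__main__":
    for flow in [("198.51.100.7", 443, "Tcp"), ("198.51.100.7", 22, "Tcp"),
                 ("203.0.113.9", 22, "Tcp"), ("10.0.1.4", 3389, "Tcp")]:
        print(flow, "->", evaluate(WEB_SUBNET_RULES, *flow))
```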

Let me now move to the Azure Portal, where I will show you how to create a Virtual Network. As usual, you go to the left-hand side menu, select “Create a resource,” and type in “Virtual Network.” This will allow you to create a Virtual Network infrastructure in Azure. Just hit “Create” and fill in the form. In order to create a Virtual Network, you need to select a resource group, for instance “AZ900 Networking.” Provide a name like “am-demo-vnet.” Next, we need to select an Azure region. As I mentioned, this is a single-region resource, so for me this will be West Europe. Now, go to the next tab called “IP Addresses,” where you can allocate address space for your Virtual Network. If you leave it as default, it will allocate 65,000 addresses for you to use. At the bottom, you have a default subnet. The default subnet is a requirement for every Azure Virtual Network. This is the place where you can allocate part of your address space to the subnet. If you’re done, move to the next section. Go to the security tab, where you can enable some additional security features for your Virtual Network, like Azure Firewall, DDoS protection, or Bastion Host. If you’re satisfied with your selection, simply hit “Review and create,” and create it. It only takes about 10-15 seconds for a Virtual Network to be created. Once created, you can hit “Go to the resource” to review your Virtual Network.
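The address-space step above is where subnet planning happens, so here is an added example (not from the course) that carves subnets out of a Virtual Network address space the way you would before filling in the “IP Addresses” tab. It accounts for the five addresses Azure reserves in every subnet (the network address, three for Azure services, and the broadcast address) and for the smallest subnet Azure allows, a /29; the host counts are constructed sample input.

```python
"""Added example: size and allocate Azure subnets inside a VNet address space."""
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5   # Azure keeps the first four and the last address of each subnet
AZURE_SMALLEST_PREFIX = 29      # Azure does not allow subnets smaller than /29


def plan_subnets(address_space: str, wanted: dict) -> dict:
    """Carve non-overlapping subnets out of address_space.

    wanted maps subnet name -> number of usable hosts required. Each subnet gets the
    smallest prefix that still leaves that many usable addresses, and subnets are
    allocated largest-first so they pack into the address space without gaps.
    """
    vnet = ipaddress.ip_network(address_space, strict=True)
    end = int(vnet.broadcast_address) + 1
    plan, cursor = {}, int(vnet.network_address)
    for name, hosts in sorted(wanted.items(), key=lambda kv: -kv[1]):
        need = hosts + AZURE_RESERVED_PER_SUBNET
        # smallest block holding `need` addresses, but never smaller than /29
        prefix = min(vnet.max_prefixlen - (need - 1).bit_length(), AZURE_SMALLEST_PREFIX)
        size = 2 ** (vnet.max_prefixlen - prefix)
        if cursor % size:                       # align the start to the block size
            cursor += size - cursor % size
        if cursor + size > end:
            raise ValueError(f"address space {vnet} exhausted at subnet {name!r}")
        subnet = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{prefix}")
        plan[name] = {"cidr": str(subnet), "usable": size - AZURE_RESERVED_PER_SUBNET}
        cursor += size
    return plan


if __name__ == "__main__":
    # Constructed requirements for a small three-tier layout inside the portal default /16.
    for name, info in plan_subnets("10.0.0.0/16", {"web": 200, "data": 20, "mgmt": 3}).items():
        print(f"{name:5} {info['cidr']:18} usable={info['usable']}")
```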

This is the place where you will manage everything about that Virtual Network. But I want to show you something more interesting by going to Resource Groups and selecting the resource group that I created in the previous episode, called “AZ900 VM,” where I created my virtual machine. When you create a virtual machine, by default it is created together with a Virtual Network using default settings. When you open this, there’s a cool feature of Virtual Networks that allows you to draw a diagram of your infrastructure.

By simply typing “diagram” here, you can select “Monitoring diagram,” and Azure will draw a diagram for you representing your current networking infrastructure for that specific Virtual Network.

As you see, we have an “AZ900 VM” Virtual Network with one subnet called “default,” and there is one network interface connected directly to this subnet, which is used by a virtual machine called “am-demo-vm.” There is also a public IP connected to this network interface, allowing me to connect to this virtual machine from the public internet, and a Network Security Group, which controls all the traffic that goes to this virtual machine through this network interface.

This diagram not only allows you to see how your networking is organized within this Virtual Network, but it also allows you to quickly find related resources. For instance, if I want to manage security rules for this virtual machine, I can simply click on this Network Security Group to do so. All those components that you have seen on the diagram are used to manage everything related to networking for this virtual machine.

But that’s it for now. Let me move back to the presentation. I’ve also mentioned something called Virtual Network (VPN) Gateway.

Virtual Network (VPN) Gateway


A Virtual Network Gateway, also called a VPN Gateway, allows you to connect to your on-premise environments, enabling your Virtual Network to talk to the network within your on-premise environments. This communication is done over the public internet, but it is entirely encrypted. Additionally, a VPN Gateway can also be used to connect Virtual Networks to each other. Although this is a less common case, it is still able to do that. Just remember to use a VPN Gateway whenever you need to connect on-premise environments to Azure over the public internet or if you need to implement cross-regional communications between Virtual Networks.

In the end, it will be your decision whether to use VNet Peering or VPN Gateway to do so, but there are a few details you will need to read about before choosing, because each is designed for a specific use case. For today, we don’t have to deep dive into those topics.

Azure Load Balancer


Next on our list is Azure Load Balancer. Load balancing simply means the distribution of the traffic across multiple resources. So, if you have two virtual machines, you can create a load balancer in front and evenly distribute the traffic across those two virtual machines. There are many reasons to do that. One of them is to increase the availability of your solution. Another reason is to allow horizontal scalability, where you simply add a new virtual machine and a load balancer will automatically start distributing the traffic between them.

One important feature of the Azure Load Balancer is that it allows you to monitor the health of your virtual machines. If your load balancer detects that a virtual machine is down, it will automatically remove it from the pool of the machines receiving traffic and send the traffic only to healthy machines.

There are two types of load balancers: the public load balancer, which allows internet traffic to pass through it, and the internal load balancer, which allows only internal traffic to pass through it.

In general, both types look and behave the same, but the naming matters because it tells you which load balancer accepts internet traffic and which one accepts internal-only traffic. Additionally, those load balancers allow you to define multiple pools and manage the traffic based on IP or port ranges. That’s why you can have a web tier and a database tier, for instance, handled by the same load balancer.

Finally, Azure Load Balancer can operate in two modes. There is a Layer 4 load balancer, which will allow you to pass the traffic without really looking inside the packets, and Layer 7 load balancer, which will allow you to inspect the traffic. You can inspect, for instance, the header of the HTTP packet and route it to the correct instance based on the location of the source of the traffic. So, let me summarize.

Summary


Azure Load Balancer allows customers to distribute traffic across multiple virtual machines. You can increase the availability of your solution by simply adding an Azure Load Balancer in front of those virtual machines. There are two types of load balancers: public, which allows internet traffic, and internal, which only allows private traffic. Finally, you can use a Layer 4 load balancer, which is the default and fastest option, or a Layer 7 load balancer, which inspects the traffic on the application layer and decides which instance to direct it to. So, this is Azure Load Balancer in a nutshell. Let’s move on to Azure VPN Gateway.
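To show the two behaviours described above, health-probe removal and traffic distribution, here is an added simulation (not from the course and not Azure's code). It models a Layer 4 load balancer that picks a backend from a hash of the flow's 5-tuple (source IP and port, destination IP and port, protocol), which keeps every packet of one flow on the same VM, and that drops a backend from the pool once its health probe has failed a configurable number of consecutive times; the backend addresses and probe results are constructed.

```python
"""Added example: Layer 4 distribution with probe-driven backend removal."""
import hashlib
from dataclasses import dataclass


@dataclass
class Backend:
    address: str
    failures: int = 0     # consecutive failed probes
    healthy: bool = True


class LoadBalancer:
    def __init__(self, backends, unhealthy_threshold: int = 2):
        self.pool = [Backend(b) for b in backends]
        self.unhealthy_threshold = unhealthy_threshold

    def record_probe(self, address: str, success: bool) -> None:
        """Feed one health-probe result; a backend is taken out of rotation after
        `unhealthy_threshold` consecutive failures and put back on the next success."""
        b = next(b for b in self.pool if b.address == address)
        if success:
            b.failures, b.healthy = 0, True
        else:
            b.failures += 1
            if b.failures >= self.unhealthy_threshold:
                b.healthy = False

    def healthy_backends(self):
        return [b.address for b in self.pool if b.healthy]

    def pick(self, src_ip, src_port, dst_ip, dst_port, proto):
        """Choose the backend for a flow; None means no healthy VM is left."""
        healthy = self.healthy_backends()
        if not healthy:
            return None
        key = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}/{proto}".encode()
        idx = int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % len(healthy)
        return healthy[idx]


if __name__ == "__main__":
    lb = LoadBalancer(["10.0.0.4", "10.0.0.5", "10.0.0.6"])
    print("before:", lb.pick("198.51.100.7", 51000, "20.0.0.1", 443, "tcp"))
    lb.record_probe("10.0.0.5", False)
    lb.record_probe("10.0.0.5", False)      # second failure: 10.0.0.5 leaves the pool
    print("healthy:", lb.healthy_backends())
```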

Azure VPN Gateway


As I already mentioned, Azure VPN Gateway is a specialized Virtual Network Gateway that allows you to connect your on-premise infrastructure to your Azure Virtual Network using VPN (Virtual Private Network) technology. When setting up the connection, customers have three options.

First, they can use a site-to-site VPN, in which case you have a VPN appliance in your on-premise environment and a VPN gateway on the Azure side, and the two communicate over an encrypted tunnel. The second option is a point-to-site VPN. In this case, you don’t need any appliance on the on-premise side; this option allows you to connect specific devices directly to the Virtual Network. The third option is ExpressRoute. ExpressRoute is a dedicated connection provided by Microsoft, which means you don’t need to go through the public internet and can connect directly. ExpressRoute is the most expensive option, but it is also the safest and fastest. Finally, Azure VPN Gateway can also be used to connect multiple Azure regions. So, if you have multiple Virtual Networks spread across different regions, you can use a VPN Gateway to connect them, allowing for cross-region communication between them.

To summarize, the VPN Gateway allows you to connect Azure Virtual Networks to your on-premise infrastructure, but it can also be used to connect Virtual Networks in different regions. The main use case is to provide secure connectivity between on-premise and cloud environments, and for this, you can use one of the three options: site-to-site, point-to-site, or ExpressRoute.

Azure Application Gateway


Moving on to Azure Application Gateway, this is another specialized type of load balancer that operates on Layer 7. What makes the Application Gateway different from a standard load balancer is that it provides additional services for HTTP traffic, like SSL termination and URL-based routing. SSL termination lets the Gateway take over the work of encrypting and decrypting traffic from your virtual machines. The traffic from the end user to the Application Gateway is encrypted, but from the Application Gateway to your virtual machine it is unencrypted. This not only reduces the load on your virtual machines, but also simplifies the management of your SSL certificates, as you only need to manage them on the Application Gateway.

URL-based routing is another feature that allows you to route traffic based on the URL path. For example, you can route all traffic from “/images” to one set of virtual machines and traffic from “/videos” to another. This is especially useful for applications that have multiple components, such as a web app with a backend API. You can separate the traffic and route it to the appropriate component.

In addition to these features, Application Gateway also provides Web Application Firewall (WAF) capabilities, which protect your applications from common web vulnerabilities, such as SQL injection and cross-site scripting. WAF can be enabled on the Application Gateway to inspect incoming traffic and block malicious requests before they reach your application.

To summarize, Azure Application Gateway is a specialized load balancer for HTTP traffic that provides additional features like SSL termination, URL-based routing, and Web Application Firewall capabilities. It is designed to handle complex web applications and protect them from common web vulnerabilities.
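Here is an added example (not from the course and not Application Gateway's code) that models the two features from this section together: URL-based routing to backend pools by path prefix, and SSL termination, where the TLS session ends at the gateway and the request goes to the pool as plain HTTP with the original client details carried in the X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Port headers that Application Gateway adds. The routing rules and hostnames are constructed; normalising `..` segments before matching is this example's own precaution so that a request such as `/images/../api/orders` is routed as an API request and not as an image request.

```python
"""Added example: path-based routing plus SSL termination at a Layer 7 gateway."""
import posixpath
from urllib.parse import urlsplit, urlunsplit

# Constructed rules: (path prefix, backend pool). Unmatched paths go to the default pool.
PATH_RULES = [("/images", "images-pool"), ("/videos", "videos-pool"), ("/api", "api-pool")]
DEFAULT_POOL = "web-pool"


def normalize_path(path: str) -> str:
    """Collapse '.' and '..' segments so routing and the backend agree on the path."""
    norm = posixpath.normpath(path or "/")
    return norm if norm.startswith("/") else "/" + norm


def choose_pool(path: str, rules=PATH_RULES, default=DEFAULT_POOL) -> str:
    """Longest matching prefix wins; prefixes match whole segments, so
    '/imagesfoo' does not match '/images'."""
    path = normalize_path(path)
    matches = [(p, pool) for p, pool in rules if path == p or path.startswith(p + "/")]
    return max(matches, key=lambda m: len(m[0]))[1] if matches else default


def terminate_and_forward(client_ip: str, url: str) -> dict:
    """Decrypt at the gateway and build the plain-HTTP request sent to the pool."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    path = normalize_path(u.path)
    return {
        "pool": choose_pool(path),
        "url": urlunsplit(("http", u.hostname, path, u.query, "")),
        "headers": {
            "X-Forwarded-For": client_ip,        # original client address
            "X-Forwarded-Proto": u.scheme,       # lets the backend know TLS was used
            "X-Forwarded-Port": str(port),
        },
    }


if __name__ == "__main__":
    req = terminate_and_forward("198.51.100.7", "https://shop.example.com/images/../api/orders?id=7")
    print(req["pool"], req["url"], req["headers"])
```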

Content Delivery Network (CDN)


Finally, let’s talk about Azure Content Delivery Network, or CDN. A CDN is a global network of servers that delivers content to users based on their geographic location. The main purpose of a CDN is to reduce latency and improve the performance of your applications by caching content at strategic locations around the world.

When a user requests content from your application, the CDN will deliver it from the closest server in the network, reducing the time it takes for the content to reach the user. This is especially important for applications with a global audience, as it ensures that users in different regions experience the same level of performance.

Azure CDN can be used to deliver various types of content, including static files like images, videos, and documents, as well as dynamic content generated by your application. It also provides features like custom domains, SSL support, and analytics to help you monitor the performance of your content delivery.

In summary, Azure Content Delivery Network is a global network of servers that improves the performance and scalability of your applications by delivering content from the closest server to the user. It is an essential service for applications with a global audience and can be used to deliver both static and dynamic content.

Episode Conclusion


That brings us to the end of this episode on Azure Networking Services. We’ve covered a lot of ground today, including Virtual Networks, Load Balancers, VPN Gateways, Application Gateways, and Content Delivery Networks. I hope this episode has given you a good understanding of how these services work and how they can be used to build scalable and secure applications in Azure.

In the next episode, we’ll be diving into Azure Storage Services, where we’ll explore different storage options available in Azure and how to use them effectively in your applications. Thanks for joining me today, and I look forward to seeing you in the next episode!
