Azure Networking
Access Control
- When no Network Security Group (NSG) is assigned to a subnet or NIC, the default behavior is to allow all traffic.
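The following is an added example, not part of these notes: a small Python model of how Azure evaluates NSG rules, to make the point above concrete. With no NSG attached nothing filters the traffic; as soon as an NSG is attached, Azure's documented default inbound rules (priorities 65000, 65001 and 65500) deny anything that does not come from the VNet or the Azure load balancer. Rules are evaluated in ascending priority and the first match wins; for inbound traffic a subnet NSG and a NIC NSG are both evaluated and both must allow. The VNet address space, the admin range and the packets are constructed sample values.

```python
"""Toy model of Azure NSG rule evaluation (added example, not from the notes)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample VNet address space, used to resolve the VirtualNetwork tag.
VNET_CIDR = "10.0.0.0/16"
AZURE_LB_PROBE_IP = "168.63.129.16"  # documented AzureLoadBalancer source address


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # lower number is evaluated first
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp" or "*"
    source: str         # CIDR, "*" or one of the two service tags handled below
    dest_port: str      # "22", "1000-2000" or "*"


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_port: int


# Azure's built-in inbound default rules; every NSG carries these.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def _source_matches(source: str, src_ip: str) -> bool:
    """Resolve the small set of source specifications this toy understands."""
    if source == "*":
        return True
    if source == "VirtualNetwork":
        return ip_address(src_ip) in ip_network(VNET_CIDR)
    if source == "AzureLoadBalancer":
        return src_ip == AZURE_LB_PROBE_IP
    return ip_address(src_ip) in ip_network(source)   # plain CIDR or single host


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def _rule_matches(rule: Rule, pkt: Packet) -> bool:
    proto_ok = rule.protocol == "*" or rule.protocol.lower() == pkt.protocol.lower()
    return (proto_ok and _source_matches(rule.source, pkt.src_ip)
            and _port_matches(rule.dest_port, pkt.dst_port))


def evaluate(nsg: Optional[list], pkt: Packet) -> str:
    """Decision of a single NSG for an inbound packet: "Allow" or "Deny"."""
    if nsg is None:
        return "Allow"          # no NSG attached: the traffic is not filtered at all
    for rule in sorted(nsg, key=lambda r: r.priority):
        if _rule_matches(rule, pkt):
            return rule.access  # first match by priority wins
    return "Allow"              # only reachable if the default rules were removed


def effective_inbound(subnet_nsg: Optional[list], nic_nsg: Optional[list], pkt: Packet) -> str:
    """Inbound: the subnet NSG is evaluated first, then the NIC NSG; both must allow."""
    if evaluate(subnet_nsg, pkt) == "Deny":
        return "Deny"
    return evaluate(nic_nsg, pkt)


# Constructed custom NSG: SSH only from one admin range, on top of the defaults.
ADMIN_SSH_NSG = [Rule("AllowAdminSSH", 300, "Allow", "Tcp", "198.51.100.0/24", "22")] + DEFAULT_INBOUND

if __name__ == "__main__":
    ssh_from_internet = Packet("Tcp", "203.0.113.5", 22)
    ssh_from_admin = Packet("Tcp", "198.51.100.7", 22)
    print(evaluate(None, ssh_from_internet))             # Allow: no NSG attached
    print(evaluate(DEFAULT_INBOUND, ssh_from_internet))  # Deny: DenyAllInBound
    print(evaluate(ADMIN_SSH_NSG, ssh_from_admin))       # Allow: custom rule at 300
    # Deny: the NIC NSG carries only the defaults and has no matching allow rule.
    print(effective_inbound(ADMIN_SSH_NSG, DEFAULT_INBOUND, ssh_from_admin))
```

The last call is the case that catches people in practice: an allow rule on the subnet NSG is not enough if a NIC NSG with only the default rules sits behind it, because each NSG must independently allow the packet.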
IP Addresses
- When a VM is not running, the public IP of the machine is not available.
Azure DNS
Internet Connectivity
VPC Peering
- Gateway transit is a peering property that lets one virtual network use the VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity.
- The transit option can be used with all VPN Gateway SKUs except the Basic SKU.
- You can disable the automatic route propagation from the VPN gateway. Create a routing table with the “Disable BGP route propagation” option, and associate the routing table to the subnets to prevent the route distribution to those subnets.
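The following is an added example, not part of these notes: a small Python model of how a subnet's effective routes are assembled and selected, to show what the "Disable BGP route propagation" option does. Routes that the virtual network gateway would push into the subnet are dropped from its effective routes; selection then follows Azure's documented rules of longest prefix match first and, on a tie, user-defined routes over gateway-propagated routes over system routes. The VNet, the advertised on-prem prefix and the appliance address are constructed sample values.

```python
"""Toy model of Azure effective-route selection (added example, not from the notes)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str           # VnetLocal | Internet | VirtualNetworkGateway | VirtualAppliance
    source: str                  # Default | VirtualNetworkGateway | User
    next_hop_ip: Optional[str] = None


@dataclass
class RouteTable:
    routes: list = field(default_factory=list)
    disable_bgp_route_propagation: bool = False


# Precedence among routes with the same prefix length (lower rank wins).
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}

# Constructed sample: a 10.0.0.0/16 VNet whose VPN gateway advertises on-prem 192.168.0.0/16.
SYSTEM_ROUTES = [
    Route("10.0.0.0/16", "VnetLocal", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
]
GATEWAY_ROUTES = [Route("192.168.0.0/16", "VirtualNetworkGateway", "VirtualNetworkGateway")]


def effective_routes(route_table: Optional[RouteTable]) -> list:
    """The routes a subnet actually sees once its route table is applied."""
    routes = list(SYSTEM_ROUTES)
    if route_table is None or not route_table.disable_bgp_route_propagation:
        routes += GATEWAY_ROUTES           # gateway routes propagate unless disabled
    if route_table is not None:
        routes += route_table.routes       # user-defined routes from the table
    return routes


def select_route(routes: list, dst_ip: str) -> Route:
    """Longest prefix match, then source precedence."""
    addr = ip_address(dst_ip)
    candidates = [r for r in routes if addr in ip_network(r.prefix)]
    return min(candidates, key=lambda r: (-ip_network(r.prefix).prefixlen, SOURCE_RANK[r.source]))


def next_hop(route_table: Optional[RouteTable], dst_ip: str) -> str:
    """Human-readable next hop the subnet would use for dst_ip."""
    r = select_route(effective_routes(route_table), dst_ip)
    return r.next_hop_type if r.next_hop_ip is None else f"{r.next_hop_type}({r.next_hop_ip})"


# Constructed scenario: force egress through an inspection appliance at 10.0.2.4.
NVA_DEFAULT_UDR = Route("0.0.0.0/0", "VirtualAppliance", "User", "10.0.2.4")
NVA_ONPREM_UDR = Route("192.168.0.0/16", "VirtualAppliance", "User", "10.0.2.4")

PROPAGATION_ON = RouteTable([NVA_DEFAULT_UDR])
PROPAGATION_OFF = RouteTable([NVA_DEFAULT_UDR], disable_bgp_route_propagation=True)
PROPAGATION_OFF_PINNED = RouteTable([NVA_DEFAULT_UDR, NVA_ONPREM_UDR], disable_bgp_route_propagation=True)

if __name__ == "__main__":
    onprem_host = "192.168.1.10"
    # The /16 gateway route is more specific than the /0 UDR, so on-prem traffic
    # bypasses the appliance while propagation is enabled.
    print(next_hop(PROPAGATION_ON, onprem_host))          # VirtualNetworkGateway
    # With propagation disabled the gateway route is gone and the /0 UDR applies.
    print(next_hop(PROPAGATION_OFF, onprem_host))         # VirtualAppliance(10.0.2.4)
    print(next_hop(PROPAGATION_OFF_PINNED, onprem_host))  # VirtualAppliance(10.0.2.4)
    print(next_hop(PROPAGATION_OFF, "10.0.5.5"))          # VnetLocal
```

The second call is the reason the option exists: a 0.0.0.0/0 user-defined route to an appliance does not by itself capture traffic to prefixes the gateway advertises, because those are more specific; disabling propagation (or pinning each on-prem prefix with its own user-defined route) is what keeps the inspection path from being bypassed.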
Load Balancing
- Traffic Manager
- Front Door
- (Network) Load Balancer
- Application Gateways support autoscaling of the gateways themselves, whereas layer 4 load balancers do not.
Virtual Private Network
- Setting up a S2S VPN from on-prem to an Azure VNet requires a Virtual Network Gateway (VNG) and a Local Network Gateway (LNG). The VNG represents the Azure/VNet side of the connection, and the LNG represents the on-prem side.
- If you make a change to the topology of your network, VPN client packages must be downloaded and installed again for the changes to be applied.
- Enabling gateway transit on a VNet is necessary if peered VNets need to use its gateway to reach an (on-prem) network.
Service Endpoints
- A Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route on the Azure backbone network. Endpoints allow you to restrict your critical Azure service resources to only your virtual networks. Service Endpoints enable private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
Private Endpoints
- Service Endpoints use public IP addresses, while Private Endpoints use private IP addresses.
- Service Endpoints keep PaaS resources outside your VNet, whereas Private Endpoints bring them directly into your VNet.
- Service Endpoints provide access control through IP restrictions, whereas Private Endpoints provide an additional layer of security through private IP addresses.
Azure Monitor Private Link
- An Azure Monitor private link connects a private endpoint to a set of Azure Monitor resources to define the boundaries of your monitoring network. That set is called an Azure Monitor Private Link Scope (AMPLS).
Gateways
- There are multiple types of virtual network gateways (VNGs). In general, VNGs enable connectivity between different networks.
- Azure VPN Gateway is a service that can be used to send encrypted traffic between an Azure virtual network and on-premises locations over the public Internet.