Azure Infrastructure & Network Resources

Overview

Azure provides a comprehensive suite of infrastructure and networking services to build scalable, secure, and resilient cloud solutions. This guide covers core networking resources and their practical applications.


Core Network Resources

1. Virtual Network (VNet)

A Virtual Network is the foundational networking service in Azure that enables Azure resources to communicate securely.

Key Concepts

  • Address Space: IPv4 or IPv6 ranges for your VNet
  • Subnets: Logical divisions within the VNet
  • Network Security Groups (NSG): Firewall rules for inbound/outbound traffic

Basic Configuration

# Create a Virtual Network
az network vnet create \
  --resource-group myResourceGroup \
  --name myVNet \
  --address-prefix 10.0.0.0/16 \
  --subnet-name mySubnet \
  --subnet-prefix 10.0.1.0/24

VNet Use Cases

| Use Case | Description | Best For |
|---|---|---|
| Multi-tier Applications | Separate subnets for web, app, and database layers | Enterprise applications |
| Hybrid Connectivity | Connect on-premises networks via VPN/ExpressRoute | Hybrid cloud environments |
| Microservices | Multiple subnets for different services | Container-based deployments |
| Disaster Recovery | Replicate infrastructure across regions | Business continuity |

2. Network Security Groups (NSG)

NSGs are stateful layer 3/4 filters, attached to subnets or NICs, that control inbound and outbound traffic.

Key Features

  • Inbound/Outbound rules, applied at the subnet or the NIC
  • Priority-based rule evaluation (lowest number first; the first matching rule wins)
  • Built-in default rules at priority 65000 and above (VNet and load-balancer traffic allowed inbound, Internet allowed outbound, everything else denied)

Example NSG Rules

# Create NSG
az network nsg create \
  --resource-group myResourceGroup \
  --name myNSG

# Add inbound rule (allow HTTP)
az network nsg rule create \
  --resource-group myResourceGroup \
  --nsg-name myNSG \
  --name AllowHTTP \
  --priority 100 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --source-address-prefixes '*' \
  --source-port-ranges '*' \
  --destination-address-prefixes '*' \
  --destination-port-ranges 80

# Add inbound rule (allow SSH)
az network nsg rule create \
  --resource-group myResourceGroup \
  --nsg-name myNSG \
  --name AllowSSH \
  --priority 200 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --source-address-prefixes 203.0.113.0/24 \
  --destination-port-ranges 22

NSG Rules Reference Table

| Priority | Protocol | Port | Source | Action | Purpose |
|---|---|---|---|---|---|
| 100 | TCP | 80 | * | Allow | HTTP traffic |
| 110 | TCP | 443 | * | Allow | HTTPS traffic |
| 120 | TCP | 22 | 203.0.113.0/24 | Allow | SSH from admin network |
| 200 | TCP | 3306 | 10.0.1.0/24 | Allow | MySQL from web subnet |
| 65500 | * | * | * | Deny | Default deny rule |
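To make the first-match-by-priority semantics concrete, the following is an added Python example (not code from the original page or from Azure's tooling) that simulates inbound NSG evaluation for a single flow, the same question Network Watcher's IP Flow Verify answers. It models the rules from the table above plus Azure's three default inbound rules. Two things are assumptions: the VirtualNetwork service tag is approximated by the page's VNet range 10.0.0.0/16, and the DenyMySQLOthers rule is an invented addition that shows why the AllowVnetInBound default at 65000 matters when a subnet is meant to be restricted.

```python
"""Simulate inbound NSG evaluation: rules are checked from the lowest
priority number upward and the first match decides (added example with
constructed rules, not Azure's own implementation)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; Azure default rules use 65000+
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR, single IP, or "*"
    dest_ports: str    # "80", "1024-65535", "80,443" or "*"


# Rules from the reference table above (constructed from the page's values).
PAGE_RULES = [
    Rule("AllowHTTP", 100, "Allow", "Tcp", "*", "80"),
    Rule("AllowHTTPS", 110, "Allow", "Tcp", "*", "443"),
    Rule("AllowSSH", 120, "Allow", "Tcp", "203.0.113.0/24", "22"),
    Rule("AllowMySQL", 200, "Allow", "Tcp", "10.0.1.0/24", "3306"),
]

# Azure's default inbound rules. The VirtualNetwork service tag is
# approximated here by the page's VNet range (assumption); 168.63.129.16 is
# the address Azure load balancer health probes originate from.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "10.0.0.0/16", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "168.63.129.16/32", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# Assumed extra rule: explicitly block MySQL from everything except the web
# subnet. The Allow at priority 200 alone does not do this, because the
# default AllowVnetInBound rule still admits other subnets.
DENY_OTHER_MYSQL = Rule("DenyMySQLOthers", 210, "Deny", "Tcp", "*", "3306")


def _source_matches(prefix: str, addr: str) -> bool:
    return prefix == "*" or ip_address(addr) in ip_network(prefix, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def evaluate(rules, protocol: str, source_ip: str, dest_port: int):
    """Return (access, rule_name) for one inbound flow."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not _source_matches(rule.source, source_ip):
            continue
        if not _port_matches(rule.dest_ports, dest_port):
            continue
        return rule.access, rule.name
    return "Deny", "<no rule matched>"   # unreachable while DenyAllInBound is present


if __name__ == "__main__":
    # MySQL from the app subnet (10.0.2.4): allowed by the VNet default
    # unless an explicit deny sits between 200 and 65000.
    for rules, label in ((PAGE_RULES, "page rules"),
                         (PAGE_RULES + [DENY_OTHER_MYSQL], "with explicit deny")):
        print(label, evaluate(rules, "Tcp", "10.0.2.4", 3306))
```

Running the script shows the page's rule set admitting MySQL from 10.0.2.4 via AllowVnetInBound, and the same flow denied once the explicit deny at 210 is present; the general lesson is that an Allow rule limits nothing by itself, only a Deny placed before the defaults does.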

3. Public IP Address

Public IPs enable resources to communicate over the internet.

Types

| Type | Use Case | Example |
|---|---|---|
| Static | Persistent IP for DNS records | Load balancers, VPN gateways |
| Dynamic | Changes after deallocation | Temporary test VMs |

Create Public IP

az network public-ip create \
  --resource-group myResourceGroup \
  --name myPublicIP \
  --sku Standard \
  --allocation-method Static \
  --version IPv4

4. Network Interface (NIC)

NICs connect virtual machines to subnets and enable IP configurations.

Create NIC

az network nic create \
  --resource-group myResourceGroup \
  --name myNIC \
  --vnet-name myVNet \
  --subnet mySubnet \
  --public-ip-address myPublicIP \
  --network-security-group myNSG

NIC Configuration Table

| Property | Value | Purpose |
|---|---|---|
| Enable IP Forwarding | true/false | Let the VM forward traffic not addressed to it (routers, NVAs) |
| Accelerated Networking | Enabled/Disabled | High throughput, low latency |
| Primary IP Config | myIPConfig | Main IP address |
| DNS Settings | FQDN | Hostname resolution |

5. Load Balancer

Distributes traffic across multiple resources.

Types

| Type | Layer | Use Case |
|---|---|---|
| Public Load Balancer | Layer 4 (Transport) | Internet-facing applications |
| Internal Load Balancer | Layer 4 (Transport) | Internal service-to-service communication |
| Application Gateway | Layer 7 (Application) | URL-based routing, SSL termination |

Create Public Load Balancer

# Create Load Balancer
az network lb create \
  --resource-group myResourceGroup \
  --name myLoadBalancer \
  --sku Standard \
  --public-ip-address myPublicIP \
  --frontend-ip-name myFrontEnd \
  --backend-pool-name myBackEnd

# Create health probe (--path is only valid for an http probe; a tcp probe takes no path)
az network lb probe create \
  --resource-group myResourceGroup \
  --lb-name myLoadBalancer \
  --name myHealthProbe \
  --protocol http \
  --port 80 \
  --path /

# Create load balancing rule
az network lb rule create \
  --resource-group myResourceGroup \
  --lb-name myLoadBalancer \
  --name myRule \
  --protocol tcp \
  --frontend-port 80 \
  --backend-port 80 \
  --frontend-ip-name myFrontEnd \
  --backend-pool-name myBackEnd \
  --probe-name myHealthProbe

Load Balancer Configuration Table

| Component | Purpose | Example |
|---|---|---|
| Frontend IP | Entry point | Public IP 203.0.113.1 |
| Backend Pool | Target resources | VMs in availability set |
| Health Probe | Availability check | HTTP GET /health every 5s |
| Load Rule | Traffic distribution | Route 80 to backend 80 |
| NAT Rule | Port translation | Port 8080 → VM port 22 |

6. Application Gateway

Layer 7 load balancer with advanced routing capabilities.

Key Features

  • URL-based routing
  • SSL/TLS termination
  • Web Application Firewall (WAF)
  • Session affinity

Create Application Gateway

# Create Application Gateway
# --priority is required for the routing rule on the v2 SKUs. The certificate
# options only apply with an HTTPS listener plus --cert-file, so they are left
# out of this plain-HTTP example.
az network application-gateway create \
  --name myAppGateway \
  --resource-group myResourceGroup \
  --vnet-name myVNet \
  --subnet myGatewaySubnet \
  --capacity 2 \
  --sku Standard_v2 \
  --priority 100 \
  --http-settings-cookie-based-affinity Enabled \
  --frontend-port 80 \
  --http-settings-port 80 \
  --http-settings-protocol Http \
  --public-ip-address myPublicIP

Application Gateway Routing Rules Table

| Path | Backend Pool | HTTP Settings | Priority |
|---|---|---|---|
| /api/* | API servers | HTTP 8080 | 100 |
| /images/* | Image servers | HTTP 8000 | 200 |
| /static/* | CDN pool | HTTP 8001 | 300 |
| /* | Default pool | HTTP 80 | 1000 |
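The ordering in this table is the whole point: a catch-all like /* must sit at the lowest precedence or it swallows every request. The following is an added Python example (not code from the page or from Application Gateway itself) that resolves a request path against the table, evaluating rules from the lowest priority value as the table describes, and that flags path rules which a higher-precedence wildcard makes unreachable. Only a trailing * wildcard is modelled, which is an assumption of this example.

```python
"""Resolve which backend pool a request path lands in under the routing
table above, and detect path rules that can never match (added example,
constructed data; a simplified model of the table, not the service)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PathRule:
    pattern: str        # path pattern; only a trailing "*" wildcard is modelled
    backend_pool: str
    backend_port: int
    priority: int       # lower value is evaluated first


# The routing table from the page, as constructed data.
ROUTING_RULES = [
    PathRule("/api/*", "API servers", 8080, 100),
    PathRule("/images/*", "Image servers", 8000, 200),
    PathRule("/static/*", "CDN pool", 8001, 300),
    PathRule("/*", "Default pool", 80, 1000),
]


def _matches(pattern: str, path: str) -> bool:
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def route(path: str, rules=ROUTING_RULES):
    """Return (backend_pool, backend_port) for the first matching rule, or None."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule.pattern, path):
            return rule.backend_pool, rule.backend_port
    return None


def shadowed(rules):
    """Patterns that an earlier (higher-precedence) wildcard rule always captures first."""
    ordered = sorted(rules, key=lambda r: r.priority)
    dead = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.pattern.endswith("*") and later.pattern.startswith(earlier.pattern[:-1]):
                dead.append(later.pattern)
                break
    return dead


if __name__ == "__main__":
    print(route("/api/users/42"))          # ('API servers', 8080)
    print(shadowed(ROUTING_RULES))         # []
    # Same rules but with the catch-all promoted to priority 50: everything else is dead.
    broken = [r for r in ROUTING_RULES if r.pattern != "/*"] + [PathRule("/*", "Default pool", 80, 50)]
    print(shadowed(broken))                # ['/api/*', '/images/*', '/static/*']
```

A check like shadowed() is worth running whenever routing rules are edited, since a misordered catch-all fails silently: requests still get answered, just by the wrong pool.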

7. VPN Gateway

Enables secure connectivity between on-premises and Azure networks.

VPN Types

| Type | Purpose | Encryption |
|---|---|---|
| Site-to-Site | On-premises to Azure | IPsec |
| Point-to-Site | Individual client to Azure | SSTP/OpenVPN |
| VNet-to-VNet | Azure to Azure | IPsec |

Create VPN Gateway

# Create gateway subnet
az network vnet subnet create \
  --resource-group myResourceGroup \
  --vnet-name myVNet \
  --name GatewaySubnet \
  --address-prefix 10.0.255.0/27

# Create the gateway's public IP (the gateway references an existing public IP by name)
az network public-ip create \
  --resource-group myResourceGroup \
  --name myVPNGatewayIP \
  --sku Standard \
  --allocation-method Static

# Create VPN Gateway (provisioning can take 45 minutes or more; --no-wait returns immediately)
az network vnet-gateway create \
  --name myVPNGateway \
  --resource-group myResourceGroup \
  --vnet myVNet \
  --public-ip-address myVPNGatewayIP \
  --gateway-type Vpn \
  --vpn-type RouteBased \
  --sku VpnGw1 \
  --no-wait

8. ExpressRoute

Private, dedicated network connection to Azure without internet traversal.

Benefits

| Benefit | Description |
|---|---|
| Reliability | 99.95% uptime SLA |
| Speed | 50 Mbps to 100 Gbps options |
| Security | No internet exposure |
| Predictability | Consistent network performance |

ExpressRoute Circuit Configuration

az network express-route create \
  --bandwidth 50 \
  --name myExpressRoute \
  --peering-location "Seattle" \
  --provider "Equinix" \
  --resource-group myResourceGroup \
  --sku-family MeteredData \
  --sku-tier Standard

9. Azure Firewall

Centralized, managed firewall service for VNets.

Features

  • Application-level filtering
  • Threat intelligence
  • Centralized logging
  • High availability

Create Azure Firewall

# Create firewall subnet
az network vnet subnet create \
  --resource-group myResourceGroup \
  --vnet-name myVNet \
  --name AzureFirewallSubnet \
  --address-prefix 10.0.254.0/24

# Create firewall (requires the CLI extension: az extension add --name azure-firewall)
az network firewall create \
  --resource-group myResourceGroup \
  --name myFirewall \
  --location eastus \
  --vnet-name myVNet

# Create firewall network rule
# (network rules have no --direction option; they match on source,
# destination, protocol and port only)
az network firewall network-rule create \
  --firewall-name myFirewall \
  --resource-group myResourceGroup \
  --collection-name AllowHTTP \
  --name AllowWeb \
  --priority 100 \
  --action Allow \
  --protocols TCP \
  --source-addresses "*" \
  --destination-addresses "*" \
  --destination-ports 80 443

Azure Firewall Rules Table

| Rule Type | Purpose | Action |
|---|---|---|
| Network Rules | Layer 4 filtering | Allow/Deny by protocol |
| Application Rules | Layer 7 filtering | Allow/Deny by FQDN |
| NAT Rules | Port translation | Inbound traffic redirect |

10. Network Watcher

Monitoring and diagnostic tool for network issues.

Key Capabilities

| Feature | Use |
|---|---|
| IP Flow Verify | Check whether a given flow to/from a VM is allowed, and by which NSG rule |
| Next Hop | Show the next hop (and the route that chose it) for a destination from a VM |
| Connection Monitor | Monitor connectivity over time |
| Packet Capture | Capture network traffic for analysis |
| Network Topology | Visualize resource relationships |

Enable Network Watcher

az network watcher configure \
  --resource-group myResourceGroup \
  --locations eastus westus \
  --enabled true

Common Network Architecture Patterns

Pattern 1: Simple Web Application

Internet
    ↓
Public Load Balancer
    ↓
Web Tier (Frontend Subnet)
    ↓
NSG (Allow 80, 443)
    ↓
Application Servers

Resources Needed:

  • 1 VNet with multiple subnets
  • 1 NSG for web tier
  • 1 Public Load Balancer
  • Multiple NICs for VMs

Pattern 2: N-Tier Enterprise Application

Internet
    ↓
Application Gateway
    ↓
Web Tier (10.0.1.0/24)
    ↓
App Tier (10.0.2.0/24)
    ↓
Database Tier (10.0.3.0/24)
    ↓
Azure SQL Database

Resources Needed:

  • 1 VNet with 3+ subnets
  • 3 NSGs (one per tier)
  • 1 Application Gateway
  • 1 Azure SQL Database

Pattern 3: Hybrid Cloud

On-Premises Network (192.168.0.0/16)
    ↓ (ExpressRoute or Site-to-Site VPN)
VPN Gateway
    ↓
Azure VNet (10.0.0.0/16)
    ↓
Azure Resources

Resources Needed:

  • 1 VNet
  • 1 VPN Gateway or ExpressRoute circuit
  • Local network gateway
  • VPN/ExpressRoute connection

Network Security Best Practices

1. Implement Defense-in-Depth

| Layer | Control | Example |
|---|---|---|
| Perimeter | DDoS Protection Standard | Azure DDoS Protection |
| Network | NSG rules | Allow only necessary ports |
| Application | Web Application Firewall | Application Gateway WAF |
| Data | Encryption in transit | TLS 1.2+ |

2. NSG Rule Best Practices

  • ✅ Use descriptive rule names
  • ✅ Limit source/destination ranges
  • ✅ Use service tags for Azure services
  • ✅ Review rules quarterly
  • ❌ Avoid overly permissive rules (source 0.0.0.0/0 or *)
  • ❌ Don't assign low priority numbers (which are evaluated first) without a clear purpose
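The checklist above is easy to automate. The following is an added Python example (not from the page and not Azure tooling) that audits inbound Allow rules for the two ❌ items: management ports or very wide port ranges open to any source, and undescriptive names. It reads JSON in the shape that `az network nsg rule list -o json` returns; the field names follow the ARM securityRules schema, and the embedded sample is constructed for the example, not captured output. The name heuristic and the 1000-port "wide range" threshold are this example's own assumptions.

```python
"""Audit NSG rules against the best-practice list (added example, constructed
sample data). Input is JSON shaped like `az network nsg rule list -o json`."""
import json
import re

ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}        # "Internet" is the service tag
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}
WIDE_RANGE = 1000                                  # assumed threshold for "too many ports"

# Constructed sample; field names mirror the ARM securityRules properties.
SAMPLE_RULES_JSON = """[
  {"name": "AllowHTTP", "priority": 100, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
   "destinationPortRange": "80", "destinationPortRanges": []},
  {"name": "rule2", "priority": 101, "direction": "Inbound", "access": "Allow",
   "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0", "sourceAddressPrefixes": [],
   "destinationPortRange": "3389", "destinationPortRanges": []},
  {"name": "AllowSSHFromAdmin", "priority": 200, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "sourceAddressPrefixes": [],
   "destinationPortRange": "22", "destinationPortRanges": []},
  {"name": "AllowAppInternet", "priority": 300, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": null, "sourceAddressPrefixes": ["Internet"],
   "destinationPortRange": null, "destinationPortRanges": ["8080", "1024-65535"]}
]"""


def _ranges(rule):
    """Destination ports as (low, high) tuples; '*' becomes the full range."""
    specs = rule.get("destinationPortRanges") or [rule.get("destinationPortRange") or "*"]
    out = []
    for spec in specs:
        if spec == "*":
            out.append((0, 65535))
        else:
            low, _, high = spec.partition("-")
            out.append((int(low), int(high or low)))
    return out


def _sources(rule):
    return set(rule.get("sourceAddressPrefixes") or []) | ({rule.get("sourceAddressPrefix")} - {None})


def audit(rules_json: str):
    """Return {rule_name: [findings]}; rules with no findings are omitted."""
    findings = {}
    for rule in json.loads(rules_json):
        notes = []
        # Heuristic (assumption): generic names like "rule2" or "test" are not descriptive.
        if re.fullmatch(r"(rule|test|new)?\d*", rule["name"], re.IGNORECASE):
            notes.append("name is not descriptive")
        if rule["direction"] == "Inbound" and rule["access"] == "Allow" and _sources(rule) & ANY_SOURCE:
            for low, high in _ranges(rule):
                exposed = [f"{p} ({n})" for p, n in MANAGEMENT_PORTS.items() if low <= p <= high]
                if exposed:
                    notes.append("management port(s) open to any source: " + ", ".join(exposed))
                if high - low + 1 > WIDE_RANGE:
                    notes.append(f"port range {low}-{high} open to any source")
            if rule["protocol"] == "*":
                notes.append("all protocols allowed from any source")
        if notes:
            findings[rule["name"]] = notes
    return findings


if __name__ == "__main__":
    import sys
    # Pipe real output in (az network nsg rule list -g <rg> --nsg-name <nsg> -o json)
    # or run without stdin to audit the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULES_JSON
    for name, notes in audit(data).items():
        print(name, "->", "; ".join(notes))
```

On the sample, AllowHTTP (port 80 from anywhere, a normal web rule) and AllowSSHFromAdmin (scoped to 203.0.113.0/24) pass; rule2 and AllowAppInternet are the ones that need attention, the latter because a 1024-65535 range silently includes RDP and WinRM.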

3. Network Segmentation

VNet (10.0.0.0/16)
├── Frontend Subnet (10.0.1.0/24) - Public access
├── Application Subnet (10.0.2.0/24) - Internal only
├── Database Subnet (10.0.3.0/24) - Highly restricted
└── Management Subnet (10.0.4.0/24) - Admin access
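A plan like this one (and the address space/subnet split from the VNet section earlier) is worth validating before it is applied, because a subnet outside the VNet range or one overlapping another is rejected by Azure only at deployment time. The following is an added Python example, not code from the page or from Azure, that checks the segmentation plan plus the GatewaySubnet and AzureFirewallSubnet created earlier on the page: every subnet inside the VNet, no overlaps, the /26 minimum Azure requires for AzureFirewallSubnet, and the five addresses Azure reserves in each subnet. Treating /27 as the floor for GatewaySubnet is this example's assumption, matching the page's own plan.

```python
"""Validate a subnet plan against its VNet address space (added example,
constructed plan). Uses only the standard library's ipaddress module."""
from ipaddress import ip_network

# Minimum prefix lengths for Azure's name-reserved subnets. AzureFirewallSubnet
# must be /26 or larger; /27 for GatewaySubnet is an assumption matching the
# page's plan (Azure's hard floor is /29, /27 is the recommended minimum).
MIN_PREFIX = {"AzureFirewallSubnet": 26, "GatewaySubnet": 27}
AZURE_RESERVED_PER_SUBNET = 5   # network address, 3 Azure-internal, broadcast

# The segmentation diagram above plus the two reserved subnets created earlier on the page.
PAGE_PLAN = {
    "Frontend": "10.0.1.0/24",
    "Application": "10.0.2.0/24",
    "Database": "10.0.3.0/24",
    "Management": "10.0.4.0/24",
    "AzureFirewallSubnet": "10.0.254.0/24",
    "GatewaySubnet": "10.0.255.0/27",
}


def validate_plan(vnet_cidr: str, subnets: dict):
    """Return a list of problems; an empty list means the plan is consistent."""
    vnet = ip_network(vnet_cidr)
    problems = []
    parsed = {}
    for name, cidr in subnets.items():
        net = ip_network(cidr)
        if not net.subnet_of(vnet):
            problems.append(f"{name} {cidr} is outside VNet {vnet_cidr}")
        floor = MIN_PREFIX.get(name)
        if floor is not None and net.prefixlen > floor:
            problems.append(f"{name} {cidr} is smaller than the /{floor} minimum")
        if net.num_addresses <= AZURE_RESERVED_PER_SUBNET:
            problems.append(f"{name} {cidr} has no usable addresses after Azure's reservations")
        parsed[name] = net
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                problems.append(f"{a} {parsed[a]} overlaps {b} {parsed[b]}")
    return problems


def usable_hosts(cidr: str) -> int:
    """Addresses left for resources after Azure's per-subnet reservations."""
    return max(ip_network(cidr).num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


if __name__ == "__main__":
    print(validate_plan("10.0.0.0/16", PAGE_PLAN))        # []
    for name, cidr in PAGE_PLAN.items():
        print(f"{name:20} {cidr:18} usable hosts: {usable_hosts(cidr)}")
```

The usable-host figure is the one that surprises people: a /27 GatewaySubnet leaves 27 addresses, not 30, and a /29 leaves only 3, which is why the larger sizes are recommended for subnets that may later need to host more gateway instances.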

Pricing Considerations

Network Resource Costs

| Resource | Pricing Model | Typical Cost |
|---|---|---|
| VNet | Per VNet + peering | $0.08/hour per peering |
| Public IP | Per IP (static) | $2.92/month per IP |
| NAT Gateway | Per hour | $0.045/hour |
| Load Balancer | Per LB + rules | $0.25/hour base |
| Application Gateway | Per capacity unit | Variable by SKU |
| VPN Gateway | Per hour | $0.36-1.61/hour |
| ExpressRoute | Per circuit | $0.30-10/day |
| Azure Firewall | Per hour | $1.25/hour |

Troubleshooting Common Issues

Issue: VMs cannot communicate across subnets

Solution:

  1. Check that the NSG rules (on both subnets or NICs) allow the communication
  2. Verify the route table rules
  3. Confirm the network interface is attached to the correct subnet

Issue: Cannot reach internet from VM

Solution:

  1. Verify the public IP or NAT gateway assignment
  2. Check the NSG outbound rules
  3. Verify the route table includes a 0.0.0.0/0 route

Issue: Intermittent connectivity issues

Solution:

  1. Use Network Watcher Connection Monitor
  2. Capture packets while the issue is occurring
  3. Check the load balancer health probes
  4. Review the Application Gateway backend health


Summary Table: When to Use Each Resource

| Resource | When to Use | Not Suitable For |
|---|---|---|
| VNet | All Azure resources | None (always needed) |
| NSG | Layer 4 filtering | Layer 7 filtering (use WAF) |
| Public IP | Internet-facing resources | Internal-only services |
| Load Balancer | Distributing traffic | Complex routing (use App Gateway) |
| App Gateway | URL/host-based routing | Simple round-robin (use LB) |
| VPN Gateway | Hybrid connectivity | Always-on private networks (use ExpressRoute) |
| ExpressRoute | High-speed private circuits | Temporary connectivity |
| Azure Firewall | Centralized filtering | Per-subnet filtering (use NSG) |
| Network Watcher | Diagnostics | Production monitoring (use Monitor) |

Additional Resources