Azure Networking – Gaining the Azure Data Engineer Associate Certification
The networking capabilities in Azure are in most cases abstracted away from customers. The Azure network capabilities that link the Azure resources within a datacenter and between datacenters are owned, operated, and administered by Microsoft. However, there are some networking products and features that let customers use and configure virtual aspects of the Azure infrastructure to meet their specific requirements.
Virtual Networks
There are two scenarios you should visualize when you attempt to understand how VNets work on Azure. The first concerns IaaS, aka Azure VMs, which cannot be created without a VNet. In that case, consider that an Azure VM exists within the VNet. There are other products like Azure Data Lake Storage, Azure SQL, and Azure Cosmos DBs that can be created without a VNet and then integrated with a VNet later. This means that the product is not created within the VNet; rather it can be bound to it and use some of its features. When you create a product without connecting it to a VNet, in most cases it means the product has a globally discoverable endpoint—that is, a public IP. That is not a security issue because the endpoint is protected, but some companies simply want to have that endpoint private. Changing an endpoint from public to private can be accomplished by binding the product to a VNet, then using the features of the VNet to control access. The most important features are as follows:
- Routing
- Network security group
- Peering
- Azure private link/endpoint
- Service endpoints
- Service tags
Routing
Once a product is connected to a VNet, you can force all outbound traffic into the VNet. Then you can use a user‐defined route (UDR) to direct that traffic wherever you would like. This is often referred to as tunneling. For example, many companies have on‐premises software that tracks all outbound connections coming from within their networks. You can use forced tunneling via UDRs to route traffic from Azure into your local networks and then out to the Internet via your company’s network devices. Terms such as address prefix and next hop type are common in this context.
Network Security Group
A network security group (NSG) consists of numerous properties like protocol, action, direction, and port number. For example, if you wanted to allow only secured outbound Internet connectivity from machines within your VNet, you would create a rule that contains the properties shown in Table 1.8.
TABLE 1.8 NSG example

| Property | Value | Possible values |
| --- | --- | --- |
| Action | Allow | Allow or Deny |
| Port | 443 | 1 – 2^16 |
| Direction | Outbound | Inbound or Outbound |
| Protocol | HTTPS | TCP, UDP, HTTP, or Any |
It is also possible to allow or deny access based on the IP address of the machines. Classless Inter‐Domain Routing (CIDR) is used to identify a group of allowed or denied IP address ranges. CIDR looks something like 10.0.0.0/24.
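To make the Table 1.8 rule and the CIDR filtering concrete, here is an added example (not from the book or from Azure's own tooling) that models how an NSG evaluates a flow: rules are checked in ascending priority order and the first match decides. The rule set, names, and addresses are constructed; HTTPS on the wire is TCP port 443, so the table's HTTPS row is expressed as protocol TCP, port 443.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One NSG security rule (constructed model of the properties in Table 1.8)."""
    name: str
    priority: int      # lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "TCP", "UDP" or "Any"
    dest_ports: tuple  # (low, high), inclusive
    source: str        # CIDR such as "10.0.0.0/24", or "*" for any
    destination: str   # CIDR or "*"


def _cidr_match(cidr: str, addr: str) -> bool:
    """True when addr falls inside the CIDR block ("*" matches everything)."""
    return cidr == "*" or ip_address(addr) in ip_network(cidr, strict=False)


def _matches(rule: Rule, direction: str, protocol: str, port: int, src: str, dst: str) -> bool:
    return (rule.direction == direction
            and rule.protocol in ("Any", protocol)
            and rule.dest_ports[0] <= port <= rule.dest_ports[1]
            and _cidr_match(rule.source, src)
            and _cidr_match(rule.destination, dst))


def evaluate(rules, direction: str, protocol: str, port: int, src: str, dst: str):
    """Return (access, rule_name) of the first rule that matches, by priority."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule, direction, protocol, port, src, dst):
            return rule.access, rule.name
    return "Deny", "ImplicitDeny"  # constructed fallback when nothing matches


# Constructed rule set: the Table 1.8 rule (HTTPS outbound only, scoped to the
# 10.0.0.0/24 subnet) plus a low-priority catch-all deny for other outbound traffic.
RULES = [
    Rule("AllowHttpsOut", 100, "Outbound", "Allow", "TCP", (443, 443), "10.0.0.0/24", "*"),
    Rule("DenyAllOut", 4096, "Outbound", "Deny", "Any", (1, 65535), "*", "*"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "Outbound", "TCP", 443, "10.0.0.5", "203.0.113.10"))  # ('Allow', 'AllowHttpsOut')
    print(evaluate(RULES, "Outbound", "TCP", 80, "10.0.0.5", "203.0.113.10"))   # ('Deny', 'DenyAllOut')
    print(evaluate(RULES, "Outbound", "TCP", 443, "10.0.1.7", "203.0.113.10"))  # ('Deny', 'DenyAllOut')
```

The third call shows the CIDR check from the paragraph above: a source outside 10.0.0.0/24 is denied even on port 443.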