Introduction to Azure networking services

Welcome to Microsoft Azure Networking: The Definitive Guide. This book was developed to convey in-depth information about various Azure services that provide networking capabilities, as well as best practices based on real-life experiences using the product in different environments. The book is largely based on the versions of Azure networking services available during 2021 and early 2022, and takes into account the development work done on these services over the years. At that time, there were a few features and functionalities under preview. Because these features could change before becoming available to the general public, the most notable ones will be covered in subsequent iterations of this book, as they become available globally.

Who is this book for?

Microsoft Azure Networking: The Definitive Guide is for anyone interested in Azure infrastructure solutions—not just IT and cloud administrators, network professionals, security professionals, developers, and engineers, but the entire spectrum of Azure users. Whether you have basic experience using Azure or other on-premises or cloud virtualization technologies or you are an expert, you can still derive value from this book. It provides introductory, intermediate, and advanced coverage of each networking service.

The book especially targets those who work in medium to large enterprise organizations and have at least one year of experience in designing, administering, deploying, managing, monitoring, and migrating network infrastructure to services such as Azure virtual networks, Azure Firewall, Azure Web Application Firewall, and others that comprise the Azure network stack.

How is this book organized?

This book is organized into ten chapters:

Each chapter focuses on a specific Azure networking service, covering the inner workings of each one in depth, walking you through how to build and test the service, and offering real-world best practices to help you maximize your Azure investment.

The approach adopted for this book is a unique mix of didactic, narrative, and experiential instruction:

  • Didactic instruction covers the core introductions to the services.

  • Narrative instruction leverages what you already understand to help you bridge that knowledge with new concepts introduced in the book.

  • Experiential instruction takes into account real-world experiences and challenges facing small and large environments, as well as what factors to consider when designing and implementing workloads. Guided step-by-step walkthroughs show you how to configure each Azure networking service and its related features and options to gain all the benefits each service has to offer.

System requirements

This book is designed to be tested using an Azure subscription. Microsoft offers a 30-day, $200 USD trial subscription that you can use to test most services covered in this book. However, some services, such as dedicated hosts, cannot be used with a trial subscription. Testing and validating these services requires a paid subscription.

The following list details the minimum system requirements needed to use the content provided on the book’s companion website:

About the companion content

The companion content for this book can be downloaded from the following pages:

MicrosoftPressStore.com/AzureNetworkingTDG/downloads

or

https://github.com/avinashvaliramani/AzureNetworkingTDG

Errata, updates, & book support

We’ve made every effort to ensure the accuracy of this book and its companion content. You can access updates to this book—in the form of a list of submitted errata and their related corrections—at:

MicrosoftPressStore.com/AzureNetworkingTDG/errata

If you discover an error that is not already listed, please submit it to us at the same page.

For additional book support and information, please visit MicrosoftPressStore.com/Support.

Please note that product support for Microsoft software and hardware is not offered through the previous addresses. For help with Microsoft software or hardware, go to http://support.microsoft.com.

Stay in touch

Let’s keep the conversation going! We’re on Twitter: http://twitter.com/MicrosoftPress.

Overview

Over the years, Microsoft has introduced various services related to the Azure networking stack alongside the Azure compute services designed to leverage them. Microsoft has enhanced these services on a regular basis, making them more robust and resilient as well as easier to deploy and manage. The first of these services was Azure virtual machines (VMs). After that came additional platform as a service (PaaS) solutions like Azure App Service, Azure Container Service, Azure Functions, and Azure Virtual Desktop.

Following is a brief timeline of the announcement of each of these services in public preview:

  • Azure Traffic Manager Nov 2013

  • Azure VPN Gateways Dec 2014

  • Azure Load Balancer Sept 2015

  • Azure Firewall Nov 2015

  • Azure Application Gateway Sept 2016

  • Azure DNS Sept 2016

  • Azure Front Door April 2019

  • Azure Bastion Nov 2019

  • Azure Private Link Feb 2020

Over the years, each service has added new capabilities to Azure’s networking stack. These have provided customers with various networking-service options for use based on their application and security requirements.

Each service helps address different requirements in an organization’s application design and architecture, as well as its overall security requirements. Each chapter of this book covers a single service, enabling you to dive into each one to better understand how it works, and includes the associated best practices.

Each chapter initially focuses on factors to consider when selecting a particular networking service. Thereafter, it conveys in-depth concepts related to each service and the components that make up that service. This enables you to better understand how each service works. Once you have gained this understanding, you will focus on deployment considerations and strategies, with step-by-step walkthroughs of deployment methods, followed by best practices.

Cloud service categories

As in other books in this series, let us start by first presenting the various cloud-service categories. Currently, cloud services are broken down into four main categories: infrastructure as a service (IaaS), platform as a service (PaaS), function as a service (FaaS), and software as a service (SaaS). SaaS is not relevant to the content covered in this book series, so the following explanations relate to the first three categories:

  • Infrastructure as a service (IaaS) Using VMs with storage and networking is generally referred to as IaaS. This is a traditional approach to using cloud services in line with on-premises workloads. Most on-premises environments use virtualization technologies such as Hyper-V to virtualize Windows and Linux workloads. Migrating to IaaS from such an environment is a much easier first step than migrating to PaaS or FaaS. Over time, as an organization’s understanding of various other types of cloud services grows, it can migrate to PaaS or FaaS.

  • Platform as a service (PaaS) One of the biggest benefits of using a cloud service is the capability to offload the management of back-end infrastructure to the service provider. This model is called platform as a service (PaaS). Examples of back-end infrastructure include the various layers of an application, such as the compute layer, storage layer, networking layer, security layer, and monitoring layer. Organizations can use PaaS to free up their IT staff to focus on higher-level tasks and core organizational needs instead of on routine infrastructure monitoring, upgrade, and maintenance activities. Azure App Service and Azure Container Service are examples of Azure PaaS offerings.

  • Function as a service (FaaS) These offerings go one step beyond PaaS to enable organizations to focus only on their application code, leaving the entire back-end infrastructure deployment and management to the cloud service provider. This enables developers to deploy their code without worrying about back-end infrastructure deployment, scaling, and management. It also enables the use of microservices architectures for applications. An example of an Azure FaaS offering is Azure Functions.

In the Azure networking stack, the services largely fall under the PaaS category. For example:

  • Azure Firewall is a PaaS service that allows you to deploy a native firewall in Azure to protect both IaaS and PaaS workloads.

  • Azure Bastion is a PaaS service that gives you the ability to securely access IaaS VM workloads in Azure using a browser without exposing them directly to the internet.

Each of these cloud service categories has various features and limitations. Limitations might relate to the application, technological know-how, and costs for redevelopment, among others. As a result, most organizations use some combination of various types of cloud services to maximize their cloud investments.

Each service provides a different level of control and ease of management. For example:

  • IaaS provides maximum control and flexibility in migration and use.

  • FaaS provides maximum automation for workload deployment, management, and use.

  • PaaS provides a mix of both at varying levels, depending on the PaaS service used.

Each service also offers varying levels of scalability. For example:

  • IaaS requires the use of additional services to achieve true scalability and load balancing—for example, using Azure Load Balancer, a PaaS service, to balance requests across multiple Azure IaaS VMs.

  • PaaS and FaaS services are generally designed with built-in scalability and load-balancing features.

Cost-wise, each service provides varying levels of efficiency. For example:

  • FaaS offerings charge for compute based only on the usage hours for compute services, making it extremely cost-effective.

  • IaaS products charge for compute services regardless of usage once the compute service (for example, a VM) is online.

  • PaaS offerings are a mixed bag depending on how the service is configured. Some PaaS products charge for the service regardless of usage, while others, if configured correctly, charge based on usage. For example, Azure Bastion has a fixed monthly cost for the service, whereas Azure DNS is charged based on the number of hosted domains and the number of queries per month.

Service selection factors and strategies

There are certain factors to consider when selecting which Azure networking service would be ideal for a given environment, based on the application architecture, connectivity requirements, application security requirements, application delivery requirements, and other business needs. Some of these key factors, and the Azure networking services that best address them, are as follows:

  • Deliver applications securely The networking stack provides multiple services that you can leverage to securely deliver applications to your end users. These include Azure Front Door, Azure Traffic Manager, and Azure Load Balancer.

  • Protect application connectivity You can protect connectivity to the applications using services such as Azure Firewall, Azure Private Link, Azure Web Application Firewall, and Azure Load Balancer. You can use these services individually or in combination to provide higher levels of protection.

  • Provide connectivity to Azure and on-premises resources Services such as Azure virtual networks, Azure VPN Gateway, Azure vNET Peering, ExpressRoute, Azure Bastion, and Azure DNS provide you with different connectivity options to securely connect your Azure services to each other and to on-premises hosted services.

As you can see, there are multiple services for each factor. As you get more clarity on your requirements and a better understanding of each of these services, it will become clearer to you when each of these services should be used in your environment, as each one provides distinct capabilities.

Selecting the right load-balancing service

Certain network load-balancing services provide functionality that is similar or overlapping in nature, such as Azure Front Door, Azure Traffic Manager, Azure Load Balancer, and Azure Web Application Gateway. Let us take a moment to narrow down which of these load-balancing services might be best suited for your application. Figure I-1 offers a good starting point for identifying which service might best serve your requirements. While the diagram shown in the figure is not exhaustive, it can help you narrow down which services to focus on before making your final decision.

FIGURE I-1 Load-balancing service selection considerations.

Let us examine the flowchart shown in Figure I-1 in more detail.

  • Non-web application workloads The first factor you should consider is whether your workload is a web application published over HTTP/HTTPS. If not, then the Azure Load Balancer service might be best suited to handle your needs. If your application is hosted in multiple Azure regions with local redundancy in each region, a combination of Azure Traffic Manager and Azure Load Balancer might be best suited to meet those needs.

  • Web application workloads When it comes to web application workloads, you need to consider a few factors before you can identify the appropriate service:

    • Will the web app be accessible only internally? If it will only be accessible internally, then you can use the Azure Application Gateway service. If, however, the web app will be publicly accessible, then you’ll need to consider the following factors as well.

    • Will the web application be hosted in multiple Azure regions? If you plan to host the application in a single Azure region, then Azure Application Gateway might suffice (unless you need to accelerate application performance). If you will be hosting the web app in multiple Azure regions, then there are multiple Azure networking services that you can choose from, including Azure Front Door, Azure Application Gateway, Azure Load Balancer, or a combination of these. To better narrow down the appropriate option, let us continue further down the chain.

    • Will the multi-region public web application require SSL offloading or application request processing? If this is a requirement, then the Azure Front Door service might be most appropriate for your needs. If, however, you do not require SSL offloading or application request processing, then depending on the application hosting model (such as Azure Kubernetes Service, Azure App Service, Azure Functions, or Azure VMs), you can work with a combination of the Azure Front Door, Azure Application Gateway, and Azure Load Balancer services.

As you can see, different factors can affect your decision-making process. Moreover, these may evolve over time, as your application requirements evolve. You might start with an application hosted in a single region and over time move it to multiple regions for global scalability.

As you read this book, you will better understand how you can leverage these networking services as needed over time to meet your ongoing needs and business demands.

Conclusion

Now that you have an overview of the various Azure networking cloud offerings, let us dive deeper into each of the networking services. We’ll start with the network service that forms the backbone of most Azure deployments: Azure virtual networks.
