====== Azure Networking ======

====== Architecture ======

  * [[https://blog.ine.com/azure-practical-peer-to-peer-transitive-routing]]
  * [[https://www.itinsights.org/Azure-Networking-Hub-Spoke-with-NVA-and-Azure-Firewall/]]

====== Routing ======

  * By [[https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#default|default]] a virtual network gets a route for 0.0.0.0/0 that goes to the Internet and a route for each address range of the VNet that goes to the VNet (to allow inter-subnet routing by default).
  * If the destination is a public IP of an Azure service, it is routed over the Azure private backbone, not the public Internet. [[https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#default|Ref]]. I'm not sure I understand this because I thought a Service Endpoint was required to make the traffic to a public endpoint go over the Azure backbone.

> The system default route specifies the 0.0.0.0/0 address prefix. If you don't override Azure's default routes, Azure routes traffic for any address not specified by an address range within a virtual network, to the Internet, with one exception. If the destination address is for one of Azure's services, Azure routes the traffic directly to the service over Azure's backbone network, rather than routing the traffic to the Internet. Traffic between Azure services doesn't traverse the Internet, regardless of which Azure region the virtual network exists in, or which Azure region an instance of the Azure service is deployed in. You can override Azure's default system route for the 0.0.0.0/0 address prefix with a custom route.

  * The first NIC in a VM gets a default gateway automatically, but additional NICs must be explicitly configured with a default route; see this [[https://docs.microsoft.com/en-us/azure/virtual-machines/windows/multiple-nics#configure-guest-os-for-multiple-nics|documentation]].
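To make the default-route behaviour concrete, here is an added example (not code from this page or from Microsoft) that models how Azure selects the effective route for a destination: longest prefix match first, and on equal prefix length a user-defined route beats a BGP route, which beats a system route. It goes a little beyond the bullets above by also showing what happens when a user-defined route to a firewall is coarser than the VNet's system route. The VNet address space (10.1.0.0/16), the firewall private IP (10.1.255.4) and the destinations are constructed samples.

```python
"""Model of how Azure chooses the effective route for a packet leaving a NIC.

Added example, not code from the page or from Microsoft. It encodes the
selection rules from the UDR documentation linked above: longest prefix match
first; on equal prefix length a user-defined route beats a BGP route, which
beats a system route. Every address and next-hop IP below is a constructed sample.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str                        # CIDR address prefix
    next_hop_type: str                 # "VirtualNetwork", "Internet", "VirtualAppliance", "None"
    source: str                        # "User", "BGP" or "System"
    next_hop_ip: Optional[str] = None  # only meaningful for VirtualAppliance


SOURCE_RANK = {"User": 0, "BGP": 1, "System": 2}   # lower rank wins on equal prefix length

VNET_SPACE = ["10.1.0.0/16"]   # constructed: the VNet's address space (supernet of its subnets)
FIREWALL_IP = "10.1.255.4"     # constructed: private IP of the Azure Firewall in its own subnet


def system_routes(address_spaces: List[str]) -> List[Route]:
    """The default routes every subnet gets: one per VNet address range, plus 0.0.0.0/0 -> Internet."""
    routes = [Route(space, "VirtualNetwork", "System") for space in address_spaces]
    routes.append(Route("0.0.0.0/0", "Internet", "System"))
    return routes


def effective_route(destination: str, routes: List[Route]) -> Optional[Route]:
    """Pick the route Azure would apply to `destination`, or None if nothing matches."""
    dst = ip_address(destination)
    candidates = [r for r in routes if dst in ip_network(r.prefix)]
    if not candidates:
        return None
    # Longest prefix first; ties broken by route source (User > BGP > System).
    return min(candidates,
               key=lambda r: (-ip_network(r.prefix).prefixlen, SOURCE_RANK[r.source]))


def firewall_table() -> List[Route]:
    """Route table for a workload subnet that forces all traffic through the firewall.

    The UDR for the VNet address space has the same prefix length as the system
    VirtualNetwork route, so the User source wins the tie and intra-VNet traffic
    goes to the appliance; the 0.0.0.0/0 UDR overrides the Internet route the same way.
    """
    return system_routes(VNET_SPACE) + [
        Route("10.1.0.0/16", "VirtualAppliance", "User", FIREWALL_IP),
        Route("0.0.0.0/0", "VirtualAppliance", "User", FIREWALL_IP),
    ]


def coarse_supernet_table() -> List[Route]:
    """A UDR for 10.0.0.0/8 captures traffic to other VNets in that range, but it is
    less specific than the /16 system route, so intra-VNet traffic stays on VirtualNetwork."""
    return system_routes(VNET_SPACE) + [
        Route("10.0.0.0/8", "VirtualAppliance", "User", FIREWALL_IP),
    ]


def next_hop(destination: str, routes: List[Route]):
    """(next_hop_type, next_hop_ip) for a destination, convenient for checking."""
    r = effective_route(destination, routes)
    return (r.next_hop_type, r.next_hop_ip) if r else ("None", None)


if __name__ == "__main__":
    for label, table in [("system only", system_routes(VNET_SPACE)),
                         ("firewall UDRs", firewall_table()),
                         ("coarse /8 UDR", coarse_supernet_table())]:
        for dst in ("10.1.2.10", "10.2.0.5", "8.8.8.8"):
            print(f"{label:14} {dst:10} -> {next_hop(dst, table)}")
```

Running the script prints the next hop each table gives for an intra-VNet destination, a destination in another 10/8 VNet and a public address. The practical takeaway is the tie-break: to steer traffic inside the VNet through the firewall, the user-defined route has to be at least as specific as the VNet's own system route.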
#gotcha

====== Private Link ======

  * By default, Azure PaaS services are accessed through a public endpoint over the Internet. The //Private Link// functionality provides a way to access these services over the Azure network instead.
  * [[https://samcogan.com/service-endpoints-and-private-link-whats-the-difference/]]
  * [[https://docs.microsoft.com/en-us/azure/azure-sql/database/private-endpoint-overview]]
  * [[https://www.ciraltos.com/private-endpoints-and-dns-part-deux-azure-private-dns-zones/]], handling DNS with Private Link

====== Firewall ======

  * [[https://docs.microsoft.com/en-us/azure/firewall/protect-windows-virtual-desktop]]
  * The default rules in a //Network Security Group// allow intra-subnet and intra-VNet traffic. It is generally recommended to add a higher-priority rule (a lower priority number than the default rules) that denies this traffic, and then add specific rules for the ports and protocols that need to be allowed.
  * One option for the network architecture is to make the default route of every subnet point to an Azure Firewall, which makes the firewall the router/firewall for all intra-VNet and inter-VNet traffic. This is done with a user-defined route whose prefix is the VNet supernet (the VNet address space covering all of its subnets) and whose next hop is the firewall. This implements a form of micro-segmentation.

====== Application Gateway ======

  * [[https://docs.microsoft.com/en-us/azure/application-gateway/how-application-gateway-works]]

====== How-to ======

==== Copy Network Security Group ====

  * [[https://kpatnayakuni.com/2020/07/24/copy-nsg-security-rules-from-one-nsg-to-another/]]
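The Firewall section above recommends overriding the permissive NSG defaults with a deny rule followed by specific allows. The following added example (not code from this page, from Microsoft, or from the linked how-to) models how an NSG evaluates one inbound flow: rules are checked in ascending priority number, the first match decides, and the three default inbound rules (65000 AllowVnetInBound, 65001 AllowAzureLoadBalancerInBound, 65500 DenyAllInBound) sit behind every custom rule. It resolves the AzureLoadBalancer tag to Azure's documented health-probe source 168.63.129.16 and simplifies the VirtualNetwork tag to the VNet's own ranges (the real tag also covers peered VNets and on-premises ranges reachable through a gateway). The VNet range, the sample rule set and the source addresses are constructed.

```python
"""Model of Network Security Group rule evaluation for one inbound flow.

Added example, not the page's or Microsoft's code. Rules are matched in ascending
priority; the first match decides; the default inbound rules are appended last.
The VNet range, rule set and source addresses are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

VNET_SPACE = ["10.1.0.0/16"]      # constructed: simplified view of the 'VirtualNetwork' tag
AZURE_LB_PROBE = "168.63.129.16"  # Azure's documented load-balancer health-probe source


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # 100-4096 for custom rules; defaults use 65000+
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp", "Icmp" or "*"
    source: str         # service tag, CIDR, or "*"
    dest_port: str      # "*", "443" or a range such as "1024-65535"


# The default inbound rules Azure puts in every NSG. They cannot be removed,
# only shadowed by custom rules with a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# Constructed hardened rule set following the page's recommendation: deny the
# VirtualNetwork tag at a number below the defaults, then allow only what is needed.
HARDENED_INBOUND = [
    Rule("AllowHttpsFromWebTier", 100, "Allow", "Tcp", "10.1.1.0/24", "443"),
    Rule("AllowLoadBalancerProbes", 110, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyVnetInBound", 4000, "Deny", "*", "VirtualNetwork", "*"),
]


def source_matches(rule_source: str, src_ip: str) -> bool:
    """Resolve the rule's source (tag, CIDR or wildcard) against a concrete source IP."""
    ip = ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return any(ip in ip_network(n) for n in VNET_SPACE)
    if rule_source == "AzureLoadBalancer":
        return src_ip == AZURE_LB_PROBE
    return ip in ip_network(rule_source, strict=False)


def port_matches(rule_port: str, port: int) -> bool:
    """Match a single port against '*', a single port, or an inclusive 'lo-hi' range."""
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port


def evaluate(rules: List[Rule], src_ip: str, protocol: str, dest_port: int) -> Tuple[str, str]:
    """Return (access, rule name) of the first matching rule in priority order."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not source_matches(rule.source, src_ip) or not port_matches(rule.dest_port, dest_port):
            continue
        return rule.access, rule.name
    return "Deny", "implicit"   # unreachable in practice because DenyAllInBound matches everything


if __name__ == "__main__":
    flows = [("10.1.5.9", "Tcp", 3389), ("10.1.1.20", "Tcp", 443),
             (AZURE_LB_PROBE, "Tcp", 443), ("203.0.113.7", "Tcp", 443)]
    for src, proto, port in flows:
        print(f"{src:15} {proto} {port:5} defaults: {evaluate([], src, proto, port)}"
              f"  hardened: {evaluate(HARDENED_INBOUND, src, proto, port)}")
```

The first flow is the point of the page's recommendation: with only the default rules, RDP from any other subnet in the VNet is allowed by AllowVnetInBound, whereas the hardened set stops it at DenyVnetInBound while still letting the web tier reach 443 and the platform probes reach the VM.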