azure:qnd:azure_networking

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
azure:qnd:azure_networking [2022/08/17 19:59] – [Routing] mguptonazure:qnd:azure_networking [2022/08/26 20:43] (current) – [Firewall] mgupton
Line 5: Line 5:
  
 ====== Routing ====== ====== Routing ======
-  * By default a virtual network gets a route for 0.0.0.0/0 that goes to the Internet and route for each address range for the VNet that goes to the VNet (to allow inter-subnet routing by default).+  * By [[https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#default|default]] a virtual network gets a route for 0.0.0.0/0 that goes to the Internet and route for each address range for the VNet that goes to the VNet (to allow inter-subnet routing by default)
 +      * If the destination is for a public IP for an Azure service it is routed over the Azure private backbone, not the public Internet. [[https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#default|Ref]]. I'm not sure I understanding this because I thought a Service Endpoint was required to make the traffic to a public endpoint go over the Azure backbone. 
 + 
 +> The system default route specifies the 0.0.0.0/0 address prefix. If you don't override Azure's default routes, Azure routes traffic for any address not specified by an address range within a virtual network, to the Internet, with one exception. If the destination address is for one of Azure's services, Azure routes the traffic directly to the service over Azure's backbone network, rather than routing the traffic to the Internet. Traffic between Azure services doesn't traverse the Internet, regardless of which Azure region the virtual network exists in, or which Azure region an instance of the Azure service is deployed in. You can override Azure's default system route for the 0.0.0.0/0 address prefix with a custom route.
  
   * The first NIC in a VM gets a default gateway automatically, but additional NICs must be explicitly configured with a default route, see this [[https://docs.microsoft.com/en-us/azure/virtual-machines/windows/multiple-nics#configure-guest-os-for-multiple-nics|documentation]]. #gotcha   * The first NIC in a VM gets a default gateway automatically, but additional NICs must be explicitly configured with a default route, see this [[https://docs.microsoft.com/en-us/azure/virtual-machines/windows/multiple-nics#configure-guest-os-for-multiple-nics|documentation]]. #gotcha
Line 18: Line 21:
   * [[https://docs.microsoft.com/en-us/azure/firewall/protect-windows-virtual-desktop]]   * [[https://docs.microsoft.com/en-us/azure/firewall/protect-windows-virtual-desktop]]
   * The default rules in a //Network Security Group// allow intra-subnet and intra-VNet traffic. It is generally recommended to add a higher priority rule to deny this traffic and then add specific rules for certain ports and protocols to allow access as needed.   * The default rules in a //Network Security Group// allow intra-subnet and intra-VNet traffic. It is generally recommended to add a higher priority rule to deny this traffic and then add specific rules for certain ports and protocols to allow access as needed.
-  * One option for network architecture is to make the default route for all subnets point to an Azure Firewall. This make the firewall the router for all intra-VNet and inter-VNet traffic.+  * One option for network architecture is to make the default route for all subnets point to an Azure Firewall. This makes the firewall the router/firewall for all intra-VNet and inter-VNet traffic. This can be accomplished by using the VNet supernet as the prefix for the route. This implements a form of micro-segmentation.
  
 ====== Application Gateway ====== ====== Application Gateway ======
  • azure/qnd/azure_networking.1660766377.txt.gz
  • Last modified: 2022/08/17 19:59
  • by mgupton