Links        3

Networking        3

Why do we need a network?        3

After Network        3

Led to the modern Internet        3

Caveat        3

Subnet for a solution        3

How subnet can be configured - Protocols        3

OSI Model        3

1. Application        3

2. Presentation        4

3. Session        4

4. Transport        4

5. Network        4

6. Datalink        5

7. Physical        5

IP        6

IP Address        6

TASK        7

Task: convert ip address from binary to decimal(whole number)        8

Public vs Private IP        8

TASK        8

Subnet Mask        9

Network IP/Subnet Mask        9

Network        9

Type of network        10

Subnet        10

Router        10

How to subnet        10

IP Classes        10

7 Steps to subnetting        11

Ways for subnetting        11

Easy way: 6th step excluded        11

Hard way: 6 steps        11

Example        11

Easy way        11

Hard way        12

Azure Networking Concepts        13

Networking Basics        13

Scenarios        13

Architecting VNets        14

Basic Understanding        14

TODO        14

Terminologies        14

Common Questions        14

Architect Components        15

Flow        15

Delivery        16

DNS        16

Azure Traffic Manager        17

Azure Front Door        18

Content Delivery Network        18

Security        19

Network Security Group - NSG        19

Application Security Group - ASG        20

Load Balancer        20

Application Gateway        20

Firewall        21

Connectivity        23

Routing        23

Service Endpoint        24

Private Endpoint        25

VNet peering        25

VPN & VPN Gateway        26

Types        26

2 types of Gateways        27

Architecture        29

Steps        30

Express Route        31

Virtual WAN        32

VNet Strategy        33

VNet/Subnet Strategy        33

Security Strategy        33

Performance Strategy        34

CALLOUTS        34

Architecting VPC in AWS        35



Why do we need a network?
After Network
Led to the modern Internet  

Subnet for a solution

How subnet can be configured - Protocols

OSI Model

  1. Application

        What: This is where the data has meaning and is read and interpreted by something

Protocols: HTTP, FTP, DNS

  1. Presentation

What: The syntax layer

  1. Session

What: this allows a computer to open a channel with another computer and keeps that channel open for more continuous communication until it’s closed

Example: this type of connection is more common with live streams such as video conferencing well data is sent continuously from server to client(this avoids the overhead of trying to do an open handshake, authentication and close for every piece of data)

Layer: sockets level

  1. Transport

What: add services on top of the network layer. ex:

  1. same order delivery: this ensures that packets are received in the same order in which they are sent
  2. this layer also adds reliability by adding acknowledgments to the communication to let other party know that the message was successfully received
  3. this layer responsible for ports which allows multiple devices to communicate with the same destination at the same time for different purposes

Protocol: TCP and UDP happen at this layer

Ports: it allows multiple messages to be sent to the same IP address intended for different receivers

  1. Network

What: this layer includes the message forwarding feature of networks where data packets are not intended for the device is directly connected to the network, but are to be passed on to the next network in the chain - a fundamental element that makes Internet resilient(withstand and recover quickly)

IP: the concept of IP addresses we can separate them into the network and host parts. This is where we understand how to route a message intended to that address.

Protocol: IP, ICMP, and IPSEC happen at this layer

  1. How to identify a specific computer in a network with
  1. IP Address
  2. Routing
  3. Subnet
  1. Datalink





  1. Physical




IP Address


5 classes - A, B, C, D, E

Class A, B, C is for

  1. Public: public website
  2. Private: corporate or home network

Class D is for multicasting

Class E is for Government or research

IP Address

Phone Number

(647) 765 - 5678

647 = area code

Rest Digits = Phone number

IP address 

EX: =used to talk to yourself = localhost

IP Address consist

  1. Network part (area code)
  1. Represents where you at
  1. Node or Host part (Phone number)
  1. Represent you located on that network


  1. Determine what class an IP belongs to
  2. Determine other numbers that come between 0 to 255

Class A

1/126 = 1st Octact = Network ID

Last 3 octacts = Node/Host ID

Class B

128/191 = 1st & 2nd Octact = Network ID

Last 2 octacts = Node/Host ID

Class C

192/223 = 1st, 2nd & 3rd Octact = Network ID

Last 1 octacts = Node/Host ID

Task: convert ip address from binary to decimal(whole number)

Public vs Private IP

We as an individual were never meant to be on the internet.

IP address was designed to be for Government, Schools, and Businesses and not for individual

After 1920 Internet was created and opened to the public

And we as an individual were able to get on the internet

IP address has to be unique and since we open to the public we were running out of the IP Addresses

To avoid this, we set aside some numbers as a private number


What IP addresses have been set aside for private use?

Class A - = private address

Last 3 octacts = Node/Host ID

Class B - = private address

Last 2 octacts = Node/Host ID

Class C - = private address

Last 1 octacts = Node/Host ID

Subnet Mask

IP address

Subnet mask

Network IP/Subnet Mask

Network id =

Subnet mask = /24  = refers to the number of bits in the subnet mask


Network connects the devices(nodes)

Devices share information

To share info, they must speak the same language

This language is called protocol

Protocol: protocols are a way to format data.


Type of network

  1. LAN - devices in Local Area Network
  1. SOHO: small office work office
  1. Contains devices —> switch —> router —> internet
  2. Everything is inside 1 device
  1. WAN - Wide area network, offices in different countries  
  1. Enterprise Network



How to subnet

Idea is to subnetting your network by identifying how many networks do you want

IP Classes



Used for

Class A:  to

Private IP address

Class B: to

Private IP address

Class C: to

Private IP address

7 Steps to subnetting

  1. Identify the class - A,B,C
  2. Identify network and node Id
  3. Apply default subnet mask
  1. For class A place 255 for network ID, rest is 0 = 255.0.0.
  2. For class B repeat the above process =
  3. For class C repeat =
  1. Convert subnet mast to binary
  2. Use 2n-2 to determine custom subnet mask
  1. Your subnet mask will start with binary 1’s, and it must be continuous until they stopped
  1. Determine LSB(least significant bit)-IT, Gives you 1st subnet and range

Ways for subnetting

Easy way: 6th step excluded
  1. Has a CIDR Notation. Ex:
  1. /20 tells you how many 1’s are in your custom subnet mask
  1. The number, at last, is your custom subnet mask
  2. It represents how many binary 1’s you are going to have in your subnet mask
  3. TCP/IP Rule:
  1. Your subnet mask will start with binary 1’s, and it must be continuous until they stopped
  2. So in our example 1st 20 of the bits are binary 1’s and last 12 will be 0’s (because IP Has 32 bits)
Hard way: 6 steps


Easy way


11111111. 11111111. 11110000. 00000000 // because 1st 20 are 1’s

Convert into decimal

Example -2 Easy way

11111111. 11111111. 11111111. 00000000

Convert into decimal

Network portion = 24(255,255,255=8+8+8)

Host portion = 8 (32-24)  = 256 IP address

Take away

Hard way

TASK: 11 networks is needed


  1. Class B
  2. 172.16 | 0.0. // identify network and node Id
  3. // Apply default subnet mask
  4. 11111111. 11111111. 00000000. 00000000 // Convert subnet mast to binary

Question is we need 11 network

Rule: 2n-2 >= 11

n = 4, 16-2 = 14 >=11 // you’ll get 3 more networks to play with

Take n = 4 and place it in your host node where all the 1’s stays continues (see the rule)

  1. 11111111. 11111111. 11110000. 00000000

Customize your subnet mask

Convert binary into decimal

11110000 = calculate 1st 1’s into decimal = it’s 240

Converting binaries to decimal =

  1. Determine LSB


  1. subnet(make slices)
  1. Subnet range

In our example 11110000 = least significant number is 16 (128,64,32,16,8,4,2,1 // 11110000) // least number is 16 // 1st subnet // range of the first subnet

Next subnet // 2nd subnet // range of the first subnet

Azure Networking Concepts

Networking Basics

  1. With TCP protocol, 2 VMs talks to each other by sending a series of messages called packets containing data over network
  2. When you try to go to any website,, your request in packets goes through different/multiple networks called Hops. And Responses also get back through multiple networks
  1. You can see your ISP and LinkedIn’s internal network provided a few times if you trace network details
  2. Connectivity is accomplished by modems, routers, hubs, and optical cables.

Firewall Types

  1.  Network security group - basic
  2.  Web application firewall (WAF)- industry standard
  1.  Application gateway(layer 7 LB) comes with WAF
  2. The azure front door comes with WAF
  1.  Azure firewall - managed service




  1. NSG: if your local device on the internet wants to communicate to an Azure VM hosted in a private virtual network, then you need to configure explicit rules in your security group to allow that kind of traffic to come in
  2. VPN: how can you securely connect your office location to the device on Azure Network?
  1. Point-to-site VPN(computer to Azure network)
  1. Site-to-Site VPN(IT office network to Azure network)

Architecting VNets

Basic Understanding


1. Determine IP CIDR

2. Subnetting requirements

3. Connectivity needs

    1. What type of connectivity is needed: internet, resources to resources, resources to service

  1. VNet
  1. DHCP server
  1. Subnet
  2. Network interface card - NIC: IP configuration  
  1. What: Decide/set whether you want public or private connectivity with your resource that is attached to NIC
  2. Ex: if you want your VM to be accessible via public internet, then you use NIC and associate Public IP in NIC, NIC is attached to VM. that’s how you can connect to your VM through public internet
  1. Caviet: you will need to attach NSG with NIC to allow inbound traffic  
  1. Network security group - NSG
  2. Peering
  3. Network gateway
  1. AZ spanned
Common Questions

What happens when you create a resource in VNet

  1.  Network interface Card(NIC) gets created/installed with your resources  
  1. What: where you can see all the resources VNet details:
  1. which subnet it belongs to, what’s it IP address
  2. Assign static IP - You can also assign a specific IP address to the resources
  1. By default intra network traffic (private: subnet to subnet inside Vnet) and outbound traffic(communicate to the internet) are allowed
  2. Private IP: By default, resources created in this VNet/Subnet gets private IP and they are able to communicate with resources with the same Vnet
  3. Public IP: resources to talk to the internet
  1. Basic SKU type: accessible by default and require NSG to restrict traffic, no Zonal supper
  2. Standard SKU: dynamically assigned IP, not accessible by default. require NSG to allow traffic

Architect Components  

What happens when you have VNet

  1. VNet
  1. Security
  1. Bastion host
  2. DDoS protection standard
  3. Firewall
  1. Subnetting 
  1. 5 IPs are reserved
  2. x.x.x.0-3 and x.x.x.255(last octate)
  1. Private networking: Resources you put inside VNet(ex: VM) gets a private IP address.
  1. How: served out from DHCP server, which is built in to VNet
  1. Public networking: VNet supports public IP addressing(IPV4 IPV6) so that resources can have public connectivity
  1.  Say explicitly whether you want to assign a Public IP to your resource
  1. Peering: the connection between VNet to VNet
  1. Peering in the same region and global region
  1. Network gateway(device): Azure VNet uses Network gateway(device) in gateway subnets to make VPN connection
  2. Monitoring: view logs of VNet to see where resources are in VNet
  3. Security: through firewall
  1.  NSG at Subnet and NIC level
  2. Firewall
  1. Web application firewall with application gateway(layer 7 LB)
  2. Azure front door
  1. Managed firewall  
  1. Create Vnet with multiple subnets (depending upon your application component)
  1. Ex: Web server subnet, App server subnet, DB server, backup server
  1. Each subnet has its own NSG - security settings
  2. Create/Place resources in a subnet.
  1. Each resource you put into the subnet will get private IP within that subnet CIDR range
  2. How: resources are added to the subnet through NIC(installed in them)
  1. Resources can have multiple NICs to connect multiple subnets at the same time
  1. NIC also supports NSG - acting as a firewall(same as subnet NSG) - so you get 2 layers of NSG (1 at subnet and 1 as NIC)
  2. 2 NSG at both of these layers is not recommended because of complexity and troubleshooting reasons
  1. NSG: the starting point of security. Use advanced features along with NSG
  1. When you create VNet with a subnet, NSG has 3 default inbound traffic rules
  1. AllowVnetInBound: traffic between computers running on the same network or connected networks is allowed: Vnet peering and VPN traffic
  2. AllowAzureLoadBalancerInBound: This is traffic from the load balancer. For example, from health probe is allowed
  3. DenyAllInBound: all other traffic is denied
  1. rules are evaluated in order. From the lowest priority number to the highest. The first rule to match the traffic is the rule that wins
  2. create custom rules with high priority to override the default rule effectively. because the default rule can’t be removed but rather overridden
  3. rule example: Port80, 443, 3389, 22




  1. A web browser using a domain name wants to connect to a Web server
  1. Domain name has no clue on where this Web server is located, nor the path required to get there
  2. Task: find the domain name’s IP so that user can reach to it’s web server
  1. so the first step of connecting to the web server is to look up the domain name in the domain name system DNS
  1. The global domain name system DNS will return an IP address to the browser for that domain name
  1. from that point on the browser will use the IP address to connect to the server
  1. it will cache the address for a limited period of time so doesn’t have to look it up all the time
  1. Web brower → Domain name → DNS(will return IP of the server to web browser) → Web server

Azure DNS


What: Is a managed domain name hosting service inside Azure

Type of DNS zone

  1. Public:  accessible on your public internet
  2. Private: accessible on your private network 

Type of DNS Records

  1. A records: The IP address associated with the domain.
  1. This is the one that primarily translate a domain name into its IP address.
  2. Record set: you can assign same website map to different IPs. ex: Indian and US version of website
  3. Alias record: map Resource instead of IP. ex: Map domain name with dynamic Azure VM. so we don;t have to update IP regularly
  1. CNAME record: is used to indicate when one host or a subdomain is an alias for another
  2. MX record: The server that handles email


  1. Say you have domain name bought from AWS
  2. In Azure, create DNS zone
  1. Name:
  1. See the info on your name server(4 entries) and DNS zone with name server records and SOA record
  2. Take and add the name server(4 entries) to your AWS registrar for your domain
  3. Add record set to attach your domain to your Azure VM
  1. Name:
  2. Type: alias record
Azure Traffic Manager


  1. Avoid Region level failure
  1. If you have everything setup(LB, VMs) setup in one region, it can cause failure if the entire region is down
  1. ATM: Load balancing happens at global scale - global region
  1. Operates at DNS level
  2. Intelligent DNS server
  1. It’s not the true load balancer


  1. You have solution running on multi region with one domain name
  1. Have servers running in multi region for the same website
  1. So users will connected to server close to them with the fastest response time
  2. This is done through reverse IP lookup. It knows you are requesting answer from Asia, US. so it will tell your browser to go the solution that performance best for you


  1. Perform failover  
  1. If one region is down then another region will serve your traffic
Azure Front Door


  1. actual layer 7 load balancing between region
  1. Azure traffic manager is not load balancing solution at a global level, AFD is
  1. True load balancer:  provides more robust load, balancing service at a global level
  2. AFD is a scalable and secure entry point for fast delivery of your global applications.


  1. They provide performance benefits by having the service placed at edge locations closer to users.
  2. It provides global scale, layer 7  load, balancing similar to the application gateway. allowing you to distribute traffic to different region intelligently based on the domain name and the path information
  1. Ex: /en traffic goes to certain region, /fr traffic goes to certain region
  1. Also support caching just like CDN


  1. Provide WAF and DDoS protection

Practical Usage 

  1. Your solution hosted in multipl region. One acting as a active, other is standby
  2. If one fails, standby becomes active


Azure Traffic Manager

Azure Front Door

Avoid region failure

Avoid region failure

Requires your solution to run in multiple region at the same time

Requires your solution run in one region. If that region fails, it failover to another region

Operates at DNS level

Layer 7 LB

Content Delivery Network



  1. is a service that can reduce the number of files that your Web server needs to serve to any client and can also improve the performance perceived by your end user


  1. Akamai
  2. Verizon
  3. Microsoft CDN


  1. It has edge location servers all around the globe
  2. store your static files on dozens of edge servers around the world
  3. when end-user request to file, the file is served from those servers and not actual server
  4. The actual server will see drastically fewer request overall

Azure Front Door

Content Delivery Network

Requires your solution run in one region. If that region fails, it failover to another region

It doesn’t require you to have solution deployed in multi-region

Layer 7 LB

Its a caching mechanism using edge servers


Network Security Group - NSG


  1. The starting point of security. Use advanced features along with NSG
  2. Controls traffic flowing through a VNet/Subnet, secure the routing pathways
  3. Create rules that’d define what is allowed/denied
  1. When you create VNet with a subnet, NSG has 3 default inbound traffic rules
  1. AllowVnetInBound: traffic between computers running on the same network or connected networks is allowed: Vnet peering and VPN traffic
  2. AllowAzureLoadBalancerInBound: This is traffic from the load balancer. For example, from health probe is allowed
  3. DenyAllInBound: all other traffic is denied
  1. Rules are evaluated in order. From the lowest priority number to the highest. The first rule to match the traffic is the rule that wins
  2. Create custom rules with high priority to override the default rule effectively. Because the default rule can’t be removed but rather overridden
  3. Rule example: Port80, 443, 3389, 22
  1. NSG is stateful, if you create an inbound rule for traffic, the outbound rule gets created automatically.

How: associate with a subnet or NIC


Application Security Group - ASG

What: Allows you to define certain ranges of IP addresses into certain categories in labels so you can group related resources together


Load Balancer

What: layer 4 LB(transport layer) - so it only understands IP, ports, and networking at the level. It doesn’t understand internet URL


Application Gateway

What: Layer 7 LB(application layer)


AG integrates with Azure monitor


What: create a firewall with routing rules.

Diagram: request comes to the firewall and then redirects to the respective server based on the routing rule you setup



Task: route traffic to VM using firewall  



  1.  Create VNet with default subnet
  2.  Create firewall subnet
  3.  Create firewall into its subnet: this will create firewall IP
  4.  Create a route table: to define route rules
  5.  Create a route: route all traffic to firewall IP
  1. Route name and address:, next hope type, hope add: firewall private IP
  1.  Associate route table with subnet
  2.  In firewall configure firewall rule
  1.  rules: NAT rules
  1. Configure it route traffic to VM
  2. Rule ex: allow RDP to firewall, which then translated to VM public IP // access RDP to VM via firewall



What: path for connectivity(for traffic)

  1. Traffic scenarios  
  1. Resources to Resources within same Vnet
  2. Resources to Resources with peer VNet
  3. Traffic with Internet
  4. Traffic with on-prem Network
  1.  Type of route
  1. System route: default route built in to VNet, can’t modify
  2. Custom route: override system route,  
  1. User defined route: firewall  
  2. Broader gateway protocol(BGP): hybrid and Vnet peering
  3. Flow of overriding: Custom > BGP > System


  1. You want to direct specific traffic to specific endpoints instead of default through route table


  1. Block outbound internet traffic
  1. Why: because by-default in NIC’s effective route for system routes allows public connectivity via outbound traffic to internet - so there’s a need to block outbound internet traffic via route table
  2. With system round you have outbound internet access via a route, but with custom route block ththe outbound traffic
  3. How: give outbound traffic, next hop to none // cancel out that route
  1. User define route - firewall example
  1. If we want to route outbound internet traffic through firewall only
  2. How: give outbound traffic, next hop to firewall
  1. BGP route for integrated network - peering, VPN
  1. In VNet peering or hybrid scenario(on-prem to vnet), set up route between these network, override system route we have in VNet

Example Demo

  1. Block outbound internet connection
  1. Create route table
  2. Inside routes, add route
  1. Name
  2. Address prefix: destine traffic:
  3. Next hop type: None - kill the traffic
  1. Inside subnet, associate this route to your subnet  


  1. Rule: Any traffic destines to range of IP address(can use any IP address) send them to followings
  1. VNet gateway
  2. VNet
  3. Internet
  4. Virtual appliances // firewall
  5. None: kill the traffic  
  1. Associate rule to your NSG/subnet       

Example - block internet access

Service Endpoint




  1. When you want to access service privately. Ex: Storage account file share


  1. Inside your subnet, create service endpoint(can also create service endpoint policy - for specific storage account) specifically for this subnet -
  2. See the service endpoint blade under subnet setting.
  3. So any connected devices connected to subnet has a route that allows private connectivity from subnet to storage through microsoft backbone


  1. Secure storage account access from internet traffic

Private Endpoint

What: using Azure private link, you can connect your services as connected resources in your network with a private IP known as a private and point


  1. NIC inside your VNet, act as the private IP that is going to provide the connection for private connectivity over an IP to that service so that we can access that service inside of a virtual network via that private IP


Task: Create private endpoint for Azure file inside VNet

  1. In Azure, create private link
  1. Resource type:
  2. Resource: your storage account
  3. Target sub resource: azure file on your storage account


  1.  if you have a NSG enabled for the subnet above it, it will be disabled for private and points on this subnet only. other resources on the subnet will still have NSG enforcement
VNet peering


  1. Say you have multiple VNets and resources inside these VNets need to be able to communicate.
  2. By-default these VNets are isolated and thus can’t communicate

What: Connection bw VNet to VNent in Azure


  1. Under Vnet1, settings → peering
  2. Add peering
  1. Link name: VNet1toVNet2
  2. Peering link name: VNet2toVnet1
  3. VNet: VNet2
  1. Repeat step 1,2 in the VNe3 (conneting to VNet2)

Design: Hub and Spoke Topology

How: This has 1 VNet in the middle and all of the satellite VNet connect to it

VPN & VPN Gateway

What: Connection bw Azure VNet to On-prem network over public internet

Practical Example: connect your home device/entire office network to Azure network so that you can have access to Azure resources  

How in Practical:

  1. It creates the encrypted channel between single machine/network and another network
  2. Access resources protected behind the firewall
  3. You have to install special software on your home computer or use reconfigured work laptop to connect to your office files from home. This happens over a VPN.


  1. Create Gateway subnet required in VNet // small subnet that only contains the gateway device
  2. Add VNet Gateway device(in Azure, in Gateway Subnet) for VPN gateway // VNet gateway establish VPN gateway
  1. VNet gateway is the device that connects to the network on the Azure side and also performs the encryption and decryption of the traffic between it and the device connected to it on the other side
  1.  Public IP per VNet gateway // because it’s internet connection
  2.  IPSec tunnel for encryption
  1. Point-to-site VPN(computer to Azure network)

  1. Site-to-Site VPN(IT office network to Azure network)

2 types of Gateways
  1. Static routing - policy based
  1. old style of VPN routing: fixed routing table
  2. you have a router table that has hard-to-find IP addresses that tell traffic where to go.
  3. so for a particular range of IP addresses, send traffic over this VPN connection to the other side
  1. Dynamic routing - route based
  1. BGP: It allows 2 gateway devices to exchange information with each other
  2. each device tells the other what network ranges it supports. So device A tells device B that it wants traffic from this range so that device B Will send it that traffic.
  3. no table contains a static list of addresses.

VPN Availability

  1. Redundant connection: if the connection between your office network, and Azure network fails, this will act as a single point of failure. So networks can’t talk to each other
  1. Azure gives two connections between the two devices. So if one connection fails, you could have it fall over to the other. few seconds of downtime at the time of failover happens
  1. Multiple Device support: if the gateway device itself failed in your office network
  1. you can have multiple VPN gateway device at your office network connecting to the same VNet gateway in Azure

  1. Active-Active configuration: 

  1. Dual redundancy Active-Active

  1.  Setup VPN gateway

  1. Create a gateway subnet in Azure
  2. Create HQ local network gateway in Azure
  1. Create with the configuration details of the connection we have with on-prem network
  1. Setup VNet gateway in gateway subnet
  1. This will allows to communicate
  1. Create a connection from VNet gateway to HQ local network gateway 

  1. Create gateway subnet in on-prem
  2. Create azure side local network gateway in on-prem
  3. HQ side VNet gateway
  4. Create connection from VNet gateway to Azure local network gateway


Both the steps must be performed for both network

  1.  Create VNet gateway on Azure
  1. Gteway Type: VPN
  2. VPN Type: route-based // dynamic incase your VM increases
  1.  Create gateway subnet
  1.  Create public IP address
  1. Create local network gateway
  1. Need public IP of VNet gateway created in the above step
  2. Create local network gateway
  1. IP address: provide VNG IP
  2. Address space: Azure VNet IP CIDR
  1.  Create connection bw local network gateway and VNet gateway
  1.  In the VNet gateway, create connection
  2.  setting —> Connection
  3. Add connection
  1. type: site to site  
  2. Shared key: key has to be the same on both side

Test: ping VM from VNet 1 to VNet 2 as a part of VPN

Express Route

What: make direct physical connectoon into Azure resources



Virtual WAN

What: allows single operational interface to be able to manage hub and spoke style network



  1. Basic
  1. Transitive connection not allowed
  2. S2S VPN connection only
  1. Standard 
  1. Transitive connection allowed
  2. S2S,P2S, ExpressRoute, VNet to Vnet connection

Task: Create Virtual WAN, Virtual Hub to configure S2S,P2S, ExpressRoute, VNet to Vnet connection for that Virtual WAN through single operational interface

  1. Create virtual WAN // single operational interface to manage fully mash network(manage hubs that manages VNets inside region, for this region you can configure S2S,P2S, ExpressRoute)
  1. Type: standard
  1. Create hub // for specific region
  1. Basics
  1. Name
  2. Private address
  1. S2S
  2. P2S
  3. ExpressRoute
  4. Create hub


VNet Strategy

VNet/Subnet Strategy
  1. Good naming policy
  1. Ex: ProjectName-Env-Component-Resource = tiffintouch-dev-root-vnet
  1. Tag your resources
  1. Useful for internal reports and billing
  1. In what region you’re going to deploy VNet
  1. Resources should be place inside Vnet region
  1. Design VNet and Subnet
  1. Don’t overlap VNet/subnet address with any other VNet/subnet in the same/diffrent subscription
  1. Separate layer of your application within subnet
  1. Web server can live on their own subnet
  2. Mid tier and Application tier has their won subnet
  3. Database tier has their own
  1. Leave room for IP address for the future
  1. Ex: VPN, virtual node, express route need their own subnet
  1. Which device need public address
  1. Ex: if the internet traffic to your azure resources(VMs) would only go for administrative purposes, Use Bastion or VPN to protect access
  1. Does this network need to directly communicate with any other network using peering
  1. They can’t communicate when you have overlapping IP addresses - this is non-issue if the both the VNet is under the same subscription - because azure deosn’t allow creating 2 VNet with overlapping IP address
  2. If the networks with same IP address in separate subscription can’t talk to each other
Security Strategy
  1. Create small set of NSGs
  1. Reuse the same NSG instead of creating new one for every network
  2. Use application security group - ASG as simplifying your NSG
  1. Limit the people who can create VNet resources - principal of least previlege
  2. Use subnet to separate your application into logical security zones
  1. Subnet for web server and sql kept separately along with their own NSGs
  1. Use Azure AD conditional access to add additional layer of security
  2. Just in time access
  1. So that ports are closed, except when someone is actively using for legit purpose
  2. Disable RDP and SSH access to resources, except for specific purposes
  1. Use temporary permission tool instead of admin privilege, when people need elevated privileges to perform authorized task
  1. Use Azure AD conditional access and PIM(privileg idenityt mananegment) so that those permission are removed after a short time
  1. Use tool for the job
  1. Load balancer
  2. application gateway for WAF
  3. Azure firewall
  4. Third party azure appliances
  1. Reduce the size of the attack surface
  1. Don’t leave ports open
  2. Disable program and services from running that you don’t need
  3. remove executable code from your web service like disabled WordPress plug-ins
  4. use virtual network, service endpoints to cut off public access to App service, storage and SQL databases
  5. use network routing to ensure traffic can only travel to, and from your corporate network, or a VPN and block direct access to the Internet
  1. consider DDoS protection if you are a potential target
  1. if your user can’t access your application because it’s too busy, that might not be a direct security threat but it’s a form of an attack - basic DDoS protection is provided free by Azure to protect against Denial of service attack
Performance Strategy
  1. Choose the VM with the right configuration you need
  1. Depending on the instance type you choose, more NIC cards generally correlates with an increase in the upper limits of performance speed.


  1.  VNet with private IP Address
  1. Span within region and RG
  1.  Subnet with segregation of VNet
  1. Span within region and RG
  1.  VM NIC - Network Interface card
  1. VM is connected to NIC —> NIC is then connected to subnet
  1. Place/connect NIC in the subnet —> subnet pass IP to NIC —> which is then attached to VM
  1. flow: Subnet —> NIC —> VM
  2. VM can have multiple NIC. These NIC’s can connect to different subnet // both subnet can be part of the same VNet

  1.  Private IP: gets from subnet private IP. Can assign static IP if you want, by default it’s dynamic.  
  1. why: Used to communicate bw resources privately over VNet
  1. Public IP: you don’t need Public IP for NIC. But you can get/create one and attach to
  1.  Why: used to communicate bw internet traffic to your Azure resources(VM)
  2. ow: modify IP config in NIC for VM so that it has public IP
  1. 2 types are public IP.
  1. Basic: insecure and accessible by default, and allow traffic. Require NSG to deny traffic
  2. Standard:  secure by default and not accessible by default. Require NSG to allow traffic
  1.  what: Provides public connectivity for resources. Can connect to resource via internet  
  2.  Example flow: create standard public IP —> Create NIC —> configure Public IP in NIC —> Create VM with NIC —> SSH to VM with public IP // can’t make connection  

Architecting VPC in AWS

  1. Decide how many IP address do you want
  2. Choose your CIDR
  3. Choose how many subnets do you want and allocate your network IP address into Subnet
  1. You may want your Database, Application, Web servers into different subnets and want the to have different access level

Technical Key Points

  1. You have your network, breaking down into subnets, and you place your resources into subnet
  2. Router allows all the traffic routing between all of your different subnets

Important things

  1. Connect your home network to VPC with Private IP (No internet involved)
  1. How?: via a virtual private gateway 
  1. Connect your VPC networks with one another with VPC Peering (No internet involved)