Azure - Networking
1. Foundational Virtual Networking
These are the core components for creating your own isolated, private network space within the Azure cloud.
- Azure Virtual Network (VNet): This is the fundamental building block for your private network in Azure. It allows you to provision a logically isolated section of the Azure cloud where you can launch your resources. You have full control over the IP address space, subnets, DNS settings, and route tables.
- Subnets, Route Tables, and Gateways:
  - Subnets: Allow you to segment your VNet into smaller, manageable address ranges, which you can then use to isolate resources (e.g., a public-facing web tier and a private database tier).
  - Route Tables: Define rules for how traffic is directed between your subnets, the internet, and your on-premises network.
  - NAT Gateway: Enables instances in a private subnet to connect to the internet for outbound traffic without being directly exposed to inbound connections.
2. Connectivity and Hybrid Networking
These services are designed to connect your VNets to each other and to your on-premises data centers.
- Azure VPN Gateway: A service that allows you to create a secure, encrypted connection (a VPN tunnel) from your on-premises network to your Azure VNet over the public internet. It's a quick and cost-effective way to establish a hybrid cloud environment.
- Azure ExpressRoute: Establishes a private, dedicated, high-throughput network connection between your on-premises data center and the Azure cloud. Unlike a VPN, this connection does not go over the public internet, offering higher reliability, lower latency, and greater security.
- Azure Virtual WAN: A managed networking service that simplifies large-scale network connectivity. It acts as a central "hub" that brings together your VPN connections, ExpressRoute circuits, and VNet-to-VNet connectivity, providing a unified and scalable hub-and-spoke architecture.
3. DNS, Content Delivery, and Global Routing
These services focus on routing users to your applications and delivering content with high performance and reliability.
- Azure DNS: A hosting service for DNS domains that provides name resolution using Microsoft's global infrastructure. It allows you to manage your DNS records for your Azure services and external resources.
- Azure Traffic Manager: A DNS-based traffic load balancer that distributes traffic to your public-facing applications across different global Azure regions. It uses DNS to direct clients to the most appropriate endpoint based on routing methods like performance (lowest latency), geographic location, or failover.
- Azure Front Door: A modern cloud Content Delivery Network (CDN) that provides a global, scalable entry point for your web applications. It combines Layer 7 (HTTP/S) global load balancing, CDN capabilities for caching content at the edge, and web application firewall (WAF) protection into a single, powerful service.
4. Load Balancing
These services distribute incoming traffic across multiple backend resources to ensure high availability and scalability.
- Azure Load Balancer: A high-performance, ultra-low-latency load balancer that operates at the transport layer (Layer 4). It distributes TCP and UDP traffic within a virtual network to your VMs or Virtual Machine Scale Sets. It's ideal for non-HTTP traffic.
- Azure Application Gateway: A managed web traffic load balancer that operates at the application layer (Layer 7). Because it understands the HTTP protocol, it can make intelligent routing decisions based on attributes of the HTTP request, such as the URL path or host headers. It also includes an integrated Web Application Firewall (WAF) to protect against common web exploits.
5. Network Security
These services are dedicated to protecting your Azure network and the resources within it.
- Network Security Groups (NSGs): The most fundamental network security tool. An NSG is a stateful firewall that allows you to filter network traffic to and from Azure resources in your VNet. You can create inbound and outbound rules based on source/destination IP, port, and protocol.
- Azure Firewall: A fully managed, cloud-native network firewall service. It provides more advanced threat protection than NSGs, including centralized policy creation, built-in high availability, and threat intelligence-based filtering. It's designed to protect all traffic flowing in and out of your virtual network.
- Azure DDoS Protection: A service that protects your Azure resources from Distributed Denial of Service (DDoS) attacks. The Basic tier is enabled by default for all Azure customers, while the Standard tier provides advanced mitigation capabilities, detailed attack analytics, and cost protection.
- Azure Private Link: Provides secure and private connectivity from your VNet to Azure PaaS services (like Azure Storage and SQL Database) or to your own services. It maps the service to a private endpoint in your VNet, ensuring that traffic never traverses the public internet.
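The NSG evaluation described under Network Security Groups can be checked mechanically. The following is an added example (not code from this page or from Azure) that models how an NSG decides an inbound flow: rules are tried in ascending priority order, the first match wins, and Azure's built-in default rules (priority 65000 and above) apply when no custom rule matches. Service-tag handling is simplified, and the rule names, address ranges and the sample rule set (including one deliberately over-permissive RDP rule) are constructed for illustration.

```python
"""Effective-action check for an Azure NSG inbound rule set (added example, not from the page): rules
run in ascending priority (custom 100-4096), first match wins, default rules (65000+) catch the rest."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number is evaluated first
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR, "*" or a service tag
    dest_port: str   # "22", "1000-2000" or "*"

DEFAULT_INBOUND = [  # Azure's built-in inbound rules
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

SAMPLE_RULES = [  # constructed sample; "AllowRdpFromAnywhere" is the deliberately weak rule
    Rule("AllowHttpsFromInternet", 100, "Allow", "Tcp", "Internet", "443"),
    Rule("AllowSshFromBastionSubnet", 110, "Allow", "Tcp", "10.0.250.0/24", "22"),
    Rule("AllowRdpFromAnywhere", 120, "Allow", "Tcp", "*", "3389"),
    Rule("DenyAllInternetInBound", 4000, "Deny", "*", "Internet", "*"),
]

def _source_matches(spec, ip, vnet):
    addr, net = ip_address(ip), ip_network(vnet)
    tags = {"*": True, "VirtualNetwork": addr in net,
            "Internet": addr not in net,                  # simplified: anything outside the VNet
            "AzureLoadBalancer": ip == "168.63.129.16"}   # Azure platform health-probe address
    return tags[spec] if spec in tags else addr in ip_network(spec)

def _port_matches(spec, port):
    lo, _, hi = spec.partition("-")
    return spec == "*" or int(lo) <= port <= int(hi or lo)

def evaluate(rules, src_ip, dst_port, protocol="Tcp", vnet="10.0.0.0/16"):
    """Return (access, rule_name) for an inbound flow: first match by priority wins."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol) and _source_matches(r.source, src_ip, vnet)
                and _port_matches(r.dest_port, dst_port)):
            return r.access, r.name
    return "Deny", "DenyAllInBound"

def internet_exposed_ports(rules, ports=(22, 3389), vnet="10.0.0.0/16"):
    """Management ports reachable from a public address (203.0.113.7 is in a documentation range)."""
    return [p for p in ports if evaluate(rules, "203.0.113.7", p, vnet=vnet)[0] == "Allow"]
```

Running `internet_exposed_ports(SAMPLE_RULES)` flags port 3389: the RDP rule at priority 120 matches before the explicit Internet deny at 4000, which is exactly the ordering mistake a review of NSG rules should catch.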