Available at Leanpub and Amazon
About This Book
A modern application typically comprises several modules, each assigned specific roles and responsibilities within the system. Application architecture governs the interactions and communications between these modules and users. One prevalent architecture is the three-tier architecture, encompassing the Presentation, Application, and Data tiers. This book explains how you can build a secure and scalable networking environment for your applications running in Microsoft Azure. Besides a basic introduction to Microsoft Azure, the book explains various solutions from the perspectives of Virtual Machine Internet access, connectivity, security, and scalability.
Azure Basics: You will learn the hierarchy of Microsoft Azure datacenters, i.e., how a group of physical datacenters forms an Availability Zone within an Azure Region. You will also learn how to create a Virtual Network (VNet), divide it into subnets, and deploy Virtual Machines (VMs), and how a subnet in Azure differs from a subnet in a traditional network.
Internet Access: Depending on the role of the application, VMs have different Internet access requirements. Typically, front-end VMs in the presentation tier/DMZ are visible on the Internet, allowing external hosts to initiate connections. VMs in the Application and Data tiers are rarely reachable from the Internet but might require outbound Internet connections. Additionally, VMs within a load balancer backend pool can use the load balancer's virtual IP/front-end IP for outbound Internet access. This book explains various ways to enable Internet access, including the NAT gateway and load balancer services.
Connectivity: The book explains how to establish bi-directional connections between Virtual Networks in Azure and remote sites using the VPN Gateway (VGW) service and ExpressRoute connections. You will also learn how to deploy VNet peering (point-to-point, and hub-and-spoke with transit over a VGW), both with connection-specific configuration and centrally with Virtual Network Manager (VNM). This book also has three chapters about Virtual WAN (vWAN), which describe regional and global S2S VPN connections and segmentation solutions for peered VNets.
Security: Azure has several ways to protect your VMs from unwanted traffic. A VM's network interface is protected with a Network Security Group (NSG), Azure's stateful packet filter. An NSG can also be associated with a subnet to protect every VM in that subnet. An Application Security Group (ASG), in turn, groups VM network interfaces into a logical group that you can use as a source or destination in NSG rules instead of IP prefixes. You can deploy a global security policy with a Security Admin Configuration (SAC) using Virtual Network Manager (VNM). In addition to the standard Allow and Deny rules, a SAC supports an Always Allow rule, which lets the matching traffic bypass NSG evaluation entirely, overriding NSG rules defined by local administrators. The last chapter of the book introduces the Azure Firewall service. Besides filtering traffic with NSGs and Azure Firewall, you will learn how to use segmentation as a security feature.
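The NSG/ASG relationship described above, as an added Bicep example (this is not code from the book; the resource names, the 10.0.2.0/24 address space and port 8080 are assumptions). It creates two ASGs, an NSG whose allow rule uses the ASGs as source and destination, binds the NSG to a subnet, and places a NIC in the destination ASG. The explicit deny rule at priority 4000 is the check a practitioner should not skip: without it, the platform default rule AllowVnetInBound (priority 65000) still permits all intra-VNet traffic, and the ASG-scoped allow rule changes nothing.

```bicep
// Added example, not from the book. Assumed names: asg-web, asg-app, nsg-app, vnet-hub, snet-app, nic-app-01.
param location string = resourceGroup().location

// ASGs are logical groups of NICs; a rule can reference them instead of IP prefixes.
resource webAsg 'Microsoft.Network/applicationSecurityGroups@2023-09-01' = {
  name: 'asg-web'
  location: location
}

resource appAsg 'Microsoft.Network/applicationSecurityGroups@2023-09-01' = {
  name: 'asg-app'
  location: location
}

resource appNsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'nsg-app'
  location: location
  properties: {
    securityRules: [
      {
        // Only members of asg-web may reach members of asg-app on TCP/8080.
        // When ASGs are used, sourceAddressPrefix/destinationAddressPrefix must be omitted.
        name: 'allow-web-to-app-8080'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceApplicationSecurityGroups: [ { id: webAsg.id } ]
          sourcePortRange: '*'
          destinationApplicationSecurityGroups: [ { id: appAsg.id } ]
          destinationPortRange: '8080'
        }
      }
      {
        // Override the default AllowVnetInBound (65000); otherwise all VNet traffic is still allowed.
        name: 'deny-vnet-inbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: 'VirtualNetwork'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// Subnet-level association: every NIC in snet-app is filtered by nsg-app.
resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: 'snet-app'
        properties: {
          addressPrefix: '10.0.2.0/24'
          networkSecurityGroup: { id: appNsg.id }
        }
      }
    ]
  }
}

// ASG membership is set per NIC ipConfiguration, not per VM or subnet.
resource appNic 'Microsoft.Network/networkInterfaces@2023-09-01' = {
  name: 'nic-app-01'
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-app') }
          privateIPAllocationMethod: 'Dynamic'
          applicationSecurityGroups: [ { id: appAsg.id } ]
        }
      }
    ]
  }
}
```

Deploy with `az deployment group create -g <resource-group> -f nsg-asg.bicep`. Because the effective rule set is the union of the subnet NSG and any NIC NSG, verify the result on a running VM with `az network nic list-effective-nsg -g <resource-group> -n nic-app-01` rather than reading the template alone.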
Load Balancing Service: For inbound traffic, the purpose of the Azure Load Balancer service (LBS) is to distribute incoming network requests across multiple virtual machines or instances, ensuring optimal resource utilization and improved availability. Besides, the load balancing service offers outbound Internet access for backend pool members by translating the source private IP to the front-end virtual IP address. The third use case for LBS is to enable an active/active Network Virtual Appliance (NVA) design. This book introduces the three main building blocks of LBS as described in Microsoft's Ananta architecture: an SDN controller (the Ananta Manager) in the control plane, a load balancer pool (the software MUX pool) in the data plane, and a host agent running on each server. This book doesn't just explain the different use cases but introduces the control plane processes, focusing on the interaction and responsibilities of the system components. Additionally, you will learn the LBS data plane redundancy and packet forwarding model.
Virtual Machine Networking: Virtual Filtering Platform (VFP) is Microsoft's cloud-scale software switch, operating as a virtual forwarding extension within a Hyper-V vSwitch. The forwarding logic of VFP uses a layered policy model based on rules in Match-Action Tables (MATs). VFP operates in the data plane, while complex control plane operations are delegated to centralized controllers. Accelerated Networking, in turn, reduces the physical host's CPU burden and provides a higher packet rate with more predictable jitter by switching packets in the NIC hardware (SR-IOV), while the traffic policy that VFP applies to the flow remains in force.
The structure of each chapter is consistent. Each chapter begins with an Introduction, which introduces the solution and presents the topology diagram. Following that, you will learn how to deploy the service using the Azure portal. Additionally, several chapters include deployment and verification examples using Azure CLI or Azure PowerShell.
Figure 1 illustrates the various resources and services introduced in the book. While the diagram doesn't explicitly cover Azure networking best practices, it does highlight the relationships between different building blocks. If you're new to Azure networking, the picture might appear complex initially. Nevertheless, by the time you complete the book, it should become thoroughly understandable.