Azure VNet Connectivity

In modern IT environments, it is common to have multiple virtual networks, and workloads in different VNets often need to communicate with each other. Azure provides several methods to enable this connectivity.

Connectivity Scenarios

1. VNet Peering

Virtual Network Peering allows you to connect two VNets either within the same region or across different regions.

• Direct Communication: Once peered, the traffic between virtual machines (VMs) in the peered VNets is routed directly through Microsoft’s backbone infrastructure, avoiding the public Internet.
• Hub-and-Spoke Model: You can design your network topology using a hub-and-spoke model where a central hub VNet (containing network appliances or VPN gateways) connects to multiple spoke VNets. This setup allows for efficient traffic flow through the hub.
• Gateway Transit: When VNets are peered, you can configure a gateway in one VNet to act as a transit point for on-premises networks.

2. Global Peering

Global VNet Peering enables connectivity between VNets in different Azure regions.

• Gateway Transit Support: Similar to regular VNet peering, global peering supports gateway transit, allowing you to route traffic through gateways in either VNet.

3. Site-to-Site VPN

If you need to connect an on-premises virtual network with your Azure VNet or other cloud providers, you can use a Site-to-Site VPN.

• Encrypted Communication: This method creates a secure, encrypted tunnel over the public Internet for communication between your Azure VNet and the on-premises data center.

4. ExpressRoute

For business scenarios requiring a private connection between your on-premises data center and Azure VNet, ExpressRoute is the solution.

• Private Channel: ExpressRoute establishes a private, dedicated connection that bypasses the public Internet, enhancing security and reliability.

Points to Remember While Peering

• Peering is allowed between VNets in the same subscription only.
• Peering is permitted between VNets in different subscriptions under the same Azure Active Directory (AD) tenant.
• Peering can also occur between VNets in different subscriptions located in different AD tenants.

VPN Gateway

A VPN Gateway is a specific type of virtual network gateway used to send encrypted traffic between an Azure VNet and an on-premises location over the Internet. It acts as an intermediary for workloads in both networks.

Key Configurations for VPN Gateway

1. Gateway SKUs: Select a SKU based on workload requirements, throughput, features, and SLAs.
2. Zone-Redundant Gateways: These provide resiliency and availability for mission-critical services by distributing the gateway across different zones.
3. Connection Types: Connection types can be IPsec, VNet-to-VNet, ExpressRoute, or VPN Client.
4. VPN Types: Depending on the connection topology and device, choose between:
   • Policy-based VPN: Uses access policies to define traffic flows.
   • Route-based VPN: Uses routing tables to manage traffic.
5. Gateway Subnet: Before creating a VPN gateway, create a dedicated subnet named GatewaySubnet. No other resources should be deployed in this subnet.
6. Local Network Gateway: This represents your on-premises location, including VPN devices and address prefixes.
7. Connection Topologies: Options include:
   • Site-to-Site
   • Multi-Site
   • Point-to-Site
   • VNet-to-VNet
   • ExpressRoute
8. Monitoring and Alerts: Use Azure monitoring tools to track key metrics and configure alerts for the VPN gateway.