Building Resilient Networks with Azure Networking Services Part 1: Understanding Azure Virtual Networks (VNets)

Resilient Networking in Azure - VNets

Introduction

In today’s dynamic cloud environments, resilient and secure network architectures are critical to business success. Virtual Networks (VNets) form the backbone of Azure’s networking services, providing a secure, isolated space where your resources can communicate. In this first part of our five-part series, we will dive deep into the fundamentals of VNets, including subnets and IP addressing schemes, and show you how to establish a basic network topology with Network Security Groups (NSGs).

We’ll guide you through two implementation methods:

  • Azure Portal: A point-and-click approach for a visual and intuitive setup.
  • Bicep Template: An Infrastructure-as-Code (IaC) method that brings automation and repeatability to your deployment.

Understanding VNets, Subnets, and IP Addressing Schemes

What Are VNets?

An Azure Virtual Network (VNet) is a logical representation of your network in the cloud. It emulates a traditional network that you would operate in your own datacenter but brings the additional benefits of Azure’s flexibility, scalability, and robust security features.

Subnets

Within a VNet, you can carve out subnets. Subnets help you segment the network into smaller, manageable sections. This segmentation enables you to:

  • Isolate workloads,
  • Organize your resources, and
  • Enforce security boundaries with NSGs.

IP Addressing Schemes

When designing your VNets, choosing an appropriate IP address range is critical. Azure VNets require an IP address space in either IPv4 or IPv6. The commonly used private IPv4 address ranges are:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

Importance of Planning with IPAM

Extending your on-premises infrastructure to the cloud requires plenty of advance planning, nowhere more so than in networking. When you begin the planning stages of your cloud adoption, you need to allocate an IP address range that does not overlap with your internal ranges, to avoid the costly rework required to fix the problem in future.
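The overlap check described above can be automated before anything is deployed. The following Python sketch is an added example, not part of the original article: the on-premises ranges are constructed sample data, the function names are hypothetical, and only IPv4 is handled.

```python
import ipaddress

# Constructed sample: ranges already in use on-premises (assumption, not from the article).
ON_PREM_RANGES = ["10.0.0.0/16", "192.168.10.0/24"]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_RESERVED_PER_SUBNET = 5  # Azure reserves the first four addresses and the last one


def check_address_plan(vnet_prefix, subnet_prefixes, in_use=ON_PREM_RANGES):
    """Return a list of findings for a proposed VNet address plan (empty list = no issues)."""
    findings = []
    vnet = ipaddress.ip_network(vnet_prefix, strict=True)
    if not any(vnet.subnet_of(block) for block in RFC1918):
        findings.append(f"{vnet} is outside the private IPv4 ranges")
    for used in map(ipaddress.ip_network, in_use):
        if vnet.overlaps(used):
            findings.append(f"{vnet} overlaps in-use range {used}")
    subnets = [ipaddress.ip_network(p, strict=True) for p in subnet_prefixes]
    for i, subnet in enumerate(subnets):
        if not subnet.subnet_of(vnet):
            findings.append(f"subnet {subnet} is not inside {vnet}")
        for other in subnets[i + 1:]:
            if subnet.overlaps(other):
                findings.append(f"subnets {subnet} and {other} overlap")
    return findings


def usable_hosts(subnet_prefix):
    """Addresses left for resources after Azure's per-subnet reservation."""
    return max(ipaddress.ip_network(subnet_prefix).num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def first_free_block(candidates, in_use=ON_PREM_RANGES):
    """Pick the first candidate VNet prefix that collides with nothing already allocated."""
    used = [ipaddress.ip_network(r) for r in in_use]
    for prefix in candidates:
        net = ipaddress.ip_network(prefix)
        if not any(net.overlaps(u) for u in used):
            return prefix
    return None


if __name__ == "__main__":
    print(check_address_plan("10.0.0.0/16", ["10.0.1.0/24"]))
    print(first_free_block(["10.0.0.0/16", "10.1.0.0/16"]))
    print(usable_hosts("10.0.1.0/24"))
```

The sample on-premises list deliberately collides with 10.0.0.0/16 to show the failure case; replace it with an export from your own IPAM records.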

Network Security Groups (NSGs)

Network Security Groups (NSGs) act as virtual firewalls that filter network traffic to and from Azure resources. NSGs define rules based on source/destination IP addresses, ports, and protocols. By associating an NSG with a subnet or individual network interface, you can control and secure the flow of inbound and outbound traffic.

Setting Up a Basic Network Topology

In this section, we outline a simple architecture that includes a VNet with at least one subnet and an associated NSG that contains basic security rules (for example, allowing RDP for management).

Example Network Topology

  1. Virtual Network (VNet):

    • Address Space: 10.0.0.0/16
  2. Subnet:

    • Name: MySubnet
    • Address Prefix: 10.0.1.0/24
  3. NSG:

    • Rule: Allow inbound RDP (TCP port 3389)

Implementation via Azure Portal

For those who prefer a GUI-driven approach, follow these steps:

  1. Create a Virtual Network:

    • Navigate to the Azure Portal.
    • Click Create a resource and search for Virtual Network.
    • In the Basics tab, fill in:
      • Name: e.g., MyVNet
      • Region: Select your preferred location.
      • Address Space: Enter 10.0.0.0/16.
    • Click Next: IP Addresses.
  2. Configure Subnets:

    • Under Subnet, set the Subnet Name (e.g., MySubnet) and Subnet Address Range: 10.0.1.0/24.
    • Click Next to review and then Create the VNet.
  3. Create a Network Security Group:

    • Click Create a resource and search for Network Security Group.
    • Enter a name (e.g., MySubnet-nsg), select the Resource Group, and click Review + create.
  4. Add a Security Rule:

    • Once the NSG is deployed, go to the NSG resource.
    • Under Settings, select Inbound security rules and click Add.
    • Configure a rule to allow RDP traffic:
      • Name: Allow-RDP
      • Priority: 1000
      • Source: Any
      • Destination: Any
      • Protocol: TCP
      • Destination Port: 3389
      • Click Add.
  5. Associate NSG with the Subnet:

    • Navigate to your VNet, select Subnets, and then click the subnet (MySubnet).
    • In the Network security group section, click Associate and select your NSG (MySubnet-nsg).

Implementation via Bicep

For repeatable and automated deployments, the Bicep template below creates a VNet, a subnet, and an associated NSG with a basic rule.

// Parameters for flexible deployment
param vnetName string = 'MyVNet'
param location string = resourceGroup().location
param addressPrefix string = '10.0.0.0/16'
param subnetName string = 'MySubnet'
param subnetPrefix string = '10.0.1.0/24'
param nsgName string = '${subnetName}-nsg'

resource vnet 'Microsoft.Network/virtualNetworks@2021-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        addressPrefix
      ]
    }
    subnets: [
      {
        name: subnetName
        properties: {
          addressPrefix: subnetPrefix
          networkSecurityGroup: {
            id: nsg.id
          }
        }
      }
    ]
  }
}

resource nsg 'Microsoft.Network/networkSecurityGroups@2021-02-01' = {
  name: nsgName
  location: location
  properties: {
    securityRules: [
      {
        name: 'Allow-RDP'
        properties: {
          priority: 1000
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          // '*' matches any source address (the portal's "Source: Any")
          sourceAddressPrefix: '*'
          destinationAddressPrefix: '*'
          sourcePortRange: '*'
          destinationPortRange: '3389'
        }
      }
    ]
  }
}

Deployment Steps Using Bicep:

  1. Save the template to a file (e.g., vnetDeployment.bicep).

  2. Open your terminal and log in using Azure CLI:

    az login
    
  3. Deploy the template to your resource group:

    az deployment group create \
      --resource-group MyResourceGroup \
      --template-file vnetDeployment.bicep
    

This template creates a VNet named MyVNet with an address space of 10.0.0.0/16, a subnet named MySubnet with an address range of 10.0.1.0/24, and an NSG with a rule that allows inbound RDP traffic. Adjust the parameters as needed to suit your environment.
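Because the Allow-RDP rule uses a source of Any, it is worth checking NSG rules for management ports that accept traffic from any address before the template is promoted beyond a lab. The following Python sketch is an added example, not part of the original article: the rule dictionaries are constructed to mirror the template's properties block, the second rule and its 203.0.113.0/24 source are hypothetical placeholders, and the list of management ports is an assumption.

```python
# Ports treated as management access for this check (assumption for the example).
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
ANY_SOURCE = {"*", "0.0.0.0/0", "internet"}


def _port_in(spec, port):
    """True if an NSG port spec ('3389', '3000-4000' or '*') covers the given port."""
    spec = str(spec).strip()
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def audit_rules(rules):
    """Return (rule name, service) for inbound Allow rules that open a management port to any source."""
    findings = []
    for rule in rules:
        p = rule["properties"]
        if p.get("direction") != "Inbound" or p.get("access") != "Allow":
            continue
        if p.get("protocol", "*").lower() not in ("tcp", "*"):
            continue
        sources = [p.get("sourceAddressPrefix", "")] + list(p.get("sourceAddressPrefixes", []))
        if not any(s.lower() in ANY_SOURCE for s in sources):
            continue
        ports = [p["destinationPortRange"]] if p.get("destinationPortRange") else []
        ports += p.get("destinationPortRanges", [])
        for port, service in MANAGEMENT_PORTS.items():
            if any(_port_in(spec, port) for spec in ports):
                findings.append((rule["name"], service))
    return findings


# Constructed input: the first rule copies the article's Allow-RDP rule; the second is a
# hypothetical tightened variant whose source is a placeholder admin range.
SAMPLE_RULES = [
    {"name": "Allow-RDP", "properties": {
        "priority": 1000, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
        "sourcePortRange": "*", "destinationPortRange": "3389"}},
    {"name": "Allow-RDP-From-Admins", "properties": {
        "priority": 1010, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "203.0.113.0/24", "destinationAddressPrefix": "*",
        "sourcePortRange": "*", "destinationPortRange": "3389"}},
]

if __name__ == "__main__":
    print(audit_rules(SAMPLE_RULES))
```

Only the rule copied from the template is reported; the variant with a specific source prefix passes the check.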

Conclusion

Understanding and effectively deploying Azure VNets is fundamental to building resilient cloud networks. This part of our series provided an in-depth exploration of VNets, subnets, and IP addressing schemes, and demonstrated how to secure your network using NSGs. Whether you choose the Azure Portal for a visual setup or a Bicep deployment for automation, the principles remain the same—ensure that your network is well-organized, secure, and scalable.

As you continue to build out your resilient network infrastructure, these foundational skills will serve you well in creating more complex and secure environments.
