
Internet – Intersite Connectivity

As mentioned in the previous section, the Internet is the easiest, least secure, and least preferred way to connect two Azure sites or virtual networks. In this case, you associate public IP addresses with your jumpbox VM and your web-vm, and the two can reach each other over the Internet. This is no different from deploying a VM with a public IP address and connecting to it from your local machine: from the jumpbox you initiate a connection to the public IP address of the web-vm, or vice versa.

Exposing the VMs to the Internet opens a vector for attack: a public IP address is reachable, and will be scanned, by anyone on the Internet. You can use a firewall or an NSG to filter the traffic down to the sources and ports you need, but the traffic still travels over the Internet, so it must be encrypted end to end (for example, SSH or TLS) and the public endpoints still need to be protected against brute-force and exploitation attempts. Your reference architecture needs to be modified to allow communication over the Internet (refer to Figure 4.2).

FIGURE 4.2 Communication over Internet

When we discuss communication between Azure resources, this is the least preferred method; because of the security concerns, it is normally not considered an option at all. Nevertheless, it is good to know that connecting via the Internet is possible. Next, we will talk about peering, which is one of the most preferred methods.

Virtual Network Peering

Though the Internet is the easiest and quickest way to connect resources in two virtual networks, organizations rarely prefer it, because the traffic has to cross the Internet and the resources need Internet-facing IP addresses. With the Internet off the preference list, you have virtual network peering. This is one of the most widely adopted methods of connecting virtual networks because of its simplicity and ease of implementation. Peering traffic stays on the Microsoft backbone and uses the private IP addresses of the resources; nothing is exposed to the Internet. Once you establish the peering, the resources in the connected virtual networks can communicate with each other as if they were part of the same virtual network.

Before you plan to set up peering, you need to make sure that you follow the best practices covered in Chapter 3, “Virtual Networking.” To refresh your knowledge, let’s go over them again.

  • Avoid overlapping address spaces. Azure will not let you create a peering between virtual networks whose address spaces overlap, so verify this before you start.
  • Reserve some IP addresses for the future, so that you can add subnets without re-addressing the virtual network.
  • Deploy larger virtual networks rather than many smaller ones. This reduces the management overhead, and if you need peering, it reduces the number of peerings you have to create and maintain.
  • Lastly, use NSGs to allow only the traffic that is required. Peering connects the networks; it does not filter anything, so the NSGs on the subnets and NICs remain your access control.

Now that we have reiterated the best practices, let's dive deeper into peering. There are two types of peering: regional virtual network peering and global virtual network peering. Let's look at the differences between them:

  • Regional virtual network peering: If you peer virtual networks that are in the same Azure region, it is called regional virtual network peering.
  • Global virtual network peering: If you peer virtual networks that are in different Azure regions, it is called global virtual network peering. Peering is supported within the Azure public cloud, within the Azure China cloud, and within the Azure Government cloud, including between different regions of the same cloud. You cannot peer across clouds; for example, a virtual network in an Azure public cloud region cannot be peered with one in an Azure Government or Azure China region.

Figure 4.3 shows regional and global virtual network peering. In the figure, you can see that two virtual networks in East US with address spaces 10.0.0.0/16 and 192.168.0.0/16 are connected to each other via regional virtual network peering, as they are part of the same region. There is a third virtual network deployed in West US with the address space 172.16.0.0/16. This virtual network is peered with a virtual network in East US via global virtual network peering. It is called global virtual network peering as the virtual networks are located in two different regions.

FIGURE 4.3 Types of peering
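The two checks a practitioner wants to run before creating any of the peerings in Figure 4.3 are whether the address spaces overlap (Azure rejects the peering if they do) and whether the peering will be regional or global. The following Python script is an added example, not code from the book; the virtual network inventory is constructed to match the three networks in the figure, plus a fourth (vnet-west-bad) with a deliberately colliding prefix so that the overlap case is exercised. The names, regions, and the inventory layout are assumptions; in a real run you would build the inventory from the output of `az network vnet list`.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory (assumption, not from the book): the three
# virtual networks of Figure 4.3 and one extra network whose first prefix
# collides with vnet-east-a. Keys and region names are illustrative.
VNETS = {
    "vnet-east-a": {"region": "eastus", "address_spaces": ["10.0.0.0/16"]},
    "vnet-east-b": {"region": "eastus", "address_spaces": ["192.168.0.0/16"]},
    "vnet-west": {"region": "westus", "address_spaces": ["172.16.0.0/16"]},
    "vnet-west-bad": {"region": "westus",
                      "address_spaces": ["10.0.128.0/17", "10.1.0.0/16"]},
}


def peering_type(region_a, region_b):
    """Regional peering if both networks are in the same region, else global."""
    return "regional" if region_a.lower() == region_b.lower() else "global"


def overlapping_prefixes(spaces_a, spaces_b):
    """Return every (prefix_a, prefix_b) pair that overlaps between two
    address-space lists. strict=True rejects prefixes with host bits set,
    which would indicate a typo in the inventory."""
    nets_a = [ipaddress.ip_network(p, strict=True) for p in spaces_a]
    nets_b = [ipaddress.ip_network(p, strict=True) for p in spaces_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b)]


def check_peering(name_a, name_b, vnets=VNETS):
    """Pre-flight check for one peering: classify it and block it on overlap."""
    a, b = vnets[name_a], vnets[name_b]
    clashes = overlapping_prefixes(a["address_spaces"], b["address_spaces"])
    return {
        "pair": (name_a, name_b),
        "type": peering_type(a["region"], b["region"]),
        "ok": not clashes,
        "overlaps": clashes,
    }


def check_all(vnets=VNETS):
    """Check every possible pair, which is what a full-mesh design needs."""
    return [check_peering(x, y, vnets) for x, y in combinations(sorted(vnets), 2)]


if __name__ == "__main__":
    for result in check_all():
        status = "OK   " if result["ok"] else "BLOCK"
        print(status, result["type"], result["pair"], result["overlaps"])
```

Running the script shows the three peerings from the figure passing (two regional, one global) and every peering involving vnet-west-bad with vnet-east-a blocked because 10.0.128.0/17 sits inside 10.0.0.0/16; its second prefix, 10.1.0.0/16, does not collide, which is why the check reports the specific offending pair rather than a bare yes/no.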

Now that you’re familiar with the types of peering, let’s take a moment to understand the benefits of peering.
