Azure Virtual Network (AVN) and Subnets
Azure Virtual Network is a home for virtual machines
AVN consists of an IP address range
Subnet is a logical separation of resources that you can have in a virtual network.
Each subnet has an address range and is a subset of address range of the AVN
You can spin up VMs in each of the subnets
Each VM has an IP address which is part of the subnet address range
The VM IP addresses (10.1.1.6 & 10.1.2.10) are private IP addresses and is basically used for the internal communication between the VMs
18.104.22.168 – Public IP address – Users can access the application hosted on the VM from the internet
The other subnet does not have a public IP address. This VM could be used to host the database that should not be exposed to the public/internet
Network Security Groups
- are used to control the flow of traffic into and out of the virtual machine
- is a seperate resource defined in the azure platform
- gets attached to the network interface that is attached to the virtual machine
- can be attached to the network interface card (network security card – In this case, it just impacts that VM) to one VM or linked to the whole subnet (in this case, it affects the entire VMs on that subnet)
- NSG consists of Inbound and Outbound security roles
- When an NSG is created, some default inbound and outbound rules are already created which cannot be removed or changed
- By default, the virtual machine does not allow traffic from the outside world, therefore you need to implement inbound rules and open the port 80 (http listener).
- You have to setup rules accordingly to allow traffic on port 80. Source is IP address of your computer or the internet (for all users). Destination is your virtual machine/virtual network.
If you want to connect to VM using RDP, then add an inbound rule for RD for port 3389
Source of the Inbound traffic rules
Denying the inbound traffic from a certain is controlled by priority – Example.
A request is sent and goes through the rules, if a match is found, then that rule is executed.
Destination depends on network interface (VM specific) and subnet (group of VMs)
If the network security group is attached to the subnet, then specify the IP addresses of the virtual machines that will allow the incoming traffic