Network Management in Azure: Freedoms & Nuances
Discover the flexibility and security of Azure network solutions! Azure offers a wide range of networking services designed for IaaS, PaaS, and SaaS applications. From deploying independent network stacks and securing data with Azure Firewall to setting up private endpoints that make services internally available, Azure facilitates the creation of both secure and efficient 100% cloud and hybrid infrastructures. Let us help you reduce complexity and tailor your network design to your needs.
In customer projects, we often encounter a variety of network implementations in the cloud. Some customers opt for entirely independent network stacks for delivering IaaS services in Azure, such as virtual servers. Others use traditional, network-independent PaaS and SaaS services accessible over the internet or through Microsoft’s backbone network via a public endpoint. Adapting on-premises network environments to the cloud is also common but often introduces unnecessary complexity and issues. Clearly, the approaches are diverse, and the implementation possibilities just as complex.
Careful planning is fundamentally important in Azure, yet the design is not immutable. To build a hybrid infrastructure, overlapping IP ranges between cloud and on-premises should be avoided. Beyond such fundamental decisions, a variety of solutions can be implemented at any time. Services like Azure Firewall offer an excellent edge security service for outbound and inbound traffic at various performance levels. There is no need to deploy third-party NVA solutions or reroute traffic to an on-premises firewall, which can be costly. The Azure Application Gateway with WAF (Web Application Firewall) provides an excellent solution for securely deploying internet-facing web services, akin to a simplified DMZ. Recently, it has also become possible to publish and secure other ports beyond the typical web service ports like 80 and 443.
Azure also enables services that would otherwise be deployed via a purely public endpoint to be offered as internal services with private endpoints. The public endpoint can be disabled and replaced with a private endpoint that provides a network interface and thus a private IP address. The traffic does not leave your network environment and is not publicly accessible, enhancing the security of the services. However, traffic should always be carefully regulated, perhaps using an Azure Firewall or, more simply, with Network Security Groups.
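The pattern described above, as an added example that is not part of the original post: a storage account whose public endpoint is disabled and replaced by a private endpoint in a dedicated subnet, with a Network Security Group that only admits HTTPS from the application subnet, and the private DNS zone that makes the account's own hostname resolve to the private IP. All resource names, address ranges and API versions are assumptions chosen for illustration; deploy with `az deployment group create --resource-group <rg> --template-file main.bicep`.

```bicep
// Added example (not from the original post). Names, address ranges and API
// versions are assumptions; storageAccountName is a placeholder and must be
// globally unique.
param location string = resourceGroup().location
param storageAccountName string = 'stprivatedemo001'

// Spoke VNet: one subnet for workloads, one reserved for private endpoints.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-spoke-demo'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.20.0.0/16' ] }
    subnets: [
      {
        name: 'snet-app'
        properties: { addressPrefix: '10.20.1.0/24' }
      }
      {
        name: 'snet-privateendpoints'
        properties: {
          addressPrefix: '10.20.2.0/24'
          networkSecurityGroup: { id: nsgPe.id }
          // Without this setting the NSG is not evaluated for traffic to
          // private endpoint NICs in the subnet.
          privateEndpointNetworkPolicies: 'Enabled'
        }
      }
    ]
  }
}

// NSG for the private endpoint subnet: only the app subnet may reach the
// endpoints, and only on 443; everything else inbound is denied explicitly.
resource nsgPe 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-privateendpoints'
  location: location
  properties: {
    securityRules: [
      {
        name: 'Allow-App-Subnet-HTTPS'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '10.20.1.0/24'
          sourcePortRange: '*'
          destinationAddressPrefix: '10.20.2.0/24'
          destinationPortRange: '443'
        }
      }
      {
        name: 'Deny-All-Other-Inbound'
        properties: {
          priority: 4096
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// Storage account with the public endpoint switched off. The weak setting
// would be publicNetworkAccess: 'Enabled' with a permissive networkAcls.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    publicNetworkAccess: 'Disabled'
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
    networkAcls: { defaultAction: 'Deny', bypass: 'None' }
  }
}

// Private endpoint for the blob sub-resource, placed in the endpoint subnet.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${storageAccountName}-blob'
  location: location
  properties: {
    subnet: {
      id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-privateendpoints')
    }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: storage.id
          groupIds: [ 'blob' ]
        }
      }
    ]
  }
}

// Private DNS: without this zone, clients keep resolving the account's public
// FQDN to the public IP, which now refuses them.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: 'link-vnet-spoke-demo'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: vnet.id }
  }
}

resource peDns 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      { name: 'blob', properties: { privateDnsZoneId: dnsZone.id } }
    ]
  }
}
```

Two details matter for the "traffic is regulated" part of the text: the subnet's `privateEndpointNetworkPolicies` must be `Enabled` or the NSG is silently bypassed for private endpoint traffic, and the private DNS zone must be linked to every VNet (or forwarded to from on-premises) whose clients use the service, otherwise they resolve the public address and are rejected once `publicNetworkAccess` is `Disabled`. The same resource shapes apply to other private-link-capable services; only the `groupIds` value and the `privatelink.*` zone name change.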
Azure offers numerous options for connecting on-premises data centers, branch offices, or user clients. ExpressRoute provides a fast and reliable service with low latency, although it is costly. Additionally, there are classic site-to-site connections based on VPN with various gateway sizes available. Client-to-Azure (point-to-site) connections using certificate-based or Entra ID-based authentication are also possible.
Microsoft’s Virtual WAN service significantly simplifies the global management of the network stack and centralizes many configurations, such as global and regional routing configuration and propagation. This service also allows for the quick and easy implementation and management of services like third-party firewalls or Azure services such as Azure Firewall and Gateways.
In summary, Azure offers a wide array of network services that eliminate the need for high initial investments and significantly lower the barriers to use. However, careful examination is necessary for the general network design and for solution-specific adjustments to individual applications to determine which solutions are most suitable. We are eager to support you with our experience in designing the optimal network for your needs.