Azure Virtual Network concepts and best practices

This article describes key concepts and best practices for Azure Virtual Network (VNet) .

VNet concepts

  • Address space: When creating a VNet, you must specify a custom private IP address space using public and private (RFC 1918) addresses. Azure assigns resources in a virtual network a private IP address from the address space that you assign. For example, if you deploy a VM in a VNet with address space, 10.0.0.0/16, the VM will be assigned a private IP like 10.0.0.4.
  • Subnets: Subnets enable you to segment the virtual network into one or more sub-networks and allocate a portion of the virtual network’s address space to each subnet. You can then deploy Azure resources in a specific subnet. Just like in a traditional network, subnets allow you to segment your VNet address space into segments that are appropriate for the organization’s internal network. This also improves address allocation efficiency. You can secure resources within subnets using Network Security Groups. For more information, see Network security groups.
  • Regions: VNet is scoped to a single region/location; however, multiple virtual networks from different regions can be connected together using Virtual Network Peering.
  • Subscription: VNet is scoped to a subscription. You can implement multiple virtual networks within each Azure subscription and Azure region.

Best practices

As you build your network in Azure, it is important to keep in mind the following universal design principles:

  • Ensure non-overlapping address spaces. Make sure your VNet address space (CIDR block) does not overlap with your organization’s other network ranges.
  • Your subnets should not cover the entire address space of the VNet. Plan ahead and reserve some address space for the future.
  • It is recommended you have fewer large VNets rather than multiple small VNets. This will prevent management overhead.
  • Secure your VNet’s by assigning Network Security Groups (NSGs) to the subnets beneath them.

Next steps

To get started using a virtual network, create one, deploy a few VMs to it, and communicate between the VMs. To learn how, see the Create a virtual network quickstart.

Resources;

https://docs.microsoft.com/en-us/azure/virtual-network/concepts-and-best-practices

Azure example of tagging

A resource tag consists of a name and a value. You can assign one or more tags to each Azure resource.

NameValue
AppNameThe name of the application that the resource is part of.
CostCenterThe internal cost center code.
OwnerThe name of the business owner who’s responsible for the resource.
EnvironmentAn environment name, such as “Prod,” “Dev,” or “Test.”
ImpactHow important the resource is to business operations, such as “Mission-critical,” “High-impact,” or “Low-impact.”

Here’s an example that shows these tags as they’re applied to a virtual machine during provisioning.

You can run queries, for example, from PowerShell or the Azure CLI, to list all resources that contain these tags.

Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources. These policies enforce different rules and effects over your resource configurations so that those configurations stay compliant with corporate standards.

Read more about it here;

https://docs.microsoft.com/en-us/learn/modules/build-cloud-governance-strategy-azure/8-control-audit-resources-azure-policy

Reference;

https://docs.microsoft.com/en-us/learn/modules/build-cloud-governance-strategy-azure/7-organize-resource-tags

Prevent accidental changes by using resource locks

resource lock prevents resources from being accidentally deleted or changed.

You can manage resource locks from the Azure portal, PowerShell, the Azure CLI, or from an Azure Resource Manager template.

To view, add, or delete locks in the Azure portal, go to the Settings section of any resource’s Settings pane in the Azure portal.

Here’s an example that shows how to add a resource lock from the Azure portal. You’ll apply a similar resource lock in the next part.

You can apply locks to a subscription, a resource group, or an individual resource. You can set the lock level to CanNotDelete or ReadOnly

Resource locks apply regardless of RBAC permissions

To make the protection process more robust, you can combine resource locks with Azure Blueprints. Azure Blueprints enables you to define the set of standard Azure resources that your organization requires. For example, you can define a blueprint that specifies that a certain resource lock must exist. Azure Blueprints can automatically replace the resource lock if that lock is removed.

Follow this for an example;

https://docs.microsoft.com/en-us/learn/modules/build-cloud-governance-strategy-azure/6-protect-storage-account-resource-lock

Reference

https://docs.microsoft.com/en-us/learn/modules/build-cloud-governance-strategy-azure/5-prevent-changes-resource-locks

Control Access to cloud resource using RBAC

Control access to cloud resources;

Use Azure RBAC when you need to:

  • Allow one user to manage VMs in a subscription and another user to manage virtual networks.
  • Allow a database administrator group to manage SQL databases in a subscription.
  • Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets.
  • Allow an application to access all resources in a resource group.

Azure RBAC is enforced on any action that’s initiated against an Azure resource that passes through Azure Resource Manager. Resource Manager is a management service that provides a way to organize and secure your cloud resources.

You typically access Resource Manager from the Azure portal, Azure Cloud Shell, Azure PowerShell, and the Azure CLI. Azure RBAC doesn’t enforce access permissions at the application or data level. Application security must be handled by your application.

RBAC uses an allow model. When you’re assigned a role, RBAC allows you to perform certain actions, such as read, write, or delete. If one role assignment grants you read permissions to a resource group and a different role assignment grants you write permissions to the same resource group, you have both read and write permissions on that resource group.

You manage access permissions on the Access control (IAM) pane in the Azure portal. This pane shows who has access to what scope and what roles apply. You can also grant or remove access from this pane.

The following screenshot shows an example of the Access control (IAM) pane for a resource group. In this example, Alain Charon has been assigned the Backup Operator role for this resource group.

Reference

https://docs.microsoft.com/en-us/learn/modules/build-cloud-governance-strategy-azure/4-control-access-azure-rbac

Hosting multiple domains under one app service

I am looking at taking our product page gallery and hosting it under multiple domains but keeping it with one app service so it is easy to deploy updates across these multiple domains. The code for this site would handle the UI change based on the domain.

Would hosting a simple app service and just adding multiple CNAME records be the best option for this? How many CNAME records can you have for one app service and how many SSL certificates?

https://docs.microsoft.com/en-us/answers/questions/117338/hosting-multiple-domains-under-one-app-service.html

I understand how to add multiple domains to a web app. What if I have say 100+ other company domains that I want to reference to the same webapp. These companies would create their own subdomains to point to this website the example is.

https://discovery.company1.com
https://discovery.company2.com
https://discovery.company3.com
….

I would assume I would need to host a separate SSL for each company and connect each CNAME. I am more just concerned I would hit a block after so many of these added to the same web app or wondering if there is a better option I should use in Azure if anyone knows of.

Azure App service allows 500 Custom domains per app that will be over this limit.

Read about X.509 certificates