[Windows Azure] Windows Azure Virtual Network Overview

Windows Azure Virtual Network Overview

18 out of 33 rated this helpful - Rate this topic

Updated: April 25, 2013

Windows Azure Virtual Network provides you with the capability to extend your network into Windows Azure and treat deployments in Windows as a natural extension to your on-premises network.

Virtual Network enables you to accomplish the following:

• Create a virtual private network in Windows Azure: You can bring your preferred private IPv4 space (10.x, 172.x, 192.x) to Windows Azure.
• Configure cross-premises connectivity over site-to-site IPsec VPNs: You can extend your on-premises network to Windows Azure and treat virtual machines and services deployed in your virtual networks as though they were on your local premises.
• Configure custom DNS servers for all services within a virtual network: You can point all virtual machines and services to a DNS server on-premises or a DNS server running in a virtual network. This capability enables you to use your domain controllers in Windows Azure.

Some key benefits of Windows Azure Virtual Network are:

• Extended trust and security boundary: The virtual network extends the trust boundary from a single service to the virtual network boundary. You can create several cloud services and virtual machines within a single virtual network and have them communicate with each other without having to go through the internet. You can also setup services that use a common backend database tier or use a shared management service.
• Persistent private IP addresses: Virtual machines within a VNet will have a stable private IP address. We assign an IP address from the address range you specify and offer an infinite DHCP lease on it. So the IP address will stay with the virtual machine for its lifetime. The exception to this is when a virtual machine is stop/deallocated.

  Important

  When a virtual machine is stop/deallocated, it does not retain its IP address.

• Enhanced security and isolation: Since each virtual network is run as an overlay, only virtual machines and services that are part of the same network can access each other. Services outside the virtual network have no way to identify or connect to services hosted within virtual networks. This provides an added layer of isolation to your services.
• Extend your on-premises network to the cloud: You can extend your on-premises network through the site-to-site VPN and treat the virtual network as though it is part of your corporate network. You can access and leverage all on-premises investments around monitoring and identity for your services hosted in Windows Azure.
• IaaS and PaaS are better together: With virtual networks, you have the ability to build services that rely on PaaS and IaaS. In most cases, the front-ends are stateless and PaaS roles offer more flexibility and scalability in such cases. While front-ends are migrated to PaaS, you can still use your favorite databases as virtual machines.
• Connectivity to the internet: You will still enjoy the ability to connect services hosted in virtual networks to the internet through the public IP address that has been assigned for your service.

Virtual Network Design Considerations

Before you configure your Windows Azure Virtual Network, you should carefully consider possible scenarios. For this release, it can be difficult to makes changes after your virtual network has been created and you have deployed role instances and virtual machines. After this stage of deployment, you cannot easily modify the baseline network configuration and many values cannot be modified without pulling back roles and virtual machines and then reconfiguring. Because of this, you should not attempt to create a virtual network and then try to adapt the scenario to fit the network.

When creating your network design, consider the following possible scenarios:

Secure Connection Type: Site-to-Site or Point-to-Site

Important

Point-to-site VPN is currently in Preview (CTP).

Scenario	Points to consider	For more information
Secure site-to-site connection between your virtual network and your on-premises network	Address space Supported VPN gateway device Internet-accessible IP address for your VPN gateway device Name resolution (DNS) design	See About Secure Cross-Premises Connectivity for more information about cross-premises connection options. See About VPN Devices for Virtual Network for VPN device requirements and configuration templates.
Secure point-to-site connections between individual computers running on your on-premises network and your virtual network	Address space Name resolution (DNS) design	See About Secure Cross-Premises Connectivity for more information about cross-premises connection options. See About VPN Devices for Virtual Network for VPN device requirements and configuration templates.

Branch Office or Dedicated Private Virtual Network in the Cloud

Using the features of Windows Azure Virtual Network, you can create dedicated private virtual networks in the cloud as well as branch-office and cross-premises solutions. In order to create a virtual branch office solution, you must obtain and configure a supported VPN router with a valid public IPv4 address that is not located behind a NAT.

Scenario	Features	Use it when	For more information
Dedicated private virtual network	You can set up secure IPv4 networks that are fully contained within Windows Azure by using persistent IP addresses. This means that the internal IP address of your virtual machines will remain persistent and will not change, even when you restart a virtual machine. Hostname resolution can be configured. You can either use the Windows Azure-provided name resolution service, or you can specify your own on-premises DNS server or a dedicated DNS server running elsewhere. Inter-service DIP-to-DIP communication is available.	You are building services requiring shared tiers You are building services where you wish to use PaaS and IaaS together You are deploying services requiring stable private IPv4 addresses	SeeWindows Azure Name Resolutionfor more information about name resolution.
Virtual branch office andcross-premises virtual network	You can create secure site-to-site network connectivity between Windows Azure and your on-premises network, effectively creating a virtual branch office or datacenter in the cloud. This is possible by using a hosted VPN gateway and a supported VPN gateway device. You can extend your enterprise networks into Windows Azure. Hostname resolution can be configured. You can specify your own on-premises DNS server or a dedicated DNS server running elsewhere. Persistent IP addresses can be configured for virtual machines. This means that the internal IP address of your virtual machines will remain persistent and will not change, even when you restart a virtual machine. You can join virtual machines running in Windows Azure to your domain running on-premises.	All or any of the reasons listed above for dedicated virtual private network You require secure IP-level connectivity between your premises and the virtual network You want to use on-premises deployments of DNS, ADDS, or System Center Operations Manager You want to expose services to your on-premises resources directly, rather than through the internet.	SeeWindows Azure Name Resolutionfor more information about name resolution.

Name Resolution (DNS) for Virtual Network

Name resolution is an important consideration for virtual network design. Even though you may create a secure site-to-site VPN connection, without name resolution, communication by hostname is not possible. There are multiple ways to provide name resolution for your Windows Azure Virtual Network. You can use the name resolution provided by Windows Azure, or you may use your own DNS server. Configuring your virtual network to use Windows Azure-provided name resolution is a relatively simple option. However, you may require a more full-featured DNS solution in order to support virtual machines or complex configurations. Your choice of name resolution method should be based on the scenario that it will support. For more information about name resolution for Windows Azure, see Windows Azure Name Resolution.

Scenario	Name resolution	Points to consider	For more information
Cross-premises: Name resolution between role instances or virtual machines in Windows Azure and on-premises computers	DNS solution of your choice (Not Windows Azure-provided)	Name resolution (DNS) design Address space Supported VPN gateway device Internet-accessible IP address for your VPN gateway device	See About VPN Devices for Virtual Network for VPN device requirements and configuration templates. See Windows Azure Name Resolution for more information about name resolution.
Cross-premises: Name resolution between on-premises computers and role instances or virtual machines in Windows Azure	DNS solution of your choice (Not Windows Azure-provided)	Name resolution (DNS) design Address space Supported VPN gateway device Internet-accessible IP address for your VPN gateway device	See About VPN Devices for Virtual Network for VPN device requirements and configuration templates. See Windows Azure Name Resolution for more information about name resolution.
Name resolution between role instances located in the same cloud service	Windows Azure name resolution (internal)	Name resolution (DNS) design	See Windows Azure Name Resolution for more information about name resolution.
Name resolution between virtual machines located in the same cloud service	Windows Azure name resolution (internal)	Name resolution (DNS) design	See Windows Azure Name Resolution for more information about name resolution.
Name resolution between virtual machines and role instances located in the same Virtual Network, but different cloud services	DNS solution of your choice (Not Windows Azure-provided)	Name resolution (DNS) design Address space Supported VPN gateway device Internet-accessible IP address for your VPN gateway device	See About VPN Devices for Virtual Network for VPN device requirements and configuration templates. See Windows Azure Name Resolution for more information about name resolution.
Name resolution between virtual machines and role instances that are located in the same cloud services, not in a Windows Azure Virtual Network	Not applicable.	Virtual machines and role instances cannot be deployed in the same cloud service.	Not applicable.
Name resolution between role instances located in different cloud services, not in a Windows Azure Virtual Network	Not applicable.	Connectivity between virtual machines and/or role instances in different cloud services is not supported outside a virtual network.	Not applicable.
Name resolution between virtual machines located in the same Windows Azure Virtual Network	DNS solution of your choice (Not Windows Azure-provided)	Name resolution (DNS) design Address space Supported VPN gateway device Internet-accessible IP address for your VPN gateway device	See About VPN Devices for Virtual Network for VPN device requirements and configuration templates. See Windows Azure Name Resolution for more information about name resolution.
Use name resolution to direct traffic between datacenters	See Traffic Manager	See Traffic Manager	See Windows Azure Traffic Manager for more information about using name resolution to direct traffic between datacenters.
Control the distribution of user traffic to Windows Azure hosted services	See Traffic Manager	See Traffic Manager	See Windows Azure Traffic Manager.

Configuring Virtual Network

You can configure a virtual network by using the following methods:

• Network Configuration file (.xml)
• Management Portal wizard

All methods of configuring Virtual Network result in the configuration of a network configuration file. The network configuration file contains all of the configuration information for your virtual network. For more information about the elements contained in the network configuration file, see Windows Azure Virtual Network Configuration Schema. For information about how to configure your Virtual Network by using a network configuration file, seeConfigure a Virtual Network Using Network Configuration Files.

When you use the Management Portal wizard to configure your virtual network, the network configuration file is not readily visible. The network configuration file is created and automatically imported to Windows Azure, where the values are used to configure your virtual network. If you want to view the schema information contained in the configuration file, you can export the file by using the Management Portal and view it with any xml editor. You can also use the Management Portal to view the settings contained in the file. For information about how to use the Management Portal to create a virtual network, see About Configuring a Virtual Network in the Management Portal.

Virtual Network Configuration Tasks

If you have already created your design plan and want to know how to configure specific settings, see the Windows Azure Virtual Network Configuration Tasks.

Virtual Network Tutorials

If you’d like to walk through a tutorial to better understand how to configure your virtual network, see Windows Azure Virtual Network Tutorials.

See Also

Concepts

About Configuring a Virtual Network in the Management Portal 
Configure a Virtual Network Using Network Configuration Files 
Windows Azure Name Resolution 
About VPN Devices for Virtual Network 
Windows Azure Virtual Network Configuration Tasks

Other Resources

Windows Azure Virtual Network Configuration Schema 
Windows Azure Virtual Network Tutorials 
Windows Azure Networking Guidance 
Windows Azure Virtual Machines 
How to Create a Custom Virtual Machine