This article shares my experience with Microsoft Azure network services from a product design and architecture perspective. I hope that after reading it you will understand these services better and design your own architecture more soundly.
Microsoft Azure's network architecture is designed specifically for enterprise private and hybrid clouds and includes three commonly used services:
Virtual Network: connects on-premises networks with cloud infrastructure
Traffic Manager: distributes user traffic across different data centers
Name resolution (DNS): resolves internal host names for cloud services
Below I highlight the points that need attention when using these three services, together with some other aspects of Microsoft Azure network services to watch out for: site-to-site VPN security settings, the use of private versus shared IP addresses, the use of BGP, how to deal with network latency, and so on.
Note before reading
Microsoft Azure uses a number of its own terms, two of which need special attention:
VIP (Virtual IP address): a public IP address on the Azure network, used to reach the virtual machines in an Azure virtual network from the Internet. This VIP is not the virtual IP address of a Network Load Balancing (NLB) cluster.
DIP (Dynamic IP address): the actual, DHCP-assigned internal IP address of a virtual machine in a virtual network. This DIP is likewise unrelated to NLB.
Virtual Network
A virtual network lets you create and manage an IPv4 address space of your own. You can set up a secure VPN connection between your on-premises intranet and the virtual network, or connect your cloud applications to the local network by joining the two networks together.
Virtual networks are also used to connect virtual machines to each other. Note that the virtual network has to exist first: when you create a virtual machine, you associate it with a virtual network that has already been created. In the same way, a virtual network can connect cloud services (Cloud Services) with one another, so that virtual machines belonging to different cloud services can communicate over private IPv4 addresses.
It is also important to note that you must create an affinity group (Affinity Group) before you create your first virtual network, because a virtual network that is not associated with an affinity group is not placed optimally. An affinity group is a logical grouping that Microsoft Azure uses to co-locate services, for example in the China East region. If you later create a storage service in the same affinity group, the other cloud services in that group will perform better against that storage service.
When you create an Azure virtual network, use a private IP addressing scheme (RFC 1918 space) rather than shared or public addresses. You also need to make sure that your on-premises network does not already use the addresses you pick for the virtual network: the two address ranges must not overlap.
Azure uses BGP to route traffic out of its data centers, but virtual networks currently do not support a load-balanced (NLB) or otherwise redundant VPN gateway. If you need high availability, you have to provide it on your side of the tunnel by other means, for example redundant hardware or a standby server that takes over when the primary VPN gateway fails (such as the Windows Server 2012 Routing and Remote Access Service, RRAS, on a failover cluster).
When you create an Azure virtual network, the address space you request is the aggregate of all the subnets you will carve out of it. Although you can summarize the network this way, you get no control over routing between these subnets (Azure routes between them automatically), and there is no way to apply access control between the subnets.
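As an added example (not code from the original article or from Microsoft), the following Python script checks a planned virtual network against the rules above: the address space is RFC 1918 private space, it does not overlap any on-premises prefix, and the subnets are carved out of the address space without overlapping each other. The prefixes and subnet names (Frontend, Backend, GatewaySubnet) are constructed sample data; the five addresses Azure keeps back in every subnet (network address, default gateway, two DNS relays, broadcast) are stated as an assumption in the code.

```python
"""Check an Azure virtual-network address plan before creating it.

Added example, not from the original article or from Microsoft. The prefixes
below are constructed sample data; AZURE_RESERVED_PER_SUBNET is an assumption
about how many addresses Azure keeps back in each subnet.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_RESERVED_PER_SUBNET = 5  # assumption: network, gateway, two DNS relays, broadcast

# Constructed sample plan: the on-premises network and the proposed virtual network.
ON_PREM_PREFIXES = ["10.0.0.0/16", "192.168.1.0/24"]
VNET_ADDRESS_SPACE = ["10.1.0.0/16"]
VNET_SUBNETS = {
    "Frontend": "10.1.0.0/24",
    "Backend": "10.1.1.0/24",
    "GatewaySubnet": "10.1.255.0/29",
}


def is_rfc1918(net):
    """True if the network lies entirely inside one of the RFC 1918 blocks."""
    return any(net.subnet_of(block) for block in RFC1918)


def usable_addresses(prefix):
    """Addresses left for virtual machines in a subnet after Azure's reservations."""
    net = ipaddress.ip_network(prefix)
    return max(0, net.num_addresses - AZURE_RESERVED_PER_SUBNET)


def validate_plan(on_prem, address_space, subnets):
    """Return a list of human-readable problems; an empty list means the plan is acceptable."""
    problems = []
    on_prem_nets = [ipaddress.ip_network(p) for p in on_prem]
    space_nets = [ipaddress.ip_network(p) for p in address_space]
    subnet_nets = {name: ipaddress.ip_network(p) for name, p in subnets.items()}

    # Rules 1 and 2: private space that does not collide with the local network.
    for space in space_nets:
        if not is_rfc1918(space):
            problems.append(f"address space {space} is not RFC 1918 private space")
        for local in on_prem_nets:
            if space.overlaps(local):
                problems.append(f"address space {space} overlaps on-premises prefix {local}")

    # Rule 3: every subnet is carved out of the address space and leaves room for VMs.
    for name, net in subnet_nets.items():
        if not any(net.subnet_of(space) for space in space_nets):
            problems.append(f"subnet {name} ({net}) is outside the address space")
        if usable_addresses(str(net)) == 0:
            problems.append(f"subnet {name} ({net}) leaves no usable addresses")

    # Rule 3 continued: subnets must not overlap one another.
    names = list(subnet_nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnet_nets[a].overlaps(subnet_nets[b]):
                problems.append(f"subnets {a} ({subnet_nets[a]}) and {b} ({subnet_nets[b]}) overlap")
    return problems


if __name__ == "__main__":
    issues = validate_plan(ON_PREM_PREFIXES, VNET_ADDRESS_SPACE, VNET_SUBNETS)
    print("plan OK" if not issues else "\n".join(issues))
    for name, prefix in VNET_SUBNETS.items():
        print(f"{name}: {usable_addresses(prefix)} usable addresses")
```

Run it with your own on-premises prefixes before you submit the network configuration; the same check is worth repeating whenever a new site is added to the VPN, since a later branch office with a colliding range will break routing over the tunnel just as surely as an overlap at creation time.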
In an Azure virtual network, virtual machines obtain their IP addresses over DHCP by default. You can reserve a static internal IP address for a virtual machine, but only through PowerShell when you create the VM. If you configure an address by hand inside the guest instead of using DHCP, the Azure network treats the device as being in an unknown state and you will no longer be able to connect to the virtual machine. Although the addresses are handed out by DHCP, a virtual machine's address does not change while it is running; it is released only when you stop (deallocate) or re-create the VM. If you shut the virtual machine down from the management portal, billing stops, the VM is shown as stopped (deallocated) (see figure below) and the IP address it was using is released. If instead you connect to the virtual machine's operating system and shut it down from inside, billing continues and the IP address is not released.
There are several ways to connect to virtual machines in an Azure virtual network. By default, each virtual machine is created with an RDP endpoint open to the Internet. Note that the public port of this endpoint is not the default RDP port 3389: Azure maps a randomly chosen public port on the VIP to port 3389 on the virtual machine. If you do not want the virtual machine exposed, disable this endpoint or move it to another port. The other way in is to connect from the corporate intranet to the Azure virtual network over a site-to-site VPN, which works just like RDP from a branch office to head office over a site-to-site VPN; this is described later in the article.
If you are not on the office network, or do not want to go through the office VPN, you can use a point-to-site connection to reach the virtual machines. This is equivalent to an SSTP remote-access VPN and is more secure than exposing RDP on the Azure virtual network directly.