Creating and managing virtual networks in Azure

Introduction

Virtual networks (VNets) in Azure are a powerful tool for creating isolated, secure and scalable network environments for your applications. With virtual networks, you can control network traffic flow, customize IP address ranges, and connect virtual machines (VMs) and other resources securely. This tutorial will guide you through the process of creating and managing virtual networks in Azure.

Prerequisites

To follow this tutorial, you will need:

  • An Azure Subscription. If you don’t have one, you can sign up for a free account here.
  • Basic knowledge of Azure resource groups, virtual machines, and networking concepts.
  • The Azure CLI or Azure PowerShell installed on your local machine. This tutorial will use Azure CLI commands.

Step 1: Create a Virtual Network

To create a new virtual network in Azure, you need to define the IP address range and the subnet CIDR block. You can create a virtual network using the Azure Portal, Azure CLI, or Azure PowerShell. In this tutorial, we will use the Azure CLI to create the virtual network.

  1. Open the Azure CLI on your local machine and login to your Azure account by running the following command:
    az login
    

    This command will open a web page where you can enter your Azure account credentials.

  2. Create a resource group to host the virtual network. Run the following command:

    az group create --name myResourceGroup --location eastus
    

    Replace myResourceGroup with a unique name for your resource group, and eastus with your preferred Azure region.

  3. Create a virtual network with one subnet. Run the following command:

    az network vnet create --name myVnet --resource-group myResourceGroup --address-prefixes 10.0.0.0/16 --subnet-name mySubnet --subnet-prefixes 10.0.0.0/24
    

    Replace myVnet with a unique name for your virtual network and mySubnet with a unique name for your subnet.

    This command creates a virtual network with the IP address range of 10.0.0.0/16 and a subnet with the CIDR block of 10.0.0.0/24.

  4. Verify that the virtual network is created by running the following command:

    az network vnet show --name myVnet --resource-group myResourceGroup --query "id"
    

    This command will return the unique ID of your virtual network.

Step 2: Create a Network Security Group

A Network Security Group (NSG) is a layer-4 firewall that controls inbound and outbound network traffic for resources in a virtual network. An NSG consists of a set of rules that allow or deny traffic based on source or destination IP address, port, and protocol.

To create an NSG in Azure, you can use the Azure Portal, Azure CLI, or Azure PowerShell. In this tutorial, we will use the Azure CLI.

  1. Create an NSG with one inbound rule that allows traffic from the internet to the virtual network. Run the following command:
    az network nsg create --name myNsg --resource-group myResourceGroup --location eastus
    az network nsg rule create --name myInboundRule --nsg-name myNsg --resource-group myResourceGroup --direction inbound --source-address-prefix "Internet" --source-port-range "*" --destination-address-prefix "*" --destination-port-range "*" --access allow --protocol tcp --priority 1000
    

    Replace myNsg with a unique name for your NSG.

    This command creates an NSG with one inbound rule that allows all TCP traffic from the internet to the virtual network.

  2. Associate the NSG with the virtual subnet. Run the following command:

    az network vnet subnet update --name mySubnet --vnet-name myVnet --resource-group myResourceGroup --network-security-group myNsg
    

    This command associates the NSG with the subnet of the virtual network.

Step 3: Create a Virtual Machine and Connect it to the Virtual Network

Now that you have created a virtual network and an NSG, you can create a virtual machine and connect it to the virtual network.

  1. Create a virtual machine in the virtual network subnet. Run the following command:
    az vm create --resource-group myResourceGroup --name myVm --image UbuntuLTS --admin-username azureuser --generate-ssh-keys --vnet-name myVnet --subnet mySubnet --public-ip-address ""
    

    Replace myVm with a unique name for your virtual machine and azureuser with your preferred username.

    This command creates a virtual machine with the Ubuntu LTS image, no public IP address, and connects it to the virtual network subnet.

  2. Connect to the virtual machine using SSH. Run the following command:

    ssh azureuser@<public-ip-address>
    

    Replace <public-ip-address> with the public IP address of your virtual machine.

  3. Verify that the virtual machine has access to the internet by running the following command:

    curl http://ipinfo.io/ip
    

    This command should return the public IP address of the virtual machine.

  4. Verify that the virtual machine is protected by the NSG by running the following command:

    curl http://testmy.net/ip
    

    This command should fail to connect because the NSG blocks incoming traffic from the testmy.net IP address.

Step 4: Connect Two Virtual Networks

In Azure, you can connect two virtual networks together using a Virtual Network Peering. A peering allows resources in one virtual network to communicate with resources in another virtual network securely and privately, as if they were in the same virtual network.

To create a virtual network peering, both virtual networks must be in the same Azure region and must not have overlapping IP address ranges.

  1. Create a second virtual network in the same region. Run the following command:
    az network vnet create --name myVnet2 --resource-group myResourceGroup --address-prefixes 192.168.0.0/16 --subnet-name mySubnet2 --subnet-prefixes 192.168.0.0/24
    

    Replace myVnet2 with a unique name for your second virtual network and mySubnet2 with a unique name for your subnet.

    This command creates a virtual network with the IP address range of 192.168.0.0/16 and a subnet with the CIDR block of 192.168.0.0/24.

  2. Create a virtual network peering between the two virtual networks. Run the following command:

    az network vnet peering create --name myPeering --resource-group myResourceGroup --vnet-name myVnet --remote-vnet /subscriptions/<subscription-id>/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet2 --allow-vnet-access
    

    Replace <subscription-id> with your Azure subscription ID.

    This command creates a peering between myVnet and myVnet2 and allows virtual machines in both virtual networks to communicate with each other.

  3. Connect a virtual machine in myVnet to a virtual machine in myVnet2. To do this, create two virtual machines, one in each virtual network, and configure them to allow ICMP traffic. Then ping one virtual machine from the other.

    # Create a virtual machine in myVnet
    az vm create --resource-group myResourceGroup --name myVm1 --image UbuntuLTS --admin-username azureuser --generate-ssh-keys --vnet-name myVnet --subnet mySubnet --public-ip-address ""
    
    # Create a virtual machine in myVnet2
    az vm create --resource-group myResourceGroup --name myVm2 --image UbuntuLTS --admin-username azureuser --generate-ssh-keys --vnet-name myVnet2 --subnet mySubnet2 --public-ip-address ""
    
    # Allow ICMP traffic in myVm1
    az vm open-port --port 22,80,443,icmp --resource-group myResourceGroup --name myVm1
    
    # Allow ICMP traffic in myVm2
    az vm open-port --port 22,80,443,icmp --resource-group myResourceGroup --name myVm2
    
    # Ping myVm1 from myVm2
    ping <myVm1-private-ip-address>
    

    Replace <myVm1-private-ip-address> with the private IP address of myVm1.

Conclusion

In this tutorial, you learned how to create and manage virtual networks in Azure. You learned how to create a virtual network, a network security group, and a virtual machine, and how to connect virtual networks using a virtual network peering. With these skills, you can create isolated and secure networking environments for your applications in Azure.

Related Post