Hello and welcome to Filtering, Routing, and Integration. In this lesson, we’ll take a look at ways you can filter network traffic in Azure and at ways you can route network traffic in Azure. We will also touch on ways you can integrate Azure services in a virtual network.

In a production environment, you’ll often find that you need to filter traffic between subnets. You’ll need to allow certain traffic while blocking other traffic. There are two key ways to accomplish this type of filtering. You can use security groups, or you can use network virtual appliances.

Security groups fall into two types: network security groups and application security groups. A network security group, when you create it in Azure, can be assigned to a specific NIC or to an entire subnet. Any rules that are defined within the network security group are then applied to that NIC or to all NICs and virtual machines on the subnet when the security group is applied to the entire subnet. This works for many, even most scenarios. However, if you need more flexibility, you can leverage an application security group.

When you deploy an application security group, you can logically group the NICs of several different virtual machines on the same virtual network and then apply a network security group rule to only those grouped NICs. This allows you to create different traffic rules for different groups of NICs on the same network without needing to assign the different rules on a one-off basis. You could essentially have a group of SQL VMs connected to the same vNet as your group of application VMs. Using a separate application security group for each group of VMs allows you to manage the network security rules for each different group of VMs – even though they all reside on the same network.

While security groups provide a great way to filter network traffic, you can also use network virtual appliances. A network virtual appliance (or NVA) is really just a virtual machine that is used to perform a specific network task. For example, you can deploy an NVA that acts as a firewall or one that provides WAN optimization.

Some available NVAs include the “Barracuda CloudGen WAF for Azure” and the “Citrix SD-WAN Center”.

While Azure automatically handles routing of network traffic between subnets, vNets, on-prem networks, and the internet by default, if you need to create your own routes, you can leverage route tables and BGP routes.

Route tables are custom tables that allow you to define custom routes that control how traffic is routed for each of your subnets.  BGP routes, or border gateway protocol routes, are typically used when you connect an Azure virtual network to an on-prem network via an ExpressRoute connection or via an Azure VPN Gateway. In these scenarios, you use BGP routes to propagate your existing on-prem BGP routes to your virtual networks in Azure.

The details of how BGP works are out of scope for this getting started course but if you want to learn more about BGP, you can visit the URL that you see on your screen: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview?toc=/azure/virtual-network/toc.json

Before we wrap this lesson up, let’s talk a little bit about virtual network integration. When you integrate an Azure service to an Azure virtual network, what you are really doing is enabling private access to whatever service you are integrating from VMs or other compute resources that reside on the virtual network.

You can create these integrations in a few different ways. For example, you can deploy a dedicated HDInsight instance and directly transfer data between it and SQL server that’s running on a VM on the virtual network, via a private IP address.

For more technical details on this option, visit the URL that you see on your screen: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services

Another way to achieve vNet integration is to use private links. A private link can be used to privately access a specific service instance from your virtual network or from your on-prem network.

To learn more about Private Link, visit the URL that you see on your screen: https://docs.microsoft.com/en-us/azure/private-link/private-link-overview

Lastly, you can use service endpoints to extend a virtual network to a specific Azure service. When you configure service endpoints to access an Azure service, you can secure that service to the virtual network. In other words, you can use service endpoints to create secure and direct connectivity to Azure resources over an optimized route across the Azure backbone network.

To learn more about service endpoints, visit the URL that you see on your screen: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview