You can configure your virtual network in much the same way that you configure your internal on-premises network; that is, you set DNS, security policies and configure the routing. You can even divide the VNet into subnets. Your Azure VNet becomes an extension of your internal network.
You can use virtual appliances, which are virtual machines on which you have installed some sort of software firewall, intrusion detection/prevention solution or other dedicated function, on your Azure VNet. Virtual appliances can play a very important role in your cloud security strategy. However, using virtual appliances requires that you do a little extra configuration to make things work properly.
The first step is to create a virtual machine in your VNet, which is easy to do with the Azure portal. If you prefer, you can do it using the Azure Command Line Interface or Azure PowerShell. You can choose from different operating systems. For purposes of this article, we’ll assume that your VM is going to run Windows Server 2012 R2.
In the portal’s graphic interface, you select a deployment model, give the VM a name and enter the admin user name and password. Then you have to specify the size of the VM (cores, memory and support for various features). Pricing is based on the size so select what’s appropriate for your virtual appliance’s use case. Then you configure the settings and choose optional features, such as premium storage (faster SSD disks). That’s all there is to it. Now you can log onto the virtual machine and install the appliance software.
But wait: An important consideration when working with virtual appliances on Azure virtual machines is that many virtual appliances running in the cloud, just like the software based firewalls that run on your on-premises network, need to use multiple network interfaces (NICs). Microsoft announced that they would be adding support for multiple NICs in Azure VMs back in 2014.
There are, unfortunately, some limitations on using multiple NICs. The first is that they must be created in VNets. That’s not such a big deal, but you might also run into this issue: within a cloud service, either all the VMs have to be enabled for multiple NICs or all must be single-NIC VMs. You can’t mix them within the same deployment. Another quandary is that if a virtual machine has been created with no secondary interfaces, you can’t update it to add interfaces.
How many NICs can you create in a VM? That depends on the size of the VM. Extra small, small and medium VMs can only support one NIC. Large (A3) can support two and extra large (A4) can support up to four NICs. The largest number of NICs (16) is supported by DS14 and G5 VMs. For the full table showing the maximum allowed number of NICs for all VM sizes, and for more information about multiple NICs in Azure VMs, see the Microsoft Azure web site at: https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-multiple-nics/
Assuming you get past all of the constraints and caveats, using multiple NICs gives you a lot more capability for isolating traffic and managing network traffic along with running and using virtual appliances. You can create a VM with multiple NICs using the Azure PowerShell interface. You’ll need to designate the subnet and IP adderss of the default NIC first and then add additional NICs to the virtual machine’s configuration before you create the VM. The full instructions are in the web page referenced above.
Once you have your VM set up, in order for network traffic to reach your virtual appliance, you are going to have to enable IP forwarding on the VM on which it’s installed, and create a routing table to host the route. You do this using Azure PowerShell. The PowerShell command is New-AzureRouteTable.
Once you’ve created the routing table, you add a route to it using the NextHopType VirtualAppliance NextHopIpAddress command.
You’re not finished yet. You now will have to associate the route table with at least one subnet before it can be used. To do that, we use the command Set-AzureSubnetRouteTable.
Only after you’ve done all of the above are you ready to enable IP Forwarding for your virtual machine. You’ll need to first get the VM on which your virtual appliance is running, and then you’ll use the Set-AzureIPForwarding –Enable command.
You can find the detailed instructions and examples of the use of these PowerShell commands on the Microsoft Azure web site here:
Using virtual appliances on an Azure virtual network requires some planning, consideration of a number of factors, and extra configuration, but it can be done.