Lessons learned segmenting Azure network traffic
Published By
Nikhil Patel
December 8, 2022
5 min read.

Whilst planning the move of network infrastructure from one public cloud to another, or from on-premises to a public cloud, exploring the capabilities and limitations of the provider's services up front can save you time, effort and rework.

If you are planning to migrate your network infrastructure to Azure, watch out for the limitations of Azure VNets and VMs described below. They may force you to design your network differently from the way you normally would, and some of your critical design decisions will have to accommodate the limits you hit in Azure.

An Azure Virtual Network (VNet) is a logical separation of your network within Azure, dedicated to your subscription. It works purely at Layer 3 of the Open Systems Interconnection (OSI) model and does not support Layer 2 segmentation using Virtual Local Area Networks (VLANs). You may be able to extend an on-premises subnet into Azure, but only through a Layer 3 overlay.

You cannot configure VLANs in Azure VNets. VNets provide Layer 3 segmentation only and expose no Layer 2 semantics, so a design that relies on VLAN sub-interfaces on a network device, each placed in its own VRF, cannot be carried over to Azure as it is.

If you intend to run FortiGate firewalls in a high availability cluster that relies on Layer 2 connectivity between the nodes, you will face challenges, because Azure gives you no Layer 2 segmentation using VLANs. Fortinet's Azure deployments work around this with a unicast heartbeat over a dedicated subnet and handle failover by moving IP addresses and route-table next hops through the Azure API, which is a different design from an on-premises cluster and needs to be planned for.

Furthermore, the maximum number of Network Interface Cards (NICs) allowed per Virtual Machine (VM) in Azure is tied to the VM size and is quite restrictive. To get more than two NICs on a VM you may have to pick a much larger size, which often forces you to over-provision CPU and memory on that VM just to meet the NIC requirement.

Since there is no VLAN support in Azure, you cannot create sub-interfaces on a single NIC, and with the restricted number of NICs available this further shrinks your design options. If you intend to use FortiGate Virtual Domains (VDOMs) to logically segment the firewall, each VDOM that faces the network needs at least one NIC of its own rather than a VLAN sub-interface, so the NIC cap limits how many VDOMs you can use.

As there is no Layer 2 connectivity between Azure regions, a FortiGate HA cluster cannot be spanned across regions, and the limited number of interfaces per VM adds to the pain of the HA setup. HA across availability zones within a region has limited support; across regions it is not possible.

If you get stuck with routing issues in your Azure subscription, check two things first. Make sure IP forwarding is enabled on the Azure NIC of any virtual appliance that is expected to forward traffic not addressed to itself; otherwise Azure drops those packets before the appliance ever sees them (the guest OS must also have forwarding turned on, for example net.ipv4.ip_forward on Linux, but that alone is not enough). Then make sure User Defined Routes (UDRs) are attached to the subnets whose traffic you want to steer, because a subnet without a route table keeps Azure's system routes and simply bypasses the appliance.
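As an added illustration of those two checks (this is example code written for this page, not code from the original post or from Fortinet), the script below audits exported Azure resources for a VirtualAppliance route whose next hop NIC has IP forwarding disabled or does not exist, and for subnets with no route table. It assumes the JSON shape printed by `az network nic show`, `az network route-table show` and `az network vnet subnet show` (ARM property names such as enableIPForwarding, privateIPAddress, nextHopType and nextHopIpAddress); the resources embedded in it are constructed for the example.

```python
"""Audit Azure routing for two NVA pitfalls: a User Defined Route whose next
hop is a virtual appliance NIC without IP forwarding, and a subnet with no
route table that therefore still follows Azure's system routes.

Example code, not from the original post. Inputs mimic the JSON shape of
`az network nic show`, `az network route-table show` and
`az network vnet subnet show`; all resources below are constructed samples.
"""
import json

# Constructed sample: an NVA with an outside and an inside NIC. Spokes are
# routed via the inside NIC, and that NIC has Azure IP forwarding disabled.
NICS = json.loads("""
[
  {"name": "fgt-nic-outside", "enableIPForwarding": true,
   "ipConfigurations": [{"privateIPAddress": "10.0.1.4"}]},
  {"name": "fgt-nic-inside", "enableIPForwarding": false,
   "ipConfigurations": [{"privateIPAddress": "10.0.2.4"}]}
]
""")

# Constructed sample: one route table steering spoke traffic to the NVA.
# The on-prem route points at an address that no NIC in the VNet owns.
ROUTE_TABLES = json.loads("""
[
  {"name": "rt-spokes",
   "routes": [
     {"name": "default-via-fgt", "addressPrefix": "0.0.0.0/0",
      "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.2.4"},
     {"name": "onprem-via-fgt", "addressPrefix": "192.168.0.0/16",
      "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.2.5"},
     {"name": "vnet-local", "addressPrefix": "10.0.0.0/16",
      "nextHopType": "VnetLocal", "nextHopIpAddress": null}
   ]}
]
""")

# Constructed sample: spoke-b was never associated with a route table.
SUBNETS = json.loads("""
[
  {"name": "spoke-a",
   "routeTable": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-hub/providers/Microsoft.Network/routeTables/rt-spokes"}},
  {"name": "spoke-b", "routeTable": null}
]
""")


def nics_by_private_ip(nics):
    """Index every private IP configured on any NIC to its owning NIC."""
    return {cfg["privateIPAddress"]: nic
            for nic in nics for cfg in nic["ipConfigurations"]}


def check_virtual_appliance_routes(route_tables, nics):
    """Flag VirtualAppliance routes whose next hop cannot actually forward.

    Each finding is a dict with the route, the next hop and a problem code:
    "unknown_next_hop" when no NIC owns that address, "ip_forwarding_disabled"
    when the NIC exists but Azure will drop packets not addressed to it.
    """
    by_ip = nics_by_private_ip(nics)
    findings = []
    for table in route_tables:
        for route in table["routes"]:
            if route["nextHopType"] != "VirtualAppliance":
                continue  # Internet, VnetLocal, gateway and None hops need no NIC
            hop = route.get("nextHopIpAddress")
            nic = by_ip.get(hop)
            if nic is None:
                findings.append({"route": f"{table['name']}/{route['name']}",
                                 "next_hop": hop, "problem": "unknown_next_hop"})
            elif not nic["enableIPForwarding"]:
                findings.append({"route": f"{table['name']}/{route['name']}",
                                 "next_hop": hop, "nic": nic["name"],
                                 "problem": "ip_forwarding_disabled"})
    return findings


def subnets_without_route_table(subnets):
    """Subnets with no route table keep Azure's system routes, so their
    traffic never reaches the appliance regardless of the UDRs elsewhere."""
    return [s["name"] for s in subnets if not s.get("routeTable")]


def audit(route_tables=ROUTE_TABLES, nics=NICS, subnets=SUBNETS):
    """Run both checks; empty lists mean the routing setup looks clean."""
    return {"bad_routes": check_virtual_appliance_routes(route_tables, nics),
            "subnets_on_system_routes": subnets_without_route_table(subnets)}


if __name__ == "__main__":
    result = audit()
    for finding in result["bad_routes"]:
        print(f"route {finding['route']} -> {finding['next_hop']}: {finding['problem']}")
    for name in result["subnets_on_system_routes"]:
        print(f"subnet {name} has no route table; system routes apply")
```

On the constructed sample the audit reports the default route (forwarding disabled on fgt-nic-inside), the on-prem route (next hop 10.0.2.5 owned by no NIC) and subnet spoke-b. The corresponding fixes are `az network nic update --ip-forwarding true` on the appliance NIC and `az network vnet subnet update --route-table rt-spokes` on the subnet, plus the guest OS forwarding setting, which this script cannot see.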
