Azure Equivalent to layer 2 port isolation

Steve Hobbs 21 Reputation points
2020-12-31T13:07:43.71+00:00

We are looking for some advice on ways to achieve our azure network design goals.

We are wondering if it would be achievable to implement Azure Virtual machines in a way similar to how we isolate desktop endpoints at Layer 2 using port isolation.
One of our goals is to prevent unsolicited Virtual machine to Virtual machine communication, and to provide a central point for traffic inspection. To achieve this we were considering forcing each VM to filter traffic through a firewall appliance, before sending to its destination.

I know this can be achieved on a subnet level, using Network security groups and User defined routing, and theoretically we could use the same concept by using a separate subnet NSG and UDR for each Virtual machine, but that seems like it may create too much complexity.
I’d be interested in hearing any other ideas to achieve this goal, or technical reasons on why this idea would be not feasible.

Thanks in advance.


Accepted answer
    GitaraniSharma-MSFT 49,626 Reputation points Microsoft Employee
    2021-01-04T07:55:54.697+00:00

    Hello @Steve Hobbs ,

    Welcome to Microsoft Q&A Platform. Thanks for posting your query.

    In order to prevent unsolicited Virtual machine to Virtual machine communication, and to provide a central point for traffic inspection, you can implement UDRs on the subnet levels as below:
    Vnet/subnet address range (depending upon your requirement of granularity) --> Next hop Virtual appliance.

    Azure creates a route with an address prefix that corresponds to each address range defined within the address space of a virtual network. Azure automatically routes traffic between subnets using the routes created for each address range. So when you create a UDR with the Vnet/subnet address prefix and point it to a NVA, the UDR overrides the default route. And this makes sure that all traffic from one machine to another machine in the same subnet or between subnets of that Vnet is routed through the configured NVA/Firewall.
    This behavior is documented here : https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#can-azure-firewall-forward-and-filter-network-traffic-between-subnets-in-the-same-virtual-network-or-peered-virtual-networks

    When outbound traffic is sent from a subnet, Azure selects a route based on the destination IP address, using the longest prefix match algorithm. For example, a route table has two routes: one route specifies the 10.0.0.0/24 address prefix, while the other route specifies the 10.0.0.0/16 address prefix. Azure routes traffic destined for 10.0.0.5 to the next hop type specified in the route with the 10.0.0.0/24 address prefix, because 10.0.0.0/24 is a longer prefix than 10.0.0.0/16, even though 10.0.0.5 is within both address prefixes.

    If multiple routes contain the same address prefix, Azure selects the route type based on the following priority:
    User-defined route
    BGP route
    System route

    For more information on Azure Routing, please refer : https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

    In order to allow/block traffic to/from any address prefix on any port, you can configure NSGs.
    Please refer : https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
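
As an added illustration (not part of the original question or answer), the following Python models the route selection the accepted answer describes: longest prefix match first, then user-defined > BGP > system as the tie-breaker among equal prefixes, and shows how a UDR for the VNet prefix pointed at an NVA overrides the default VirtualNetwork system route. The VNet prefix 10.0.0.0/16, the NVA address 10.0.1.4 and the route dictionaries are constructed for this example.

```python
import ipaddress

# Tie-break order Azure applies when several routes share one prefix
# (user-defined route beats BGP route beats system route).
ROUTE_TYPE_PRIORITY = {"user": 0, "bgp": 1, "system": 2}


def select_route(routes, dest_ip):
    """Return the route Azure would choose for dest_ip.

    Longest matching prefix wins; among routes with the same prefix
    length the route type with the lowest priority value wins.
    """
    dest = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if dest in ipaddress.ip_network(r["prefix"])]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (
            -ipaddress.ip_network(r["prefix"]).prefixlen,  # longer prefix first
            ROUTE_TYPE_PRIORITY[r["type"]],                 # then UDR > BGP > system
        ),
    )


# Constructed default routes for a VNet with address space 10.0.0.0/16.
SYSTEM_ROUTES = [
    {"prefix": "10.0.0.0/16", "type": "system", "next_hop": "VirtualNetwork"},
    {"prefix": "0.0.0.0/0", "type": "system", "next_hop": "Internet"},
]

# The UDR from the answer: VNet prefix -> next hop virtual appliance (constructed NVA IP).
NVA_UDR = {"prefix": "10.0.0.0/16", "type": "user", "next_hop": "10.0.1.4"}


def effective_next_hop(dest_ip, udrs=()):
    """Next hop a VM's subnet would use for dest_ip given optional UDRs."""
    route = select_route(SYSTEM_ROUTES + list(udrs), dest_ip)
    return route["next_hop"] if route else "None"


if __name__ == "__main__":
    # Without the UDR, VM-to-VM traffic stays on the VirtualNetwork system route.
    print(effective_next_hop("10.0.2.5"))             # VirtualNetwork
    # With the UDR, the same-prefix user route wins and traffic goes via the NVA.
    print(effective_next_hop("10.0.2.5", [NVA_UDR]))  # 10.0.1.4
    # Internet-bound traffic is unaffected by a VNet-prefix UDR.
    print(effective_next_hop("8.8.8.8", [NVA_UDR]))   # Internet
```

Do not associate a route table carrying this VNet-prefix UDR with the NVA's own subnet, or the appliance's forwarded traffic is sent back to itself in a loop; the NVA subnet keeps the system routes.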

