Archive

Monthly Archives: August 2024

The Crux of Networking

August 7, 2024
Uncategorized
Leave a comment

As part of my long journey in networking I’ve observed that networking has evolved to accomodate cloud and SaaS traffic. Be it Multicloud or be it SDWAN, networking has accomodated these new traffic patterns.

In this post I would like to highlight some essential items which I think to be the crux of networking.

1: IP Endpoints: Consider this to be the endpoint. Endpoint of what ? An endpoint which can be considered as a source or sink of traffic. An endpoint from which traffic is generated or where traffic is sinking into. Or it could be an endpoint where the journey of traffic translates into another journey.

2: Block of IP Endpoints: These are subnets or CIDR blocks. They are blocks or groups of IP endpoints which are used to communicate the existence of a group of IP endpoints in a certain locations. So for example x.x.x.x/24 will be in North America while y.y.y.y/24 will be a group of endpoints in Asia.

3: Routing Domain: This is an imaginary logical boundary behind which a group / block of IP endpoints are being routed. Consider a routing domain to be a domain which has a routing table. A routing table which lists the groups of IP endpoints inside the routing domain and where they further connect to at Layer 2.

This is it and I will stop at these 3 only. Why ?

This is because the classic networking in Service Providers or Enterprise WAN networks has evolved to accomodate SDWAN and Cloud so much that I think we need to stop at these 3. The (older) concepts of routing protocols are now considered solid parts of networking which are a given. A routing protocol is sprouted so as to exchange the routability of blocks of IP endpoints. The reachability information is shared ahead so that the IP endpoints and their blocks/groups are reachable from far away. They are a given now.

Why only these 3 ?

This is because I feel most of networking can be explained starting from these three concepts. For example concepts of end to end reachability, a route table, filtering at the edge of the routing domain, firewalling for IP endpoints and layer 4, etc etc can be built and explained around these three concepts.

These are the three concepts that are needed to explain the cloud networks in the form of Azure VNets, AWS VPCs and GCP networking.

I know there are other concepts to networking like Load Balancing, NAT etc etc. But I like to think that these three are the crux of networking. At least for Layer 3.

Thanks, Habib

Azure Networking

August 5, 2024
Cloud Computing, Distributed Systems, Network Design
1 Comment

Given below is a prompt I gave to ChatGPT GPT4o:

“In Azure networking what is a routing domain and what are on its boundaries. What are the inter-routing-domain routing types and what are any translations on the networking routing domain boundaries.”

and here is the answer I got from ChatGPT:

In Azure networking, a routing domain is a segment of the network where all the resources follow the same routing logic and policies. Routing domains can be used to segment traffic, apply specific routing policies, and ensure network isolation. Each routing domain typically has its own set of routing tables that determine how traffic should be forwarded within and between domains.

Boundaries of a Routing Domain

The boundaries of a routing domain in Azure are typically defined by the following components:

  1. Virtual Networks (VNets): VNets are fundamental building blocks in Azure networking, and each VNet can be considered a routing domain.
  2. Subnets: Subnets within a VNet can also be routing domains, depending on the routing policies applied.
  3. Network Security Groups (NSGs): NSGs can define boundaries by controlling inbound and outbound traffic at the subnet or network interface level.
  4. Route Tables: Route tables attached to subnets define the specific routing within that subnet.

Inter-Routing-Domain Routing Types

Inter-routing-domain routing types in Azure include:

  1. Peering:
  • VNet Peering: Allows you to connect VNets within the same Azure region or across regions. VNets can communicate as if they were on the same network, but they maintain their own routing tables and boundaries.
  • Global VNet Peering: Extends VNet peering to allow communication across different Azure regions.
  1. VPN Gateways:
  • Site-to-Site VPN: Connects an on-premises network to an Azure VNet over a secure VPN tunnel.
  • VNet-to-VNet VPN: Connects two or more VNets using VPN gateways.
  1. ExpressRoute:
  • ExpressRoute Circuits: Provides a private connection between Azure datacenters and on-premises infrastructure, bypassing the public internet.
  • ExpressRoute Direct: Offers dedicated, private connections for high-throughput and latency-sensitive applications.
  1. Azure Virtual WAN:
  • Hub-and-Spoke Architecture: Uses Virtual WAN hubs to connect VNets and on-premises networks in a centralized manner.
  • Any-to-Any Connectivity: Facilitates any-to-any connectivity through Virtual WAN.

Translations on the Networking Routing Domain Boundaries

When traffic crosses the boundaries of routing domains, certain translations and adjustments might occur to ensure proper routing and security. These include:

  1. NAT (Network Address Translation):
  • Public IP Addresses: When traffic exits an Azure VNet to the internet, it typically uses a public IP address, requiring NAT.
  • Azure Firewall and NAT Gateway: These services provide NAT capabilities for outbound traffic.
  1. Route Propagation:
  • BGP (Border Gateway Protocol): Used in ExpressRoute and VPN gateways to propagate routes between Azure and on-premises networks.
  1. Access Control:
  • NSGs and Application Security Groups (ASGs): Apply security rules to control traffic entering and exiting a routing domain.
  • Azure Firewall: Acts as a centralized security policy enforcement point, applying rules to traffic crossing routing domain boundaries.
  1. Uptime and Performance Management:
  • Traffic Manager and Front Door: These services help manage traffic routing for high availability and performance, ensuring that traffic is directed to the most appropriate endpoints.

Summary

In Azure networking, routing domains help segment and control network traffic. Their boundaries are defined by components like VNets, subnets, NSGs, and route tables. Inter-routing-domain routing can be achieved through VNet peering, VPN gateways, ExpressRoute, and Virtual WAN. Translations and adjustments such as NAT, route propagation, and access control are necessary to manage traffic crossing these boundaries.

—————————- End of ChatGPT Response ——————————–

It’s obvious that if you know the fundamentals of packet forwarding then grasping how Azure or AWS is doing it won’t be difficult. Here is how I would put it:

An IP is an endpoint. A block of IPs is a subnet and is a group of endpoints. A routing domain houses groups of IP endpoints. A routing domain can be considered as a boundary behind which one or more subnets i.e. groups of IP endpoints exist.

The rest is in the answer of the prompt. A routing domain has things inside it (endpoints and groups of endpoints) and it has a boundary. There is inter-routing-domain constructs and there are translation and/or security constructs on the boundary as well.

In Azure, a VNet is a routing domain. As always the right prompt gives a lot of good information.