Azure Networking: VNets, Subnets, and Docker Comparison
This note summarizes the relationship between Azure infrastructure and application-level networking (Docker/Nginx).
1. The Azure Virtual Network (VNet) as a Router
An Azure VNet is essentially your own private datacenter network. While you don’t see a physical router, Azure manages a “Virtual Router” for you.
- Logic: Azure handles the Routing, DHCP (assigning IPs), NAT, and Switching.
- Public vs. Private: You usually get one Public IP for the gateway/load balancer and many Private IPs (10.x.x.x) for the internal machines.
- Traffic Flow: Internet → Public IP → Azure NAT → VM Private IP.
2. The Subnet Math (Why 251 IPs?)
When you create a /24 subnet (which mathematically has 256 addresses), Azure shows 251 available. This is because Azure reserves 5 IP addresses for its own management:
- x.x.x.0: Network Address
- x.x.x.1: Default Gateway (The Azure Router)
- x.x.x.2: Azure DNS Mapping
- x.x.x.3: Internal/Future use
- x.x.x.255: Broadcast Address
3. Azure VNet vs. Docker Networking
A common question is: “Why use VNets if I can just use Docker networks and Nginx?”
| Feature | Docker Networking | Azure VNet Networking |
|---|---|---|
| Scope | Inside a single VM. | Across multiple VMs/Services. |
| Resilience | If the VM dies, the network dies. | If one VM dies, the network stays up. |
| Security | Containers talk to each other on one host. | Different VMs can be isolated (e.g., Database VM has no Public IP). |
| Scale | Great for microservices on one box. | Necessary for multi-server production clusters. |
The “Real World” Setup: In professional environments, you use both.
- Azure VNet connects VM1 (Web) to VM2 (Database) privately.
- Docker manages the containers inside VM1.
4. The Terraform Infrastructure Flow
To build a full VM with networking in Terraform, you follow this logical sequence:
- Resource Group: The container for everything.
- Virtual Network (VNet): The overall private network space.
- Subnet: A slice of the VNet for specific tasks.
- Public IP: The entry point from the internet.
- Network Interface (NIC): The “virtual network card” that attaches to the VM.
- Virtual Machine (VM): The actual compute power.
5. Key Takeaway
You use a VNet when you want infrastructure-level security. By putting a database in a private subnet with no Public IP, it cannot be reached directly from the internet at all, even by someone who has the password. An attacker would have to go through your Nginx/Web VM first, which is why the hardening of that VM and the NSG rules between the two subnets are what actually protect the database.
6. Terraform Implementation: Public IP & NIC
Now that the network foundation (Resource Group, VNet, Subnet) is built, the next step is to attach resources to it.
1️⃣ Create a Public IP
A Public IP allows the internet to reach your machine.
```hcl
resource "azurerm_public_ip" "publicip" {
  name                = "terraform-public-ip"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  allocation_method   = "Static"
  sku                 = "Basic"
}
```
- allocation_method = Static: Ensures Azure keeps the same IP address for the resource.
- sku = Basic: The most cost-effective option for testing.
2️⃣ Create a Network Interface (NIC)
The NIC acts as the virtual network card for your VM, connecting it to the subnet and the Public IP.
```hcl
resource "azurerm_network_interface" "nic" {
  name                = "terraform-nic"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.subnet1.id
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id          = azurerm_public_ip.publicip.id
  }
}
```
What this does:
- Assigns a private IP from your subnet.
- Attaches the public IP created in the previous step.
3️⃣ Deployment Workflow
- terraform plan: Verify the creation of azurerm_public_ip.publicip and azurerm_network_interface.nic.
- terraform apply: Execute the changes.
7. Why This Abstraction Matters
In Azure, a VM never connects directly to a subnet. The hierarchy is: VM → Network Interface (NIC) → Subnet
This allows for:
- Multiple NICs per VM.
- Multiple IP addresses.
- Granular Network Security Group (NSG) rules.
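The following is an added example, not code from the original note: it wires up the private Database VM from section 5 as a NIC with no Public IP and attaches an NSG with the granular rules mentioned above, so that only the web subnet can reach the database port and every other inbound path (internet or other VNet hosts) is denied. It assumes the note's azurerm_resource_group.test and azurerm_subnet.subnet1 (the web subnet), plus a hypothetical azurerm_subnet.db_subnet for the database, and the address_prefixes attribute of the azurerm provider v3.

```hcl
# Added example; db_subnet, db_nic and db_nsg are hypothetical names.
resource "azurerm_network_interface" "db_nic" {
  name                = "terraform-db-nic"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.db_subnet.id
    private_ip_address_allocation = "Dynamic"
    # No public_ip_address_id: the database has no route in from the internet.
  }
}

resource "azurerm_network_security_group" "db_nsg" {
  name                = "terraform-db-nsg"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  # Allow PostgreSQL only from the web subnet's address range.
  security_rule {
    name                       = "allow-postgres-from-web"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "5432"
    source_address_prefix      = azurerm_subnet.subnet1.address_prefixes[0]
    destination_address_prefix = "*"
  }
  # Deny everything else inbound; 4000 beats Azure's default AllowVnetInBound (65000).
  security_rule {
    name                       = "deny-all-inbound"
    priority                   = 4000
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

resource "azurerm_network_interface_security_group_association" "db_nic_nsg" {
  network_interface_id      = azurerm_network_interface.db_nic.id
  network_security_group_id = azurerm_network_security_group.db_nsg.id
}
```

Without the explicit deny rule, Azure's default AllowVnetInBound rule would still let any other host in the VNet reach the database, so a compromised web container could pivot freely; the deny at priority 4000 closes that gap.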
8. Next Steps
Once the NIC is ready, the final step is to create the azurerm_linux_virtual_machine. This will spin up the actual VPS, where you can then automate the installation of Docker and other services.