
Network Segregation

Network Segregation is the configuration of a network into separate parts, usually into separate Virtual Networks (VNets). Some of these parts may be designated demilitarized zones, which accept public internet traffic. Others may only accept traffic from trusted network zones - private networks. Each VNet is independent of the others and may duplicate or overlap their address spaces. Traffic from one VNet can't reach another VNet without introducing some kind of routing controller.



Traffic to and from services in private networks can be blocked at the transport layer. You can use characteristics of the traffic, such as origin IPs, to selectively block or allow traffic to networks. You can filter network traffic in an Azure VNet using Network Security Groups, or by manipulating DNS entries and routing tables. Azure services also support the use of Virtual network service tags, which represent groups of IP addresses associated with particular services.


Third parties such as cloud vendors or ISVs usually host PaaS and SaaS services outside of a customer's network. Workloads that are isolated to a private network need some mechanism to be able to route traffic to these services. Mechanisms in Azure such as Private Link can enable routing traffic to these services. Many of these services can also address services in the private network using features such as Azure App Service's VNet Integration.
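As an added example (not from the original page), the Bicep below defines a Network Security Group for a subnet hosting a private-zone workload, using the service tags described above: inbound HTTPS is allowed only from the VirtualNetwork tag rather than the weak '*' or 'Internet' source, and outbound traffic to the Internet tag is denied so that PaaS services must be reached through Private Link endpoints inside the VNet. The NSG name, rule names and priorities are assumptions; the built-in default rules referenced in the comments are Azure's standard NSG defaults.

```bicep
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-private-workload'            // assumed name
  location: resourceGroup().location
  properties: {
    securityRules: [
      {
        // Weak setting: sourceAddressPrefix '*' or 'Internet' exposes the
        // listener publicly. The VirtualNetwork tag limits it to the VNet
        // address space, peered VNets and VPN/ExpressRoute-connected ranges.
        // Everything else inbound is dropped by the default DenyAllInBound
        // rule at priority 65500.
        name: 'AllowHttpsFromVnet'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
      {
        // The default AllowInternetOutBound rule (65001) lets the workload
        // egress to any public endpoint. Denying the Internet tag ahead of it
        // forces PaaS traffic onto Private Link endpoints inside the VNet.
        name: 'DenyInternetOutbound'
        properties: {
          priority: 4000
          direction: 'Outbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Internet'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file nsg.bicep` and associate the NSG with the workload subnet; the outbound deny will also block any PaaS service that has not been given a Private Link endpoint, which is the intended check.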


A common way to connect VNets to each other is to use VPN tunnels. Different configurations are possible, such as site-to-site or point-to-site, with varying levels of capability, complexity and cost. If you are using Azure Virtual Network, you can use features such as ExpressRoute or VNet Peering to enable cross-network connectivity. It's also possible to use these features to connect different pods or containers in a Kubernetes cluster to a VNet, by using the Azure Virtual Network container network interface (CNI).


Isolation and Integration

  • The "Reduce attack surface by restricting network access to PaaS services" solution provides implementations that show how to restrict PaaS service network traffic to a virtual network. The implementations show how typically public PaaS service endpoints can be isolated to ensure all inbound network traffic has to originate from the virtual network. The implementations also show how PaaS services can be integrated with a virtual network to restrict all outbound traffic to services within the virtual network.