Skip to content

Commit e33a6e9

Browse files
johndownsjohndowns
committed
Update reliability guide
1 parent 5ec21ab commit e33a6e9

File tree

1 file changed

+58
-50
lines changed

1 file changed

+58
-50
lines changed

articles/reliability/reliability-virtual-network.md

Lines changed: 58 additions & 50 deletions
Original file line numberDiff line numberDiff line change
@@ -4,113 +4,121 @@ description: Find out about reliability in Azure Virtual Network, including avai
44
author: asudbring
55
ms.author: allensu
66
ms.topic: reliability-article
7-
ms.custom: subject-reliability, references_regions
7+
ms.custom: subject-reliability
88
ms.service: azure-virtual-network
99
ms.date: 05/20/2025
10-
#Customer intent: As an engineer responsible for business continuity, I want to understand who need to understand the details of how Azure Virtual Network works from a reliability perspective and plan disaster recovery strategies in alignment with the exact processes that Azure services follow during different kinds of situations.
11-
10+
#Customer intent: As an engineer responsible for business continuity, I want to understand who need to understand the details of how Azure Virtual Network works from a reliability perspective and plan disaster recovery strategies in alignment with the exact processes that Azure services follow during different kinds of situations.
1211
---
1312

1413
# Reliability in Azure Virtual Network
1514

1615
This article describes reliability support in Azure Virtual Network, covering intra-regional resiliency via [availability zones](#availability-zone-support) and [multi-region deployments](#multi-region-support).
1716

18-
Resiliency is a shared responsibility between you and Microsoft and so this article also covers ways for you to create a resilient solution that meets your needs.
17+
[!INCLUDE [Shared responsibility description](includes/reliability-shared-responsibility-include.md)]
1918

20-
A Virtual Network is a logical representation of your network in the cloud. It allows you to define your own private IP address space and segment the network into subnets. Virtual networks serve as a trust boundary to host your compute resources such as Azure Virtual Machines and load balancers. A virtual network allows direct private IP communication between the resources hosted in it. You can link a virtual network to an on-premises network through a VPN Gateway, or ExpressRoute.
19+
A virtual network is a logical representation of your network in the cloud. It allows you to define your own private IP address space and segment the network into subnets. Virtual networks serve as a trust boundary to host your compute resources such as Azure Virtual Machines and load balancers. A virtual network allows direct private IP communication between the resources hosted in it. You can link a virtual network to an on-premises network through a VPN Gateway or ExpressRoute, to enable hybrid cloud scenarios and to securely extend your datacenter into Azure.
2120

2221
## Production deployment recommendations
2322

24-
A virtual network is created within the scope of a region. You can create virtual networks with the same address space in two different regions, but because they have the same address space, you can't connect them together.
23+
As you build your virtual network in Azure, it's important to keep in mind the following universal design principles that help to improve the reliability of your solution:
24+
25+
* Ensure address spaces don't overlap. Make sure your virtual network address space (CIDR block) doesn't overlap with your organization's other network ranges.
26+
* Your subnets shouldn't cover the entire address space of the virtual network. Plan ahead and reserve some address space for the future.
27+
* Use a few large virtual networks instead of multiple small ones to reduce management overhead.
28+
* Secure your virtual networks by assigning Network Security Groups (NSGs) to the subnets beneath them.
29+
30+
To learn more about how to design your Azure virtual network with reliablity principles in mind, as well as other important best practices, see [Architecture best practices for Azure Virtual Network](/azure/well-architected/service-guides/virtual-network).
2531

26-
Use virtual networks to:
32+
## Reliability architecture overview
2733

28-
* Create a dedicated, private, cloud-only virtual network. Sometimes you don't require a cross-premises configuration for your solution. When you create a virtual network, your services and virtual machines (VMs) within your virtual network can communicate directly and securely with each other in the cloud. You can still configure endpoint connections for the VMs and services that require internet communication, as part of your solution.
34+
A virtual network is one of several core networking components in Azure. When you create virtual networks, you typically create a set of resources that collectively define your networking configuration, including:
2935

30-
* Securely extend your datacenter. With virtual networks, you can build traditional site-to-site (S2S) VPNs to securely scale your datacenter capacity. S2S VPNs use IPsec to provide a secure connection between your corporate VPN gateway and Azure.
36+
- Network security groups (NSGs) and application security groups (ASGs), which restrict communication between parts of your network.
37+
- User-defined routes, which control how traffic flows.
38+
- Load balancers, which distribute traffic within your network.
39+
- Public IP addresses, which provide connectivity to and from the internet.
40+
- Network interface cards (NICs), which provide network connectivity to Azure virtual machines.
41+
- Private endpoints, which provide private connectivity to Azure services and to resources outside of your own virtual network.
3142

32-
* Enable hybrid cloud scenarios. You can securely connect cloud-based applications to any type of on-premises system, including mainframes and Unix systems.
43+
You might also deploy *appliances*, including ExpressRoute gateways, VPN gateways, and firewalls. Appliances provide services to support your networking needs, such as connecting to on-premises environments or providing sophisticated controls on traffic flow.
3344

34-
## Reliability architecture overview
45+
Finally, you deploy your own components, like virtual machines that run applications or databases, as well as other Azure services that provide virtual network integration.
3546

36-
Virtual networks and subnets span all availability zones in a region. You don't need to divide them by availability zones to accommodate zonal resources. For example, if you configure a zonal VM, you don't have to take into consideration the virtual network when selecting the availability zone for the VM. The same is true for other zonal resources.
47+
> [!IMPORTANT]
48+
> This guide focuses on Azure virtual networks, which are just one component in your network architecture.
49+
>
50+
> From a reliability perspective, it's important that you consider each component in your solution individually as well as how they behave together. Many core Azure networking services provide high resiliency by default, but you might need to consider how other network appliances, virtual machines, and other components can support your reliability needs. Review the reliability guides for each Azure service you use to understand how that service supports reliability.
51+
52+
To learn more about networking in Azure, see [Networking architecture design](/azure/architecture/networking/).
3753

3854
## Transient faults
3955

4056
[!INCLUDE [Transient fault description](includes/reliability-transient-fault-description-include.md)]
4157

42-
When a transient fault occurs, resources within an Azure Virtual Network automatically retry communication attempts. This built-in resiliency ensures that temporary disruptions, such as brief network interruptions or service unavailability, do not result in permanent failures. By leveraging retry logic, resources can recover from transient issues without requiring manual intervention, helping to maintain connectivity and application reliability.
58+
Virtual networks themselves aren't typically affected by transient faults themselves. However, transient faults might affect resources deployed within a virtual network. Review the reliability guide for each resource you use to understand their transient fault handling behaviors.
4359

4460
## Availability zone support
4561

46-
[!INCLUDE [AZ support description](includes/reliability-availability-zone-description-include.md)]
47-
48-
A virtual network deployed in a region is spanned across availability zones within that region. User intervention isn't required to enable this support.
62+
[!INCLUDE [AZ support description](includes/reliability-availability-zone-description-include.md)]
4963

50-
### Region support
64+
A virtual network deployed in a region spans all availability zones within that region. Similarly, subnets within each virtual network span all availability zones within the region. User intervention isn't required to enable this support.
5165

52-
Azure Virtual Network is available in all Azure regions. Azure Virtual Networks are limited to a single region when deployed.
66+
You don't need to divide your virtual networks or subnets by availability zones to accommodate zonal resources. For example, if you configure a zonal VM, you don't have to take into consideration the virtual network when selecting the availability zone for the VM. The same is true for other zonal resources.
5367

54-
### Considerations
68+
### Region support
5569

56-
If an outage occurs for an entire region, the virtual network and the resources in the affected region remain inaccessible during the time of the service disruption.
70+
Zone-redundant virtual networks can be deployed in [any region that supports availability zones](./regions-list.md).
5771

5872
### Cost
5973

60-
Region zone redundancy for Azure Virtual Networks doesn't incur a charge.
61-
62-
### Configure availability zone support
74+
Zone redundancy for Azure Virtual Networks doesn't incur a charge.
6375

64-
Zone redundancy is configured automatically when a virtual network is deployed in a region.
76+
### Configure availability zone support
6577

66-
### Capacity planning and management
78+
Zone redundancy is configured automatically when a virtual network is deployed in a region that supports availability zones.
6779

68-
As you build your network in Azure, it's important to keep in mind the following universal design principles:
69-
70-
* Ensure address spaces don't overlap. Make sure your virtual network address space (CIDR block) doesn't overlap with your organization's other network ranges.
80+
### Zone-down experience
7181

72-
* Your subnets shouldn't cover the entire address space of the virtual network. Plan ahead and reserve some address space for the future.
82+
Azure virtual networks are designed to be resilient to zone failures. When a zone becomes unavailable, Azure Virtual Network automatically reroutes virtual network requests to the remaining zones. This process is seamless and doesn't require any action from you.
7383

74-
* Use a few large virtual networks instead of multiple small ones to reduce management overhead.
84+
However, any resources within the virtual network need to be considered individually, because each resource might have a different set of behaviors during the loss of an availability zone. Consult the reliability guide for each resource you use to understand their availability zone support and behavior when a zone is unavailable.
7585

76-
* Secure your virtual networks by assigning Network Security Groups (NSGs) to the subnets beneath them.
86+
### Failback
7787

78-
### Zone-down experience
88+
When the zone recovers, Microsoft initiates a failback process to ensure that virtual networks continue to work in the recovered zone. The failback process is automatic and doesn't require any action from you.
7989

80-
Azure virtual networks are designed to be resilient to zone failures. When a zone becomes unavailable, Azure Virtual Network automatically reroutes traffic to the remaining zones. This process is seamless and doesn't require any action from you.
90+
However, you should verify the failback behaviors of any resources you deploy within the virtual network.
8191

82-
* Any active requests are dropped and should be retried by the client.
92+
### Testing for zone failures
8393

84-
* A zone failure isn't expected to cause any data loss.
94+
The Azure Virtual Network platform manages traffic routing, failover, and failback for virtual networks across availability zones. You don't need to initiate anything. Because this feature is fully managed, you don't need to validate availability zone failure processes.
8595

86-
* A zone failure isn't expected to cause downtime to your resources.
96+
## Multi-region support
8797

88-
### Failback
98+
Azure Virtual Network is a single-region service. If the region becomes unavailable, your virtual network is also unavailable.
8999

90-
When the zone recovers, Microsoft initiates a failback process. The failback process is automatic and doesn't require any action from you.
100+
### Alternative multi-region approaches
91101

92-
### Testing for zone failures
102+
You can create virtual networks in multiple regions, and you can optionally *peer* them together to connect them.
93103

94-
The Azure Virtual Network platform manages traffic routing, failover, and failback for the virtual network. You don't need to initiate anything. Because this feature is fully managed, you don't need to validate availability zone failure processes.
104+
By creating virtual networks and other resources in multiple regions, you can be resilient to regional outages. However, you need to consider many factors, including:
95105

96-
## Multi-region support
106+
- **Traffic routing:** If you host internet-facing services in the virtual network, you need to decide how to route incoming traffic among your regions and components. Services like Azure Traffic Manager and Azure Front Door enable you to route internet traffic based on rules you specify.
97107

98-
Azure Virtual Network is a single-region service. You can create virtual networks in multiple regions, but they are separate resources.
108+
- **Failover:** If an Azure region is unavailable, you typically need to *fail over* by processing traffic in healthy regions. Azure Traffic Manager and Azure Front Door provide failover capabilities for internet applications.
99109

100-
### Region-down experience
101-
102-
The virtual network and the resources in the affected region remains inaccessible during the time of the service disruption.
110+
- **Management:** Each virtual network is a separate resource and needs to be configured and managed independently from other virtual networks.
103111

104-
### Alternative multi-region approaches
112+
- **IP address space:** You need to decide how to allocate IP addresses when you create multiple virtual networks. You can create multiple virtual networks using the same private IP address space in different regions. However, you can't peer (connect) two virtual networks with the same address space to your on-premises network, as it would cause routing issues. If you plan to create a multi-network design, IP address planning is an important consideration.
105113

106-
You can create two virtual networks using the same private IP address space and resources in two different regions ahead of time. If you're hosting internet-facing services in the virtual network, you could have set up Traffic Manager to geo-route traffic to the region that is active. However, you can't connect two virtual networks with the same address space to your on-premises network, as it would cause routing issues. At the time of a disaster and loss of a virtual network in one region, you can connect the other virtual network in the available region, with the matching address space to your on-premises network.
114+
Virtual networks are fairly lightweight resources. You can invoke Azure APIs to create a virtual network with the same address space in a different region. However, to recreate the same environment that was present in the affected region, you must redeploy the virtual machines and other resources. If you have on-premises connectivity, such as in a hybrid deployment, you have to deploy a new VPN Gateway, and connect to your on-premises network.
107115

108-
Virtual networks are fairly lightweight resources. You can invoke Azure APIs to create a virtual network with the same address space in a different region. To recreate the same environment that was present in the affected region, redeploy the virtual machines and other resources. If you have on-premises connectivity, such as in a hybrid deployment, you have to deploy a new VPN Gateway, and connect to your on-premises network.
116+
For an example of a multi-region networking architecture for web applications, see [Multi-region load balancing with Traffic Manager, Azure Firewall, and Application Gateway](/azure/architecture/high-availability/reference-architecture-traffic-manager-application-gateway).
109117

110118
## Service-level agreement
111119

112-
There isn't a defined SLA for Azure Virtual Network due to the nature of the service. However, the SLA for the resources that are deployed in a virtual network is defined in the SLA for that resource.
120+
There isn't a defined SLA for Azure Virtual Network due to the nature of the service.
113121

114122
## Related content
115123

116-
[What are availability zones?](/azure/reliability/availability-zones-overview)
124+
[What are availability zones?](/azure/reliability/availability-zones-overview)

0 commit comments

Comments
 (0)