Multitenancy and network virtualization:
The previous article talked about Application Virtualization.
Resources hosting the applications can also be partitioned into virtual
networks. This article talks about network virtualization.
Virtual networks, or VNets for short, are fundamental to placing resources such
that they can securely communicate with each other, with the internet, and with
on-premises networks. A VNet is like a traditional network in a private
datacenter, but it brings the additional benefits of scale, availability and
isolation.
Communication between resources, communication of those resources with the
internet, communication with on-premises resources, filtering and routing of
network traffic, and integration with other cloud services are all made
possible by virtual networks.
Outbound communication from resources to the internet is available by default.
Inbound communication to a resource from the internet is achieved by assigning
a public IP address or a public load balancer. Communication between resources
can be achieved via a virtual network, a virtual network service endpoint or
VNet peering. Communication with on-premises resources is achieved by a
point-to-site virtual private network, a site-to-site VPN or Azure
ExpressRoute. Network traffic can be filtered between subnets using network
security groups, network virtual appliances, or both.
When these virtual networks are created in the cloud, the cloud provider
automatically routes traffic between the subnets, connected virtual networks,
on-premises networks and the internet by default. Overrides can be specified
using route tables and Border Gateway Protocol routes. Integrating a cloud
service with a virtual network enables private access to the service from
virtual machines or other compute resources in the virtual network: by
dedicating the service to a virtual network, by using a private link to access
it privately, or by extending the virtual network to the service using a
service endpoint. A service endpoint allows service resources to be secured to
the virtual network.
There are limits to how many resources can be placed within a virtual network,
but there are options to increase those limits. A virtual network and its
subnets span all the availability zones in a region. Even if a resource is
zonal, the virtual network does not need to be divided between the
availability zones.
Network and storage are low-cost resources, but network administrators who
keep running out of IP addresses know that this does not always seem true. An
end-user might get a virtual network for free by requesting it from the cloud
in a free tier, but pricing applies to premium tiers and SKUs.
Some of the best practices for virtual networks are universal design
principles. For example, address spaces must not overlap. The subnets should
not cover the entire address space of the virtual network. There should be a
few large virtual networks rather than numerous small ones. The virtual
networks must be secured by assigning network security groups to the subnets
underlying the VNet.
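The design principles above can be checked mechanically before a plan is deployed. The following is an added example, not code from the original post or from any cloud provider: it takes a constructed, hypothetical VNet plan (the VNet names, prefixes and NSG names are made up) and flags overlapping address spaces, subnets that fall outside or fully consume their VNet's address space, subnets that overlap one another, and subnets with no network security group attached.

```python
import ipaddress

# Constructed sample plan (hypothetical names and prefixes, not from the post).
# Each VNet lists its address space and its subnets; "nsg" is None when no
# network security group is attached to the subnet.
SAMPLE_PLAN = {
    "vnet-hub": {
        "address_space": "10.0.0.0/16",
        "subnets": {
            "snet-gateway": {"prefix": "10.0.0.0/24", "nsg": "nsg-gateway"},
            "snet-shared": {"prefix": "10.0.1.0/24", "nsg": "nsg-shared"},
        },
    },
    "vnet-tenants": {
        "address_space": "10.1.0.0/16",
        "subnets": {
            "snet-app": {"prefix": "10.1.0.0/18", "nsg": "nsg-app"},
            "snet-data": {"prefix": "10.1.64.0/18", "nsg": None},  # missing NSG
        },
    },
    "vnet-legacy": {
        "address_space": "10.0.128.0/17",  # overlaps vnet-hub's /16
        "subnets": {
            # one subnet consumes the whole address space: no room to grow
            "snet-all": {"prefix": "10.0.128.0/17", "nsg": "nsg-legacy"},
        },
    },
}


def check_plan(plan):
    """Return a list of (kind, message) findings for a VNet plan.

    Kinds: "overlap" (two VNet address spaces overlap), "outside-space"
    (subnet not inside its VNet), "subnet-overlap" (two subnets in one VNet
    overlap), "no-nsg" (subnet without a network security group) and
    "full-space" (subnets consume the VNet's entire address space).
    """
    findings = []
    spaces = {name: ipaddress.ip_network(v["address_space"]) for name, v in plan.items()}

    # 1. VNet address spaces must not overlap, or peering and VPN routing break.
    names = sorted(spaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if spaces[a].overlaps(spaces[b]):
                findings.append(("overlap", f"{a} {spaces[a]} overlaps {b} {spaces[b]}"))

    for name, v in plan.items():
        space = spaces[name]
        subnets = {s: ipaddress.ip_network(d["prefix"]) for s, d in v["subnets"].items()}
        ordered = sorted(subnets)

        for s in ordered:
            n = subnets[s]
            # 2. Every subnet must lie inside its VNet's address space.
            if not n.subnet_of(space):
                findings.append(("outside-space", f"{name}/{s} {n} is not within {space}"))
            # 3. Every subnet should carry an NSG.
            if v["subnets"][s]["nsg"] is None:
                findings.append(("no-nsg", f"{name}/{s} has no network security group"))

        # 4. Subnets inside one VNet must not overlap each other.
        for i, a in enumerate(ordered):
            for b in ordered[i + 1:]:
                if subnets[a].overlaps(subnets[b]):
                    findings.append(("subnet-overlap", f"{name}: {a} overlaps {b}"))

        # 5. Leave headroom: subnets should not cover the entire address space.
        used = sum(n.num_addresses for n in subnets.values())
        if used >= space.num_addresses:
            findings.append(("full-space", f"{name}: subnets consume all of {space}"))

    return findings


if __name__ == "__main__":
    for kind, msg in check_plan(SAMPLE_PLAN):
        print(f"{kind:15} {msg}")
```

Running it against the sample plan reports the hub/legacy overlap, the tenant data subnet with no NSG, and the legacy VNet whose single subnet leaves no room to grow; a plan that follows the principles returns an empty list.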
Name resolution applies to virtual networks. Resolving a name to an IP address
depends on whether there is a single instance or many instances of the
multitenant application. For example, a CNAME for the custom domain of a
tenant might point to a multi-part subdomain of the multitenant application's
solution provider. Since this provider might want to set up proper routing to
multiple instances, they might have a CNAME record for the subdomain of each
individual instance that routes to that instance. They will also have an A
record for that specific instance pointing to the IP address of the provider's
domain name. This chain of records resolves requests for the custom domain to
the IP address of the instance among the multiple instances deployed by the
provider.
Validation of custom domains is a necessity for tenants to be onboarded.
Without validation, tenants might accidentally or maliciously park a domain
name. Typos in custom domain names are encountered often. Parking leads to an
error for others wanting to use their custom domain, with the message that the
domain name is already in use. Domain names, especially within a self-service
or automated process, require a domain verification step. A CNAME record or a
DNS TXT record might be added to reserve the domain name until the
verification is completed. Private DNS domains as well as custom domain names
are supported with private virtual networks.
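The record chain described in the name-resolution paragraph and the TXT-based verification step described just above can be exercised together against an in-memory zone. The following is an added example, not code from the original post or from any provider: the domain names, the instance name, the IP address and the verification token are all constructed placeholders. It follows a tenant's custom domain through CNAME records to the instance's A record, stops on a CNAME loop rather than spinning, and checks that a tenant has published the TXT record a provider would issue during onboarding before the custom domain is marked as claimed.

```python
import secrets

# Constructed sample zone data (hypothetical names; 203.0.113.0/24 is a
# documentation range). Records are stored as name -> [(type, value), ...].
RECORDS = {
    # tenant's custom domain -> provider's multi-part subdomain for that tenant
    "app.contoso-tenant.example": [("CNAME", "contoso.tenants.saasprovider.example")],
    # provider routes the tenant's subdomain to one of its deployed instances
    "contoso.tenants.saasprovider.example": [("CNAME", "instance3.saasprovider.example")],
    # the instance's A record carries the IP address
    "instance3.saasprovider.example": [("A", "203.0.113.30")],
    # verification record the tenant published for onboarding (constructed token)
    "_saas-verify.app.contoso-tenant.example": [("TXT", "saas-verify=tok_9f3a")],
    # a misconfigured pair of records that point at each other
    "loop1.example": [("CNAME", "loop2.example")],
    "loop2.example": [("CNAME", "loop1.example")],
}


def resolve(name, records, max_hops=8):
    """Follow a CNAME chain until an A record is found.

    Returns (ip_address, chain_of_names). Raises LookupError when a name has
    neither an A nor a CNAME record, when the chain loops, or when it exceeds
    max_hops, so a bad zone cannot make the resolver spin.
    """
    chain = [name]
    seen = {name}
    for _ in range(max_hops):
        rrs = records.get(name, [])
        addresses = [v for t, v in rrs if t == "A"]
        if addresses:
            return addresses[0], chain
        cnames = [v for t, v in rrs if t == "CNAME"]
        if not cnames:
            raise LookupError(f"no A or CNAME record for {name}")
        name = cnames[0]
        if name in seen:
            raise LookupError(f"CNAME loop at {name}")
        seen.add(name)
        chain.append(name)
    raise LookupError(f"CNAME chain longer than {max_hops} hops")


def issue_verification_token():
    """Provider side: mint an unguessable token the tenant must publish."""
    return "tok_" + secrets.token_hex(8)


def verify_domain(domain, expected_token, records):
    """Provider side: confirm the tenant controls the domain.

    The tenant must have published a TXT record named _saas-verify.<domain>
    whose value is saas-verify=<token>. Only then is the custom domain
    recorded as claimed, which prevents a typo or a malicious request from
    parking somebody else's domain.
    """
    rrs = records.get(f"_saas-verify.{domain}", [])
    txts = [v for t, v in rrs if t == "TXT"]
    return f"saas-verify={expected_token}" in txts


def onboard(domain, token, records, claimed):
    """Claim `domain` for a tenant only after verification succeeds."""
    if domain in claimed:
        return "already in use"
    if not verify_domain(domain, token, records):
        return "verification pending"
    claimed.add(domain)
    return "claimed"


if __name__ == "__main__":
    ip, chain = resolve("app.contoso-tenant.example", RECORDS)
    print(" -> ".join(chain), "=>", ip)
    claimed = set()
    print(onboard("app.contoso-tenant.example", "tok_9f3a", RECORDS, claimed))
    print(onboard("app.contoso-tenant.example", "tok_9f3a", RECORDS, claimed))
    try:
        resolve("loop1.example", RECORDS)
    except LookupError as err:
        print("resolution failed:", err)
```

The loop guard matters in practice: a tenant who mistypes a CNAME target can otherwise send the provider's resolver, or a health probe built on it, into a cycle, and the verification step is what keeps that mistake from also blocking the domain for its real owner.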
Reference: https://1drv.ms/w/s!Ashlm-Nw-wnWhLMfc6pdJbQZ6XiPWA?e=fBoKcN