Virtual Network Service
Why a Virtual Network Service?
A virtual network allows resources to communicate with other resources. The other resources may be within the same virtual network, but could also be on-premise or on the internet. All cloud resources need a virtual network, which makes a virtual network service essential.
A virtual network service provides virtual networks to DevOps teams.
A virtual network service has two inputs:
a cloud tenant for the virtual network
an IP address range, often in CIDR notation
A virtual network service creates the virtual network in the cloud tenant. If necessary, it also registers the IP address range in the organization's IP address management tool (IPAM), taking that burden away from DevOps teams.
Given the security implications, networking services must be provided centrally for most Cloud Zones (see Cloud Zones). The virtual network service forms the basis for the networking offering.
Proven Patterns When Implementing Virtual Network Services
Organizations should strive to make applications go full cloud-native on networking (L7, APIs) or provide strongly centralized services (L3 networking like on-premise).
Embrace Cloud Paradigm Shift
On-premise, networks relied on L3 connectivity and often had no authN/Z on the application layer. The cloud moves this to L7. Network zones are the most difficult to implement, as they involve many shared responsibilities and interfaces.
Shift Your View on Networking
On-premise networks are mostly flat, whereas in the cloud we can do micro-segmentation, and networks become very hierarchical, with DevOps teams having a lot of autonomy over their subnets.
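The two inputs described under "Why a Virtual Network Service?" (a cloud tenant and a CIDR range, registered in IPAM) and the hierarchical subnet model in this pattern, as an added Python example that is not part of the original page. The `Ipam` and `VirtualNetworkService` classes, the in-memory dicts standing in for the IPAM tool and the cloud provider API, and all IP ranges are constructed assumptions; the point it shows is the check a central service should make before creating anything: the requested range must not overlap a reserved on-premise range or another tenant's network, and a team's subnet must lie inside its tenant's network without colliding with sibling subnets.

```python
import ipaddress
from dataclasses import dataclass, field


class AllocationError(ValueError):
    """A requested range cannot be registered without breaking another one."""


@dataclass
class Ipam:
    """Hypothetical in-memory stand-in for the organization's IPAM tool."""
    # Ranges no tenant may receive, e.g. on-premise networks reachable over
    # the hub&spoke connection (constructed sample values, see demo()).
    reserved: list = field(default_factory=list)
    # tenant -> registered virtual network ranges
    networks: dict = field(default_factory=dict)
    # (tenant, virtual network) -> subnets delegated to DevOps teams
    subnets: dict = field(default_factory=dict)

    def _registered(self):
        yield from self.reserved
        for nets in self.networks.values():
            yield from nets

    def register_network(self, tenant, cidr):
        # strict=True rejects ranges with host bits set, e.g. 10.30.0.1/24
        net = ipaddress.ip_network(cidr, strict=True)
        for other in self._registered():
            if net.version == other.version and net.overlaps(other):
                raise AllocationError(f"{net} overlaps registered range {other}")
        self.networks.setdefault(tenant, []).append(net)
        return net

    def delegate_subnet(self, tenant, vnet_cidr, subnet_cidr):
        # Teams carve their own subnets out of the tenant's network, but only
        # inside it and without overlapping what other teams already hold.
        vnet = ipaddress.ip_network(vnet_cidr, strict=True)
        if vnet not in self.networks.get(tenant, []):
            raise AllocationError(f"{vnet} is not registered for {tenant}")
        subnet = ipaddress.ip_network(subnet_cidr, strict=True)
        if subnet.version != vnet.version or not subnet.subnet_of(vnet):
            raise AllocationError(f"{subnet} lies outside {vnet}")
        siblings = self.subnets.setdefault((tenant, vnet), [])
        for other in siblings:
            if subnet.overlaps(other):
                raise AllocationError(f"{subnet} overlaps sibling subnet {other}")
        siblings.append(subnet)
        return subnet


class VirtualNetworkService:
    """Takes a tenant and a CIDR range, registers the range, creates the network."""

    def __init__(self, ipam):
        self.ipam = ipam
        self.cloud = {}  # tenant -> created networks (stand-in for the provider API)

    def create_virtual_network(self, tenant, cidr):
        # Register first: a range that collides with on-premise or another
        # tenant never reaches the cloud, so nothing has to be rolled back.
        net = self.ipam.register_network(tenant, cidr)
        self.cloud.setdefault(tenant, []).append(net)
        return net


def demo():
    """Run the service on constructed sample input and report what happened."""
    ipam = Ipam(reserved=[ipaddress.ip_network("10.0.0.0/16")])  # constructed on-premise range
    svc = VirtualNetworkService(ipam)

    vnet = svc.create_virtual_network("tenant-a", "10.20.0.0/16")
    # Team-owned subnets carved out of the tenant's range (micro-segmentation)
    accepted = [
        str(ipam.delegate_subnet("tenant-a", "10.20.0.0/16", "10.20.1.0/24")),
        str(ipam.delegate_subnet("tenant-a", "10.20.0.0/16", "10.20.2.0/24")),
    ]

    rejected = []
    for cidr in ("10.0.5.0/24",    # inside the reserved on-premise range
                 "10.20.0.0/20",   # overlaps tenant-a's network
                 "10.30.0.1/24"):  # host bits set: not a valid network
        try:
            svc.create_virtual_network("tenant-b", cidr)
        except ValueError:       # AllocationError is a ValueError too
            rejected.append(cidr)

    bad_subnets = []
    for sub in ("10.21.0.0/24",     # outside the tenant's network
                "10.20.1.128/25"):  # overlaps an already delegated subnet
        try:
            ipam.delegate_subnet("tenant-a", "10.20.0.0/16", sub)
        except AllocationError:
            bad_subnets.append(sub)

    return {
        "vnet": str(vnet),
        "subnets": accepted,
        "rejected": rejected,
        "bad_subnets": bad_subnets,
        "tenant_b_created": len(svc.cloud.get("tenant-b", [])),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Registering before creating is a deliberate ordering: a tenant whose range collides with on-premise or with a neighbour never gets a network that later has to be torn down once the hub&spoke or transit connection fails to route it. The same overlap check is what makes the hierarchical model safe, since every team subnet is validated against its parent range rather than against a flat list.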
Provide It as a Landing Zone Module
Virtual network services can be modules for Modular Landing Zones (see Modular Landing Zones).
Make It Compatible with Adjacent Services
Virtual networks are most useful in combination with the following services, each of which takes a virtual network as input:
External IP addresses
Most applications need to connect to resources outside their own virtual network.
On-Premise Network Connection
Provides managed IP (L3) connectivity to on-premises networks. This is commonly implemented using hub&spoke network architectures and a combination of VPNs or private network peerings.
Managed bastion hosts
Teams can use a managed service to access resources on private cloud networks using managed bastion hosts or gateway services. These gateways are hardened and centrally audited.
Managed Internet Egress
Cloud tenants can connect to internet egress using managed infrastructure that ensures compliance and cost efficiency (network separation, proxies etc.).
Tenant to Tenant Transit Networks
Provides managed connectivity between cloud tenants on the same cloud platform via centrally managed transit networks.
Currently no tool implementations documented. Contributions welcome!