Mastering Windows Server 2016 Hyper-V


for inbound traffic. For outbound traffic, vmNIC policies are applied first, and then the
subnet policies.


Figure 3.36 Example use of the datacenter firewall restricting traffic flow


I mentioned earlier the special tags that can be used in place of a source or destination IP
range. They are listed next and are the same as those used with Azure Network
Security Groups, which ensures that policies are applied consistently in a hybrid
environment:


VIRTUALNETWORK  The virtual network's address space and all other known
address spaces that are connected to it via a gateway. For example, if your virtual
network is connected to another location via a gateway, the IP space encompassed
by VIRTUALNETWORK is that of your virtual network IP space plus the entire IP space
of that connected location.
INTERNET  Every address that is not part of VIRTUALNETWORK; in other words,
0.0.0.0/0 minus VIRTUALNETWORK.
AZURELOADBALANCER  This represents the SLB health probe IP address that
is implemented in the VMSwitch. It is used by a default inbound rule and is
required so that the SLB can probe VMs to confirm that they are
available. If you add any blocking custom policies, make sure that you also add an
allow rule for AZURELOADBALANCER, or the SLB will not function.
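The following model is an added example, not code from the book or from the SDNv2 product. It resolves the three special tags against a constructed topology and applies the two policy layers in the order described above (subnet then vmNIC for inbound, vmNIC then subnet for outbound), so you can see why a blanket deny without an AZURELOADBALANCER allow drops the health probe. The address ranges, the probe IP, and the "unmatched traffic is allowed" default are assumptions of this model only.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (not from the book): the virtual network's own
# address space plus one remote site reached through a gateway.
VNET_SPACE = [ip_network("10.0.0.0/16")]
GATEWAY_SPACES = [ip_network("192.168.100.0/24")]
# Hypothetical SLB health-probe address, used only for this illustration.
SLB_PROBE_IP = ip_address("10.255.255.1")

def matches(ip, spec):
    """True if ip falls inside spec, a CIDR string or one of the special tags."""
    if spec == "VIRTUALNETWORK":
        return any(ip in p for p in VNET_SPACE + GATEWAY_SPACES)
    if spec == "INTERNET":  # 0.0.0.0/0 minus VIRTUALNETWORK
        return not matches(ip, "VIRTUALNETWORK")
    if spec == "AZURELOADBALANCER":
        return ip == SLB_PROBE_IP
    return ip in ip_network(spec)

def evaluate_acl(rules, src, dst, default="Allow"):
    """First match in ascending priority wins; unmatched traffic gets the
    default, which is an assumption of this model rather than a documented value."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if matches(src, rule["src"]) and matches(dst, rule["dst"]):
            return rule["action"]
    return default

def evaluate(direction, subnet_acl, nic_acl, src, dst):
    """Apply the two policy layers in the order the datacenter firewall uses:
    inbound = subnet then vmNIC, outbound = vmNIC then subnet.  Returns the
    verdict and the layer that produced a Deny (None when allowed)."""
    src, dst = ip_address(src), ip_address(dst)
    order = [("subnet", subnet_acl), ("vmNIC", nic_acl)]
    if direction == "Outbound":
        order.reverse()
    for name, acl in order:
        if evaluate_acl(acl, src, dst) == "Deny":
            return "Deny", name  # dropped before the next layer is consulted
    return "Allow", None

# Constructed policies.  Without the AZURELOADBALANCER allow, the blanket deny
# on the vmNIC also drops the SLB probe, which is the situation the text warns about.
NIC_BLOCKING = [{"priority": 300, "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "action": "Deny"}]
NIC_FIXED = [{"priority": 100, "src": "AZURELOADBALANCER", "dst": "VIRTUALNETWORK", "action": "Allow"}] + NIC_BLOCKING
SUBNET_NO_INTERNET = [{"priority": 200, "src": "INTERNET", "dst": "0.0.0.0/0", "action": "Deny"}]

if __name__ == "__main__":
    print(evaluate("Inbound", [], NIC_BLOCKING, "10.255.255.1", "10.0.1.4"))  # ('Deny', 'vmNIC')
    print(evaluate("Inbound", [], NIC_FIXED, "10.255.255.1", "10.0.1.4"))  # ('Allow', None)
```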

UDR, Port Mirroring, and Virtual Appliances


In addition to the in-box capabilities of SDNv2, many virtual appliances are available
from third-party vendors that offer network functionality. Because SDNv2 is
implemented in the same manner as the Azure SDN solution, any virtual appliance
available in Azure should also work on premises with SDNv2. These virtual appliances
could perform traffic inspection, trend analysis, firewall activities, WAN optimization,
or anything else. The appliances do not need to be virtual network aware; they simply
