miksingh
Nov 15, 2021, Copper Contributor
VM with two NICs
Hi,
I have a use case for Azure VMs to separate management and application traffic. So in effect, one NIC for management and another for application. The application VMs would reside on VNet-A and the management network would reside on VNet-B.
My understanding is that Azure VMs can have multiple NICs, but they need to belong to the same VNet. The rationale behind this is most likely how the existing application is implemented in a traditional data center; however, my understanding is that in public cloud there is no IP layer 2 functionality. Therefore, I was wondering how we overcome such a requirement with respect to security?
1 Reply
You can still separate management and application traffic securely using these approaches:
- Use Subnets Within the Same VNet
  - Create VNet-A with:
    - Subnet-1 for application traffic
    - Subnet-2 for management traffic
  - Attach each NIC to a different subnet
  - Apply Network Security Groups (NSGs) to isolate traffic
- Use VNet Peering
  - Keep VNet-A and VNet-B separate
  - Peer them together
  - Deploy a network virtual appliance (NVA) or firewall to route and inspect traffic between NICs
- Use Azure Firewall or NVA
  - Insert a firewall between subnets or VNets
  - Control traffic flow with rules and route tables
  - This gives you granular control over what management traffic can reach application VMs
- Use Private Endpoints or Bastion
  - For management access, use Azure Bastion or Private Endpoints
  - Avoid direct NIC exposure and reduce attack surface
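The first approach in the reply above (one VNet, a subnet per traffic class, one NSG per subnet, a VM with one NIC in each subnet) as a worked Bicep template. This is an added example, not code from the thread or from Microsoft; the resource names, address ranges, VM size, image and the `managementSourcePrefix` value (the range the management NIC accepts SSH from, e.g. an AzureBastionSubnet or jump-host subnet) are assumptions you would replace.

```bicep
// Added example: dual-NIC VM with management/application separation inside one VNet.
// All names, prefixes and sizes are assumptions, not values from the original thread.
param location string = resourceGroup().location
param adminUsername string
@secure()
param adminPublicKey string
// Assumed: only this range may reach the management NIC (e.g. the AzureBastionSubnet).
param managementSourcePrefix string = '10.10.2.0/24'

// NSG for the application subnet: serve HTTPS, and explicitly refuse SSH/RDP.
// The explicit deny matters because the built-in AllowVnetInBound rule (priority 65000)
// would otherwise let any VNet/peered host reach port 22 on the application NIC.
resource appNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-app'
  location: location
  properties: {
    securityRules: [
      { name: 'allow-https-in', properties: { priority: 100, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: 'Internet', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '443' } }
      { name: 'deny-mgmt-ports-in', properties: { priority: 110, direction: 'Inbound', access: 'Deny', protocol: 'Tcp', sourceAddressPrefix: '*', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRanges: [ '22', '3389' ] } }
    ]
  }
}

// NSG for the management subnet: SSH only from the management source range,
// then deny everything else inbound ahead of the built-in allow rules.
resource mgmtNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-mgmt'
  location: location
  properties: {
    securityRules: [
      { name: 'allow-ssh-from-mgmt', properties: { priority: 100, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: managementSourcePrefix, sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '22' } }
      { name: 'deny-all-other-in', properties: { priority: 4000, direction: 'Inbound', access: 'Deny', protocol: '*', sourceAddressPrefix: '*', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' } }
    ]
  }
}

// One VNet, two subnets, each subnet bound to its own NSG.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-a'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      { name: 'snet-app', properties: { addressPrefix: '10.10.0.0/24', networkSecurityGroup: { id: appNsg.id } } }   // index 0
      { name: 'snet-mgmt', properties: { addressPrefix: '10.10.1.0/24', networkSecurityGroup: { id: mgmtNsg.id } } } // index 1
    ]
  }
}

// Application NIC: private only; expose it through a load balancer or front door, not a public IP.
resource appNic 'Microsoft.Network/networkInterfaces@2023-05-01' = {
  name: 'nic-app'
  location: location
  properties: {
    ipConfigurations: [
      { name: 'ipconfig1', properties: { subnet: { id: vnet.properties.subnets[0].id }, privateIPAllocationMethod: 'Dynamic' } }
    ]
  }
}

// Management NIC: private only; reached via Bastion or a jump host in managementSourcePrefix.
resource mgmtNic 'Microsoft.Network/networkInterfaces@2023-05-01' = {
  name: 'nic-mgmt'
  location: location
  properties: {
    ipConfigurations: [
      { name: 'ipconfig1', properties: { subnet: { id: vnet.properties.subnets[1].id }, privateIPAllocationMethod: 'Dynamic' } }
    ]
  }
}

// The VM attaches both NICs; the size must support at least two NICs.
resource vm 'Microsoft.Compute/virtualMachines@2023-09-01' = {
  name: 'vm-app-01'
  location: location
  properties: {
    hardwareProfile: { vmSize: 'Standard_D2s_v3' }
    osProfile: {
      computerName: 'vm-app-01'
      adminUsername: adminUsername
      linuxConfiguration: {
        disablePasswordAuthentication: true
        ssh: { publicKeys: [ { path: '/home/${adminUsername}/.ssh/authorized_keys', keyData: adminPublicKey } ] }
      }
    }
    storageProfile: {
      imageReference: { publisher: 'Canonical', offer: '0001-com-ubuntu-server-jammy', sku: '22_04-lts-gen2', version: 'latest' }
      osDisk: { createOption: 'FromImage' }
    }
    networkProfile: {
      networkInterfaces: [
        { id: appNic.id, properties: { primary: true } }
        { id: mgmtNic.id, properties: { primary: false } }
      ]
    }
  }
}
```

Two caveats a practitioner should check before relying on this. First, the guest OS only gets a default route on the primary NIC, so replies to management sessions arriving on `nic-mgmt` from outside `snet-mgmt` will leave through `nic-app` unless you add an in-guest policy route (a second routing table keyed on the management NIC's source address); set that up, or keep the management source range inside the management subnet's reach. Second, the NSG rules are the real boundary here, not the NIC split: test them by attempting SSH to the application NIC's address from inside the VNet and confirming it is refused, since the built-in allow rules would otherwise permit it.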