Azure Network Architecture Deployment Overview

Slides (diagram labels only; the full slide text is in the Presentation Transcript below):

1. Azure Landing Zone (Azure Firewall/WAF)
2. Azure Landing Zone (NVA), after https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/secure-vnet-dmz
3. Azure Network Architecture: Deployment to Primary Azure Region
4. Azure Network Architecture: with animation
5. Hub and Spoke Network Topology
6. Hub and Spoke Topology
7. Example Azure Network Plan: VNets & Subnets
Slide Note

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


An in-depth look at Azure network architectures, including landing zone configurations with Azure Firewall and WAF, deployment to primary Azure regions, hub and spoke models, network virtual appliances (NVAs), VPN tunnels, DMZ setups, and more. This comprehensive guide covers various network components and their connections to optimize resource management and security controls.


Uploaded on Jul 17, 2024 | 3 Views



Presentation Transcript


  1. Azure Landing Zone (Azure Firewall/WAF)

  Hub VNet: Gateway subnet (connects the On-premises network), Azure Firewall (NAT, network and application traffic filtering rules allow inbound/outbound access; L3-L7 connectivity policies), Management subnet with a Jumpbox.
  VNet (Spoke 1): Web tier, Business tier, Data tier.
  VNet (Spoke 2): App Services, Managed Database.
  Connectivity: VNet Peering (Bidirectional) between the Hub VNet and each spoke; a UDR on the spoke subnets sends their traffic to the Azure Firewall.

  2. Azure Landing Zone (NVA)

  Reference: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/secure-vnet-dmz
  Hub VNet: Gateway subnet (connects the On-premises network); Public DMZ in / Public DMZ out around an NVA Availability set; Private DMZ in / Private DMZ out around a second NVA Availability set; Management subnet with a Jumpbox.
  VNet (Spoke 1): Web tier, Business tier, Data tier.
  VNet (Spoke 2): App Services, Managed Database.
  Connectivity: VNet Peering (Bidirectional) between the Hub VNet and each spoke; a UDR on the spoke subnets sends their traffic to the NVAs.
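Both landing-zone slides depend on the same two mechanisms: bidirectional peering between hub and spokes, and a user-defined route (UDR) on the spoke subnets that sends traffic to the firewall or NVA. The model below is an added example, not code from the deck or from Microsoft. It reproduces Azure's route selection (longest prefix match, user route beats system route on a tie) over the system routes a spoke subnet gets and shows which next hop a packet takes with and without the UDR. The spoke /19 ranges follow slide 7; the hub address space 10.151.96.0/22, the firewall's private IP 10.151.96.4 and the on-premises range 192.168.0.0/16 are assumptions. Azure's additional system routes that drop traffic to unrouted private ranges are left out of the model.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    next_hop: str                  # VirtualNetwork | VNetPeering | VirtualNetworkGateway | Internet | VirtualAppliance
    next_hop_ip: Optional[str] = None
    source: str = "System"         # "System" (installed by Azure) or "User" (UDR)


# Constructed addressing. The /19 spoke ranges follow slide 7; the hub address
# space, the firewall's private IP and the on-prem range are assumptions.
HUB = Net("10.151.96.0/22")
DEV_SPOKE = Net("10.151.32.0/19")
PROD_SPOKE = Net("10.151.0.0/19")
ONPREM_HQ = Net("192.168.0.0/16")   # assumed HQ range learned via the hub's VPN gateway
FIREWALL_IP = "10.151.96.4"         # assumed private IP of the hub firewall / NVA


def system_routes(vnet: Net, peered: Iterable[Net], gateway_prefixes: Iterable[Net] = ()) -> list[Route]:
    """Routes Azure installs on every subnet of `vnet`: the VNet's own space,
    the Internet default, one VNetPeering route per *directly* peered VNet
    (peering is not transitive) and, if the spoke uses the hub's gateway,
    one VirtualNetworkGateway route per on-prem prefix."""
    routes = [Route(vnet, "VirtualNetwork"), Route(Net("0.0.0.0/0"), "Internet")]
    routes += [Route(p, "VNetPeering") for p in peered]
    routes += [Route(p, "VirtualNetworkGateway") for p in gateway_prefixes]
    return routes


def resolve(dst: str, routes: list[Route]) -> Route:
    """Azure route selection: longest prefix wins; on equal length a
    user-defined route beats a system route."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in r.prefix]
    return max(matches, key=lambda r: (r.prefix.prefixlen, r.source == "User"))


def dev_spoke_routes(with_udr: bool, pin_onprem_to_firewall: bool = False) -> list[Route]:
    """Effective routes of a Dev spoke subnet that is peered only with the hub.
    `with_udr` adds the 0.0.0.0/0 -> firewall route the landing-zone slides rely on;
    `pin_onprem_to_firewall` adds a second UDR for the on-prem prefix."""
    routes = system_routes(DEV_SPOKE, peered=[HUB], gateway_prefixes=[ONPREM_HQ])
    if with_udr:
        routes.append(Route(Net("0.0.0.0/0"), "VirtualAppliance", FIREWALL_IP, "User"))
    if pin_onprem_to_firewall:
        routes.append(Route(ONPREM_HQ, "VirtualAppliance", FIREWALL_IP, "User"))
    return routes


def next_hop(dst: str, **spoke_options) -> str:
    """Next hop a Dev-spoke packet to `dst` takes, e.g. 'VirtualAppliance(10.151.96.4)'."""
    r = resolve(dst, dev_spoke_routes(**spoke_options))
    return r.next_hop if r.next_hop_ip is None else f"{r.next_hop}({r.next_hop_ip})"


if __name__ == "__main__":
    targets = {"same spoke": "10.151.32.10", "hub firewall": FIREWALL_IP,
               "Prod spoke": "10.151.0.10", "on-prem HQ": "192.168.1.10", "Internet": "203.0.113.7"}
    for label, dst in targets.items():
        print(f"{label:<13} {dst:<15} no UDR: {next_hop(dst, with_udr=False):<24} "
              f"0/0 UDR: {next_hop(dst, with_udr=True):<30} "
              f"0/0 + on-prem UDR: {next_hop(dst, with_udr=True, pin_onprem_to_firewall=True)}")
```

Two things the run shows that the diagrams do not. First, because peering is not transitive, a Dev spoke without the UDR has no route to the Prod spoke other than the default one, so spoke-to-spoke traffic never reaches the firewall; the UDR is what makes the hub firewall the chokepoint. Second, a 0.0.0.0/0 UDR does not catch traffic to on-premises prefixes learned from the hub's VPN gateway, since the /16 gateway route is more specific, so inspecting spoke-to-on-prem traffic needs either a UDR for each on-prem prefix or gateway route propagation disabled on the spoke's route table. The spoke's peering to the hub must also allow forwarded traffic, otherwise packets the firewall forwards from another spoke are dropped.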

  3. Azure Network Architecture: Deployment to Primary Azure Region

  Hub Management Group > Hub Subscription > Hub Resource Group(s)*
    Hub VNet 10.xx.xx.xx/yy with subnets (each 10.xx.xx.xx/zz): Gateway Subnet, Firewall Subnet, SIEM Subnet, WAF Subnet, Management Subnet.
  Non-Prod Management Group > Non-Prod Subscription
    Dev Resource Group(s)*: Dev VNet (Spoke 1) 10.xx.xx.xx/yy with three subnets, each 10.xx.xx.xx/zz.
    Test Resource Group(s)*: Test VNet (Spoke 2) 10.xx.xx.xx/yy with three subnets, each 10.xx.xx.xx/zz.
  Prod Management Group > Prod Subscription > Prod Resource Group(s)*
    Prod VNet (Spoke 3) 10.xx.xx.xx/yy with three subnets, each 10.xx.xx.xx/zz.
  Connectivity: VNet Peering (Bidirectional) between the Hub VNet and each spoke. On-premises Network HQ and On-premises Network Site 2 each reach the Gateway Subnet over an S2S VPN Tunnel; the VPN Client over a P2S VPN Tunnel; Internet HTTP/HTTPS traffic enters via the WAF Subnet.
  * Additional Resource Groups will be used for Azure resources as required for better resource management and security control.

  4. Azure Network Architecture: with animation

  Same diagram as slide 3 (Hub, Non-Prod and Prod Management Groups, Subscriptions and Resource Group(s)*, Hub VNet with Gateway, Firewall, SIEM, WAF and Management Subnets, Dev/Test/Prod spoke VNets, bidirectional VNet Peering, S2S and P2S VPN Tunnels, Internet HTTP/HTTPS), built up with animation.
  * Additional Resource Groups will be used for Azure resources as required for better resource management and security control.

  5. Hub and Spoke Network Topology

  Hub VNet: Hub Subnets, Gateway Subnet.
  Spoke 1 VNet, Spoke 2 VNet, Spoke 3 VNet, Spoke 4 VNet: each with its own subnets (Spoke 1 Subnets to Spoke 4 Subnets), each connected to the Hub VNet.
  On-premises Network HQ and On-premises Network Site 2: S2S VPN Tunnel to the Gateway Subnet. VPN Client: P2S VPN Tunnel. Internet: HTTP/HTTPS.

  6. Hub and Spoke Topology

  Same topology as slide 5 (Hub VNet with Hub Subnets and Gateway Subnet; Spoke 1 to Spoke 4 VNets with their subnets; S2S VPN Tunnels from On-premises Network HQ and Site 2; P2S VPN Tunnel from the VPN Client; Internet HTTP/HTTPS), with a comparison of the two topologies:

  Hub & Spoke
    Benefits: easier to manage shared services; lower licensing costs; improved segregation; easy to scale.
    Drawbacks: single point of failure; overhead of managing UDRs.
  Simplified
    Benefits: no single point of failure.
    Drawbacks: duplication of shared services (Firewall, SIEM); higher licensing costs; challenging to scale.

  7. Example Azure Network Plan: VNets & Subnets

  ID  vNET     Subscription  Security zone        Subnet        Netmask  CIDR             Gateway unit           Gateway address  # of hosts
  1   HUB      Hub           HUB_SZ_MSS           10.151.98.0   26       10.151.98.0/26   Microsoft Azure        10.151.98.1      62
  2   HUB      Hub           HUB_SZ_PRIVATE_DMZ   10.151.96.0   26       10.151.96.0/26   Firewall 1 (Internal)  10.151.96.1      62
  3   HUB      Hub           HUB_SZ_PUBLIC_DMZ    10.151.97.0   24       10.151.97.0/24   Firewall 0 (External)  10.151.97.1      254
  4   HUB      Hub           HUB_SZ_JUMP_BOX      10.151.98.64  26       10.151.98.64/26  Microsoft Azure        10.151.98.65     62
  5   PROD     Prod          PROD_SZ_WORKLOAD1    10.151.0.0    19       10.151.0.0/19    Microsoft Azure        10.151.0.1       8190
  6   DEV      Non-Prod      DEV_SZ_NON_PROD      10.151.32.0   19       10.151.32.0/19   Microsoft Azure        10.151.32.1      8190
  7   STAGING  Non-Prod      STAGING_SZ_NON_PROD  10.151.64.0   19       10.151.64.0/19   Microsoft Azure        10.151.64.1      8190

  The "# of hosts" column subtracts only the network and broadcast addresses. Azure reserves five addresses in every subnet (network, the default gateway, two platform addresses, broadcast), so the usable counts in Azure are 59 for a /26, 251 for a /24 and 8187 for a /19.
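A plan like the one on slide 7 can be checked mechanically before anyone deploys it. The block below is an added example, not code from the deck: it transcribes the seven rows, checks that no two prefixes overlap, that each gateway address is the first address after the network address (where Azure places it), and recomputes usable hosts with Azure's five reserved addresses per subnet rather than the two the slide assumes. It also derives the single summary prefix that the on-premises side would route towards the S2S tunnel (and that must not collide with on-premises ranges). The eighth, overlapping row used in the usage example is constructed to show the overlap check firing.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network

# Azure reserves the network address, the default gateway, two platform
# (DNS) addresses and the broadcast address in every subnet.
AZURE_RESERVED = 5
CLASSIC_RESERVED = 2   # what the slide's "# of hosts" column assumes


@dataclass(frozen=True)
class Row:
    id: int
    vnet: str
    zone: str
    cidr: str
    gateway: str
    hosts_on_slide: int


# The seven rows of the slide-7 table, transcribed as-is.
PLAN = [
    Row(1, "HUB",     "HUB_SZ_MSS",          "10.151.98.0/26",  "10.151.98.1",  62),
    Row(2, "HUB",     "HUB_SZ_PRIVATE_DMZ",  "10.151.96.0/26",  "10.151.96.1",  62),
    Row(3, "HUB",     "HUB_SZ_PUBLIC_DMZ",   "10.151.97.0/24",  "10.151.97.1",  254),
    Row(4, "HUB",     "HUB_SZ_JUMP_BOX",     "10.151.98.64/26", "10.151.98.65", 62),
    Row(5, "PROD",    "PROD_SZ_WORKLOAD1",   "10.151.0.0/19",   "10.151.0.1",   8190),
    Row(6, "DEV",     "DEV_SZ_NON_PROD",     "10.151.32.0/19",  "10.151.32.1",  8190),
    Row(7, "STAGING", "STAGING_SZ_NON_PROD", "10.151.64.0/19",  "10.151.64.1",  8190),
]


def usable_hosts(cidr: str, reserved: int = AZURE_RESERVED) -> int:
    """Addresses a tenant can actually assign in `cidr`."""
    return Net(cidr).num_addresses - reserved


def check_plan(plan: list[Row]) -> list[str]:
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings: list[str] = []
    nets = [(r, Net(r.cidr, strict=True)) for r in plan]   # strict: reject unaligned prefixes
    # 1. Prefixes must not overlap: overlapping spaces cannot be peered and make routes ambiguous.
    for i, (a, an) in enumerate(nets):
        for b, bn in nets[i + 1:]:
            if an.overlaps(bn):
                findings.append(f"rows {a.id} and {b.id} overlap: {an} / {bn}")
    for r, n in nets:
        gw = ipaddress.ip_address(r.gateway)
        # 2. Azure's default gateway is always network address + 1.
        if gw != n.network_address + 1:
            findings.append(f"row {r.id}: gateway {gw} is not {n.network_address + 1}")
        # 3. The slide counts hosts with the classic two reservations; Azure takes five.
        azure = usable_hosts(r.cidr)
        if r.hosts_on_slide != azure:
            findings.append(f"row {r.id}: slide says {r.hosts_on_slide} hosts, Azure allows {azure} in {n}")
    return findings


def summary_prefix(plan: list[Row]) -> Net:
    """Smallest single prefix covering every row in the plan."""
    nets = [Net(r.cidr) for r in plan]
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    summary = Net(f"{lo}/32")
    while hi not in summary:
        summary = summary.supernet()   # widen by one bit until the top address fits
    return summary


if __name__ == "__main__":
    for finding in check_plan(PLAN):
        print(finding)
    print("summary prefix for on-prem routing:", summary_prefix(PLAN))
    # Constructed row that collides with HUB_SZ_MSS, to show the overlap check.
    bad = PLAN + [Row(8, "TEST", "TEST_SZ_X", "10.151.98.32/27", "10.151.98.33", 27)]
    print([f for f in check_plan(bad) if "overlap" in f])
```

On the transcribed plan the only findings are the seven host-count corrections (59, 251 and 8187 usable instead of 62, 254 and 8190); the prefixes are disjoint and every gateway is where Azure puts it. The summary prefix comes out as 10.151.0.0/17, which is the one route the on-premises sites need for the S2S tunnels and the range that must be kept free on-premises.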
