Azure Network Architecture Deployment Overview
An in-depth look at Azure network architectures, including landing zone configurations with Azure Firewall and WAF, deployment to primary Azure regions, hub and spoke models, network virtual appliances (NVAs), VPN tunnels, DMZ setups, and more. This comprehensive guide covers various network components and their connections to optimize resource management and security controls.
Presentation Transcript
Slide 1: Azure Landing Zone (Azure Firewall/WAF) [diagram]. Hub VNet: gateway subnet connected to the on-premises network; Azure Firewall applying NAT, network and application traffic filtering rules (L3-L7 connectivity policies) to allow inbound/outbound access; management subnet with a jumpbox; UDRs steering spoke traffic. Spoke 1 VNet: web tier, business tier and data tier. Spoke 2 VNet: App Services and a managed database. Bidirectional VNet peering between the hub and each spoke.
Slide 2: Azure Landing Zone (NVA) [diagram], after https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/secure-vnet-dmz. Hub VNet: gateway subnet connected to the on-premises network; private DMZ (in/out subnets) and public DMZ (in/out subnets), each fronted by NVAs in an availability set; management subnet with a jumpbox; UDRs. Spoke 1 VNet: web tier, business tier and data tier. Spoke 2 VNet: App Services and a managed database. Bidirectional VNet peering between the hub and each spoke.
Slide 3: Azure Network Architecture: Deployment to Primary Azure Region [diagram]. Management groups and subscriptions: Hub Management Group > Hub Subscription > Hub Resource Group(s)*; Non-Prod Management Group > Non-Prod Subscription > Dev Resource Group(s)* and Test Resource Group(s)*; Prod Management Group > Prod Subscription > Prod Resource Group(s)*. Hub VNet (10.xx.xx.xx/yy) subnets: Gateway Subnet, Firewall Subnet, Management Subnet, SIEM Subnet, WAF Subnet (each 10.xx.xx.xx/zz). Connectivity: On-premises Network HQ and On-premises Network Site 2 via S2S VPN tunnels to the gateway subnet; VPN clients via a P2S VPN tunnel; Internet HTTP/HTTPS traffic terminates on the WAF subnet. Spokes, each with bidirectional VNet peering to the hub: Dev VNet (Spoke 1), Test VNet (Spoke 2), Prod VNet (Spoke 3), each 10.xx.xx.xx/yy with four 10.xx.xx.xx/zz subnets. * Additional Resource Groups will be used for Azure resources as required for better resource management and security control.
Slide 4: Azure Network Architecture: with animation [diagram]. Animated build of the slide 3 diagram; same management groups, subscriptions, hub subnets, VPN tunnels, WAF ingress and peered spoke VNets.
Slide 5: Hub and Spoke Network Topology [diagram]. Hub VNet with hub subnets and a gateway subnet; Spoke 1 through Spoke 4 VNets, each with its own subnets, peered to the hub. On-premises Network HQ and On-premises Network Site 2 connect through S2S VPN tunnels, VPN clients through a P2S VPN tunnel, and HTTP/HTTPS traffic enters from the Internet.
Slide 6: Hub and Spoke Topology [diagram, same components as slide 5] with a comparison of the two topologies:

Hub & Spoke
  Benefits: easier to manage shared services; lower licensing costs; improved segregation; easy to scale.
  Drawbacks: single point of failure; overhead of managing UDRs.

Simplified
  Benefits: no single point of failure.
  Drawbacks: duplication of shared services (firewall, SIEM); higher licensing costs; challenging to scale.
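The two drawbacks listed for hub and spoke follow from how Azure selects routes, and they are easier to reason about in code than on a slide. The example below is added here and is not part of the presentation; it models a constructed hub with a firewall (10.0.1.4) and three spokes, reproduces Azure's route selection (longest prefix match over system routes and UDRs, UDR winning a tie, and the default 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and 100.64.0.0/10 system routes whose next hop is None), and shows three things: peering is not transitive, a 0.0.0.0/0 UDR alone does not send spoke-to-spoke traffic through the firewall because the /8 "None" system route is more specific, and every flow that depends on the firewall stops when the firewall stops. All VNet names, prefixes and addresses are constructed for the example.

```python
"""Added example: effective-route resolution for a hub-and-spoke topology with UDRs.
Topology, prefixes and addresses are constructed; the route-selection rules are Azure's."""
from ipaddress import ip_address, ip_network

HUB = ip_network("10.0.0.0/16")                 # constructed hub VNet
FIREWALL_IP = ip_address("10.0.1.4")            # constructed firewall private IP in the hub
SPOKES = {                                      # constructed spoke VNets
    "spoke1": ip_network("10.1.0.0/16"),
    "spoke2": ip_network("10.2.0.0/16"),
    "spoke3": ip_network("10.3.0.0/16"),
}
# Bidirectional peering between the hub and every spoke; no spoke-to-spoke peering.
PEERINGS = {("hub", s) for s in SPOKES} | {(s, "hub") for s in SPOKES}

# Route tables (prefix, next-hop type, next-hop address) associated with each spoke's subnets.
UDRS = {
    # spoke1 is done right: default route AND the private range go to the firewall
    "spoke1": [(ip_network("0.0.0.0/0"), "VirtualAppliance", FIREWALL_IP),
               (ip_network("10.0.0.0/8"), "VirtualAppliance", FIREWALL_IP)],
    # spoke2 only has the default route, a common mistake
    "spoke2": [(ip_network("0.0.0.0/0"), "VirtualAppliance", FIREWALL_IP)],
    # spoke3 has no UDR at all
    "spoke3": [],
}

# Azure's default system routes that silently drop traffic to private ranges.
PRIVATE_DROPS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"]


def prefix_of(vnet):
    return HUB if vnet == "hub" else SPOKES[vnet]


def vnet_of(addr):
    for name, net in SPOKES.items():
        if addr in net:
            return name
    return "hub" if addr in HUB else "internet"


def system_routes(vnet):
    """Azure system routes: local VNet, every directly peered VNet, private drops, default to Internet."""
    routes = [(prefix_of(vnet), "VNet", None)]
    routes += [(prefix_of(b), "VNetPeering", None) for a, b in PEERINGS if a == vnet]
    routes += [(ip_network(p), "None", None) for p in PRIVATE_DROPS]
    routes.append((ip_network("0.0.0.0/0"), "Internet", None))
    return routes


def effective_route(vnet, dst):
    """Longest-prefix match over system routes and UDRs; a UDR wins a tie with a system route."""
    candidates = [(r, False) for r in system_routes(vnet)] + [(r, True) for r in UDRS.get(vnet, [])]
    matching = [(r, is_udr) for r, is_udr in candidates if dst in r[0]]
    (_prefix, hop_type, hop), _ = max(matching, key=lambda c: (c[0][0].prefixlen, c[1]))
    return hop_type, hop


def path(src, dst, firewall_up=True):
    """Hops (as strings) a flow takes from src to dst, or [] when Azure would drop it."""
    src, dst = ip_address(src), ip_address(dst)
    hop_type, hop = effective_route(vnet_of(src), dst)
    if hop_type == "None":
        return []                      # dropped: no UDR or peering covers the destination
    if hop_type != "VirtualAppliance":
        return [str(dst)]              # delivered directly (local VNet, peering or Internet)
    if not firewall_up:
        return []                      # the shared firewall is the single point of failure
    # The firewall forwards from the hub, which is peered to every spoke
    # (the peerings must allow forwarded traffic for this second leg).
    hop2_type, _ = effective_route("hub", dst)
    return [str(hop), str(dst)] if hop2_type != "None" else [str(hop)]


if __name__ == "__main__":
    for s, d in [("10.1.0.10", "10.3.0.10"), ("10.2.0.10", "10.1.0.10"), ("10.3.0.10", "10.1.0.10")]:
        print(f"{s} -> {d}: {path(s, d) or 'DROPPED'}")
```

Running the module shows spoke1 reaching spoke3 through the firewall, while spoke2 (default route only) and spoke3 (no UDR) cannot reach spoke1 at all; that gap is exactly the "overhead of managing UDRs" on the slide, and `path(..., firewall_up=False)` is the single point of failure.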
Slide 7: Example Azure Network Plan: VNets & Subnets

ID  vNET     Subnet        Netmask  CIDR             Subscription  Security zone        Gateway unit           Gateway address  # of hosts
1   HUB      10.151.98.0   26       10.151.98.0/26   Hub           HUB_SZ_MSS           Microsoft Azure        10.151.98.1      62
2   HUB      10.151.96.0   26       10.151.96.0/26   Hub           HUB_SZ_PRIVATE_DMZ   Firewall 1 (Internal)  10.151.96.1      62
3   HUB      10.151.97.0   24       10.151.97.0/24   Hub           HUB_SZ_PUBLIC_DMZ    Firewall 0 (External)  10.151.97.1      254
4   HUB      10.151.98.64  26       10.151.98.64/26  Hub           HUB_SZ_JUMP_BOX      Microsoft Azure        10.151.98.65     62
5   PROD     10.151.0.0    19       10.151.0.0/19    Prod          PROD_SZ_WORKLOAD1    Microsoft Azure        10.151.0.1       8190
6   DEV      10.151.32.0   19       10.151.32.0/19   Non-Prod      DEV_SZ_NON_PROD      Microsoft Azure        10.151.32.1      8190
7   STAGING  10.151.64.0   19       10.151.64.0/19   Non-Prod      STAGING_SZ_NON_PROD  Microsoft Azure        10.151.64.1      8190
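A plan like the one above is worth checking mechanically before the peerings are built, because overlapping prefixes block VNet peering and the host counts on the slide use the textbook rule (2^n minus network and broadcast) whereas Azure reserves five addresses in every subnet. The validator below is an added example, not part of the presentation: the rows are copied from the table, and the checks (gateway is the first host of its subnet, no subnet smaller than Azure's /29 minimum, no overlapping prefixes, and the smallest address space that would cover the hub subnets) are added here.

```python
"""Added example: validate the VNet/subnet plan from the table above.
Plan rows are copied from the slide; the checks and the Azure constants are added."""
from ipaddress import ip_address, ip_network
from itertools import combinations

# (id, vnet, cidr, subscription, security_zone, gateway_unit, gateway_address)
PLAN = [
    (1, "HUB", "10.151.98.0/26", "Hub", "HUB_SZ_MSS", "Microsoft Azure", "10.151.98.1"),
    (2, "HUB", "10.151.96.0/26", "Hub", "HUB_SZ_PRIVATE_DMZ", "Firewall 1 (Internal)", "10.151.96.1"),
    (3, "HUB", "10.151.97.0/24", "Hub", "HUB_SZ_PUBLIC_DMZ", "Firewall 0 (External)", "10.151.97.1"),
    (4, "HUB", "10.151.98.64/26", "Hub", "HUB_SZ_JUMP_BOX", "Microsoft Azure", "10.151.98.65"),
    (5, "PROD", "10.151.0.0/19", "Prod", "PROD_SZ_WORKLOAD1", "Microsoft Azure", "10.151.0.1"),
    (6, "DEV", "10.151.32.0/19", "Non-Prod", "DEV_SZ_NON_PROD", "Microsoft Azure", "10.151.32.1"),
    (7, "STAGING", "10.151.64.0/19", "Non-Prod", "STAGING_SZ_NON_PROD", "Microsoft Azure", "10.151.64.1"),
]

AZURE_RESERVED = 5      # network, default gateway, two Azure DNS addresses, broadcast
AZURE_MIN_PREFIX = 29   # smallest IPv4 subnet Azure accepts


def classic_hosts(cidr):
    """Usable hosts by the textbook rule used in the table (network and broadcast excluded)."""
    return ip_network(cidr).num_addresses - 2


def azure_hosts(cidr):
    """Usable hosts Azure actually leaves after its five reserved addresses."""
    return ip_network(cidr).num_addresses - AZURE_RESERVED


def check_row(row):
    """Problems found in one plan row; empty list means the row is consistent."""
    row_id, _vnet, cidr, *_rest, gateway = row
    net = ip_network(cidr)
    problems = []
    # Azure hands out the first usable address of a subnet as the default gateway.
    if ip_address(gateway) != net.network_address + 1:
        problems.append(f"row {row_id}: gateway {gateway} is not the first host of {cidr}")
    if net.prefixlen > AZURE_MIN_PREFIX:
        problems.append(f"row {row_id}: {cidr} is smaller than Azure's /{AZURE_MIN_PREFIX} minimum")
    return problems


def find_overlaps(plan):
    """(id_a, id_b) pairs whose prefixes overlap; peered VNets must have none."""
    nets = [(row[0], ip_network(row[2])) for row in plan]
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]


def covering_prefix(cidrs):
    """Smallest single prefix containing every given subnet, e.g. a VNet address space."""
    nets = [ip_network(c) for c in cidrs]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return str(cover)


def validate(plan):
    """All problems in the plan: per-row inconsistencies plus overlapping prefixes."""
    problems = []
    for row in plan:
        problems.extend(check_row(row))
    for a, b in find_overlaps(plan):
        problems.append(f"rows {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    for row in PLAN:
        print(f"{row[0]} {row[2]:<17} classic={classic_hosts(row[2]):>5} azure={azure_hosts(row[2]):>5}")
    print("hub address space needed:", covering_prefix([r[2] for r in PLAN if r[1] == "HUB"]))
    print("problems:", validate(PLAN) or "none")
```

The plan on the slide passes cleanly, and the hub's four subnets fit inside a 10.151.96.0/22 address space; the `azure_hosts` column is the number to use when sizing subnets, since a /26 leaves 59 addresses in Azure rather than the 62 shown.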