Azure Hub spoke v1.0
Slide 1: Azure Landing Zone (Azure Firewall/WAF)
[Diagram. Recoverable labels: an on-premises network enters through a gateway subnet into a hub VNet that holds Azure Firewall, a management subnet with a jumpbox, and UDRs forcing traffic through the firewall. Bidirectional VNet peering connects the hub to VNet (Spoke 1) and VNet (Spoke 2); the spoke workloads are labelled web tier, business tier, data tier, App Services and managed database.]
Slide 2: Azure Landing Zone (NVA)
[Diagram. Same layout as slide 1, with third-party network virtual appliances in the hub instead of Azure Firewall: an availability set for the public DMZ (Public DMZ in / Public DMZ out) and an availability set for the private DMZ (Private DMZ in / Private DMZ out), plus gateway subnet, UDRs, management subnet with jumpbox, and bidirectional VNet peering to VNet (Spoke 1) and VNet (Spoke 2) hosting the web, business and data tiers, App Services and a managed database.]
Reference: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/secure-vnet-dmz
Slide 3: Azure Network Architecture: Deployment to Primary Azure Region
[Diagram. Recoverable labels, grouped by management scope:]
  Hub Management Group > Hub Subscription > Hub Resource Group(s)*
    Hub VNet (10.xx.xx.xx/yy) with Gateway Subnet, Firewall Subnet, SIEM Subnet, WAF Subnet and Management Subnet (each 10.xx.xx.xx/zz)
  Prod Management Group > Prod Subscription > Prod Resource Group(s)*
    Prod VNet (Spoke 3), 10.xx.xx.xx/yy, with three subnets (10.xx.xx.xx/zz)
  Non-Prod Management Group > Non-Prod Subscription > Dev Resource Group(s)* and Test Resource Group(s)*
    Dev VNet (Spoke 1), 10.xx.xx.xx/yy, with three subnets (10.xx.xx.xx/zz)
    Test VNet (Spoke 2), 10.xx.xx.xx/yy, with three subnets (10.xx.xx.xx/zz)
  Connectivity: bidirectional VNet peering between the hub and each spoke; S2S VPN tunnels from On-premises Network HQ and On-premises Network Site 2 to the Gateway Subnet; P2S VPN tunnel from the VPN Client; HTTP/HTTPS from the Internet.
* Additional Resource Groups will be used for Azure resources as required for better resource management and security control.
Slide 4: Azure Network Architecture: with animation
[Diagram. Animated version of the preceding slide's topology with the same labels: Hub Management Group / Hub Subscription / Hub Resource Group(s)* with the Hub VNet (Gateway, Firewall, SIEM, WAF and Management Subnets); Prod Management Group / Prod Subscription / Prod Resource Group(s)* with Prod VNet (Spoke 3); Non-Prod Management Group / Non-Prod Subscription / Dev and Test Resource Group(s)* with Dev VNet (Spoke 1) and Test VNet (Spoke 2); bidirectional VNet peering hub to spokes; S2S VPN tunnels from On-premises Network HQ and Site 2, P2S VPN tunnel from the VPN Client, HTTP/HTTPS from the Internet.]
* Additional Resource Groups will be used for Azure resources as required for better resource management and security control.
Slide 5: Hub and Spoke Network Topology
[Diagram. Recoverable labels: Hub VNet with Hub Subnets and a Gateway Subnet; P2S VPN Tunnel from the VPN Client; S2S VPN Tunnels from On-premises Network HQ and On-premises Network Site 2; HTTP/HTTPS ingress; Spoke 1 VNet to Spoke 4 VNet, each with its own subnets (Spoke 1 Subnets ... Spoke 4 Subnets), peered to the hub.]
Slide 6: Hub and Spoke Topology

Topology: Hub & Spoke
  Benefits:  Easier to manage shared services; Lower licensing costs; Improved segregation; Easy to scale
  Drawbacks: Single point of failure; Overhead of managing UDRs

Topology: Simplified
  Benefits:  No single point of failure
  Drawbacks: Duplication of shared services (Firewall, SIEM); Higher licensing costs; Challenging to scale

[Diagram. Same hub-and-spoke figure as slide 5: Hub VNet with Hub Subnets and Gateway Subnet; P2S VPN Tunnel from the VPN Client; S2S VPN Tunnels from On-premises Network HQ and On-premises Network Site 2; HTTP/HTTPS ingress; Spoke 1 VNet to Spoke 4 VNet with their subnets.]
Slide 7: Example Azure Network Plan: VNets & Subnets

ID  VNet     Subnet        Netmask  CIDR             # of hosts  Subscription  Security zone        Gateway unit           Gateway address
1   HUB      10.151.98.0   26       10.151.98.0/26   62          Hub           HUB_SZ_MSS           Microsoft Azure        10.151.98.1
2   HUB      10.151.96.0   26       10.151.96.0/26   62          Hub           HUB_SZ_PRIVATE_DMZ   Firewall 1 (Internal)  10.151.96.1
3   HUB      10.151.97.0   24       10.151.97.0/24   254         Hub           HUB_SZ_PUBLIC_DMZ    Firewall 0 (External)  10.151.97.1
4   HUB      10.151.98.64  26       10.151.98.64/26  62          Hub           HUB_SZ_JUMP_BOX      Microsoft Azure        10.151.98.65
5   PROD     10.151.0.0    19       10.151.0.0/19    8190        Prod          PROD_SZ_WORKLOAD1    Microsoft Azure        10.151.0.1
6   DEV      10.151.32.0   19       10.151.32.0/19   8190        Non-Prod      DEV_SZ_NON_PROD      Microsoft Azure        10.151.32.1
7   STAGING  10.151.64.0   19       10.151.64.0/19   8190        Non-Prod      STAGING_SZ_NON_PROD  Microsoft Azure        10.151.64.1
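A plan like the one on slide 7 is worth checking mechanically before it is deployed, because an overlapping or misaligned spoke silently breaks peering and routing and a wrong host count leads to subnets that cannot be grown later. The script below is an added example, not part of the deck: it transcribes the table's rows, recomputes the usable-host count and the first-host gateway for each CIDR, rejects subnets with host bits set or overlapping ranges, confirms every subnet sits inside the enterprise allocation (assumed here to be 10.151.0.0/16, which the slide does not state), and lists the blocks still free for a further spoke. The "# of hosts" column uses the conventional 2^n - 2 count; Azure reserves five addresses in every subnet, so the script also reports the count Azure actually offers.

```python
"""Consistency checks for a hub-and-spoke subnet plan (added example, not from the deck)."""
import ipaddress
from dataclasses import dataclass
from itertools import combinations

# The slide's "# of hosts" column uses the conventional count 2^n - 2 (network and
# broadcast excluded). Azure also reserves the first three usable addresses of every
# subnet, so the number of addresses it will actually hand out is 2^n - 5.
AZURE_RESERVED_PER_SUBNET = 5

# Assumption: the whole deployment is carved out of 10.151.0.0/16. The slide lists
# only the individual subnets, not the enterprise range they come from.
ENTERPRISE_RANGE = ipaddress.ip_network("10.151.0.0/16")


@dataclass(frozen=True)
class SubnetRow:
    ident: int
    vnet: str
    cidr: str
    hosts: int          # "# of hosts" as written in the plan
    subscription: str
    security_zone: str
    gateway_unit: str
    gateway: str        # gateway address as written in the plan


# Rows transcribed from the slide-7 table.
PLAN = [
    SubnetRow(1, "HUB", "10.151.98.0/26", 62, "Hub", "HUB_SZ_MSS", "Microsoft Azure", "10.151.98.1"),
    SubnetRow(2, "HUB", "10.151.96.0/26", 62, "Hub", "HUB_SZ_PRIVATE_DMZ", "Firewall 1 (Internal)", "10.151.96.1"),
    SubnetRow(3, "HUB", "10.151.97.0/24", 254, "Hub", "HUB_SZ_PUBLIC_DMZ", "Firewall 0 (External)", "10.151.97.1"),
    SubnetRow(4, "HUB", "10.151.98.64/26", 62, "Hub", "HUB_SZ_JUMP_BOX", "Microsoft Azure", "10.151.98.65"),
    SubnetRow(5, "PROD", "10.151.0.0/19", 8190, "Prod", "PROD_SZ_WORKLOAD1", "Microsoft Azure", "10.151.0.1"),
    SubnetRow(6, "DEV", "10.151.32.0/19", 8190, "Non-Prod", "DEV_SZ_NON_PROD", "Microsoft Azure", "10.151.32.1"),
    SubnetRow(7, "STAGING", "10.151.64.0/19", 8190, "Non-Prod", "STAGING_SZ_NON_PROD", "Microsoft Azure", "10.151.64.1"),
]


def conventional_hosts(cidr):
    """Usable hosts by the textbook rule (network and broadcast excluded)."""
    return ipaddress.ip_network(cidr).num_addresses - 2


def azure_usable_hosts(cidr):
    """Usable hosts after Azure's per-subnet reservation of five addresses."""
    return ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED_PER_SUBNET


def validate_plan(rows, enterprise_range=ENTERPRISE_RANGE):
    """Return a list of findings; an empty list means the plan is internally consistent."""
    findings, parsed = [], []
    for row in rows:
        try:
            net = ipaddress.ip_network(row.cidr, strict=True)   # strict: host bits must be zero
        except ValueError:
            findings.append(f"row {row.ident}: {row.cidr} has host bits set; not a valid subnet")
            continue
        parsed.append((row, net))
        if conventional_hosts(row.cidr) != row.hosts:
            findings.append(f"row {row.ident}: {row.cidr} gives {conventional_hosts(row.cidr)} hosts, plan says {row.hosts}")
        if ipaddress.ip_address(row.gateway) != net.network_address + 1:
            findings.append(f"row {row.ident}: gateway {row.gateway} is not the first host of {row.cidr}")
        if not net.subnet_of(enterprise_range):
            findings.append(f"row {row.ident}: {row.cidr} lies outside {enterprise_range}")
    # Overlap between any two subnets would make peering and UDR routing ambiguous.
    for (ra, na), (rb, nb) in combinations(parsed, 2):
        if na.overlaps(nb):
            findings.append(f"rows {ra.ident} and {rb.ident}: {na} overlaps {nb}")
    return findings


def unallocated(rows, enterprise_range=ENTERPRISE_RANGE):
    """CIDR blocks of the enterprise range not yet assigned to any subnet, largest first."""
    free = [enterprise_range]
    for row in rows:
        net = ipaddress.ip_network(row.cidr)
        remaining = []
        for block in free:
            if net.subnet_of(block):
                remaining.extend(block.address_exclude(net))   # carve the subnet out of the free block
            elif not block.subnet_of(net):
                remaining.append(block)                        # untouched; blocks inside net are dropped
        free = remaining
    free.sort(key=lambda n: (n.prefixlen, int(n.network_address)))
    return [str(n) for n in free]


if __name__ == "__main__":
    for line in validate_plan(PLAN) or ["plan is consistent"]:
        print(line)
    for row in PLAN:
        print(f"{row.cidr:17} plan hosts={row.hosts:5}  azure usable={azure_usable_hosts(row.cidr)}")
    print("free blocks:", ", ".join(unallocated(PLAN)))
```

Run it as-is to confirm the slide's table is self-consistent; then append a candidate Spoke 4 row and rerun before the change request goes in. A spoke placed at 10.151.96.0/19, for instance, would pass the host-count and gateway checks but collide with all four hub subnets, which is exactly the kind of mistake the overlap check exists to catch.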