The document discusses several Azure network architectures including:
1) An Azure landing zone with firewall/WAF that includes hub-spoke VNets with web, business, and data tiers separated across spokes connected to an on-premises network.
2) An Azure network architecture deployed to a primary region including production and non-production subscriptions, VNets, and resource groups separated by function and connected to an on-premises network via VPN.
3) A hub-spoke network topology with shared services and subnets in a central hub VNet and workloads separated across spoke VNets connected to the hub.
2. Azure Landing Zone (NVA)
[Diagram: hub-spoke landing zone built around network virtual appliances. The on-premises network enters through a gateway subnet (with a UDR) into the hub VNet, which contains a management subnet with a jumpbox, a public DMZ (in/out) and a private DMZ (in/out), each NVA pair in its own availability set. Two spoke VNets (Spoke 1 and Spoke 2) hang off the hub: one holds the web, business and data tiers, the other holds App Services and a managed database. Each spoke is joined to the hub by bidirectional VNet peering.]
Reference: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/secure-vnet-dmz
3. Azure Network Architecture: Deployment to Primary Azure Region
[Diagram: hub-spoke deployment in a single Azure region, organised by management group, subscription and resource group. Hub Management Group > Hub Subscription > Hub Resource Group(s)*: Hub VNet (10.xx.xx.xx/yy) with Gateway, Firewall, SIEM, WAF and Management subnets (each 10.xx.xx.xx/zz). Prod Management Group > Prod Subscription > Prod Resource Group(s)*: Prod VNet, Spoke 3 (10.xx.xx.xx/yy, three subnets of 10.xx.xx.xx/zz). Non-Prod Management Group > Non-Prod Subscription > Dev Resource Group(s)* and Test Resource Group(s)*: Dev VNet, Spoke 1, and Test VNet, Spoke 2 (each 10.xx.xx.xx/yy with three subnets of 10.xx.xx.xx/zz). Every spoke is joined to the hub by bidirectional VNet peering. Ingress to the hub: S2S VPN tunnels from On-premises Network HQ and On-premises Network Site 2, a P2S VPN tunnel from VPN clients, and HTTP/HTTPS from the Internet.]
* Additional Resource Groups will be used for Azure resources as required for better resource management and security control.
4. Azure Network Architecture: with animation
[Diagram: animated build-up of the same primary-region hub-spoke architecture shown in section 3 (Hub, Prod, Dev and Test VNets with their subnets and address placeholders, bidirectional VNet peerings, S2S and P2S VPN tunnels, and HTTP/HTTPS from the Internet). The labels and the resource-group footnote are identical to section 3 and are not repeated here.]