Azure Landing Zone (slide deck, 7 slides)
Slide 1: Azure Landing Zone (Azure Firewall/WAF)

[Diagram: an on-premises network connects through the Gateway subnet of a Hub VNet that hosts Azure Firewall/WAF and a Management subnet with a Jumpbox. The hub is joined by bidirectional VNet Peering to Spoke 1 (Web tier, Business tier, Data tier, with a UDR) and to Spoke 2 (App Services, Managed Database).]

Slide 2: Azure Landing Zone (NVA)

Reference: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/secure-vnet-dmz

[Diagram: the same hub-and-spoke layout, with the Hub VNet's Gateway subnet feeding NVA availability sets for a Private DMZ (in/out) and a Public DMZ (in/out), plus a Management subnet with a Jumpbox. Bidirectional VNet Peering joins the hub to Spoke 1 (Web tier, Business tier, Data tier, with a UDR) and Spoke 2 (App Services, Managed Database).]

Slide 3: Azure Network Architecture: Deployment to Primary Azure Region

[Diagram, structured by management group:
- Hub Management Group / Hub Subscription / Hub Resource Group(s)*: Hub VNet with Gateway Subnet, Firewall Subnet, Management Subnet, SIEM Subnet and WAF Subnet.
- Non-Prod Management Group / Non-Prod Subscription: Dev Resource Group(s)* with Dev VNet (Spoke 1); Test Resource Group(s)* with Test VNet (Spoke 2).
- Prod Management Group / Prod Subscription / Prod Resource Group(s)*: Prod VNet (Spoke 3).
Connectivity: On-premises Network HQ and On-premises Network Site 2 reach the Gateway Subnet over S2S VPN tunnels; a VPN Client connects over a P2S VPN tunnel; Internet HTTP/HTTPS traffic enters through the WAF Subnet; each spoke is joined to the Hub VNet by bidirectional VNet Peering. Address ranges appear only as placeholders (10.xx.xx/yy for VNets, 10.xx.xx/zz for subnets).]

* Additional Resource Groups will be used for Azure resources as required for better resource management and security control.

Slide 4: Azure Network Architecture: with animation

[Diagram: the same architecture as slide 3, presented as an animated build-up; the components, placeholder address ranges and footnote are identical.]

Slide 5: Hub and Spoke Network Topology

[Diagram: a Hub VNet (Hub Subnets, Gateway Subnet) peered with Spoke 1, Spoke 2, Spoke 3 and Spoke 4 VNets, each with its own subnets. On-premises Network HQ and On-premises Network Site 2 connect over S2S VPN tunnels, a VPN Client over a P2S VPN tunnel, and HTTP/HTTPS traffic arrives from the Internet.]

Slide 6: Hub and Spoke Topology

[Diagram: same hub-and-spoke layout as slide 5.]

Hub & Spoke
  Benefits: Simplified; Easier to manage shared services; Lower licensing costs; Improved segregation; Easy to scale.
  Drawbacks: Single point of failure; Overhead of managing UDRs.

Second column (heading not recovered from the slide)
  Benefits: No single point of failure.
  Drawbacks: Duplication of shared services (Firewall, SIEM); Higher licensing costs; Challenging to scale.

Slide 7: Example Azure Network Plan: VNets & Subnets

| ID | vNET    | Subnet       | Netmask | CIDR            | # of hosts | Subscription | Security zone       | Gateway unit          | Gateway address |
|----|---------|--------------|---------|-----------------|------------|--------------|---------------------|-----------------------|-----------------|
| 1  | HUB     | 10.151.98.0  | 26      | 10.151.98.0/26  | 62         | Hub          | HUB_SZ_MSS          | Microsoft Azure       | 10.151.98.1     |
| 2  | HUB     | 10.151.96.0  | 26      | 10.151.96.0/26  | 62         | Hub          | HUB_SZ_PRIVATE_DMZ  | Firewall 1 (Internal) | 10.151.96.1     |
| 3  | HUB     | 10.151.97.0  | 24      | 10.151.97.0/24  | 254        | Hub          | HUB_SZ_PUBLIC_DMZ   | Firewall 0 (External) | 10.151.97.1     |
| 4  | HUB     | 10.151.98.64 | 26      | 10.151.98.64/26 | 62         | Hub          | HUB_SZ_JUMP_BOX     | Microsoft Azure       | 10.151.98.65    |
| 5  | PROD    | 10.151.0.0   | 19      | 10.151.0.0/19   | 8190       | Prod         | PROD_SZ_WORKLOAD1   | Microsoft Azure       | 10.151.0.1      |
| 6  | DEV     | 10.151.32.0  | 19      | 10.151.32.0/19  | 8190       | Non-Prod     | DEV_SZ_NON_PROD     | Microsoft Azure       | 10.151.32.1     |
| 7  | STAGING | 10.151.64.0  | 19      | 10.151.64.0/19  | 8190       | Non-Prod     | STAGING_SZ_NON_PROD | Microsoft Azure       | 10.151.64.1     |
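As an added example (not part of the deck), the plan above can be checked mechanically before anything is deployed: every subnet must sit on its netmask boundary, the gateway address must be the first address of the block, and no two subnets may overlap. The row data is a constructed copy of the table; the second host-count function applies Azure's rule that the first four and the last address of every subnet are reserved, so the usable count is five below the table's 2^n-2 figure.

```python
import ipaddress

# Constructed from the seven rows of the slide's network plan:
# (vNET, subnet, netmask, security zone, gateway address)
PLAN = [
    ("HUB", "10.151.98.0", 26, "HUB_SZ_MSS", "10.151.98.1"),
    ("HUB", "10.151.96.0", 26, "HUB_SZ_PRIVATE_DMZ", "10.151.96.1"),
    ("HUB", "10.151.97.0", 24, "HUB_SZ_PUBLIC_DMZ", "10.151.97.1"),
    ("HUB", "10.151.98.64", 26, "HUB_SZ_JUMP_BOX", "10.151.98.65"),
    ("PROD", "10.151.0.0", 19, "PROD_SZ_WORKLOAD1", "10.151.0.1"),
    ("DEV", "10.151.32.0", 19, "DEV_SZ_NON_PROD", "10.151.32.1"),
    ("STAGING", "10.151.64.0", 19, "STAGING_SZ_NON_PROD", "10.151.64.1"),
]


def table_hosts(netmask):
    """Host count as the slide computes it: block size minus network and broadcast."""
    return 2 ** (32 - netmask) - 2


def azure_usable_hosts(netmask):
    """Addresses Azure actually assigns: it reserves the first four and the last address."""
    return 2 ** (32 - netmask) - 5


def validate_plan(rows):
    """Return a list of problems; an empty list means the plan is internally consistent."""
    problems, seen = [], []
    for vnet, subnet, netmask, zone, gateway in rows:
        net = ipaddress.ip_network(f"{subnet}/{netmask}", strict=False)
        if str(net.network_address) != subnet:
            problems.append(f"{zone}: {subnet}/{netmask} is not aligned to a /{netmask} block")
        # Azure's default gateway is always the first address after the network address
        if str(net.network_address + 1) != gateway:
            problems.append(f"{zone}: gateway {gateway} is not the first address of {net}")
        for other_zone, other in seen:
            if net.overlaps(other):
                problems.append(f"{zone} {net} overlaps {other_zone} {other}")
        seen.append((zone, net))
    return problems


if __name__ == "__main__":
    for vnet, subnet, netmask, zone, gateway in PLAN:
        print(f"{zone:<20} /{netmask}  table={table_hosts(netmask):>5}  azure={azure_usable_hosts(netmask):>5}")
    print("problems:", validate_plan(PLAN) or "none")
```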