mattfeltonma/azure-network-journey mattfeltonma/azure-network-journey

  • Stars
    star
    183
  • Rank 208,893 (Top 5 %)
  • Language
  • License
    MIT License
  • Created over 2 years ago
  • Updated about 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
mattfeltonma/azure-network-journey
github

mattfeltonma

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

This repository contains a collection of core networking patterns starting from basic to advanced. The goal is to assist customers with picking the right pattern for their stage of the journey. Each pattern includes a summary, benefits and considerations, and diagrams providing examples of the patterns and what the route tables could look like.

A Journey through Azure Networking

Overview

Organizations often begin the cloud journey with simple requirements. These requirements grow as an organization scales, matures, and migrates critical data and workloads. As more requirements are introduced, the architecture of the an organization's cloud deployment becomes more complex.

This repository contains a collection of core networking patterns starting from basic to advanced. The goal is to assist customers with picking the right pattern for their stage of the journey. Each pattern includes a summary, benefits and considerations, and diagrams providing examples of the patterns and what the route tables could look like.

For the purposes of this repository, north and south traffic is traffic ingressing or egressing to the Internet. East and west is traffic ingressing or egressing between on-premises and Azure or between workloads running in different virtual networks in Azure.

Note that in the patterns with firewalls, the firewalls are assumed to have a separate dedicated network interface in a management subnet. This is not shown in the diagrams.

For detail on the traffic flows of the more complex network architectures listed here, reference this repository.

Sections

General

Hub and Spoke

Virtual WAN

Patterns

Single VNet And Single Subnet

visual

In this pattern there is a single virtual network with a single subnet all resources are placed in.

Benefits

  • All virtual machines in the same virtual network can communicate with each other using default system routes.
  • Virtual machine communication within the subnet can be mediated a network security group.

Considerations

  • Scaling this pattern can be a significant problem because subnets cannot be resized once network interfaces are associated with them.
  • Managing network security groups for intra-subnet traffic can be prone to misconfigurations.
  • All resources have direct access to the Internet through the default system route.
  • This pattern does not allow for connectivity back on-premises.

Single VNet And Multiple Subnets

visual

In this pattern there is a single virtual network with multiple subnets.

This is a common pattern for proof-of-concepts for a single workload where there is no requirement for on-premises connectivity.

Benefits

  • All virtual machines in the same virtual network can communicate with each other using default system routes.
  • Virtual machine communication between subnets can be mediated with network security groups.

Considerations

  • All resources have direct access to the Internet through the default system route.
  • This pattern does not allow for connectivity back on-premises.

Single VNet And Multiple Workloads

visual

In this pattern there is a single virtual network with multiple subnets hosting multiple workloads.

Benefits

  • Workload-to-workload communication can be mediated with network security groups.
  • All virtual machines in the same virtual network can communicate with each other using default system routes.
  • Virtual machine communication between subnets can be mediated with network security groups.

Considerations

  • Resources for both workloads that require integration with the virtual network must be in the same subscription creating a single blast radius.
  • It is not possible to restrict RBAC permissions on a per subnet basis within the same virtual network.
  • All resources have direct access to the Internet through the default system route.
  • This pattern does not allow for connectivity back on-premises.

Single VNet And On-Premises Connectivity

visual

In this pattern there is a single virtual network with multiple subnets and the workloads require on-premises connectivity.

This is a common pattern for proof-of-concepts for a single workload where on-premises connectivity is required.

Benefits

  • On-premises connectivity is provided by a Virtual Network Gateway configured with either a site-to-site VPN or ExpressRoute connection. Routes can be exchanged between on-premises and Azure using BGP.
  • All virtual machines in the same virtual network can communicate with each other using default system routes.
  • Virtual machine communication between subnets can be mediated with network security groups.

Considerations

  • The workload and on-premises connectivity resources must be within the same subscription.
  • All resources have direct access to the Internet through the default system route.

Peered VNets And On-Premises Connectivity With Multiple Workloads

visual

In this pattern each workload is its own virtual network and requires on-premises connectivity.

Benefts

  • On-premises connectivity is provided by a Virtual Network Gateway configured with either a site-to-site VPN or ExpressRoute connection. Routes can be exchanged between on-premises and Azure using BGP.
  • On-premises connectivity for the peered virtual network is provided by gateway transit.
  • Workload resources can be placed in separate subscriptions which creates a smaller blast radius.
  • All virtual machines in the separate peered virtual networks can communicate with each other using default system routes.
  • Virtual machine communication between subnets in the separate peered virtual networks can be mediated with network security groups.
  • All virtual machines in the same virtual network can communicate with each other using default system routes.
  • Virtual machine communication between subnets in the same virtual network can be mediated with network security groups.

Considerations

  • The workload and on-premises connectivity resources must be within the same subscription.
  • All resources have direct access to the Internet through the default system route.

Hub And Spoke With A Flat Network And Forced Tunneling

visual

In this pattern there is a dedicated virtual network used for on-premises connectivity which is shared with each workload that each have their own dedicated virtual network and there is a requirement to send Internet-bound traffic back on-premises for inspection, mediation, and/or logging.

This is a common pattern for organizations new to Azure that may have a significant capital investment in security appliances on-premises that are not yet fully depreciated and are comfortable mediating network traffic between workloads using network security groups.

Benefits

  • All resources are forced to route Internet-bound traffic back on-premises where it can be mediated, inspected, and/or logged.
  • Workloads have dedicated subscriptions containing their virtual network and workload resources creating separate blast radiuses.
  • The on-premises connectivity resources are in a dedicated subscription creating a separate blast radius.
  • All virtual machines in the separate peered virtual networks can communicate with each other through the Virtual Network Gateway (VPN) or MSEE (Microsoft Enterprise Edge) router (ExpressRoute).
  • On-premises connectivity is provided by a Virtual Network Gateway configured with either a site-to-site VPN or ExpressRoute connection. Routes can be exchanged between on-premises and Azure using BGP.
  • On-premises connectivity for the peered virtual network is provided by gateway transit.
  • Virtual machine communication between subnets in the separate peered virtual networks can be mediated with network security groups.
  • All virtual machines in the same virtual network can communicate with each other using default system routes.
  • Virtual machine communication between subnets in the same virtual network can be mediated with network security groups.

Considerations

  • This pattern creates a flat network where only network security groups can be used to mediate traffic between workloads.
  • Additional costs and latency will be incurred for egressing Internet-bound traffic back on-premises.

Hub And Spoke With East and West Firewall And Forced Tunneling

visual

In this pattern there is a dedicated virtual network used for on-premises connectivity which is shared with each workload that each have their own dedicated virtual network and there is a requirement to send Internet-bound traffic back on-premises for inspection, mediation, filtering, and/or logging. There is also a requirement for inspection, mediation, and/or logging for traffic between on-premises and workloads and for traffic between workloads but these activities must be performed by a firewall in Azure.

This pattern also uses a dedicated virtual network in a dedicated subscription for shared infrastructure services. These services can include Microsoft Active Directory, patching or update services, or logging services.

This is a common pattern for organizations new to Azure that may have a significant capital investment in security appliances on-premises that are not yet fully depreciated but want mediation, inspection, and/or centralized logging between workloads which is provided by a firewall in Azure.

Benefits

  • The firewall in Azure receives all traffic from workloads destined for on-premises, other workloads, or the Internet and can be used to centrally mediate, inspect, and/or log traffic.
  • All Internet-bound traffic is forced to route back on-premises where it can be mediated, inspected, and/or logged.
  • Shared infrastructure services added to Azure reduce the for workloads to go back on-premises for these services reducing network costs, latency, and mitigate impact of lost connectivity to on-premises.
  • Shared infrastructure services have a dedicated subscription containing its own virtual network and resources creating a separate blast radius.
  • Workloads have dedicated subscriptions containing their virtual network and workload resources creating separate blast radiuses.
  • The on-premises connectivity and network security appliances resources are in a dedicated subscription creating a separate blast radius.
  • All virtual machines in the separate peered virtual networks can communicate with each other through the Virtual Network Gateway (VPN) or MSEE (Microsoft Enterprise Edge) router (ExpressRoute).
  • On-premises connectivity is provided by a Virtual Network Gateway configured with either a site-to-site VPN or ExpressRoute connection. Routes can be exchanged between on-premises and Azure using BGP.
  • Virtual machine communication between subnets in the separate peered virtual networks can be mediated with network security groups.
  • All virtual machines in the same virtual network can communicate with each other using default system routes.
  • Virtual machine communication between subnets in the same virtual network can be mediated with network security groups.

Considerations

  • Additional costs of the firewall running in Azure.
  • Additional costs and latency will be incurred for egressing Internet-bound traffic back on-premises.

Hub And Spoke With Single Firewall For North South East West

visual

In this pattern there is a dedicated virtual network used for on-premises connectivity which is shared with each workload that each have their own dedicated virtual network. There is requirement for Internet-bound traffic, traffic between on-premises and Azure, and traffic between workloads in Azure to be mediated, inspected, and/or centrally logged by firewalls in Azure.

This pattern also uses a dedicated virtual network in a dedicated subscription for shared infrastructure services. These services can include Microsoft Active Directory, patching or update services, or logging services.

This is one of the more common patterns for organizations using Azure.

Benefits

  • Traffic between the interface in the public subnet and private subnet is blackholed to help create a DMZ-like design.
  • The firewall in Azure receives all traffic from workloads destined for on-premises, other workloads, or the Internet and can be used to centrally mediate, inspect, and/or log traffic.
  • All Internet-bound traffic is egressed directly out of Azure reducing networking complexity.
  • Shared infrastructure services added to Azure reduce the for workloads to go back on-premises for these services reducing network costs, latency, and mitigate impact of lost connectivity to on-premises.
  • Shared infrastructure services have a dedicated subscription containing its own virtual network and resources creating a separate blast radius.
  • Workloads have dedicated subscriptions containing their virtual network and workload resources creating separate blast radiuses.
  • The on-premises connectivity and network security appliances resources are in a dedicated subscription creating a separate blast radius.
  • All virtual machines in the separate peered virtual networks can communicate with each other through the Virtual Network Gateway (VPN) or MSEE (Microsoft Enterprise Edge) router (ExpressRoute).
  • On-premises connectivity is provided by a Virtual Network Gateway configured with either a site-to-site VPN or ExpressRoute connection. Routes can be exchanged between on-premises and Azure using BGP.
  • Virtual machine communication between subnets in the separate peered virtual networks can be mediated with network security groups.
  • All virtual machines in the same virtual network can communicate with each other using default system routes.
  • Virtual machine communication between subnets in the same virtual network can be mediated with network security groups.

Considerations

  • All north/south/east/west traffic flows through a single set of firewalls which could create a bottleneck.
  • Additional costs of the firewall running in Azure.

Hub And Spoke With Dedicated North And South Firewall And Dedicated East And West Firewall

visual

In this pattern there is a dedicated virtual network used for on-premises and Internet connectivity which is shared with each workload that each have their own dedicated virtual network. There is requirement for Internet-bound traffic, traffic between on-premises and Azure, and traffic between workloads in Azure to be mediated, inspected, and/or centrally logged by firewalls in Azure. There is a separate firewall stack for north/south traffic and another for east/west traffic.

This pattern also uses a dedicated virtual network in a dedicated subscription for shared infrastructure services. These services can include Microsoft Active Directory, patching or update services, or logging services.

This is one of the more common patterns for organizations using Azure that have a significant amount of internal and externallly facing workloads and would like to mitigate the risk of a bottleneck.

Benefits

  • North/south and east/west traffic is distributed to two separate firewall stacks reducing the risk of a bottleneck.
  • Traffic between the north/south public subnet and private subnet interfaces is blackholed creating a DMZ-like configuration.
  • Traffic between the north/south public and private interfaces is blackholed to create a DMZ-like configuration.
  • All Internet-bound traffic is egressed directly out of Azure reducing networking complexity.
  • Shared infrastructure services added to Azure reduce the for workloads to go back on-premises for these services reducing network costs, latency, and mitigate impact of lost connectivity to on-premises.
  • Shared infrastructure services have a dedicated subscription containing its own virtual network and resources creating a separate blast radius.
  • Workloads have dedicated subscriptions containing their virtual network and workload resources creating separate blast radiuses.
  • The on-premises connectivity and network security appliances resources are in a dedicated subscription creating a separate blast radius.
  • All virtual machines in the separate peered virtual networks can communicate with each other through the Virtual Network Gateway (VPN) or MSEE (Microsoft Enterprise Edge) router (ExpressRoute).
  • On-premises connectivity is provided by a Virtual Network Gateway configured with either a site-to-site VPN or ExpressRoute connection. Routes can be exchanged between on-premises and Azure using BGP.
  • Virtual machine communication between subnets in the separate peered virtual networks can be mediated with network security groups.
  • All virtual machines in the same virtual network can communicate with each other using default system routes.
  • Virtual machine communication between subnets in the same virtual network can be mediated with network security groups.

Considerations

  • Carving out IP address blocks for Azure must be well planned to avoid frequent changes to static routes.
  • Routing can become complex.
  • Additional costs of running multiple sets of firewalls.

Hub And Spoke With Dedicated North And South Firewall And Dedicated East And West Firewall In Seperate Virtual Networks

visual

In this pattern there is a dedicated virtual network used for on-premises connectivity (Internal Virtual Network) and a second dedicated virtual network for Internet connectivity (External Virtual Network). Workloads each have a dedicated virtual network and are dual peered to both Internal Virtual Network and External Virtual Network.There is requirement for Internet-bound traffic, traffic between on-premises and Azure, and traffic between workloads in Azure to be mediated, inspected, and/or centrally logged by firewalls in Azure. There is a separate firewall stack for north/south traffic in the External Virtual Network and another for east/west in the Internal Virtual Network.

This pattern also uses a dedicated virtual network in a dedicated subscription for shared infrastructure services. These services can include Microsoft Active Directory, patching or update services, or logging services.

The pattern is complex and should only be used where there is a hard requirement to establish separate subscription-level boundaries and blast radiuses for east/west and north/south traffic. It should not used for the purposes of replicating traditional on-premises DMZ architectures. The previous two architectures can establish a DMZ-like architecture in a single virtual network.

Benefits

  • North/south and east/west firewall have separate subscription-level blast radiuses.
  • North/south and east/west traffic is distributed to two separate firewall stacks reducing the risk of a bottleneck.
  • Traffic between the north/south public subnet and private subnet interfaces is blackholed creating a DMZ-like configuration.
  • Traffic between the north/south public and private interfaces is blackholed to create a DMZ-like configuration.
  • All Internet-bound traffic is egressed directly out of Azure reducing networking complexity.
  • Shared infrastructure services added to Azure reduce the for workloads to go back on-premises for these services reducing network costs, latency, and mitigate impact of lost connectivity to on-premises.
  • Shared infrastructure services have a dedicated subscription containing its own virtual network and resources creating a separate blast radius.
  • Workloads have dedicated subscriptions containing their virtual network and workload resources creating separate blast radiuses.
  • The on-premises connectivity and network security appliances resources are in a dedicated subscription creating a separate blast radius.
  • All virtual machines in the separate peered virtual networks can communicate with each other through the Virtual Network Gateway (VPN) or MSEE (Microsoft Enterprise Edge) router (ExpressRoute).
  • On-premises connectivity is provided by a Virtual Network Gateway configured with either a site-to-site VPN or ExpressRoute connection. Routes can be exchanged between on-premises and Azure using BGP.
  • Virtual machine communication between subnets in the separate peered virtual networks can be mediated with network security groups.
  • All virtual machines in the same virtual network can communicate with each other using default system routes.
  • Virtual machine communication between subnets in the same virtual network can be mediated with network security groups.

Considerations

  • Snowflake pattern that introduces additional complexity for limited security benefits for most organizations.
  • Carving out IP address blocks for Azure must be well planned to avoid frequent changes to static routes.
  • Routing can become complex.
  • Additional costs of running multiple sets of firewalls.

VWAN - Single Region VWAN Hub

visual

In this pattern there is a VWAN with a hub in a single region with connections to two virtual networks.

Benefits

  • Intra-hub virtual networks can communicate with each other by default.

Considerations

  • All resources in Azure have direct access to the Internet through the default system route.
  • Mediation between intra-hub virtual networks is done with Network Security Groups.

VWAN - Single Region VWAN Hub With Single Branch

visual

In this pattern there is a VWAN with a hub in a single region with connections to two virtual networks. A single branch site is connected to the hub.

Benefits

  • Intra-hub virtual networks can communicate with each other by default.
  • Branch sites can communicate with intra-hub virtual networks by default.

Considerations

  • All resources in Azure have direct access to the Internet through the default system route.
  • Mediation between intra-hub virtual networks is done with Network Security Groups.
  • Mediation between branch sites and virtual networks is done with Network Security Groups and optional on-premises security appliances.

VWAN - Single Region VWAN Hub With Multiple Branches

visual

In this pattern there is a VWAN with a hub in a single region with connections to two virtual networks. Multiple branch sites are connected to the hub.

Benefits

  • Intra-hub virtual networks can communicate with each other by default.
  • Branch sites can communicate with intra-hub virtual networks by default.
  • Branch sites can communicate with other branch sites by default.

Considerations

  • All resources in Azure have direct access to the Internet through the default system route.
  • Mediation between intra-hub virtual networks is done with Network Security Groups.
  • Mediation between branch sites and virtual networks is done with Network Security Groups and optional on-premises security appliances.
  • Mediation between branch sites is done with on-premises firewalls.

VWAN - Multiple Region VWAN Hubs With Multiple Branches Connected to a Single Hub

visual

In this pattern there are multiple VWAN Hubs in separate regions. Each hub is connected to multiple virtual networks within the region.

Branch sites are connected to a hub in a single region to allow connectivity to the virtual networks in both regions using the VWAN cross hub connectivity.

Benefits

  • Intra-hub virtual networks can communicate with each other by default.
  • Inter-hub virtual networks can communicate with each other by default.
  • Branch sites can communicate with intra-hub virtual networks by default.
  • Branch sites can communicate with other branch sites by default.
  • Branch sites can comunicate with inter-hub virtual networks by default.

Considerations

  • All resources in Azure have direct access to the Internet through the default system route.
  • Mediation between intra-hub and inter-hub virtual networks is done with Network Security Groups.
  • Mediation between branch sites and virtual networks both intra-hub and inter-hub is done with Network Security Groups and optional on-premises security appliances.
  • Mediation between branch sites is done with on-premises firewalls.
  • Loss of connectivity from the branch sites to the hub the site is connected to results in loss of connectivity to Azure.

VWAN - Multiple Region VWAN Hubs With Multiple Branches Connected to Multiple Hubs

visual

This is an appropriate pattern for organizations that want any-to-any connectivity out of the box. It allows for connectivity between branches and virtual networks, including across regions.

It is not appropriate for organizations that require centralized mediation and/or inspection using an NVA (network virtual appliance).

Benefits

  • Intra-hub virtual networks can communicate with each other by default.
  • Inter-hub virtual networks can communicate with each other by default.
  • Branch sites can communicate with intra-hub virtual networks by default.
  • Branch sites can communicate with other branch sites by default both intra-hub and inter-hub.
  • Branch sites can comunicate with inter-hub virtual networks by default.

Considerations

  • All resources in Azure have direct access to the Internet through the default system route.
  • Mediation between intra-hub and inter-hub virtual networks is done with Network Security Groups.
  • Mediation between branch sites and virtual networks both intra-hub and inter-hub is done with Network Security Groups and optional on-premises security appliances.
  • Mediation between branch sites is done with on-premises firewalls.
  • Loss of connectivity from the branch sites to the hub the site is connected to results in loss of connectivity to Azure.

VWAN - Multiple Region VWAN Hubs With Multiple Branches Connected to Multiple Hubs For Redundancy

visual

This is an appropriate pattern for organizations that want any-to-any connectivity out of the box. It allows for connectivity between branches and virtual networks, including across regions. Branch sites also have redundancy to their connectivity in Azure in the instance an Azure region were to become unavailable.

It is not appropriate for organizations that require centralized mediation and/or inspection using an NVA (network virtual appliance).

Benefits

  • Intra-hub virtual networks can communicate with each other by default.
  • Inter-hub virtual networks can communicate with each other by default.
  • Branch sites can communicate with intra-hub virtual networks by default.
  • Branch sites can communicate with other branch sites by default both intra-hub and inter-hub.
  • Branch sites can comunicate with inter-hub virtual networks by default.
  • Local preferences can be applied to routes advertised from VWAN Hub to branch sites to prefer a specific connection.
  • If connectivity from a branch site to a hub is lost, connectivity to Azure will still be possible using the connection to the other hub.

Considerations

  • All resources in Azure have direct access to the Internet through the default system route.
  • Mediation between intra-hub and inter-hub virtual networks is done with Network Security Groups.
  • Mediation between branch sites and virtual networks both intra-hub and inter-hub is done with Network Security Groups and optional on-premises security appliances.
  • Mediation between branch sites is done with on-premises firewalls.

VWAN - Multiple Region VWAN Secure Hubs with Multiple Branches Connected to Multiple Hubs for Redundancy and North and South Firewall Using Routing Intent

visual

The author recommends this pattern for regulated customers using Azure Virtual WAN who have requirements to mediate and inspect north and south traffic. In this pattern, north and south traffic is automatically routed through Azure Firewall or a compatible NVA (network virtual appliance) that is deployed into each VWAN hub using the Secure Hub feature. Traffic can be centrally mediated and/or inspected.

Benefits

  • Intra-hub virtual networks can communicate with each other by default.
  • Inter-hub virtual networks can communicate with each other by default.
  • Branch sites can communicate with intra-hub virtual networks by default.
  • Branch sites can communicate with other branch sites by default both intra-hub and inter-hub.
  • Branch sites can comunicate with inter-hub virtual networks by default.
  • Local preferences can be applied to routes advertised from VWAN Hub to branch sites to prefer a specific connection.
  • If connectivity from a branch site to a hub is lost, connectivity to Azure will still be possible using the connection to the other hub.
  • Traffic to the Internet from the attached virtual networks (and optionally sites) is routed through a supported appliance in the hub for mediation and/or inspection.

Considerations

  • Requires a security appliance that is supported to run in a VWAN Secure Hub
  • Mediation between intra-hub and inter-hub virtual networks is done with Network Security Groups.
  • Mediation between branch sites and virtual networks both intra-hub and inter-hub is done with Network Security Groups and optional on-premises security appliances.
  • Mediation between branch sites is done with on-premises firewalls.
  • Static routes on default route tables are not supported.

VWAN - Multiple Region VWAN Secure Hubs with Multiple Branches Connected to Multiple Hubs for Redundancy and North South East West Firewall Using Routing Intent

visual

The author recommends this pattern for regulated customers using Azure Virtual WAN who have requirements to mediate and inspect north, south, east, and west traffic. In this pattern north, south, east, and west traffic is automatically routed through Azure Firewall or a compatible NVA (network virtual appliance) that is deployed into each VWAN hub using the Secure Hub feature.

Benefits

  • Intra-hub virtual networks can communicate with each other by default.
  • Branch sites can communicate with intra-hub virtual networks by default.
  • Branch sites can communicate with other branch sites by default intra-hub..
  • Local preferences can be applied to routes advertised from VWAN Hub to branch sites to prefer a specific connection.
  • If connectivity from a branch site to a hub is lost, connectivity to the hub virtual networks the branch still has connection to will still be possible.
  • Traffic to the Internet from the attached virtual networks (and optionally sites) is routed through a supported appliance in the hub for mediation and/or inspection.
  • Traffic to and from the branch and virtual network intra-hub is routed through a supported appliance in the hub for mediation and/or inspection.
  • Traffic between branch sites is routed through a supported security appliance in the hub for mediation and/or inspection.
  • Traffic between virtual networks both within region and between regions is routed through a supported security appliance in the hub for mediation and/or inspection.

Considerations

  • Requires a security appliance that is supported to run in a VWAN Secure Hub
  • Static routes on default route tables are not supported.

VWAN - Multiple Region VWAN Secure Hubs with Multiple Branches Connected to Multiple Hubs for Redundancy and East West Firewall Using Routing Intent with Forced Tunneling

visual

In this pattern east and west traffic is automatically routed through Azure Firewall or a compatible NVA (network virtual appliance) that is deployed into each VWAN hub using the Secure Hub feature. Traffic destined for the Internet from Azure is routed back on-premises for egress out of a customer's data center (forced tunneling).

Note that as of June 2023 customers cannot use the Internet traffic routing policy in combination with advertising a default route from on-premises. This limitation may be lifted at some point and this pattern will no longer be needed.

Benefits

  • Intra-hub virtual networks can communicate with each other by default.
  • Branch sites can communicate with intra-hub virtual networks by default.
  • Branch sites can communicate with other branch sites by default intra-hub..
  • Local preferences can be applied to routes advertised from VWAN Hub to branch sites to prefer a specific connection.
  • If connectivity from a branch site to a hub is lost, connectivity to the hub virtual networks the branch still has connection to will still be possible.
  • Traffic to the Internet from the attached virtual networks is routed back on-premises for egress out of the customer's data center.
  • Traffic to and from the branch and virtual network intra-hub is routed through a supported appliance in the hub for mediation and/or inspection.
  • Traffic between branch sites is routed through a supported security appliance in the hub for mediation and/or inspection.
  • Traffic between virtual networks both within region and between regions is routed through a supported security appliance in the hub for mediation and/or inspection.

Considerations

  • When using Azure Firewall the traffic sent back on-premises will be SNATed to the Azure Firewall private IP address.
  • User-defined route for the default route must be maintained on spoke virtual network.

VWAN - Multiple Region VWAN Hubs With Multiple Branches Connected to Multiple Hubs For Redundancy and North and South Third Party Firewall

visual

This is an appropriate pattern for organizations that only need north and south traffic inspection and mediation using a 3rd-party firewall that is not supported running in a VWAN Secure Hub. This IS NOT an appropriate pattern for customers who anticipate east and west traffic inspection and mediation requirements down the road.

This pattern is sometimes referred to as "firewall-on-a-stick"

Benefits

  • Supports 3rd-party security appliances for north/south traffic inspection
  • Intra-hub virtual networks can communicate with each other by default.
  • Inter-hub virtual networks can communicate with each other by default.
  • Branch sites can communicate with intra-hub virtual networks by default.
  • Branch sites can communicate with other branch sites by default both intra-hub and inter-hub.
  • Branch sites can comunicate with inter-hub virtual networks by default.

Considerations

  • Cannot support traffic east/west traffic inspection between virtual networks
  • Traffic inspection between on-premises and Azure or vice versa must be performed by customer on-premises security appliance
  • Loss of security virtual network in a region causes loss of Internet access for virtual networks in that region
  • Mediation between intra-hub and inter-hub virtual networks is done with Network Security Groups.
  • Mediation between branch sites and virtual networks both intra-hub and inter-hub is done with Network Security Groups and optional on-premises security appliances.

VWAN - Multiple Region VWAN Hubs with Multiple Branches Connected to Multiple Hubs for Redundancy and North South East West Third Party Firewall

visual

This pattern is sometimes referred to as an indirect spoke or indirect hub pattern. It provides the customer the ability to centrally mediate and inspect north, south, east, and west traffic with a 3rd party firewall that is not supported running in a VWAN Secure Hub.

Benefits

  • Branch sites can communicate with other branch sites by default intra-hub.
  • Local preferences can be applied to routes advertised from VWAN Hub to branch sites to prefer a specific connection.
  • If connectivity from a branch site to a hub is lost, connectivity to the hub virtual networks the branch still has connection to will still be possible.
  • Traffic to the Internet from the indirect spokes can be mediated and inspected by a 3rd party security appliance that is not supported to run in a VWAN Secure Hub.
  • Traffic between indirect spokes both within the same region and in different regions can be mediated and inspected by a 3rd party security appliance that is not supported to run in a VWAN Secure Hub.
  • Traffic to and from the branch and virtual network intra-hub can be mediated and inspected by a 3rd party security appliance that is not supported to run in a VWAN Secure Hub.

Considerations

  • This is complex pattern that requires extensive knowledge of both general Azure networking and Azure VWAN.
  • Maintaining the static routes on each connection can become operationally significant at scale. While the static route prefixes can be summarized when applied to the route tables, the connections do not allow for summarization.

More Repositories

1

azure-networking-patterns

This repository contains traffic patterns for common Azure networking patterns
135
star
2

azure-labs

This repository contains a collection of templatized lab environments I've built
Shell
116
star
3

certifications

Repository for exam certification custom study guides
49
star
4

azure-site-recovery-demo

This repository includes artifacts to help with demonstrating and learning Azure Site Recovery
PowerShell
17
star
5

python-b2c-sample

Simple Python Web App and Web API that can be used to demonstrate Azure AD B2C
Python
15
star
6

azure-managed-identity-micro-hack

13
star
7

query-microsoft-graph

This Python script is used to interact with the Microsoft Graph and uses AWS KMS and S3 for credential and data storage
Python
12
star
8

lambda-azureadlogs

Pulls Microsoft Azure AD Sign-In and Audit logs from Microsoft Graph API and stores in S3
Python
10
star
9

python-msal-cert-authentication-demo

This solution demonstrates how to authenticate to MSAL uses a certificate
Python
7
star
10

query-azure-resource-graph

This Python script is used to interact with the Microsoft Azure Resource Graph service to query Azure Resource Manager for information on Azure resources.
Python
7
star
11

azure-management-group-diagnostic-settings

This Python solution demonstrates how to enable management group diagnostic settings.
Python
6
star
12

arm-templates

This repository contains a collection of ARM Templates I've developed
6
star
13

azure-openai-apim

This repository contains code samples demonstrating how Azure APIM can supplement the Azure OpenAI Service
4
star
14

aws_access_key_report

This AWS Lambda uses Boto3 to pull information on AWS IAM Access Keys
Python
4
star
15

azure-vm-maintenance

This repository includes learning materials on the topic of Azure VM Maintenance and Patching
3
star
16

azure-custom-policies

This repository contains a collection of custom Azure Policies I've put together
3
star
17

azure-resource-changes-query

This solution returns the last 14 days of changes to all resources of a given Azure Resource type.
Python
3
star
18

python-key-vault

This repository contains a collection of Python code samples that demonstrate how to use Key Vault
Python
3
star
19

aws_services_last_accessed

This Python solution reports the AWS services used by an AWS security principal (user, group, role) and writes the results to the Azure Monitor API for analysis
Python
3
star
20

azure-tenant-activity-logs

This Python solution demonstrates a way to export Tenant Activity Logs
Python
2
star
21

azure-keyvault-reporter

Python
2
star
22

CIS

Notes and information about CIS Controls and Benchmarks
2
star
23

azure-resource-provider-namespace-query

This solution queries the Azure Rest API for the listing of aliases for an Azure resource provider namespace
Python
2
star
24

azure-function-example

This is a simple Azure Function that retrieves the time from a public API
Python
2
star
25

aws_cloudtrail_extract_logs

This Python solution extracts CloudTrail logs from S3 for a user specified date range
Python
2
star
26

azure_policy_evaluation

This Python solution initiates an on-demand Azure Policy evaluation on the specified subscription
Python
2
star
27

azure_monitor_poc

This is a proof of concept Python solution that demonstrates integration with Azure Monitor HTTP Data Collector API
Python
2
star
28

aws-iam-roles

This repository contains a collection of CloudFormation templates which can be used to create a set of AWS IAM Roles. This roles have been crafted to remove destructive or risky permissions and to map to common cloud team roles.
2
star
29

find-orphaned-managed-identites

This repository contains code that helps to identify orphaned system-assigned managed identities
Shell
1
star
30

azure-backup-demo

This repository includes artifacts to help with demonstrating and learning Azure Backup.
PowerShell
1
star
31

azure-web-app-ip

Python application built using Flask framework that displays specific headers from a web request related to the network path.
HTML
1
star
32

demo-openai-python

Simple Python code to integrate with Azure OpenAI Service
Python
1
star
33

azure-function-validate-keyvault

This Azure Function and Azure Policy are used together to validate that keys and secrets are set to expire
Python
1
star
34

azure-demo-openai

Placeholder
1
star
35

aws-public

1
star
36

python-simple-container-app

HTML
1
star
37

python-sample-web-app

Python
1
star
38

python-key-vault-cert-authentication-demo

This solution demonstrates how to pull a client certificate from Key Vault and use it to authenticate as a service principal using MSAL
Python
1
star
39

azure-webapp-get-headers

This is a simple Python application built with the Flask framework which prints out the headers included in a web request.
HTML
1
star