Hub Spoke v1.0

This document describes an Azure network architecture that includes:
- An Azure Firewall deployed in the "Gateway subnet" that provides network and application traffic filtering between the on-premises network and the Azure VNet.
- The Azure VNet is segmented into different tiers (Web, Business, Data) and connected to on-premises networks and other VNets through peering and VPN connections.
- Additional subnets are used for management, SIEM, and a web application firewall to filter inbound and outbound traffic between different network segments.

Uploaded by springlee

Slide 1: Azure Landing Zone (Azure Firewall/WAF)

[Diagram; only the recoverable labels are kept.] Hub VNet: Gateway subnet connected to the on-premises network; Azure Firewall providing NAT and network and application traffic filtering (L3-L7 connectivity policies); UDR rules allow inbound/outbound access; Management subnet with Jumpbox. Spoke VNets: VNet (Spoke 1) with Web tier, Business tier and Data tier; VNet (Spoke 2) with App Services and Managed Database. Hub and spokes are connected by VNet Peering (Bidirectional).
Slide 2: Azure Landing Zone (NVA)
Reference: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/secure-vnet-dmz

[Diagram; only the recoverable labels are kept.] Hub VNet: Gateway subnet connected to the on-premises network; NVA availability sets forming a Private DMZ (in/out) and a Public DMZ (in/out); UDR; Management subnet with Jumpbox. Spoke VNets: VNet (Spoke 1) with Web tier, Business tier and Data tier; VNet (Spoke 2) with App Services and Managed Database. Hub and spokes are connected by VNet Peering (Bidirectional).
Slide 3: Azure Network Architecture: Deployment to Primary Azure Region

[Diagram; only the recoverable labels are kept. Address ranges appear on the slide as 10.xx.xx.xx/yy and 10.xx.xx.xx/zz placeholders.]
- Hub Management Group > Hub Subscription > Hub Resource Group(s)*: Hub VNet (10.xx.xx.xx/yy) with Gateway Subnet, Firewall Subnet, Management Subnet, SIEM Subnet and WAF Subnet (each 10.xx.xx.xx/zz).
- Connectivity into the hub: On-premises Network HQ and On-premises Network Site 2 over S2S VPN Tunnels to the Gateway Subnet; VPN Client over a P2S VPN Tunnel; Internet HTTP/HTTPS into the WAF Subnet.
- Non-Prod Management Group > Non-Prod Subscription > Dev Resource Group(s)* and Test Resource Group(s)*: Dev VNet (Spoke 1) and Test VNet (Spoke 2), each 10.xx.xx.xx/yy with three subnets (10.xx.xx.xx/zz).
- Prod Management Group > Prod Subscription > Prod Resource Group(s)*: Prod VNet (Spoke 3), 10.xx.xx.xx/yy with three subnets (10.xx.xx.xx/zz).
- Each spoke is connected to the Hub VNet by VNet Peering (Bidirectional).

* Additional Resource Groups will be used for Azure resources as required for better resource management and security control.
Slide 4: Azure Network Architecture: with animation

[Diagram: the same content as slide 3 (Hub, Non-Prod and Prod management groups, subscriptions and resource groups; Hub VNet with Gateway, Firewall, Management, SIEM and WAF subnets; S2S and P2S VPN tunnels; Dev, Test and Prod spoke VNets peered bidirectionally with the hub), presented with animation.]

* Additional Resource Groups will be used for Azure resources as required for better resource management and security control.
Slide 5: Hub and Spoke Network Topology

[Diagram; only the recoverable labels are kept.] Hub VNet with Hub Subnets and a Gateway Subnet; four spokes (Spoke 1 VNet to Spoke 4 VNet, each with its own Spoke Subnets) attached to the hub; an HTTP/HTTPS path; VPN Client over a P2S VPN Tunnel; On-premises Network HQ and On-premises Network Site 2 over S2S VPN Tunnels.
Slide 6: Hub and Spoke Topology

[Diagram: the same topology as slide 5.]

Topology      Benefits                             Drawbacks
Hub & Spoke   - Easier to manage shared services   - Single point of failure
              - Lower licensing costs              - Overhead of managing UDRs
              - Improved segregation
              - Easy to scale
Simplified    - No single point of failure         - Duplication of shared services (Firewall, SIEM)
                                                   - Higher licensing costs
                                                   - Challenging to scale
Slide 7: Example Azure Network Plan: VNets & Subnets

ID  vNET     Subnet        Netmask  CIDR             # of hosts  Subscription  Security zone        Gateway unit           Gateway address
1   HUB      10.151.98.0   26       10.151.98.0/26   62          Hub           HUB_SZ_MSS           Microsoft Azure        10.151.98.1
2   HUB      10.151.96.0   26       10.151.96.0/26   62          Hub           HUB_SZ_PRIVATE_DMZ   Firewall 1 (Internal)  10.151.96.1
3   HUB      10.151.97.0   24       10.151.97.0/24   254         Hub           HUB_SZ_PUBLIC_DMZ    Firewall 0 (External)  10.151.97.1
4   HUB      10.151.98.64  26       10.151.98.64/26  62          Hub           HUB_SZ_JUMP_BOX      Microsoft Azure        10.151.98.65
5   PROD     10.151.0.0    19       10.151.0.0/19    8190        Prod          PROD_SZ_WORKLOAD1    Microsoft Azure        10.151.0.1
6   DEV      10.151.32.0   19       10.151.32.0/19   8190        Non-Prod      DEV_SZ_NON_PROD      Microsoft Azure        10.151.32.1
7   STAGING  10.151.64.0   19       10.151.64.0/19   8190        Non-Prod      STAGING_SZ_NON_PROD  Microsoft Azure        10.151.64.1
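The hub-and-spoke model on the earlier slides (bidirectional VNet peering, UDRs steering spoke traffic through the hub firewall, and the "overhead of managing UDRs" listed as a drawback) and the address plan in this table can be checked mechanically before anything is deployed. The Python script below is an added example and is not part of the original deck or of any Microsoft tooling. It loads the table rows as data, checks that no two subnets overlap (VNet peering requires disjoint address space), checks that each gateway address is the first usable address of its subnet, reports host counts both the classic way the table uses (size minus 2) and the way Azure actually allocates them (Azure reserves five addresses per subnet, so a /26 yields 59 usable addresses rather than 62), and derives the UDR a spoke needs to reach other spokes, on-premises ranges and the internet through the hub firewall, since peering is not transitive. The firewall private IP (10.151.96.4, the first address Azure lets a NIC take in the private DMZ subnet) and the on-premises range (10.10.0.0/16) are constructed placeholders; the slides only show these as 10.xx.xx.xx.

```python
"""Added example: sanity-check a hub-and-spoke address plan and derive spoke UDRs.

Not part of the original deck. The PLAN rows are copied from the slide table;
FIREWALL_IP and ONPREM_RANGES are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass

# Azure reserves 5 addresses per subnet: network address, default gateway (.1),
# two for Azure DNS (.2, .3) and the broadcast address.
AZURE_RESERVED_PER_SUBNET = 5


@dataclass(frozen=True)
class Subnet:
    id: int
    vnet: str
    cidr: str
    zone: str
    gateway: str


# Rows from the "Example Azure Network Plan" table on the page.
PLAN = [
    Subnet(1, "HUB", "10.151.98.0/26", "HUB_SZ_MSS", "10.151.98.1"),
    Subnet(2, "HUB", "10.151.96.0/26", "HUB_SZ_PRIVATE_DMZ", "10.151.96.1"),
    Subnet(3, "HUB", "10.151.97.0/24", "HUB_SZ_PUBLIC_DMZ", "10.151.97.1"),
    Subnet(4, "HUB", "10.151.98.64/26", "HUB_SZ_JUMP_BOX", "10.151.98.65"),
    Subnet(5, "PROD", "10.151.0.0/19", "PROD_SZ_WORKLOAD1", "10.151.0.1"),
    Subnet(6, "DEV", "10.151.32.0/19", "DEV_SZ_NON_PROD", "10.151.32.1"),
    Subnet(7, "STAGING", "10.151.64.0/19", "STAGING_SZ_NON_PROD", "10.151.64.1"),
]

# Constructed placeholders (not on the page): the firewall's private IP in the
# private DMZ subnet (.4 is the first address Azure lets a NIC take) and the
# on-premises range reached through the hub's VPN gateway.
FIREWALL_IP = "10.151.96.4"
ONPREM_RANGES = ["10.10.0.0/16"]


def usable_hosts(cidr: str) -> tuple[int, int]:
    """Return (classic, azure) host counts: size-2 as in the table, and size-5
    as Azure actually allows once its reserved addresses are excluded."""
    size = ipaddress.ip_network(cidr, strict=True).num_addresses
    return size - 2, size - AZURE_RESERVED_PER_SUBNET


def check_plan(plan: list[Subnet]) -> list[str]:
    """Return a list of problems: overlapping prefixes (VNet peering requires
    disjoint address space, and overlaps make UDRs ambiguous) and gateway
    addresses that are not the first usable address of their subnet."""
    issues: list[str] = []
    nets = [(s, ipaddress.ip_network(s.cidr, strict=True)) for s in plan]
    for i, (a, net_a) in enumerate(nets):
        for b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                issues.append(f"overlap: {a.vnet} {a.cidr} and {b.vnet} {b.cidr}")
    for s, net in nets:
        if ipaddress.ip_address(s.gateway) != net.network_address + 1:
            issues.append(f"gateway {s.gateway} is not the first usable address of {s.cidr}")
    return issues


def vnet_prefixes(plan: list[Subnet], vnet: str) -> list[str]:
    """Collapse a VNet's subnets into the smallest set of prefixes, i.e. what a
    UDR pointing at the hub must carry to reach that VNet."""
    nets = [ipaddress.ip_network(s.cidr) for s in plan if s.vnet == vnet]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def spoke_route_table(plan, spoke, firewall_ip, onprem_ranges):
    """Build the UDR for a spoke's subnets.

    VNet peering is not transitive, so one spoke only reaches another spoke (or
    on-premises, reached through the hub gateway) if a route sends that traffic
    to the hub firewall with next hop type VirtualAppliance. The 0.0.0.0/0 route
    forces internet egress through the firewall as well; the explicit spoke and
    on-prem routes are covered by it, but are kept so the intent stays visible
    and reviewable. Hub prefixes need no entry, because the direct peering's
    system route already covers them. The firewall NIC must have IP forwarding
    enabled for the VirtualAppliance next hop to work.
    """
    routes = []
    for other in sorted({s.vnet for s in plan} - {spoke, "HUB"}):
        for prefix in vnet_prefixes(plan, other):
            routes.append((prefix, "VirtualAppliance", firewall_ip))
    for prefix in onprem_ranges:
        routes.append((prefix, "VirtualAppliance", firewall_ip))
    routes.append(("0.0.0.0/0", "VirtualAppliance", firewall_ip))
    return routes


if __name__ == "__main__":
    for s in PLAN:
        classic, azure = usable_hosts(s.cidr)
        print(f"{s.id} {s.vnet:8} {s.cidr:17} table={classic:5} azure-usable={azure}")
    print("plan issues:", check_plan(PLAN) or "none")
    for prefix, hop_type, hop in spoke_route_table(PLAN, "DEV", FIREWALL_IP, ONPREM_RANGES):
        print(f"DEV route {prefix:16} -> {hop_type} {hop}")
```

Running the script as-is reports no issues for the table above and prints the four routes the DEV spoke needs (PROD and STAGING prefixes, the on-premises range and the default route, all via the firewall). Adding a row that overlaps an existing prefix, or a gateway that is not the first address, makes `check_plan` return a message naming the offending subnets, which is the kind of check worth running in CI whenever the plan changes so that the UDR overhead the slide warns about stays manageable.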
