Azure network design considerations

Azure networking looks simple at first glance. You create a virtual network in the Azure portal. Next, you define a subnet with an IP range. With only a few mouse clicks, there is a network in which you can place resources. At a certain point in time, organizations are going to install “something” in Azure. In most cases, this involves a test environment for one thing or another. The IT organization arranges access to the Azure portal so the Azure team can start building.

Creating a virtual network

There is nothing more permanent than a temporary solution. This rule seems to be especially valid for “test” environments in the cloud.

In most cases, the Azure environment needs a connection to the existing infrastructure after some time. This connection is relatively easy to build with the Azure VPN Gateway. You have to make sure you’ve thought it through from the beginning, or else you will run into difficulties. To protect you from difficult situations, here is a list of considerations when designing an Azure network:

  • Have I thought of an IP Plan?
    • Subnets per resource group
  • Which locations should I connect to Azure?
    • Data Centers
    • Offices
    • 3rd party
  • What technology do I use to connect the sites to Azure?
    • IPsec site-to-site
    • ExpressRoute
    • IPsec to NVA
    • Cato Networks
  • How do I apply network security within my Azure network?
    • Network security groups
    • Application security groups
    • Network virtual appliances (NVA)
  • What Azure network topology am I going to use?
    • Hub and spoke
    • VNet peering
  • Is routing needed?
    • User-defined routes

These topics will help you start designing your Azure network. There is plenty of information on each subject on the Internet. If you get lost in the sea of information, don’t hesitate to contact me. You can always reach me at ask-me@ivo-security.blog. The “keep it simple stupid” philosophy works very well for Azure network design. Nowadays, we should also apply the idea of “safe” to this philosophy.
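For the IP plan question in the list above, an added example (not from the original post): a Python check that the address spaces of sites and VNets that will be connected do not overlap, and that every subnet fits its VNet without colliding with a sibling. Azure VNet peering requires non-overlapping address spaces, and overlapping ranges across a site-to-site tunnel cannot be routed unambiguously. All site names and ranges are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan (assumed names and ranges, not from the original post).
PLAN = {
    "onprem-dc1": {"space": "10.0.0.0/16", "subnets": {}},
    "office-ams": {"space": "192.168.10.0/24", "subnets": {}},
    "hub-vnet": {"space": "10.100.0.0/22", "subnets": {
        "GatewaySubnet": "10.100.0.0/27",
        "nva": "10.100.1.0/24"}},
    # The quick "test" VNet that later needs a link to the datacenter.
    "spoke-test": {"space": "10.0.8.0/24", "subnets": {
        "default": "10.0.8.0/24"}},
    "spoke-prod": {"space": "10.101.0.0/22", "subnets": {
        "web": "10.101.0.0/24",
        "db": "10.101.0.128/25",    # overlaps "web"
        "app": "10.102.0.0/24"}},   # outside the VNet address space
}

def check_plan(plan):
    """Return a sorted list of findings for an address plan."""
    findings = []
    spaces = {name: ipaddress.ip_network(site["space"])
              for name, site in plan.items()}
    # Networks joined by VPN or peering must not share address space.
    for (a, na), (b, nb) in combinations(spaces.items(), 2):
        if na.overlaps(nb):
            findings.append(f"address space overlap: {a} {na} <-> {b} {nb}")
    for name, site in plan.items():
        subnets = {s: ipaddress.ip_network(c)
                   for s, c in site["subnets"].items()}
        # Every subnet must sit inside its own VNet address space.
        for s, net in subnets.items():
            if not net.subnet_of(spaces[name]):
                findings.append(
                    f"subnet outside address space: {name}/{s} {net}")
        # Subnets of one VNet must not overlap each other.
        for (s1, n1), (s2, n2) in combinations(subnets.items(), 2):
            if n1.overlaps(n2):
                findings.append(
                    f"subnet overlap: {name}/{s1} {n1} <-> {name}/{s2} {n2}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in check_plan(PLAN):
        print(finding)
```

Running the check before each new VNet or site is added to the plan catches the collision while renumbering is still cheap.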

Hub and spoke design

In my next blog, I’ll share details of our connection from the on-premises datacenters to Azure. These datacenter connections are not via a Microsoft ExpressRoute. If you suspect we are using IPsec tunnels, you will be in for a surprise next time. We use one of the most fascinating and secure connections to Azure from our different datacenters.
