Azure Landing Zone – Networking Resources

September 15, 2020 Irfan Talib

Recently, I worked on a few Azure Landing Zone projects to kick off clients' journeys to the cloud. Networking was a major part of these projects, along with security and monitoring. Below, I go through the Azure networking resources that make up a landing zone and their important features. 

Sample Architecture Diagram (image: Azure Landing Zone, hub-and-spoke layout)

Virtual Network (VNet) 

Virtual Network (VNet) is the fundamental networking building block in Azure. A VNet is an isolated private network, scoped to one subscription and region, that provides secure communication between resources such as virtual machines and containers, and between those resources and other networks.  

Important features of Azure Virtual Network:

  • Define a private IP address range for the network. Multiple address ranges can be added to a single VNet. The ranges must not overlap with on-premises ranges or with the address space of any VNet you intend to peer.
  • Segment the address range into subnets. Application Gateway, Azure Firewall (subnet name AzureFirewallSubnet) and Bastion (subnet name AzureBastionSubnet) each require their own dedicated subnet. 
  • Peering allows resources in different VNets to communicate with each other over private IP addresses, without traversing the internet. 
  • The VNet address space cannot be modified while a peering with another VNet is in place. 
  • A VNet can be configured to use Azure-provided DNS or custom DNS servers; the setting is handed out automatically to resources in the VNet. 
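The address-planning rules in the list above are easy to get wrong on paper, so here is a small checker for them, written for this article as an added example (it is not a Microsoft tool and not code from the original post). It verifies that the VNet address space does not overlap on-premises or peered ranges, that subnets fit inside the VNet and do not overlap each other, and that the dedicated subnets exist under the names Azure expects. All ranges are constructed sample data; the /26 minimum for AzureFirewallSubnet is the platform requirement, while the /27 sizes for GatewaySubnet and AzureBastionSubnet are this example's own planning policy.

```python
"""Sanity checks for a landing-zone VNet address plan (added example, not a
Microsoft tool). Covers: overlap with on-prem/peered ranges, subnet fit and
subnet overlap, and the dedicated subnets Azure requires by name."""
import ipaddress

# Subnet names the platform requires for the gateway, firewall and Bastion.
# Value = largest acceptable prefix length. /26 for AzureFirewallSubnet is the
# Azure requirement; /27 for the other two is this example's planning policy
# (assumption: check the current minimums for your region and SKU).
DEDICATED_SUBNETS = {"GatewaySubnet": 27, "AzureFirewallSubnet": 26, "AzureBastionSubnet": 27}
AZURE_RESERVED_PER_SUBNET = 5  # Azure reserves the first four addresses and the last one


def net(cidr):
    # strict=True rejects host bits in the prefix, e.g. 10.0.0.1/24
    return ipaddress.ip_network(cidr, strict=True)


def usable_hosts(cidr):
    """Addresses actually assignable to resources in an Azure subnet."""
    return max(net(cidr).num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def check_plan(vnet_ranges, subnets, external_ranges):
    """Return a list of findings; an empty list means the plan passes.

    vnet_ranges     - address spaces of the VNet being designed
    subnets         - {subnet name: CIDR}
    external_ranges - on-premises ranges plus the address spaces of every
                      VNet this one will be peered with
    """
    findings = []
    vnets = [net(c) for c in vnet_ranges]

    # 1. VNet address space must not overlap on-prem or peered ranges.
    for v in vnets:
        for e in (net(c) for c in external_ranges):
            if v.overlaps(e):
                findings.append(f"VNet range {v} overlaps external range {e}")

    # 2. Every subnet must sit inside one of the VNet ranges ...
    parsed = {name: net(c) for name, c in subnets.items()}
    for name, s in parsed.items():
        if not any(s.subnet_of(v) for v in vnets):
            findings.append(f"subnet {name} {s} is outside the VNet address space")

    # ... and subnets must not overlap each other.
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                findings.append(f"subnets {a} and {b} overlap")

    # 3. Dedicated-service subnets: required name and minimum size.
    for name, max_prefix in DEDICATED_SUBNETS.items():
        if name not in parsed:
            findings.append(f"missing dedicated subnet {name}")
        elif parsed[name].prefixlen > max_prefix:
            findings.append(f"{name} is /{parsed[name].prefixlen}; needs /{max_prefix} or larger")
    return findings


# Constructed hub plan containing two deliberate mistakes.
HUB_VNET = ["10.10.0.0/16"]
HUB_SUBNETS = {
    "GatewaySubnet": "10.10.0.0/27",
    "AzureFirewallSubnet": "10.10.1.0/26",
    "AzureBastionSubnet": "10.10.2.0/27",
    "AppGatewaySubnet": "10.10.3.0/24",
    "SharedServices": "10.10.3.128/25",   # collides with AppGatewaySubnet
}
ON_PREM_AND_PEERS = ["10.0.0.0/8"]        # on-prem supernet swallows the whole hub

if __name__ == "__main__":
    for finding in check_plan(HUB_VNET, HUB_SUBNETS, ON_PREM_AND_PEERS):
        print("FINDING:", finding)
```

Run it before the first deployment and again before adding a peering; the peered VNet's address space goes into the external list, because once the peering exists the VNet's address space is frozen.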

Network Security Group (NSG) 

An NSG contains stateful firewall rules that filter inbound and outbound traffic. Each rule carries a priority, source, destination, protocol, port range and action (allow or deny); rules are evaluated in priority order (lowest number first) and the first match decides, after which no further rules are consulted. Every NSG also has default rules at priorities 65000 and above that allow VNet-internal and load-balancer traffic and then deny everything else. Source and destination can be an IP address or CIDR, the VirtualNetwork tag, a service tag or an Application Security Group (ASG). An NSG can be associated with a subnet or directly with a NIC; when both are present, traffic must be allowed by both.  
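To make the priority and default-rule behaviour concrete, the following is an offline model of how an NSG evaluates a flow, written as an added example for this article (it is not Azure's implementation or code from the original post). The three default inbound rules are the real Azure defaults; the custom rules, the ASG membership and the address table that stands in for service-tag expansion are constructed sample data, and the Internet tag is approximated as 0.0.0.0/0 even though the real tag excludes VNet space.

```python
"""Offline model of NSG rule evaluation (added example, not Azure code).
Rules are walked by priority, lowest number first; the first match wins."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int
    direction: str        # "Inbound" or "Outbound"
    access: str           # "Allow" or "Deny"
    protocol: str         # "Tcp", "Udp" or "*"
    source: str           # CIDR, "*", service tag or ASG name
    destination: str
    dest_ports: tuple     # e.g. ("22",), ("80-90",), ("*",)


# On the platform, service tags and ASGs expand to address sets maintained by
# Azure. This constructed table stands in for that so the model runs offline.
TAGS = {
    "VirtualNetwork": ["10.10.0.0/16", "10.20.0.0/16"],  # hub + peered spoke
    "AzureLoadBalancer": ["168.63.129.16/32"],           # Azure health-probe source
    "Internet": ["0.0.0.0/0"],                           # approximation, see lead-in
    "asg-web": ["10.20.1.4/32", "10.20.1.5/32"],          # constructed ASG membership
    "asg-mgmt": ["10.10.5.10/32"],
}


def addr_matches(spec, ip):
    if spec == "*":
        return True
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(r, strict=False)
               for r in TAGS.get(spec, [spec]))


def port_matches(specs, port):
    for spec in specs:
        if spec == "*":
            return True
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, direction, protocol, src, dst, dport):
    """Return (access, priority) of the first matching rule in priority order."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction or r.protocol not in ("*", protocol):
            continue
        if addr_matches(r.source, src) and addr_matches(r.destination, dst) \
                and port_matches(r.dest_ports, dport):
            return r.access, r.priority
    raise ValueError("no rule matched; the default rules should make this unreachable")


# Azure's default inbound rules: present in every NSG and cannot be removed.
DEFAULT_INBOUND = [
    Rule(65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", ("*",)),
    Rule(65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", ("*",)),
    Rule(65500, "Inbound", "Deny", "*", "*", "*", ("*",)),
]

# Constructed web-tier NSG. Rule 200 is needed because otherwise the default
# 65000 rule would let any VNet host reach SSH on the web servers.
WEB_NSG = [
    Rule(100, "Inbound", "Allow", "Tcp", "Internet", "asg-web", ("443",)),
    Rule(110, "Inbound", "Allow", "Tcp", "asg-mgmt", "asg-web", ("22",)),
    Rule(200, "Inbound", "Deny", "Tcp", "VirtualNetwork", "asg-web", ("22",)),
] + DEFAULT_INBOUND

if __name__ == "__main__":
    for flow in [("203.0.113.7", 443), ("10.10.5.10", 22), ("10.20.2.9", 22), ("203.0.113.7", 22)]:
        print(flow, "->", evaluate(WEB_NSG, "Inbound", "Tcp", flow[0], "10.20.1.4", flow[1]))
```

The point the model makes is that the default Allow at 65000 is reached before the default Deny at 65500, so east-west restrictions inside a VNet need an explicit Deny at a lower priority number; the platform's defaults alone do not segment the network.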

VPN Gateway  

The VPN Gateway service connects a virtual network to an on-premises network over an encrypted IPsec/IKE tunnel across the public internet, forming a hybrid environment. 

Key Features: 

  • Azure VPN Gateway supports both policy-based and route-based connections. A route-based gateway supports multiple site connections to a single VPN Gateway, while a policy-based gateway supports only one connection and is limited to the Basic SKU. 
  • Azure VPN Gateway supports site-to-site, multi-site, point-to-site and VNet-to-VNet connections. ExpressRoute uses a separate virtual network gateway of type ExpressRoute, which can coexist with a VPN gateway in the same VNet. 
  • The gateway requires its own subnet, which must be named GatewaySubnet. 
  • A spoke VNet can reach the on-premises network through the hub VNet by peering the two and enabling "Allow gateway transit" on the hub side of the peering and "Use remote gateways" on the spoke side. 

Application gateway 

Application Gateway is a Layer 7 web traffic load balancer with an optional web application firewall (WAF) to protect inbound web traffic. 

Key Features: 

  • SSL (TLS) offloading terminates TLS on the Application Gateway, removing the encryption/decryption burden from the web servers. End-to-end TLS can also be configured, in which case the gateway re-encrypts the connection to the backend. 
  • Path-based routing distributes web traffic to different backend pools based on the URL path. 
  • Redirection can send traffic from one listener to another, for example from HTTP to HTTPS, or to an entirely different URL.  
  • The WAF protects sites with managed rule sets based on the OWASP Core Rule Set. Custom rules can also be created. 
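The redirect and path-based routing bullets describe a listener-and-rule pipeline; the following is an offline model of that pipeline, added here as an example (not the service's code and not from the original post). It assumes an HTTP listener whose rule redirects permanently to the HTTPS listener while keeping path and query, an HTTPS listener whose rule uses a URL path map, and that the most specific (longest) matching path prefix wins; the hostnames, pools and path patterns are constructed sample data.

```python
"""Offline model of Application Gateway redirect + path-based routing
(added example, not the service's code)."""
from urllib.parse import urlsplit

# URL path map: pattern -> backend pool. A trailing "*" matches a prefix.
PATH_MAP = {"/images/*": "pool-static", "/api/*": "pool-api"}
DEFAULT_POOL = "pool-web"
# Backend HTTP setting per pool: "https" means end-to-end TLS to the backend,
# "http" means TLS is offloaded at the gateway (constructed sample values).
BACKEND_PROTOCOL = {"pool-static": "http", "pool-api": "https", "pool-web": "http"}


def pick_pool(path):
    """Most specific (longest) matching prefix wins; default pool otherwise.
    Assumption: longest-prefix selection, independent of rule order."""
    best = None
    for pattern, pool in PATH_MAP.items():
        prefix = pattern[:-1] if pattern.endswith("*") else pattern
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, pool)
    return best[1] if best else DEFAULT_POOL


def handle(url):
    """What the gateway does with one request URL: a redirect or a route."""
    u = urlsplit(url)
    if u.scheme == "http":
        # Redirect configuration: permanent, target = HTTPS listener,
        # include path and query string.
        target = f"https://{u.hostname}{u.path or '/'}" + (f"?{u.query}" if u.query else "")
        return {"action": "redirect", "status": 301, "location": target}
    pool = pick_pool(u.path or "/")
    return {"action": "route", "pool": pool, "backend_protocol": BACKEND_PROTOCOL[pool]}


if __name__ == "__main__":
    for url in ["http://www.contoso.example/api/v1/orders?id=7",
                "https://www.contoso.example/images/logo.png",
                "https://www.contoso.example/"]:
        print(url, "->", handle(url))
```

Whether the backend leg is "http" or "https" is the practical difference between TLS offloading and end-to-end TLS: with offloading, traffic between the gateway subnet and the web tier is cleartext inside the VNet, which is worth noting in the threat model when the backend subnet is shared.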

Azure Firewall 

Azure Firewall is a managed, stateful firewall service in Azure with built-in scalability and high availability. It filters traffic between VNets, between VNets and on-premises networks, and between VNets and the internet. 

Key Features: 

  • Network rules allow or deny traffic based on source and destination IP address, port and protocol. Azure Firewall is fully stateful, so return traffic for an allowed connection is permitted automatically.  
  • Application rules filter outbound HTTP/HTTPS traffic by fully qualified domain name and support wildcards such as *.contoso.com. Network rules are evaluated before application rules, and the first matching rule decides. 
  • NAT: outbound traffic from VNets is automatically translated to the firewall's public IP (SNAT), while DNAT rules translate inbound traffic arriving at a firewall public IP and port to a private IP in the VNet. 
  • Rules can be applied to multiple subnets and VNets in different subscriptions under the same tenant. Each subnet needs a route table with a default route (0.0.0.0/0) whose next hop is the firewall's private IP; without it, traffic bypasses the firewall. 
  • The threat intelligence feature alerts on or blocks traffic to and from malicious IPs and domains sourced from Microsoft's threat intelligence feed. 
  • Fully integrated with Azure Monitor for logging and analytics. 
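Two of the bullets above hide mechanics that are easy to misconfigure: the user-defined route that actually sends a spoke's traffic to the firewall, and the order in which network and application rules are applied. The following offline model of both is an added example for this article, not Microsoft's implementation and not code from the original post; the routes, rule collections and flows are constructed sample data, and the firewall private IP 10.10.1.4 is assumed.

```python
"""Offline model of a spoke route table and Azure Firewall rule processing
(added example, not Microsoft code)."""
import ipaddress

# --- Spoke route table: longest-prefix match. The user-defined default route
# overrides Azure's system "Internet" route so egress goes via the firewall.
SPOKE_ROUTES = [
    ("10.20.0.0/16", "VirtualNetwork", None),         # system route: the spoke itself
    ("10.10.0.0/16", "VNetPeering", None),            # system route: peered hub
    ("0.0.0.0/0", "VirtualAppliance", "10.10.1.4"),   # UDR: hub firewall private IP (assumed)
]


def next_hop(routes, dst):
    """Return (next_hop_type, next_hop_ip) for the most specific matching prefix."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, hop_type, hop_ip in routes:
        n = ipaddress.ip_network(prefix)
        if ip in n and (best is None or n.prefixlen > best[0]):
            best = (n.prefixlen, hop_type, hop_ip)
    return (best[1], best[2]) if best else ("None", None)   # no route: packet dropped


# --- Firewall rule collections: (priority, action, [rules]).
# Network rule: (name, protocols, sources, destinations, ports).
NETWORK = [
    (100, "Allow", [("dns-to-hub", {"UDP"}, ["10.20.0.0/16"], ["10.10.0.4/32"], {"53"})]),
    (200, "Deny",  [("no-smb-out", {"TCP"}, ["10.20.0.0/16"], ["*"], {"445"})]),
]
# Application rule: (name, sources, target FQDN patterns, protocol:port set).
APPLICATION = [
    (100, "Allow", [("ms-updates", ["10.20.0.0/16"],
                     ["*.windowsupdate.com", "update.microsoft.com"], {"http:80", "https:443"})]),
    (300, "Deny",  [("no-pastebin", ["*"], ["pastebin.com", "*.pastebin.com"], {"https:443"})]),
]


def in_any(ip, cidrs):
    return "*" in cidrs or any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)


def fqdn_matches(pattern, host):
    """'*.contoso.com' matches any subdomain of contoso.com, not the apex and
    not look-alikes such as evilcontoso.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def decide(proto, src, dst, dport, host=None):
    """Outbound flow verdict: network collections first, then application
    collections (HTTP/HTTPS only), each in priority order; first match wins;
    anything unmatched is denied."""
    for _prio, action, rules in sorted(NETWORK, key=lambda c: c[0]):
        for name, protos, srcs, dsts, ports in rules:
            if proto in protos and in_any(src, srcs) and in_any(dst, dsts) and str(dport) in ports:
                return action, name
    key = {80: "http:80", 443: "https:443"}.get(dport)
    if proto == "TCP" and key and host:
        for _prio, action, rules in sorted(APPLICATION, key=lambda c: c[0]):
            for name, srcs, fqdns, keys in rules:
                if key in keys and in_any(src, srcs) and any(fqdn_matches(p, host) for p in fqdns):
                    return action, name
    return "Deny", "implicit-deny"


if __name__ == "__main__":
    print(next_hop(SPOKE_ROUTES, "13.107.4.50"))
    print(decide("TCP", "10.20.1.4", "20.1.2.3", 443, host="download.windowsupdate.com"))
    print(decide("TCP", "10.20.1.4", "20.1.2.3", 443, host="windowsupdate.com"))
```

The two outcomes worth checking in a real deployment match what the model shows: a destination not covered by a more specific system route lands on the VirtualAppliance hop, and a wildcard FQDN rule covers subdomains but not the bare domain, so an apex hostname needs its own entry.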

Azure Bastion 

Azure Bastion is a PaaS service that provides secure and seamless RDP/SSH connectivity to your VMs from the Azure portal over TLS (port 443). The VMs need no public IP address and no RDP/SSH ports exposed to the internet, yet can still be managed remotely. Bastion is deployed inside the VNet and requires a dedicated subnet named AzureBastionSubnet. 

Private endpoint  

Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. The Private Endpoint takes a private IP address from your VNet, effectively bringing the service into your VNet so that traffic to it never leaves the Microsoft backbone and public access to the service can be disabled. The service can be an Azure PaaS offering such as Azure Storage, Azure Cosmos DB or Azure SQL, or your own Private Link Service. 

Traffic Manager 

Azure Traffic Manager is a DNS-based global load balancer. It routes traffic using routing methods based on priority, weighting, endpoint performance (latency) and client location, and because it works at the DNS layer it returns the chosen endpoint's address to the client rather than proxying the traffic. Endpoints can be disabled to move traffic away during planned maintenance. Traffic Manager is resilient to the failure of an entire Azure region and can work in front of Application Gateway for geo-redundant solution requirements. 

Azure Front door 

Azure Front Door is a globally distributed load balancer with a built-in web application firewall. Both Front Door and Application Gateway offer TLS offloading, path-based routing and a WAF, but Front Door is a global service running at Microsoft's edge, whereas Application Gateway is a regional service. Application Gateway can load balance to VMs and containers inside a VNet as well as to web apps, while Front Door's backends are reached over public endpoints, such as web apps. 


About the Author

Irfan Talib is an Azure Infrastructure Consultant at New Signature with expertise in delivering Azure solutions at the enterprise level. He focuses on using Microsoft-native technologies to ensure clients have a successful journey to Azure by building, migrating and automating cloud infrastructure. Irfan enjoys spending time with his family, listening to music and playing cricket. 
