- Overview
- Hub Virtual Network
- Management Restricted Zone Virtual Network
- Shared Public Access Zone subnet in the Hub
- User Defined Routes
- Network Security Groups
- Required Routes
- Azure Firewall Rules
- Log Analytics Integration
- Azure Deployment
- Schema Definition
- Delete Locks
- Deployment Scenarios
- Example Deployment Parameters
The recommended network design achieves the purpose of hosting Protected B workloads on Profile 3 (cloud only). This is a simplified network design given all ingress and egress traffic will traverse through the same VIP.
-
Cloud network topology based on proven hub-and-spoke design.
-
Hub contains a single instance of Azure Firewall and Azure Firewall Policy.
-
The hub contains a subnet acting as a public access zones (PAZ, using RFC 6598 space) where service delivery occurs (i.e. web application delivery), either dedicated to line of business workload or as a shared system. When using Azure Application Gateway, this subnet(PAZ) will be reserved for it.
-
Hub links to a spoke MRZ Virtual Network (Management Restricted Zone) for management, security, and shared infrastructure purposes (i.e. Domain Controllers, Secure Jumpbox, Software Management, Log Relays, etc.).
-
Spokes contains RZ (Restricted Zone) for line of business workloads, including dedicated PAZ (Public Access Zone), App RZ (Restricted Zone), and Data RZ (Data Restricted Zone).
-
All ingress traffic traverses the hub's firewall, and all egress to internet routed to the firewall for complete traffic inspection for virtual machines. PaaS and Managed IaaS services will have direct communication with the Azure control plane to avoid asymmetric routing.
-
No public IPs allowed in the landing zone spokes for virtual machines. Public IPs for landing zones are only allowed in the external area network (EAN). Azure Policy is in place to prevent Public IPs from being directly attached to Virtual Machines NICs.
-
Spokes have network segmentation and security rules to filter East-West traffic and Spoke-to-Spoke traffic will be denied by default in the firewall.
-
Most network operations in the spokes, as well as all operations in the hub, are centrally managed by networking team.
-
In this initial design, the hub is in a single region, no BCDR plan yet.
Application Gateway with WAFv2 will be used for ingress traffic and application delivery. Application Gateways will be placed on the shared Public Access Zone (a subnet in the Hub), where public IPs will be protected with Azure DDoS (either Basic or Standard).
Other possible topologies are explained in Azure documentation and we recommend reviewing to ensure the topology aligns to your department's network design.
There will be at least one shared Application Gateway instance and multiple dedicated Application Gateways for those line of businesses that require their own deployment (i.e. performance or cost allocation). All egress traffic from the spokes will be routed to the hub's edge firewall, inspected, and authorized/denied based on network (IP/Port) or application rules (FQDNs).
Network design will require 3 IP blocks:
- RFC 1918 for Azure native-traffic (including IaaS and PaaS). Example:
10.18.0.0/16 - RFC 1918 for Azure Bastion. Example:
192.168.0.0/16 - RFC 6598 for department to department traffic through GCnet. Example:
100.60.0.0/16
This document will reference the example IP addresses above to illustrate network flow and configuration.
Virtual Network Address Space
- Azure Firewall Premium instance configured with
- Either forced tunneling (requires the next hop as another device such as NVA, on-premises or another Azure Firewall at the edge) or without forced tunneling. When forced tunneling is turned on, all management traffic will flow through the separate
AzureFirewallManagementSubnetsubnet. - DNS Proxy
- Threat Intelligence in Alert mode
- IDPS in Alert mode
- Either forced tunneling (requires the next hop as another device such as NVA, on-premises or another Azure Firewall at the edge) or without forced tunneling. When forced tunneling is turned on, all management traffic will flow through the separate
- Azure Firewall Policy
- Base firewall rules to support spoke archetypes
- Azure Bastion
-
Management Access Zone (OZ) - to host any privileged access workstations (PAW), with Management Public IPs forwarded via the hub's firewall.
-
Management (OZ) – hosting the management servers (domain controllers).
-
Infrastructure (OZ) – hosting other common infrastructure, like file shares.
-
Security Management (OZ) – hosting security, proxies and patching servers.
-
Logging (OZ) – hosting logging relays.
-
A User-Defined-Route forces all traffic to be sent to the Hub's firewall via the Internal Load Balancer in the Hub (this doesn't apply to Azure Bastion).
MrzSpokeUdr Route Table
To simplify management and compliance, all public-facing web servers, reverse proxies and application delivery controllers will be hosted in this subnet, as a sort of DMZ.
Application Gateway can have either public or private frontends (also with RFC 6598 space) and it requires a full subnet for it's instances.
The Backend URL should map to a VIP and Port mapping in the firewall's External network. In the future, Backend URLs could be directly pointed to the Frontend subnets in the spoke. The firewall performs DNAT and sends to the webserver, which will answer to the source IP (Application Gateway's internal IP), which means the webserver may need a UDR to force traffic destined to Application Gateway to re-traverse the firewall (next-hop), which is considered asymmetric routing (other example topologies).
All traffic to be sent to the Hub's Azure Firewall VIP.
Azure supports connecting to PaaS services using RFC 1918 private IPs, avoiding all traffic from the internet and only allowing connections from designated private endpoints as a special kind of NICs in the subnet of choice. Private DNS resolution must be implemented so the PaaS service URLs properly translate to the individual private IP of the private endpoint.
Below is a list of requirements for the NSGs in each subnet:
-
Hub Virtual Network
- PazSubnet – must follow Application Gateway's guidelines
- TCP ports 65200-65535 for the v2 SKU with the destination subnet as Any and source as GatewayManager service tag
- Defaults (Allow AzureLoadBalancer)
- AzureBastionSubnet - See documentation
- PazSubnet – must follow Application Gateway's guidelines
This section will reference the example IP addresses above to illustrate network flow and configuration.
We'll use as few IPs as possible for the Core, MRZ and PAZ virtual networks, and use a small CIDR for a Generic Subscription archetype that works as an example for other Prod and Dev workloads. However, it's key to remember that each line of business may have to get their own IP range (RFC 1918) and peer it to the Hub network without conflicts (i.e. with 10.18.0.0/16).
We also use a RFC 6598 range for external networking, which makes this design compatible with SCED requirements for future hybrid. connectivity.
To leverage Azure Bastion as a shared service for all spoke virtual networks, we use a third IP range (outside of the RFC 1918 and RFC 6598 ranges).
Hub Virtual Network Address Space
Subnets with Network Security Group & User Defined Routes
| Hub Virtual Network - 10.18.0.0/22, 100.60.0.0/24, 192.168.0.0/16 | Function | IP block |
|---|---|---|
| PAZSubnet | Shared Application Gateways | 100.60.1.0/24 |
| AzureFirewallSubnet | Data plane traffic. When forced tunneling is off, it is also used for management traffic. | 100.60.1.0/24 |
| AzureFirewallManagementSubnet | Management plane traffic. Only used when forced tunneling is on. | |
| AzureBastionSubnet | Azure Bastion | 192.168.0.0/24 |
| GatewaySubnet | Gateway Subnet | 10.18.0.0/27 |
MRZ Virtual Network Address Space
Subnets with Network Security Group & User Defined Routes
| Hub Virtual Network - 10.18.4.0/22 | Function | IP block |
|---|---|---|
| MazSubnet | Management (Access Zone) | 10.18.4.0/25 |
| InfSubnet | Infrastructure Services (Restricted Zone) | 10.18.4.128/25 |
| SecSubnet | Security Services (Restricted Zone) | 10.18.5.0/26 |
| LogSubnet | Logging Services (Restricted Zone) | 10.18.5.64/26 |
| MgmtSubnet | Core Management Interfaces | 10.18.4.128/26 |
| Spoke Virtual Network - 10.18.16.0/21 | Function | IP block |
|---|---|---|
| oz-subnet | Internal Foundational Elements (OZ) | /25 |
| paz-subnet | Presentation Zone (PAZ) | /25 |
| rz-subnet | Application zone (RZ) | /25 |
| hrz-subnet | Data Zone (HRZ) | /25 |
Required routing rules to enforce the security controls required to protect the workloads by centralizing all network flows through the Hub's firewall.
Example: MrzSpokeUdr Route Table
| UDR Name | Rules | Applied to | Comments |
|---|---|---|---|
| PrdSpokesUdr | 0.0.0.0/0, 10.18.0.0/16 and 100.60.0.0/16 via Azure Firewall VIP. |
All production spoke virtual networks. | Via peering, spokes learn static routes to reach any IP in the Hub. Hence, we override the Hub virtual network's IPs (10.18/16 and 100.60/16) and force traffic via Firewall. |
| DevSpokesUdr | Same as above. | All development spoke virtual networks. | Same as above. |
| MrzSpokeUdr | Same as above. | Mrz spoke virtual network | Same as above. |
| PazSubnetUdr | Same as above. | Force traffic from Application Gateway to be sent via the Firewall VIP | Same as above. |
Azure Firewall Rules are configured via Azure Firewall Policy. This allows for firewall rules to be updated without redeploying the Hub Networking elements including Azure Firewall instances.
Firewall Rule definition is located at landingzones/lz-platform-connectivity-hub-azfw/azfw-policy/azure-firewall-policy.bicep
Azure Firewall Policy - Rule Collections
Azure Firewall Policy - Network Rules
Azure Firewall Policy - Application Rules
Azure Firewall forwards it's logs to Log Analytics Workspace. This integration is automatically configured through Azure Policy for Diagnostic Settings.
Once Log Analytics Workspace has collected logs, Azure Monitor Workbook for Azure Firewall can be used to monitor traffic flows.
Below are sample queries that can also be used to query Log Analytics Workspace directly.
Sample Firewall Logs Query
AzureDiagnostics
| where Category contains "AzureFirewall"
| where msg_s contains "Deny"
| project TimeGenerated, msg_s
| order by TimeGenerated desc
Sample DNS Logs Query
AzureDiagnostics
| where Category == "AzureFirewallDnsProxy"
| where msg_s !contains "NOERROR"
| project TimeGenerated, msg_s
| order by TimeGenerated desc
Reference implementation uses parameter files with object parameters to consolidate parameters based on their context. The schemas types are:
-
Schema (version:
latest)
As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. You can set the lock level to CanNotDelete or ReadOnly. Please see Azure Docs for more information.
By default, this archetype deploys CanNotDelete lock to prevent accidental deletion at:
- Hub Virtual Network resource group
- Management Restricted Zone resource group
- Public Access Zone resource group
- DDoS resource group (when enabled)
Sample deployment scenarios are based on the latest JSON parameters file schema definition. If you have an older version of this repository, please use the examples from your repository.
| Scenario | Example JSON Parameters | Notes |
|---|---|---|
| Full Deployment | tests/schemas/lz-platform-connectivity-hub-azfw-policy/FullDeployment.json | - |
Sample deployment scenarios are based on the latest JSON parameters file schema definition. If you have an older version of this repository, please use the examples from your repository.
| Scenario | Example JSON Parameters | Notes |
|---|---|---|
| Full Deployment | tests/schemas/lz-platform-connectivity-hub-azfw/FullDeployment.json | - |
| Full Deployment with Azure Firewall Policy | tests/schemas/lz-platform-connectivity-hub-azfw/FullDeployment-WithAzureFirewallPolicy.json | parameters.azureFirewallExistingPolicyId.value is configured. When it's not defined, this setting is added by Azure DevOps pipeline during deployment. |
| Full Deployment with Log Analytics Workspace | tests/schemas/lz-platform-connectivity-hub-azfw/FullDeployment-WithLogAnalyticsWorkspace.json | parameters.logAnalyticsWorkspaceResourceId.value is configured. When it's not defined, this setting is added by Azure DevOps pipeline during deployment. |
| Deployment without subscription budget | tests/schemas/lz-platform-connectivity-hub-azfw/BudgetIsFalse.json | parameters.subscriptionBudget.value.createBudget is set to false and budget information removed. |
This example configures:
- Resource Group with Tags
- Azure Firewall Policy
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"resourceTags": {
"value": {
"ClientOrganization": "client-organization-tag",
"CostCenter": "cost-center-tag",
"DataSensitivity": "data-sensitivity-tag",
"ProjectContact": "project-contact-tag",
"ProjectName": "project-name-tag",
"TechnicalContact": "technical-contact-tag"
}
},
"resourceGroupName": {
"value": "pubsec-azure-firewall-policy-rg"
},
"policyName": {
"value": "pubsecAzureFirewallPolicy"
}
}
}This example configures:
- Service Health Alerts
- Microsoft Defender for Cloud
- Subscription Role Assignments using built-in and custom roles
- Subscription Budget with $1000
- Subscription Tags
- Resource Tags (aligned to the default tags defined in Policies)
- Log Analytics Workspace integration through Azure Defender for Cloud
- Hub Network with Azure Firewall
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"azureFirewallExistingPolicyId": {
"value": "/subscriptions/ed7f4eed-9010-4227-b115-2a5e37728f27/resourcegroups/pubsec-azure-firewall-policy-rg/providers/Microsoft.Network/firewallPolicies/pubsecAzureFirewallPolicy"
},
"logAnalyticsWorkspaceResourceId": {
"value": "/subscriptions/bc0a4f9f-07fa-4284-b1bd-fbad38578d3a/resourcegroups/pubsec-central-logging-rg/providers/microsoft.operationalinsights/workspaces/log-analytics-workspace"
},
"serviceHealthAlerts": {
"value": {
"resourceGroupName": "pubsec-service-health",
"incidentTypes": [
"Incident",
"Security"
],
"regions": [
"Global",
"Canada East",
"Canada Central"
],
"receivers": {
"app": [
"alzcanadapubsec@microsoft.com"
],
"email": [
"alzcanadapubsec@microsoft.com"
],
"sms": [
{
"countryCode": "1",
"phoneNumber": "5555555555"
}
],
"voice": [
{
"countryCode": "1",
"phoneNumber": "5555555555"
}
]
},
"actionGroupName": "ALZ action group",
"actionGroupShortName": "alz-alert",
"alertRuleName": "ALZ alert rule",
"alertRuleDescription": "Alert rule for Azure Landing Zone"
}
},
"securityCenter": {
"value": {
"email": "alzcanadapubsec@microsoft.com",
"phone": "5555555555"
}
},
"subscriptionRoleAssignments": {
"value": [
{
"comments": "Built-in Contributor Role",
"roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"securityGroupObjectIds": [
"38f33f7e-a471-4630-8ce9-c6653495a2ee"
]
}
]
},
"subscriptionBudget": {
"value": {
"createBudget": true,
"name": "MonthlySubscriptionBudget",
"amount": 1000,
"timeGrain": "Monthly",
"contactEmails": [
"alzcanadapubsec@microsoft.com"
]
}
},
"subscriptionTags": {
"value": {
"ISSO": "isso-tbd"
}
},
"resourceTags": {
"value": {
"ClientOrganization": "client-organization-tag",
"CostCenter": "cost-center-tag",
"DataSensitivity": "data-sensitivity-tag",
"ProjectContact": "project-contact-tag",
"ProjectName": "project-name-tag",
"TechnicalContact": "technical-contact-tag"
}
},
"deployPrivateDnsZones": {
"value": true
},
"rgPrivateDnsZonesName": {
"value": "pubsec-dns-rg"
},
"deployDdosStandard": {
"value": false
},
"rgDdosName": {
"value": "pubsec-ddos-rg"
},
"ddosPlanName": {
"value": "ddos-plan"
},
"bastionName": {
"value": "bastion"
},
"bastionSku": {
"value": "Standard"
},
"bastionScaleUnits": {
"value": 2
},
"rgPazName": {
"value": "pubsec-public-access-zone-rg"
},
"rgMrzName": {
"value": "pubsec-management-restricted-zone-rg"
},
"mrzVnetName": {
"value": "management-restricted-vnet"
},
"mrzVnetAddressPrefixRFC1918": {
"value": "10.18.4.0/22"
},
"mrzMazSubnetName": {
"value": "MazSubnet"
},
"mrzMazSubnetAddressPrefix": {
"value": "10.18.4.0/25"
},
"mrzInfSubnetName": {
"value": "InfSubnet"
},
"mrzInfSubnetAddressPrefix": {
"value": "10.18.4.128/25"
},
"mrzSecSubnetName": {
"value": "SecSubnet"
},
"mrzSecSubnetAddressPrefix": {
"value": "10.18.5.0/26"
},
"mrzLogSubnetName": {
"value": "LogSubnet"
},
"mrzLogSubnetAddressPrefix": {
"value": "10.18.5.64/26"
},
"mrzMgmtSubnetName": {
"value": "MgmtSubnet"
},
"mrzMgmtSubnetAddressPrefix": {
"value": "10.18.5.128/26"
},
"rgHubName": {
"value": "pubsec-hub-networking-rg"
},
"hubVnetName": {
"value": "hub-vnet"
},
"hubVnetAddressPrefixRFC1918": {
"value": "10.18.0.0/22"
},
"hubVnetAddressPrefixRFC6598": {
"value": "100.60.0.0/16"
},
"hubVnetAddressPrefixBastion": {
"value": "192.168.0.0/16"
},
"hubPazSubnetName": {
"value": "PAZSubnet"
},
"hubPazSubnetAddressPrefix": {
"value": "100.60.1.0/24"
},
"hubGatewaySubnetAddressPrefix": {
"value": "10.18.0.0/27"
},
"hubAzureFirewallSubnetAddressPrefix": {
"value": "10.18.1.0/24"
},
"hubAzureFirewallManagementSubnetAddressPrefix": {
"value": "10.18.2.0/26"
},
"hubBastionSubnetAddressPrefix": {
"value": "192.168.0.0/24"
},
"azureFirewallName": {
"value": "pubsecAzureFirewall"
},
"azureFirewallZones": {
"value": [
"1",
"2",
"3"
]
},
"azureFirewallForcedTunnelingEnabled": {
"value": false
},
"azureFirewallForcedTunnelingNextHop": {
"value": "10.17.1.4"
}
}
}