Azure Networking Infra setup

1. Overview

This document provides a step-by-step guide to setting up a basic Azure infrastructure using the Hub-and-Spoke network topology. This model helps centralize network security and routing in the Hub while allowing Spokes to connect securely.

2. Resources to be Created

• 3 Resource Groups:

  • Hub-RG

  • Spoke1-RG

  • Spoke2-RG

• 3 Virtual Networks (VNets):

  • Hub-VNet (10.10.0.0/16)

  • Spoke1-VNet (172.16.0.0/16)

  • Spoke2-VNet (172.17.0.0/16)

• Subnets in Each VNet:

  • Hub-VNet:

    • AzureFirewallSubnet (10.10.1.0/24) (This subnet must be named exactly as AzureFirewallSubnet for the firewall to function properly.)

    • Management Subnet(10.10.1.0/24)(This is to provision bastion host machine to connect to hosts in spoke vnet`s)

  • Spoke1-VNet:

    • Workload Subnet (172.16.1.0/24)

  • Spoke2-VNet:

    • Workload Subnet (172.17.1.0/24)

• 3 Linux Virtual Machines:

  • One VM in each of the workload subnets (Spoke1 & Spoke2)

  • One VM in the management subnet (Hub-VNet)

3. VNet Peering

• Peer Hub-VNet with Spoke1-VNet

• Peer Hub-VNet with Spoke2-VNet

• Ensure that traffic is allowed between VNets via peering settings.

4. Deploying the Azure Firewall in the Hub

What is Azure Firewall? Azure Firewall is a managed cloud-based network security service that provides threat protection and enforces network security policies across Azure VNets. It acts as a centralized security checkpoint in a Hub-and-Spoke model, ensuring that traffic between the Spokes and outbound traffic to the internet follows security policies.

Why do we need Azure Firewall?

• It provides centralized security controls.

• It allows secure internet access from Spoke VNets.

• It enforces application and network-level policies to allow or block traffic.

Deployment Steps:

• Deploy Azure Firewall in the Hub-VNet within the AzureFirewallSubnet (which must be named exactly as AzureFirewallSubnet).

• Assign a static public IP to the firewall.

• Configure firewall rules to control traffic flow.

5. Define Routes and Route Tables

Why are we defining routes? By default, Azure allows direct routing between VNets, but in a Hub-and-Spoke model, we need to enforce security by directing traffic through the Hub firewall. This ensures that all outbound and inter-Spoke traffic is inspected and controlled.

Steps to Create Route Tables:

• Create a route table in Spoke1-VNet and Spoke2-VNet.

• Define routes:

  • Default Route: Direct all internet-bound traffic (0.0.0.0/0) to the Azure Firewall's private IP.

  • Inter-Spoke Traffic: Ensure that communication between Spokes is routed through the firewall.

• Associate these route tables with the respective workload subnets.

Impact on Private IPs of Spoke VMs:

• Once the route is applied, all outbound traffic from the Spoke VMs is routed through the firewall.

• The public IPs of the Spoke VMs become irrelevant for external communication since all traffic is NATed through the firewall’s public IP.

• The firewall ensures that only allowed outbound traffic can access the internet, adding a layer of security.

6. Configuring Firewall Rules

• NAT Rules:

  • Define rules to allow inbound traffic from specific sources.

• Application Rules:

  • Allow/Deny application-specific traffic based on policies.

• Network Rules:

  • Manage inter-VNet traffic flow.

7. Validation

• Test connectivity between VMs across Spokes via the Hub.

• Verify that the firewall enforces the defined security rules.

• Ensure internet-bound traffic from the Spokes passes through the firewall.

8. Summary

This setup establishes a secure and scalable Hub-and-Spoke architecture, ensuring controlled communication between workloads while enforcing centralized security policies using Azure Firewall.