Azure Landing Zone Review Checklist – Networking


Azure has a wide range of services that provide connectivity between Azure resources, connectivity from an on-premises network to Azure resources, and branch-to-branch connectivity in Azure: Virtual Network (VNet), ExpressRoute, VPN Gateway, Virtual WAN, Virtual Network NAT Gateway, Azure DNS, Azure Peering Service, Azure Bastion and others. Ensuring that the connectivity posture for your environment is properly planned gives you the confidence to land any workload in the Azure environment without worries.

Plan for IP addressing

Ensure no overlapping IP address spaces across Azure regions and on-premises locations. Severity: Medium. Check: Do you have an IPAM process ensuring that there are no overlapping IP addresses? Reference: Plan for IP addressing – Cloud Adoption Framework | Microsoft Docs
Use IP addresses from the address allocation for private internets (RFC 1918). Severity: Medium. Check: Are you using only RFC 1918 compliant IP ranges (Class A, B or C)? Reference: Plan for IP addressing – Cloud Adoption Framework | Microsoft Docs
Ensure that IP address space isn't wasted; don't create unnecessarily large virtual networks (for example, /16). Severity: Medium. Check: What is the largest IP CIDR block you have allocated? Reference: Plan for IP addressing – Cloud Adoption Framework | Microsoft Docs
Ensure no public IP addresses are used inside of a VNet. Severity: Medium. Check: Are you using public IP addresses within the VNet? Reference: Plan for IP addressing – Cloud Adoption Framework | Microsoft Docs
Avoid using overlapping IP address ranges for production and DR sites. Severity: Medium. Check: Do you have dedicated, non-overlapping IP address range(s) for production and DR? Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution. Create a delegated zone for name resolution (such as azure.contoso.com). Severity: Medium. Check: Azure only – Do you have a DNS strategy for Azure name resolution? Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
For environments where name resolution across Azure and on-premises is required, use existing DNS infrastructure (for example, Active Directory-integrated DNS) deployed onto at least two virtual machines (VMs). Configure DNS settings in virtual networks to use those DNS servers. Severity: Medium. Check: Hybrid DNS – Have you configured the required DNS settings at the VNet level, pointing to your domain controllers? Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution. Severity: Medium. Check: Specific DNS – Have you looked at the vendor guidance? Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual network. Check: Have you enabled auto-registration with Azure DNS?
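The IP addressing checks above (no overlaps across regions, DR and on-premises; RFC 1918 only; no oversized VNets) can be run offline against an exported address plan. This is an added example, not part of the original checklist; the address plan in it is constructed sample data, and the /17 size threshold follows the checklist's own /16 example.

```python
"""Added example, not from the original checklist: an offline check of an IP
address plan against the 'Plan for IP addressing' rows above. The address plan
below is constructed sample data, not a real environment."""
import ipaddress
from itertools import combinations

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Flag Azure VNets of /16 or larger, following the checklist's own example;
# tune this to your IPAM policy.
LARGEST_ALLOWED_VNET_PREFIX = 17

# Constructed sample plan: name -> (CIDR, "azure" | "onprem"). Real data would
# come from your IPAM system or a VNet export.
SAMPLE_PLAN = {
    "onprem-datacenter":    ("10.0.0.0/12", "onprem"),
    "azure-hub-westeurope": ("10.20.0.0/22", "azure"),
    "azure-lz-app1":        ("10.21.0.0/24", "azure"),
    "azure-lz-app2":        ("10.21.0.0/25", "azure"),    # overlaps app1
    "azure-dr-northeurope": ("10.8.0.0/16", "azure"),     # inside the on-prem /12, and a /16
    "legacy-lab":           ("172.200.0.0/24", "azure"),  # not RFC 1918 (172.16/12 ends at 172.31)
}

def check_plan(plan, largest_allowed_prefix=LARGEST_ALLOWED_VNET_PREFIX):
    """Return sorted (check, subject, detail) findings; an empty list means the plan passes.

    strict=True makes ipaddress reject a CIDR with host bits set (e.g. 10.21.0.1/24),
    which is usually a typo in the plan rather than a real allocation.
    """
    nets = {name: (ipaddress.ip_network(cidr, strict=True), kind)
            for name, (cidr, kind) in plan.items()}
    findings = []
    for name, (net, kind) in nets.items():
        if not any(net.subnet_of(private) for private in RFC1918):
            findings.append(("not-rfc1918", name, f"{net} is public address space"))
        if kind == "azure" and net.prefixlen < largest_allowed_prefix:
            findings.append(("too-large", name, f"{net} is a /{net.prefixlen} virtual network"))
    # Overlap is checked across every pair, so Azure-to-Azure, Azure-to-DR and
    # Azure-to-on-premises collisions are all reported.
    for (a, (na, _)), (b, (nb, _)) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            findings.append(("overlap", f"{a}+{b}", f"{na} overlaps {nb}"))
    return sorted(findings)

if __name__ == "__main__":
    for check, subject, detail in check_plan(SAMPLE_PLAN):
        print(f"{check:12} {subject:42} {detail}")
```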

Virtual WAN network topology (Microsoft-managed)

Do you have multiple branches and locations that you would like to connect to Azure independently? Severity: Medium. Reference: Azure Virtual WAN Overview | Microsoft Docs
For new large or global network deployments in Azure where you need global transit connectivity across Azure regions and on-premises locations, use Virtual WAN. Severity: Medium. Reference: Azure Virtual WAN Overview | Microsoft Docs
Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a common global Azure Virtual WAN. Severity: Medium. Reference: Azure Virtual WAN Overview | Microsoft Docs
Use Virtual Hub Routing features to further segment traffic between VNets and branches. Severity: Medium. Reference: Azure Virtual WAN Overview | Microsoft Docs
Connect Virtual WAN hubs to on-premises datacenters by using ExpressRoute. Severity: Medium. Reference: Azure Virtual WAN Overview | Microsoft Docs
Connect branches and remote locations to the nearest Virtual WAN hub via Site-to-Site VPN, or enable branch connectivity to Virtual WAN via an SD-WAN partner solution. Severity: Medium. Reference: Azure Virtual WAN Overview | Microsoft Docs
Connect users to the Virtual WAN hub via a Point-to-Site VPN. Severity: Medium. Reference: Azure Virtual WAN Overview | Microsoft Docs
Follow the principle "traffic in Azure stays in Azure" so that communication across resources in Azure occurs via the Microsoft backbone network. Severity: Medium. Reference: Azure Virtual WAN Overview | Microsoft Docs
For outbound internet traffic protection and filtering, deploy Azure Firewall. Severity: Medium. Reference: Azure Virtual WAN Overview | Microsoft Docs
When you're deploying partner networking technologies and NVAs, verify the configuration against the partner vendor's guidance to ensure there are no conflicting configurations. Severity: Medium. Reference: Azure Virtual WAN Overview | Microsoft Docs
Ensure that Azure Virtual WAN and Azure Firewall resources are created in the connectivity subscription. Severity: Medium. Reference: Azure Virtual WAN Overview | Microsoft Docs
Ensure that the network architecture is within the Azure Virtual WAN limits. Severity: Medium. Reference: Azure Virtual WAN Overview | Microsoft Docs
Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN as well as its status and key metrics.

Traditional Azure networking topology

Consider a network design based on the traditional hub-and-spoke network topology for the following scenarios. Severity: Medium. Reference: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity
  - A network architecture deployed within a single Azure region.
  - A network architecture spans multiple Azure regions, and there's no need for transitive connectivity between virtual networks for landing zones across regions.
  - A network architecture spans multiple Azure regions, and global VNet peering can be used to connect virtual networks across Azure regions.
  - There's no need for transitive connectivity between VPN and ExpressRoute connections.
  - The main hybrid connectivity method in place is ExpressRoute, and the number of VPN connections is less than 30 per VPN gateway.
  - There's a dependency on centralized NVAs and granular routing.
Use the topology of multiple virtual networks connected with multiple ExpressRoute circuits when one of these conditions is true. Severity: Medium. Reference: Extend an on-premises network using ExpressRoute – Azure Architecture Center | Microsoft Docs
  - You need a high level of isolation.
  - You need dedicated ExpressRoute bandwidth for specific business units. Check: Have you got a mechanism for testing the maximum bandwidth needed or used at this moment in time?
  - You've reached the maximum number of connections per ExpressRoute gateway (refer to the ExpressRoute limits article for the maximum number).
Ensure that shared services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs, are deployed in the central-hub virtual network. If necessary, also deploy Active Directory domain controllers and DNS servers there. Severity: Medium. Check: Are you following a shared services model, with key infrastructure and networking deployed in a central location? Reference: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity
When you're deploying partner networking technologies or NVAs, follow the partner vendor's guidance to ensure that the following hold. Severity: Medium. Reference: Network Virtual Appliances | Microsoft Azure
  - The vendor supports the deployment.
  - The guidance is designed for high availability and maximal performance.
  - There are no conflicting configurations with Azure networking.
Don't deploy L7 inbound NVAs such as Azure Application Gateway as a shared service in the central-hub virtual network. Instead, deploy them together with the app in their respective landing zones. Severity: Medium. Reference: Network Virtual Appliances | Microsoft Azure
Don't plan for transit in Azure between ExpressRoute and VPN gateways; it isn't supported. Severity: Medium. Reference: FAQ – Azure ExpressRoute | Microsoft Docs
For network architectures with multiple hub-and-spoke topologies across Azure regions, use global virtual network peering to connect landing-zone virtual networks when a small number of landing zones need to communicate across regions. Severity: Medium. Reference: FAQ – Azure ExpressRoute | Microsoft Docs
When you deploy a hub-and-spoke network architecture in two Azure regions and transit connectivity between all landing zones across regions is required, use ExpressRoute with dual circuits to provide transit connectivity for landing-zone virtual networks across Azure regions. Severity: Medium. Reference: FAQ – Azure ExpressRoute | Microsoft Docs
Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure. Severity: Medium. Check: Do you have a monitoring solution for your Azure networking components? Reference: Azure Monitor Network Insights – Azure Monitor | Microsoft Docs
When connecting spoke virtual networks to the central hub virtual network, there are two limits that must be considered. Severity: Medium. Reference: Hub-spoke network topology in Azure – Azure Reference Architectures | Microsoft Docs
  - The maximum number of virtual network peering connections per virtual network.
  - The maximum number of prefixes advertised from Azure to on-premises via ExpressRoute with private peering.

Connectivity to Azure

Ensure that you have investigated the possibility of using ExpressRoute as the primary connection to Azure. Severity: Medium. Reference: Azure ExpressRoute: Routing requirements | Microsoft Docs
When you use multiple ExpressRoute circuits, optimize ExpressRoute routing via BGP local preference and AS-PATH prepending. Severity: Medium. Reference: Azure ExpressRoute: Routing requirements | Microsoft Docs
Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Severity: Medium. Reference: About ExpressRoute virtual network gateways – Azure | Microsoft Docs
Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Severity: Medium. Reference: Azure networking documentation | Microsoft Docs
For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct. Severity: Medium. Check: Do you need more bandwidth than 10 Gbps or dedicated 100 Gbps? Reference: Azure ExpressRoute: Routing requirements | Microsoft Docs
When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from the data path. Severity: Medium. Check: Do you need very low latency or more than 10 Gbps from on-premises? Reference: Azure ExpressRoute: Routing requirements | Microsoft Docs
Use VPN gateways to connect branches or remote locations to Azure. For higher resilience, deploy zone-redundant gateways (where available). Severity: Medium. Check: Are you using zone-redundant (where applicable) VPN gateways to connect branches or remote locations to Azure? Reference: Azure networking documentation | Microsoft Docs
Use ExpressRoute Global Reach to connect large offices, regional headquarters, or datacenters connected to Azure via ExpressRoute. Severity: Medium. Check: Do you need to connect large offices or regional headquarters to Azure with a connection that has an SLA? Reference: Azure networking documentation | Microsoft Docs
When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction environments, use different ExpressRoute circuits. This helps ensure isolated routing domains and alleviates noisy-neighbor risks. Severity: Medium. Check: Are you separating production and non-production while using ExpressRoute? Are you using multiple ExpressRoute circuits? Reference: Azure networking documentation | Microsoft Docs
Proactively monitor ExpressRoute circuits by using Network Performance Monitor. Severity: Medium. Check: Are you using NPM to monitor your ExpressRoute circuits? Reference: Azure networking documentation | Microsoft Docs
Don't explicitly use ExpressRoute circuits from a single peering location. This creates a single point of failure and makes the organization susceptible to peering location outages. Severity: Medium. Check: Are you using only one peering location? Have you created a single point of failure? Reference: Azure networking documentation | Microsoft Docs

Connectivity to Azure PaaS Services

Use virtual network injection for supported Azure services to make them available from within the virtual network. Severity: Medium. Reference: Networking features – Azure App Service | Microsoft Docs
Azure PaaS services that have been injected into a virtual network still perform management plane operations by using public IP addresses. Ensure that this communication is locked down within the virtual network by using UDRs and NSGs. Severity: Medium. Reference: Networking features – Azure App Service | Microsoft Docs
Use Private Link, where available, for shared Azure PaaS services. Severity: Medium. Reference: Networking features – Azure App Service | Microsoft Docs
Access Azure PaaS services from on-premises via ExpressRoute private peering. This method avoids transiting over the public internet. Severity: Medium. Reference: Networking features – Azure App Service | Microsoft Docs
Use virtual network service endpoints to secure access to Azure PaaS services from within the virtual network, but only when Private Link isn't available and there are no data exfiltration concerns. To address data exfiltration concerns with service endpoints, use NVA filtering or use virtual network service endpoint policies for Azure Storage. Severity: Medium. Reference: Networking features – Azure App Service | Microsoft Docs
Don't enable virtual network service endpoints by default on all subnets. Severity: Medium. Reference: Networking features – Azure App Service | Microsoft Docs
Don't use virtual network service endpoints when there are data exfiltration concerns unless you use NVA filtering. Severity: Medium. Reference: Networking features – Azure App Service | Microsoft Docs
Don't implement forced tunneling to enable communication from Azure to Azure resources. Severity: Medium. Reference: Networking features – Azure App Service | Microsoft Docs

Plan for inbound and outbound internet connectivity

Use Azure Firewall to govern the following. Severity: Medium. Reference: Azure Firewall documentation | Microsoft Docs
  - Azure outbound traffic to the internet.
  - Non-HTTP/S inbound connections.
  - East/west traffic filtering (if the organization requires it).
Use Firewall Manager with Virtual WAN to deploy and manage Azure firewalls across Virtual WAN hubs or in hub virtual networks. Firewall Manager is now in general availability for both Virtual WAN and regular virtual networks. Severity: Medium. Reference: Azure Firewall documentation | Microsoft Docs
Create a global Azure Firewall policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. Allow for granular policies to meet requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control. Severity: Medium. Reference: Azure Firewall documentation | Microsoft Docs
Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use such solutions to help protect outbound connections. Severity: Medium. Reference: Azure Firewall documentation | Microsoft Docs
Use WAF within a landing-zone virtual network for protecting inbound HTTP/S traffic from the internet. Severity: Medium. Reference: What is Azure Web Application Firewall on Azure Application Gateway? – Azure Web Application Firewall | Microsoft Docs
Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone. Severity: Medium. Reference: What is Azure Web Application Firewall on Azure Application Gateway? – Azure Web Application Firewall | Microsoft Docs
When you're using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in Azure Front Door. Lock down Azure Application Gateway to receive traffic only from Azure Front Door. Severity: Medium. Reference: What is Azure Web Application Firewall on Azure Application Gateway? – Azure Web Application Firewall | Microsoft Docs
If partner NVAs are required for east/west or south/north traffic protection and filtering, follow the guidance below. Severity: Medium. Reference: Network Virtual Appliances | Microsoft Azure
  - For Virtual WAN network topologies, deploy the NVAs to a separate virtual network (for example, an NVA virtual network). Then connect it to the regional Virtual WAN hub and to the landing zones that require access to the NVAs. This article describes the process.
  - For non-Virtual WAN network topologies, deploy the partner NVAs in the central-hub virtual network.
If partner NVAs are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet. Severity: Medium. Reference: Network Virtual Appliances | Microsoft Azure
Use Azure DDoS Protection Standard protection plans to help protect all public endpoints hosted within the virtual networks. Severity: Medium. Reference: Azure DDoS Protection Standard Overview | Microsoft Docs

Plan for app delivery

Perform app delivery within landing zones for both internal-facing and external-facing apps. Severity: Medium. Check: Have you got a method to cater to internal and external traffic with your application? Reference: Organize your Azure resources effectively – Cloud Adoption Framework | Microsoft Docs
For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled. Severity: Medium. Check: Are you using HTTP/S and Application Gateway v2 with WAF enabled? Reference: What is Azure Web Application Firewall on Azure Application Gateway? – Azure Web Application Firewall | Microsoft Docs
Use a partner NVA if you can't use Application Gateway v2 for the security of HTTP/S apps. Severity: Medium. Check: Are you using an NVA where Application Gateway v2 can't be used? Reference: What is Azure Web Application Firewall on Azure Application Gateway? – Azure Web Application Firewall | Microsoft Docs
Deploy Azure Application Gateway v2 or partner NVAs used for inbound HTTP/S connections within the landing-zone virtual network and with the apps that they're securing. Severity: Medium. Check: Are you using Azure Application Gateway or an NVA to secure traffic between VNets and apps? Reference: What is Azure Web Application Firewall on Azure Application Gateway? – Azure Web Application Firewall | Microsoft Docs
Use a DDoS Standard protection plan for all public IP addresses in a landing zone. Severity: Medium. Check: Are you using DDoS Protection Standard? Reference: Azure DDoS Protection Standard Overview | Microsoft Docs
Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span Azure regions. Severity: Medium. Check: Are you using Azure Front Door with WAF for multi-region app deployment? Reference: What is Azure Web Application Firewall on Azure Application Gateway? – Azure Web Application Firewall | Microsoft Docs
When you're using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. Lock down Application Gateway to receive traffic only from Front Door. Severity: Medium. Check: If you are using Azure Front Door, have you locked down the Application Gateway to only receive traffic from Azure Front Door? Reference: What is Azure Web Application Firewall on Azure Application Gateway? – Azure Web Application Firewall | Microsoft Docs
Use Traffic Manager to deliver global apps that span protocols other than HTTP/S. Severity: Medium. Check: Are you using Traffic Manager for multi-region deployment for protocols other than HTTP/S? Reference: What is Azure Web Application Firewall on Azure Application Gateway? – Azure Web Application Firewall | Microsoft Docs
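The "lock down Application Gateway to receive traffic only from Front Door" item appears both in the internet connectivity section and in the app delivery section above. The following added example (not part of the original checklist) evaluates an NSG inbound rule set for the Application Gateway subnet the way Azure does, lowest priority number first with the platform default rules last, to verify that only Front Door reaches port 443; the service-tag names are real Azure tags, while the rule sets themselves are constructed sample data.

```python
"""Added example, not from the original checklist: evaluates constructed NSG
inbound rule sets (first match by ascending priority, then Azure's default
rules) to verify an Application Gateway subnet accepts HTTPS only from Front Door."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # custom rules use 100-4096; the lowest number is evaluated first
    access: str      # "Allow" or "Deny"
    source: str      # a service tag such as "Internet" or "AzureFrontDoor.Backend", or "*"
    dest_ports: str  # "443", "65200-65535" or "*"

# Default inbound rules that every NSG carries (they cannot be deleted, only overridden).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]

# Constructed locked-down rule set: only Front Door may reach 443, and the
# GatewayManager tag keeps the control-plane ports Application Gateway v2 needs.
LOCKED_RULES = [
    Rule("AllowFrontDoorHttps", 100, "Allow", "AzureFrontDoor.Backend", "443"),
    Rule("AllowGatewayManager", 110, "Allow", "GatewayManager", "65200-65535"),
    Rule("DenyInternetHttps", 200, "Deny", "Internet", "443"),
]

# Constructed weak rule set: a broad "Internet" allow with a lower priority
# number shadows the lockdown, so any internet client reaches the gateway.
WEAK_RULES = [Rule("AllowAnyHttps", 90, "Allow", "Internet", "443")] + LOCKED_RULES

def port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, source_tags, port):
    """Return (name of the first matching rule, allowed?) for a flow from source_tags.

    A Front Door POP address belongs to both "AzureFrontDoor.Backend" and the
    broader "Internet" tag, which is why the source is a set of tags.
    """
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (rule.source == "*" or rule.source in source_tags) and port_matches(rule.dest_ports, port):
            return rule.name, rule.access == "Allow"
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")

FRONT_DOOR = {"AzureFrontDoor.Backend", "Internet"}
ANY_INTERNET_HOST = {"Internet"}

def front_door_lockdown_ok(rules):
    """True only if Front Door can reach 443 and an arbitrary internet host cannot."""
    _, fd_allowed = evaluate(rules, FRONT_DOOR, 443)
    _, inet_allowed = evaluate(rules, ANY_INTERNET_HOST, 443)
    return fd_allowed and not inet_allowed

if __name__ == "__main__":
    for label, rules in (("locked", LOCKED_RULES), ("weak", WEAK_RULES)):
        print(label, "internet->443 hits", evaluate(rules, ANY_INTERNET_HOST, 443),
              "lockdown ok:", front_door_lockdown_ok(rules))
```

The AzureFrontDoor.Backend tag admits traffic from every Front Door profile, not only yours, so the documented lockdown also validates the X-Azure-FDID header at the gateway; the NSG check above covers only the network layer.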

Plan for landing zone network segmentation

Delegate subnet creation to the landing zone owner. Severity: Medium. Reference: Organize your Azure resources effectively – Cloud Adoption Framework | Microsoft Docs
Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones). Severity: Medium. Reference: Network security group – how it works | Microsoft Docs
The application team should use application security groups within the subnet-level NSGs to help protect multitier VMs within the landing zone. Severity: Medium. Reference: Network security group – how it works | Microsoft Docs
Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a central NVA to filter traffic flows. Severity: Medium. Reference: Network security group – how it works | Microsoft Docs
Enable NSG flow logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows. Severity: Medium. Reference: Network security group – how it works | Microsoft Docs
Use NSGs to selectively allow connectivity between landing zones. Severity: Medium. Reference: Network security group – how it works | Microsoft Docs
For Virtual WAN topologies, route traffic across landing zones via Azure Firewall if the organization requires filtering and logging capabilities for traffic flowing across landing zones. Severity: Medium. Reference: Azure Firewall documentation | Microsoft Docs

Define network encryption requirements

When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level between the organization's routers and the MSEE. The diagram shows this encryption in flow B. Severity: Medium. Reference: About Azure ExpressRoute Direct | Microsoft Docs
If traffic between Azure regions must be encrypted, use global VNet peering to connect virtual networks across regions. Severity: Medium. Reference: Azure Virtual Network peering | Microsoft Docs
For Virtual WAN scenarios where MACsec isn't an option (for example, when not using ExpressRoute Direct), use a Virtual WAN VPN gateway to establish IPsec tunnels over ExpressRoute private peering. Severity: Medium. Reference: Azure Virtual WAN Overview | Microsoft Docs

Plan for traffic inspection

Use Network Watcher packet capture, despite its limited capture window. Severity: Medium. Reference: Azure Network Watcher | Microsoft Docs
Evaluate whether the latest version of NSG flow logs provides the level of detail that you need. Severity: Medium. Reference: Network security group – how it works | Microsoft Docs
Use partner solutions for scenarios that require deep packet inspection. Severity: Medium. Reference: Use Azure Firewall to inspect traffic destined to a private endpoint – Azure Private Link | Microsoft Docs
Don't develop a custom solution to mirror traffic. Although this approach might be acceptable for small-scale scenarios, we don't encourage it at scale because of the complexity and the supportability issues that might arise. Severity: Medium. Reference: Plan for traffic inspection – Cloud Adoption Framework | Microsoft Docs

See you in the next area of the landing zone.
