Azure Landing Zone Review Checklist – Networking
Azure has a wide range of services that provide connectivity between Azure resources, from an on-premises network to Azure resources, and between branches in Azure: Virtual Network (VNet), ExpressRoute, VPN Gateway, Virtual WAN, Virtual Network NAT Gateway, Azure DNS, Azure Peering Service, Azure Bastion and others. Making sure the connectivity posture for your environment is properly planned gives you the confidence to land any workload in the Azure environment without worries. Each area below lists the recommendation, its review priority, the question to ask during the review, and the reference documentation.
Plan for IP addressing
| Recommendation | Priority | Review question | Reference |
|---|---|---|---|
| Ensure there are no overlapping IP address spaces across Azure regions and on-premises locations. | Medium | Do you have an IPAM process that ensures there are no overlapping IP addresses? | Plan for IP addressing – Cloud Adoption Framework (Microsoft Docs) |
| Use IP addresses from the address allocation for private internets (RFC 1918). | Medium | Are you using only RFC 1918 compliant IP ranges (the Class A, B or C private blocks)? | Plan for IP addressing – Cloud Adoption Framework (Microsoft Docs) |
| Ensure that IP address space isn't wasted; don't create unnecessarily large virtual networks (for example, /16). | Medium | What is the largest IP CIDR block you have allocated? | Plan for IP addressing – Cloud Adoption Framework (Microsoft Docs) |
| Ensure no public IP addresses are used inside a VNet. | Medium | Are you using public IP addresses within the VNet? | Plan for IP addressing – Cloud Adoption Framework (Microsoft Docs) |
| Avoid overlapping IP address ranges for production and DR sites. | Medium | Do you have dedicated, non-overlapping IP address range(s) for production and DR? | https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances |
| For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution. Create a delegated zone for name resolution (such as azure.contoso.com). | Medium | Azure only – do you have a DNS strategy for Azure name resolution? | https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances |
| For environments where name resolution across Azure and on-premises is required, use existing DNS infrastructure (for example, Active Directory-integrated DNS) deployed onto at least two virtual machines (VMs). Configure DNS settings in virtual networks to use those DNS servers. | Medium | Hybrid DNS – have you configured the required DNS settings at the VNet level, pointing to your domain controllers? | https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances |
| Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution. | Medium | Specific DNS – have you looked at the vendor guidance? | https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances |
| Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual network. | | Have you enabled auto-registration with Azure DNS? | |
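The IP addressing rows above are the ones a reviewer can check mechanically from an exported address plan. The script below is an added example for this checklist, not code from the page or from Microsoft: it takes a constructed address plan (names and ranges are made up) and flags overlaps across regions, on-premises and DR, ranges outside RFC 1918 (which also catches public ranges inside a VNet), and VNets larger than a hypothetical IPAM policy allows.

```python
"""Check an Azure landing-zone IP address plan against the checklist rows.

Added example for this review checklist, not code from the page or from
Microsoft. The plan, the names and the /20 size limit are constructed.
"""
import ipaddress

# RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical IPAM policy for this example: a VNet may not be larger than /20.
MAX_VNET_PREFIX_LEN = 20

# Constructed sample plan: name -> CIDR. Azure entries are prefixed "azure-".
SAMPLE_PLAN = {
    "onprem-dc1": "10.0.0.0/16",
    "onprem-dr": "10.1.0.0/16",
    "azure-weu-hub": "10.10.0.0/22",
    "azure-weu-lz-app1": "10.10.4.0/22",
    "azure-neu-hub": "10.20.0.0/22",
    "azure-neu-lz-app2": "10.20.0.0/23",      # overlaps the North Europe hub
    "azure-weu-lz-bigvnet": "10.30.0.0/16",   # larger than the policy allows
    "azure-weu-lz-public": "203.0.113.0/24",  # non-RFC 1918 space inside a VNet
}


def _networks(plan):
    return {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}


def find_overlaps(plan):
    """Return sorted (name_a, name_b) pairs whose ranges overlap anywhere in the estate."""
    nets = _networks(plan)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def non_rfc1918(plan):
    """Names whose range is not fully inside one RFC 1918 block."""
    return sorted(name for name, net in _networks(plan).items()
                  if not any(net.subnet_of(block) for block in RFC1918))


def oversized_vnets(plan, max_prefix_len=MAX_VNET_PREFIX_LEN):
    """Azure VNets whose prefix is bigger (a smaller prefix length) than policy allows."""
    return sorted(name for name, net in _networks(plan).items()
                  if name.startswith("azure-") and net.prefixlen < max_prefix_len)


def review(plan=SAMPLE_PLAN):
    """Run all checks; an empty dict means the plan passes."""
    findings = {
        "overlaps": find_overlaps(plan),
        "non_rfc1918": non_rfc1918(plan),
        "oversized_vnets": oversized_vnets(plan),
    }
    return {k: v for k, v in findings.items() if v}


if __name__ == "__main__":
    for check, items in review().items():
        print(f"{check}: {items}")
```

Feeding the script the real plan (for example, the address spaces exported from the IPAM tool plus the on-premises and DR ranges) answers the first five review questions in one pass; the size limit is the value to adjust to the organization's own policy.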
Virtual WAN network topology (Microsoft-managed)
| Recommendation | Priority | Review question | Reference |
|---|---|---|---|
| | Medium | Do you have multiple branches and locations that you would like to connect to Azure independently? | Azure Virtual WAN Overview (Microsoft Docs) |
| For new large or global network deployments in Azure where you need global transit connectivity across Azure regions and on-premises locations, use Virtual WAN. | Medium | | Azure Virtual WAN Overview (Microsoft Docs) |
| Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a common global Azure Virtual WAN. | Medium | | Azure Virtual WAN Overview (Microsoft Docs) |
| Use Virtual Hub Routing features to further segment traffic between VNets and branches. | Medium | | Azure Virtual WAN Overview (Microsoft Docs) |
| Connect Virtual WAN hubs to on-premises datacenters by using ExpressRoute. | Medium | | Azure Virtual WAN Overview (Microsoft Docs) |
| Connect branches and remote locations to the nearest Virtual WAN hub via Site-to-Site VPN, or enable branch connectivity to Virtual WAN via an SD-WAN partner solution. | Medium | | Azure Virtual WAN Overview (Microsoft Docs) |
| Connect users to the Virtual WAN hub via a Point-to-Site VPN. | Medium | | Azure Virtual WAN Overview (Microsoft Docs) |
| Follow the principle "traffic in Azure stays in Azure" so that communication across resources in Azure occurs via the Microsoft backbone network. | Medium | | Azure Virtual WAN Overview (Microsoft Docs) |
| For outbound internet traffic protection and filtering, deploy Azure Firewall. | Medium | | Azure Virtual WAN Overview (Microsoft Docs) |
| When you're deploying partner networking technologies and NVAs, verify the configuration against the partner vendor's guidance to ensure there are no conflicting configurations. | Medium | | Azure Virtual WAN Overview (Microsoft Docs) |
| Ensure that Azure Virtual WAN and Azure Firewall resources are created in the connectivity subscription. | Medium | | Azure Virtual WAN Overview (Microsoft Docs) |
| Ensure that the network architecture is within the Azure Virtual WAN limits. | Medium | | Azure Virtual WAN Overview (Microsoft Docs) |
| Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN as well as its status and key metrics. | | | |
Traditional Azure networking topology
| Recommendation | Priority | Review question | Reference |
|---|---|---|---|
| Consider a network design based on the traditional hub-and-spoke topology for these scenarios: (1) a network architecture deployed within a single Azure region; (2) a network architecture that spans multiple Azure regions with no need for transitive connectivity between landing-zone virtual networks across regions; (3) a network architecture that spans multiple Azure regions where global VNet peering can be used to connect virtual networks across regions; (4) no need for transitive connectivity between VPN and ExpressRoute connections; (5) the main hybrid connectivity method in place is ExpressRoute, and the number of VPN connections is less than 30 per VPN gateway; (6) a dependency on centralized NVAs and granular routing. | Medium | | https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity |
| Use the topology of multiple virtual networks connected with multiple ExpressRoute circuits when one of these conditions is true: (1) you need a high level of isolation; (2) you need dedicated ExpressRoute bandwidth for specific business units; (3) you've reached the maximum number of connections per ExpressRoute gateway (refer to the ExpressRoute limits article for the maximum number). | Medium | Have you got a mechanism for testing the maximum bandwidth needed or used at this moment in time? | Extend an on-premises network using ExpressRoute – Azure Architecture Center (Microsoft Docs) |
| Ensure that shared services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs, are deployed in the central-hub virtual network. If necessary, also deploy Active Directory domain controllers and DNS servers there. | Medium | Are you following a shared services model, with key infrastructure and networking deployed in a central location? | https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity |
| When you're deploying partner networking technologies or NVAs, follow the partner vendor's guidance to ensure that: (1) the vendor supports the deployment; (2) the guidance is designed for high availability and maximal performance; (3) there are no conflicting configurations with Azure networking. | Medium | | Network Virtual Appliances (Microsoft Azure) |
| Don't deploy L7 inbound NVAs such as Azure Application Gateway as a shared service in the central-hub virtual network. Instead, deploy them together with the app in their respective landing zones. | Medium | | Network Virtual Appliances (Microsoft Azure) |
| Ensure the design does not rely on transit in Azure between ExpressRoute and VPN gateways; this isn't supported. | Medium | | FAQ – Azure ExpressRoute (Microsoft Docs) |
| For network architectures with multiple hub-and-spoke topologies across Azure regions, use global virtual network peering to connect landing-zone virtual networks when a small number of landing zones need to communicate across regions. | Medium | | FAQ – Azure ExpressRoute (Microsoft Docs) |
| When you deploy a hub-and-spoke network architecture in two Azure regions and transit connectivity between all landing zones across regions is required, use ExpressRoute with dual circuits to provide transit connectivity for landing-zone virtual networks across Azure regions. | Medium | | FAQ – Azure ExpressRoute (Microsoft Docs) |
| Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure. | Medium | Do you have a monitoring solution for your Azure networking components? | Azure Monitor Network Insights – Azure Monitor (Microsoft Docs) |
| When connecting spoke virtual networks to the central hub virtual network, two limits must be considered: (1) the maximum number of virtual network peering connections per virtual network; (2) the maximum number of prefixes advertised from Azure to on-premises via ExpressRoute with private peering. | Medium | | Hub-spoke network topology in Azure – Azure Reference Architectures (Microsoft Docs) |
Connectivity to Azure
| Recommendation | Priority | Review question | Reference |
|---|---|---|---|
| Ensure that you have investigated the possibility of using ExpressRoute as the primary connection to Azure. | Medium | | Azure ExpressRoute: Routing requirements (Microsoft Docs) |
| When you use multiple ExpressRoute circuits, optimize ExpressRoute routing via BGP local preference and AS-PATH prepending. | Medium | | Azure ExpressRoute: Routing requirements (Microsoft Docs) |
| Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. | Medium | | About ExpressRoute virtual network gateways – Azure (Microsoft Docs) |
| Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. | Medium | | Azure networking documentation (Microsoft Docs) |
| For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct. | Medium | Do you need more bandwidth than 10 Gbps, or dedicated 100 Gbps ports? | Azure ExpressRoute: Routing requirements (Microsoft Docs) |
| When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway in the data path. | Medium | Do you need very low latency, or more than 10 Gbps from on-premises? | Azure ExpressRoute: Routing requirements (Microsoft Docs) |
| Use VPN gateways to connect branches or remote locations to Azure. For higher resilience, deploy zone-redundant gateways (where available). | Medium | Are you using zone-redundant (where applicable) VPN gateways to connect branches or remote locations to Azure? | Azure networking documentation (Microsoft Docs) |
| Use ExpressRoute Global Reach to connect large offices, regional headquarters, or datacenters that are connected to Azure via ExpressRoute. | Medium | Do you need to connect large offices or regional headquarters to Azure with a connection that has an SLA? | Azure networking documentation (Microsoft Docs) |
| When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction environments, use different ExpressRoute circuits. This ensures isolated routing domains and alleviates noisy-neighbor risks. | Medium | Are you separating production and non-production while using ExpressRoute? Are you using multiple ExpressRoute circuits? | Azure networking documentation (Microsoft Docs) |
| Proactively monitor ExpressRoute circuits by using Network Performance Monitor. | Medium | Are you using NPM to monitor your ExpressRoute circuits? | Azure networking documentation (Microsoft Docs) |
| Don't use ExpressRoute circuits from a single peering location only. This creates a single point of failure and makes the organization susceptible to peering location outages. | Medium | Are you using only one peering location? Have you created a single point of failure? | Azure networking documentation (Microsoft Docs) |
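The dual-circuit row above names two BGP levers without showing how they interact. The following is an added example, not Microsoft's code: a toy BGP best-path chooser in which local preference (set by the on-premises edge's inbound policy) decides which circuit carries traffic toward Azure, and AS-path prepending on the secondary circuit steers Azure's return traffic to the primary because the shorter AS path wins. All ASNs, prefixes and circuit names are constructed for the example.

```python
"""Model BGP path preference across two ExpressRoute circuits.

Added example, not Microsoft's code. ASNs, prefixes and circuit names are
constructed; only the first two BGP decision steps are modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    circuit: str      # which ExpressRoute circuit the route arrived over
    local_pref: int   # BGP LOCAL_PREF, 100 when no inbound policy sets it
    as_path: tuple    # ASNs on the path; prepending repeats the origin ASN


def best_path(routes):
    """BGP decision (first two steps): highest LOCAL_PREF, then shortest AS path."""
    if not routes:
        return None
    return sorted(routes, key=lambda r: (-r.local_pref, len(r.as_path), r.circuit))[0]


ONPREM_ASN, AZURE_ASN = 65010, 65020  # constructed private ASNs for the example


def on_prem_best(primary_up=True):
    """Azure prefix as seen by the on-premises edge over each circuit."""
    routes = [Route("10.10.0.0/16", "secondary", 100, (AZURE_ASN,))]
    if primary_up:
        # Inbound route map on the edge raises LOCAL_PREF for the primary circuit.
        routes.append(Route("10.10.0.0/16", "primary", 200, (AZURE_ASN,)))
    return best_path(routes)


def azure_best(primary_up=True):
    """On-premises prefix as received on the Azure side; no LOCAL_PREF policy there."""
    # The secondary circuit advertises the prefix with the origin ASN prepended twice.
    routes = [Route("10.0.0.0/16", "secondary", 100, (ONPREM_ASN,) * 3)]
    if primary_up:
        routes.append(Route("10.0.0.0/16", "primary", 100, (ONPREM_ASN,)))
    return best_path(routes)


if __name__ == "__main__":
    for up in (True, False):
        print(f"primary up={up}: to Azure via {on_prem_best(up).circuit}, "
              f"from Azure via {azure_best(up).circuit}")
```

The point for a reviewer is the symmetry: local preference only influences the direction the on-premises routers control, so without the prepending on the secondary circuit the return path from Azure can differ from the forward path, and the failover case (primary down) should be walked through for both directions.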
Connectivity to Azure PaaS Services
| Recommendation | Priority | Review question | Reference |
|---|---|---|---|
| Use virtual network injection for supported Azure services to make them available from within the virtual network. | Medium | | Networking features – Azure App Service (Microsoft Docs) |
| Azure PaaS services that have been injected into a virtual network still perform management plane operations by using public IP addresses. Ensure that this communication is locked down within the virtual network by using UDRs and NSGs. | Medium | | Networking features – Azure App Service (Microsoft Docs) |
| Use Private Link, where available, for shared Azure PaaS services. | Medium | | Networking features – Azure App Service (Microsoft Docs) |
| Access Azure PaaS services from on-premises via ExpressRoute private peering. This method avoids transiting over the public internet. | Medium | | Networking features – Azure App Service (Microsoft Docs) |
| Use virtual network service endpoints to secure access to Azure PaaS services from within the virtual network, but only when Private Link isn't available and there are no data exfiltration concerns. To address data exfiltration concerns with service endpoints, use NVA filtering or use virtual network service endpoint policies for Azure Storage. | Medium | | Networking features – Azure App Service (Microsoft Docs) |
| Don't enable virtual network service endpoints by default on all subnets. | Medium | | Networking features – Azure App Service (Microsoft Docs) |
| Don't use virtual network service endpoints when there are data exfiltration concerns unless you use NVA filtering. | Medium | | Networking features – Azure App Service (Microsoft Docs) |
| Don't implement forced tunneling to enable communication from Azure to Azure resources. | Medium | | Networking features – Azure App Service (Microsoft Docs) |
Plan for inbound and outbound internet connectivity
| Recommendation | Priority | Review question | Reference |
|---|---|---|---|
| Use Azure Firewall to govern: (1) Azure outbound traffic to the internet; (2) non-HTTP/S inbound connections; (3) east/west traffic filtering (if the organization requires it). | Medium | | Azure Firewall documentation (Microsoft Docs) |
| Use Firewall Manager with Virtual WAN to deploy and manage Azure Firewall instances across Virtual WAN hubs or in hub virtual networks. Firewall Manager is now generally available for both Virtual WAN and regular virtual networks. | Medium | | Azure Firewall documentation (Microsoft Docs) |
| Create a global Azure Firewall policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. Allow for granular policies to meet the requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control. | Medium | | Azure Firewall documentation (Microsoft Docs) |
| Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use such solutions to help protect outbound connections. | Medium | | Azure Firewall documentation (Microsoft Docs) |
| Use WAF within a landing-zone virtual network for protecting inbound HTTP/S traffic from the internet. | Medium | | What is Azure Web Application Firewall on Azure Application Gateway? – Azure Web Application Firewall (Microsoft Docs) |
| Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone. | Medium | | What is Azure Web Application Firewall on Azure Application Gateway? – Azure Web Application Firewall (Microsoft Docs) |
| When you're using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in Azure Front Door. Lock down Azure Application Gateway to receive traffic only from Azure Front Door. | Medium | | What is Azure Web Application Firewall on Azure Application Gateway? – Azure Web Application Firewall (Microsoft Docs) |
| If partner NVAs are required for east/west or south/north traffic protection and filtering: (1) for Virtual WAN network topologies, deploy the NVAs to a separate virtual network (for example, an NVA virtual network), then connect it to the regional Virtual WAN hub and to the landing zones that require access to the NVAs (the referenced article describes the process); (2) for non-Virtual WAN network topologies, deploy the partner NVAs in the central-hub virtual network. | Medium | | Network Virtual Appliances (Microsoft Azure) |
| If partner NVAs are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network, together with the apps that they're protecting and exposing to the internet. | Medium | | Network Virtual Appliances (Microsoft Azure) |
| Use Azure DDoS Protection Standard protection plans to help protect all public endpoints hosted within the virtual networks. | Medium | | Azure DDoS Protection Standard Overview (Microsoft Docs) |
Plan for app delivery
| Recommendation | Priority | Review question | Reference |
|---|---|---|---|
| Perform app delivery within landing zones for both internal-facing and external-facing apps. | Medium | Have you got a method to cater for internal and external traffic to your application? | Organize your Azure resources effectively – Cloud Adoption Framework (Microsoft Docs) |
| For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled. | Medium | Are you using HTTP/S and Application Gateway v2 with WAF enabled? | What is Azure Web Application Firewall on Azure Application Gateway? – Azure Web Application Firewall (Microsoft Docs) |
| Use a partner NVA if you can't use Application Gateway v2 for the security of HTTP/S apps. | Medium | Are you using an NVA where Application Gateway v2 can't be used? | What is Azure Web Application Firewall on Azure Application Gateway? – Azure Web Application Firewall (Microsoft Docs) |
| Deploy Azure Application Gateway v2 or partner NVAs used for inbound HTTP/S connections within the landing-zone virtual network and with the apps that they're securing. | Medium | Are you using Azure Application Gateway or an NVA to secure traffic between VNets and apps? | What is Azure Web Application Firewall on Azure Application Gateway? – Azure Web Application Firewall (Microsoft Docs) |
| Use a DDoS Protection Standard plan for all public IP addresses in a landing zone. | Medium | Are you using DDoS Protection Standard? | Azure DDoS Protection Standard Overview (Microsoft Docs) |
| Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span Azure regions. | Medium | Are you using Azure Front Door with WAF for multi-region app deployment? | What is Azure Web Application Firewall on Azure Application Gateway? – Azure Web Application Firewall (Microsoft Docs) |
| When you're using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. Lock down Application Gateway to receive traffic only from Front Door. | Medium | If you are using Azure Front Door, have you locked down the Application Gateway to receive traffic only from Azure Front Door? | What is Azure Web Application Firewall on Azure Application Gateway? – Azure Web Application Firewall (Microsoft Docs) |
| Use Traffic Manager to deliver global apps that use protocols other than HTTP/S. | Medium | Are you using Traffic Manager for multi-region deployment of protocols other than HTTP/S? | What is Azure Web Application Firewall on Azure Application Gateway? – Azure Web Application Firewall (Microsoft Docs) |
Plan for landing zone network segmentation
| Recommendation | Priority | Review question | Reference |
|---|---|---|---|
| Delegate subnet creation to the landing zone owner. | Medium | | Organize your Azure resources effectively – Cloud Adoption Framework (Microsoft Docs) |
| Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones). | Medium | | Network security group – how it works (Microsoft Docs) |
| The application team should use application security groups within the subnet-level NSGs to help protect multitier VMs within the landing zone. | Medium | | Network security group – how it works (Microsoft Docs) |
| Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a central NVA to filter traffic flows. | Medium | | Network security group – how it works (Microsoft Docs) |
| Enable NSG flow logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows. | Medium | | Network security group – how it works (Microsoft Docs) |
| Use NSGs to selectively allow connectivity between landing zones. | Medium | | Network security group – how it works (Microsoft Docs) |
| For Virtual WAN topologies, route traffic across landing zones via Azure Firewall if the organization requires filtering and logging capabilities for traffic flowing across landing zones. | Medium | | Azure Firewall documentation (Microsoft Docs) |
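The rows on NSGs and application security groups describe micro-segmentation but not the evaluation order that makes it work, which is where reviews most often find gaps. The model below is an added example, not Azure's implementation: a minimal simulation of how an NSG processes inbound rules (lowest priority number first, first match wins, then the platform default rules) applied to a three-tier landing zone whose rules name tiers through ASGs instead of IPs. ASG names, addresses and rule names are constructed; the default rules, their priorities and the 168.63.129.16 platform address behind the AzureLoadBalancer tag are the real ones, while the Internet tag is approximated as "not RFC 1918".

```python
"""Simulate NSG inbound rule evaluation with application security groups.

Added example for the segmentation checklist rows, not Azure's implementation.
ASG names, addresses and custom rule names are constructed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # ASG name, CIDR, service tag ("VirtualNetwork", "Internet", ...) or "*"
    dest: str        # same forms as source
    dest_port: str   # single port or "*"


VNET = ipaddress.ip_network("10.10.4.0/22")  # constructed landing-zone VNet
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed ASG membership: NIC private IPs per tier.
ASG_MEMBERS = {
    "asg-web": {"10.10.4.4", "10.10.4.5"},
    "asg-app": {"10.10.5.4"},
    "asg-db": {"10.10.6.4"},
}

# Default inbound rules Azure adds to every NSG.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule(65500, "DenyAllInBound", "Deny", "*", "*", "*", "*"),
]

# Landing-zone rules: permit only the tier-to-tier paths, then deny the rest of
# the VNet at 4000 so the permissive AllowVnetInBound default never matches.
CUSTOM_INBOUND = [
    Rule(100, "AllowInternetToWeb", "Allow", "Tcp", "Internet", "asg-web", "443"),
    Rule(200, "AllowWebToApp", "Allow", "Tcp", "asg-web", "asg-app", "8080"),
    Rule(300, "AllowAppToDb", "Allow", "Tcp", "asg-app", "asg-db", "1433"),
    Rule(4000, "DenyVnetInBound", "Deny", "*", "VirtualNetwork", "VirtualNetwork", "*"),
]


def _matches(selector, ip):
    """Does an address match a rule selector? Service tags are approximated for the example."""
    if selector == "*":
        return True
    if selector in ASG_MEMBERS:
        return ip in ASG_MEMBERS[selector]
    addr = ipaddress.ip_address(ip)
    if selector == "VirtualNetwork":
        return addr in VNET
    if selector == "Internet":
        return not any(addr in block for block in RFC1918)
    if selector == "AzureLoadBalancer":
        return ip == "168.63.129.16"
    return addr in ipaddress.ip_network(selector)


def evaluate(src_ip, dst_ip, protocol, dst_port, custom_rules=None):
    """Return (access, rule_name) for an inbound flow: first matching rule in priority order."""
    custom = CUSTOM_INBOUND if custom_rules is None else custom_rules
    for rule in sorted(custom + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if rule.dest_port not in ("*", str(dst_port)):
            continue
        if _matches(rule.source, src_ip) and _matches(rule.dest, dst_ip):
            return rule.access, rule.name
    raise RuntimeError("DenyAllInBound should always match")


if __name__ == "__main__":
    print(evaluate("10.10.4.4", "10.10.6.4", "Tcp", 1433))   # web -> db: denied
    print(evaluate("10.10.4.4", "10.10.6.4", "Tcp", 1433, CUSTOM_INBOUND[:3]))  # without the deny
```

The review question this answers is whether each subnet-level NSG carries its own explicit VirtualNetwork-to-VirtualNetwork deny beneath the allow rules: without it, the web tier reaching the database directly is allowed by the default AllowVnetInBound rule, and the ASG rules above it only ever add permissions.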
Define network encryption requirements
| Recommendation | Priority | Review question | Reference |
|---|---|---|---|
| When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level between the organization's routers and the MSEE. The referenced diagram shows this encryption in flow B. | Medium | | About Azure ExpressRoute Direct (Microsoft Docs) |
| If traffic between Azure regions must be encrypted, use global VNet peering to connect virtual networks across regions. | Medium | | Azure Virtual Network peering (Microsoft Docs) |
| For Virtual WAN scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a Virtual WAN VPN gateway to establish IPsec tunnels over ExpressRoute private peering. | Medium | | Azure Virtual WAN Overview (Microsoft Docs) |
Plan for traffic inspection
| Recommendation | Priority | Review question | Reference |
|---|---|---|---|
| Use Network Watcher packet capture, despite its limited capture window. | Medium | | Azure Network Watcher (Microsoft Docs) |
| Evaluate whether the latest version of NSG flow logs provides the level of detail that you need. | Medium | | Network security group – how it works (Microsoft Docs) |
| Use partner solutions for scenarios that require deep packet inspection. | Medium | | Use Azure Firewall to inspect traffic destined to a private endpoint – Azure Private Link (Microsoft Docs) |
| Don't develop a custom solution to mirror traffic. Although this approach might be acceptable for small-scale scenarios, we don't encourage it at scale because of the complexity and supportability issues that might arise. | Medium | | Plan for traffic inspection – Cloud Adoption Framework (Microsoft Docs) |
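Both the segmentation row on feeding NSG flow logs into Traffic Analytics and the inspection row on whether the latest flow log version gives enough detail come down to what a version 2 record actually contains. The parser below is an added example, not part of the page or of Traffic Analytics: it reads the flow-tuple format that NSG flow logs v2 write to storage and produces the kind of summary Traffic Analytics gives you (denied flows, internet-bound egress, east/west traffic inside the VNet and byte counts). The JSON is constructed sample data following the documented v2 layout; the subscription, resource names, MAC and addresses are made up.

```python
"""Summarise NSG flow log (version 2) records.

Added example, not part of the page or of Traffic Analytics. The log below is
constructed sample data in the v2 layout: each tuple is
ts,src,dst,sport,dport,proto,direction,decision,state,pkts_s2d,bytes_s2d,pkts_d2s,bytes_d2s
where B (begin) records carry no counters and C/E records carry interval counters.
"""
import ipaddress
import json
from collections import Counter

SAMPLE_LOG = json.dumps({
    "records": [{
        "time": "2024-01-01T00:00:00.000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-LZ"
                      "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-APP",
        "properties": {
            "Version": 2,
            "flows": [
                {"rule": "UserRule_AllowWebToApp",
                 "flows": [{"mac": "000D3A000001", "flowTuples": [
                     "1704067200,10.10.4.4,10.10.5.4,50012,8080,T,I,A,B,,,,",
                     "1704067201,10.10.4.4,10.10.5.4,50012,8080,T,I,A,E,12,3400,10,9800"]}]},
                {"rule": "DefaultRule_DenyAllInBound",
                 "flows": [{"mac": "000D3A000001", "flowTuples": [
                     "1704067202,203.0.113.9,10.10.5.4,44123,22,T,I,D,B,,,,",
                     "1704067203,203.0.113.9,10.10.5.4,44124,3389,T,I,D,B,,,,"]}]},
                {"rule": "DefaultRule_AllowInternetOutBound",
                 "flows": [{"mac": "000D3A000001", "flowTuples": [
                     "1704067204,10.10.5.4,198.51.100.20,50100,443,T,O,A,E,30,6000,28,120000"]}]},
            ],
        },
    }]
})

FIELDS = ("ts", "src", "dst", "sport", "dport", "proto", "direction", "decision", "state",
          "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s")
VNET = ipaddress.ip_network("10.10.4.0/22")  # constructed landing-zone VNet


def parse_flows(raw):
    """Yield one dict per flow tuple, carrying the NSG rule that matched it."""
    for record in json.loads(raw)["records"]:
        props = record["properties"]
        if props.get("Version") != 2:
            raise ValueError("expected a version 2 flow log")
        for rule_block in props["flows"]:
            for nic in rule_block["flows"]:
                for tup in nic["flowTuples"]:
                    flow = dict(zip(FIELDS, tup.split(",")))
                    flow["rule"] = rule_block["rule"]
                    yield flow


def summarize(raw):
    """Counts of denied, east/west and internet-egress flows plus total bytes seen."""
    summary = Counter()
    for f in parse_flows(raw):
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if f["decision"] == "D":
            summary["denied"] += 1
        if src in VNET and dst in VNET:
            summary["east_west"] += 1
        elif f["direction"] == "O" and dst not in VNET:
            summary["internet_egress"] += 1
        if f["bytes_s2d"]:  # only C/E records carry counters
            summary["bytes"] += int(f["bytes_s2d"]) + int(f["bytes_d2s"])
    return dict(summary)


def denied_ports(raw):
    """Destination ports that were denied, the usual starting point for an exposure review."""
    return sorted({int(f["dport"]) for f in parse_flows(raw) if f["decision"] == "D"})


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(denied_ports(SAMPLE_LOG))
```

What the version 2 format does and does not carry is visible in the tuples: per-flow byte and packet counters and the matching rule name are there, but there is no payload, no TLS or HTTP detail, and no identity, which is exactly why the inspection rows above point to partner solutions when deep packet inspection is required.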
See you in the next area of the landing zone.