Network architecture in your enterprise scale framework

In this blog post, I describe the network decisions you will face when you bring your workloads to the Azure cloud.

The Enterprise Scale Framework

The Enterprise Scale Framework (part of the Microsoft Cloud Adoption Framework for Azure, today published as the Azure landing zone guidance) is a strategic approach designed to help organizations adopt and scale their cloud environments effectively within Microsoft Azure.

Why It’s Important to Implement

Scalability: The framework ensures that your cloud environment can grow alongside your business needs, accommodating increasing workloads and users without compromising performance.

Governance: It provides a structured approach to managing resources and ensures compliance with organizational policies and regulatory requirements.

Security: By following best practices, the framework helps protect your data and applications from threats, ensuring robust security measures are in place.

Operational Efficiency: It streamlines operations by automating processes and providing clear guidelines, reducing the complexity of managing cloud resources.

Cost Management: Helps optimize costs by providing insights and controls over resource usage, preventing overspending.

The key areas of the Enterprise Scale Framework

The Enterprise Scale Framework key areas are:

  • Landing Zones
  • Identity and Access Management
  • Networking
  • Security
  • Management and Monitoring
  • Governance
  • Cost Management
  • Automation and DevOps

Today, we are focusing on the “Networking” area of the Enterprise Scale Framework. The framework breaks the network design down into the topics below.

The main topics for the network design.

It is important that you have a good understanding of your requirements and of the network architecture in Azure. Keep in mind that changing the architecture later (for example, re-addressing a virtual network or moving to a different hub model) usually means downtime for your environment.

Define your Network Topology.

First of all, you have to define the right base topology. Depending on your requirements, two options are available:

Azure Virtual WAN-based Network Topology

Traditional Azure Networking Topology

There are a lot of questions to ask before making this decision. I want to shrink it down to two:

  • Is there a need for large-scale branch-to-branch connectivity (many sites or an SD-WAN integration)? If yes, Azure Virtual WAN manages that hub for you.
  • Is there a need for granular control of connectivity (your own hub virtual network, custom routing, network virtual appliances)? If yes, the traditional hub-and-spoke topology gives you that control.

Planning for IP Addressing

Based on the topology, you have to define an IP address space inside Azure. I strongly recommend an address space that does not overlap with your on-premises ranges (or with other clouds you connect to), because it makes everything easier: routing stays unambiguous, you avoid NAT between on-premises and Azure, and you can peer virtual networks later without re-addressing. Keep in mind that Azure reserves the first four and the last address of every subnet, and that the well-known subnets (GatewaySubnet, AzureFirewallSubnet, AzureBastionSubnet) have minimum sizes, so plan the hub larger than a first count of subnets suggests.
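To make the address-space planning concrete, here is an added example that is not part of the original post (and not Microsoft's code): it checks a candidate Azure address space against the on-premises ranges, carves a hub into subnets largest-block-first, accounts for the five addresses Azure reserves per subnet, and validates the well-known subnet sizes. All ranges and subnet names are constructed for the example.

```python
import ipaddress

# Constructed inputs for this example (not from the original post): address
# ranges already used on-premises and candidate address spaces for the Azure hub.
ONPREM_RANGES = ["10.0.0.0/12", "192.168.0.0/16"]

# Azure reserves 5 addresses in every subnet: network address, default gateway,
# two for Azure DNS, and the broadcast address. The smallest allowed subnet is /29.
AZURE_RESERVED = 5

# Minimum (AzureFirewallSubnet, AzureBastionSubnet) or recommended (GatewaySubnet)
# prefix lengths for Azure's well-known subnets.
MIN_PREFIX = {"AzureFirewallSubnet": 26, "AzureBastionSubnet": 26, "GatewaySubnet": 27}


def find_overlaps(candidate: str, existing: list[str]) -> list[str]:
    """Return every existing range that overlaps the candidate Azure address space."""
    cand = ipaddress.ip_network(candidate)
    return [r for r in existing if cand.overlaps(ipaddress.ip_network(r))]


def usable_hosts(prefixlen: int) -> int:
    """Addresses left for your own resources after Azure's reserved ones."""
    if prefixlen > 29:
        raise ValueError("Azure subnets must be /29 or larger")
    return (1 << (32 - prefixlen)) - AZURE_RESERVED


def carve(space: str, plan: list[tuple[str, int]]) -> dict[str, ipaddress.IPv4Network]:
    """Allocate the requested subnets from `space`, largest blocks first, so that
    every block stays aligned on its own boundary and no space is wasted."""
    net = ipaddress.ip_network(space)
    cursor, end = int(net.network_address), int(net.broadcast_address) + 1
    allocations = {}
    for name, prefixlen in sorted(plan, key=lambda item: item[1]):
        size = 1 << (32 - prefixlen)
        cursor = -(-cursor // size) * size            # round up to the block boundary
        if cursor + size > end:
            raise ValueError(f"{name}: /{prefixlen} does not fit into {space}")
        allocations[name] = ipaddress.IPv4Network((cursor, prefixlen))
        cursor += size
    return allocations


def check_plan(allocations: dict[str, ipaddress.IPv4Network]) -> list[str]:
    """Flag well-known subnets that are smaller than Azure requires or recommends."""
    return [
        f"{name} is /{net.prefixlen}, needs /{MIN_PREFIX[name]} or larger"
        for name, net in allocations.items()
        if name in MIN_PREFIX and net.prefixlen > MIN_PREFIX[name]
    ]


if __name__ == "__main__":
    for candidate in ("10.1.0.0/16", "10.100.0.0/16"):
        clash = find_overlaps(candidate, ONPREM_RANGES)
        print(candidate, "overlaps" if clash else "is free", clash)
    hub = carve("10.100.0.0/16", [("GatewaySubnet", 27), ("AzureFirewallSubnet", 26),
                                  ("AzureBastionSubnet", 26), ("shared-services", 24)])
    for name, net in hub.items():
        print(f"{name:22} {net}  usable={usable_hosts(net.prefixlen)}")
    print(check_plan(hub) or "well-known subnets are sized correctly")
```

The allocator sorts by prefix length so a /24 never ends up wedged between two /26 blocks; run it once per region or landing zone and keep the output as the record of your address plan.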

Configure DNS

No one wants to connect to an IP address. We all use DNS resolution for our applications and connectivity, and this is the same in Azure. What we have to decide is the right architecture for name resolution between on-premises and Azure, including the Private Link zones (privatelink.*) that Private Endpoints rely on.

You can use IaaS: DNS forwarder VMs inside Azure that forward your on-premises domains to the on-premises DNS servers and everything else to the Azure-provided DNS (168.63.129.16).

Otherwise, you can use the PaaS service “Azure DNS Private Resolver”: an inbound endpoint gives your on-premises DNS servers an IP in your virtual network to forward Azure zones to, and an outbound endpoint with a forwarding ruleset sends queries for on-premises domains back to your DNS servers, with no VMs to patch.

Connectivity to Azure and connectivity to Azure PaaS services

When it comes to the connectivity part, you have to decide between two available options:

  • Azure ExpressRoute / Azure ExpressRoute Direct
  • Site-to-Site VPN tunnel

When deciding between Azure ExpressRoute and Azure Site-to-Site (S2S) VPN, it's important to consider various factors to determine which solution best fits your needs.

Reasons for ExpressRoute:
  • Performance requirements: Do you need high bandwidth and low latency for your applications?
  • Reliability: Are you looking for a more consistent connection than the public internet offers?
  • Security needs: Is a private connection that doesn't traverse the public internet crucial for your data security? Note that ExpressRoute is private but not encrypted by default; if you need encryption in transit, use MACsec with ExpressRoute Direct or run an IPsec site-to-site tunnel over ExpressRoute private peering.
  • Cost considerations: Are you prepared for the potentially higher costs compared to a VPN?
  • Data transfer volumes: Will you transfer large volumes of data between your on-premises infrastructure and Azure?
  • Service availability: Is ExpressRoute available in your region, and does it support your connectivity provider?
  • Redundancy and SLA: Do you need built-in redundancy and a higher SLA for uptime and performance?

Reasons for Site-to-Site (S2S) VPN:
  • Budget constraints: Are you looking for a more cost-effective solution than ExpressRoute?
  • Usage patterns: Is your data transfer volume moderate, with less stringent performance requirements?
  • Security requirements: Are you comfortable with an IPsec tunnel over the public internet?
  • Flexibility and scalability: Do you need a solution that can be set up quickly and scaled as needed?
  • Compatibility: Do you have compatible VPN devices and the technical expertise to configure and manage them?
  • Redundancy and availability: Are the redundancy options of the Azure VPN Gateway (active-active gateways, multiple tunnels) sufficient for you?

For PaaS services inside Azure, there are two options to attach them to your internal network.

An Azure Service Endpoint extends the identity of your virtual network (VNet) to the Azure service over the Microsoft backbone. Resources in your VNet reach the service without traversing the public internet, and the service firewall can be restricted to your subnets. The service keeps its public IP, though: the endpoint only changes the source of your traffic, it is not reachable from on-premises over VPN or ExpressRoute, and anything you do not lock down in the service firewall stays public.

An Azure Private Endpoint is a network interface with a private IP from your VNet that connects you to a service powered by Azure Private Link. Traffic between your VNet (and, via your gateway, on-premises) and the Azure service stays on your private network. It depends on DNS: the service FQDN resolves through a privatelink.* zone, so the matching private DNS zone must be linked to your VNet and forwarded to from on-premises; otherwise clients resolve the public IP and bypass the endpoint.
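The DNS and Private Endpoint behaviour described above, as an added example that is not part of the original post: a small Python model of the hybrid resolution path (on-premises DNS with conditional forwarders, the DNS Private Resolver inbound endpoint, the Azure-provided DNS at 168.63.129.16, and a linked privatelink private DNS zone). The server addresses, zone records and the storage account name are constructed. The model covers both the forwarding decision from the DNS section and the privatelink CNAME chain from the Private Endpoint section, including the failure modes in which the private zone is not linked, or not forwarded to from on-premises, and the client gets the public IP.

```python
from typing import Optional

# Constructed zone data for this example; none of these names or addresses are
# real records. Server roles in the hybrid design:
AZURE_DNS = "168.63.129.16"      # Azure-provided DNS, reachable only from inside a VNet
RESOLVER_INBOUND = "10.100.2.4"  # hypothetical DNS Private Resolver inbound endpoint in the hub
ONPREM_DNS = "10.0.0.10"         # hypothetical on-premises DNS server
PUBLIC = "public-dns"            # stands in for the public DNS hierarchy

PRIVATE_ZONE_NAME = "privatelink.blob.core.windows.net."
PRIVATE_ZONE = {"stcontoso." + PRIVATE_ZONE_NAME: ("A", "10.100.10.5")}   # private endpoint NIC
PUBLIC_ZONES = {
    "stcontoso.blob.core.windows.net.": ("CNAME", "stcontoso." + PRIVATE_ZONE_NAME),
    "stcontoso." + PRIVATE_ZONE_NAME: ("A", "20.60.1.5"),                 # service's public front end
}
ONPREM_ZONE = {"app1.corp.contoso.com.": ("A", "10.0.5.20")}

# Outbound-endpoint forwarding ruleset of the resolver (suffix -> target server).
RESOLVER_RULESET = {"corp.contoso.com.": ONPREM_DNS}
# Conditional forwarders configured on the on-premises DNS servers.
ONPREM_FORWARDERS = {PRIVATE_ZONE_NAME: RESOLVER_INBOUND}

Record = Optional[tuple[str, str]]


def in_zone(name: str, suffix: str) -> bool:
    return name == suffix or name.endswith("." + suffix)


def pick_forwarder(name: str, rules: dict[str, str], default: str) -> str:
    """Longest matching suffix wins, as in a forwarding ruleset or conditional forwarders."""
    matches = [s for s in rules if in_zone(name, s)]
    return rules[max(matches, key=len)] if matches else default


def answer(server: str, name: str, linked: bool, onprem_fwd: dict[str, str]) -> Record:
    """The single record `server` returns for `name`, or None (NXDOMAIN)."""
    if server == ONPREM_DNS:
        if name in ONPREM_ZONE:
            return ONPREM_ZONE[name]
        return answer(pick_forwarder(name, onprem_fwd, PUBLIC), name, linked, onprem_fwd)
    if server in (RESOLVER_INBOUND, AZURE_DNS):
        # A linked private zone is authoritative for its names: no fallback to public DNS,
        # so a missing A record yields NXDOMAIN rather than the public address.
        if linked and in_zone(name, PRIVATE_ZONE_NAME):
            return PRIVATE_ZONE.get(name)
        if pick_forwarder(name, RESOLVER_RULESET, PUBLIC) == ONPREM_DNS:
            return ONPREM_ZONE.get(name)
    return PUBLIC_ZONES.get(name)


def resolve(client_dns: str, qname: str, linked: bool = True,
            onprem_fwd: dict[str, str] = ONPREM_FORWARDERS) -> tuple[list[str], Optional[str]]:
    """Follow the CNAME chain from the client's DNS server; return (names visited, final IP)."""
    name, trail = qname, []
    for _ in range(8):
        trail.append(name)
        rec = answer(client_dns, name, linked, onprem_fwd)
        if rec is None:
            return trail, None
        rtype, value = rec
        if rtype == "A":
            return trail, value
        name = value
    raise RuntimeError("CNAME chain too long")


if __name__ == "__main__":
    storage = "stcontoso.blob.core.windows.net."
    print("Azure VM, zone linked:      ", resolve(RESOLVER_INBOUND, storage))
    print("Azure VM, zone NOT linked:  ", resolve(RESOLVER_INBOUND, storage, linked=False))
    print("On-prem, with forwarder:    ", resolve(ONPREM_DNS, storage))
    print("On-prem, without forwarder: ", resolve(ONPREM_DNS, storage, onprem_fwd={}))
    print("Azure VM -> on-prem name:   ", resolve(RESOLVER_INBOUND, "app1.corp.contoso.com."))
```

The two "bypass" cases are the ones to test in a real environment: a VM whose VNet is not linked to the privatelink zone, or an on-premises client without a conditional forwarder for it, happily resolves the service's public address and the traffic never touches the Private Endpoint.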

Plan for inbound and outbound internet connectivity and segmentation

Microsoft Azure has announced that default outbound access to the internet is retired for new virtual machines (VMs) created after September 30, 2025. This and many more reasons (egress visibility, control over data exfiltration, one place to enforce FQDN and threat-intelligence rules) require a good architecture for outbound connectivity. In this blog post, I want to describe the “cloud native” way.

You can use Azure Firewall in the hub to fulfill the outbound connectivity requirements: every spoke subnet gets a user-defined route for 0.0.0.0/0 with next hop “virtual appliance” pointing at the firewall's private IP, and the firewall performs SNAT towards the internet.

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It provides a centralized way to manage and enforce network security policies across multiple subscriptions and virtual networks.

There are different SKUs available, and based on your requirements you can choose between them.

  • Basic: Ideal for SMBs with moderate security needs and lower throughput requirements (up to 250 Mbps); threat intelligence in alert mode only.
  • Standard: Suitable for most enterprise scenarios, with L3-L7 filtering, FQDN filtering and threat-intelligence-based filtering.
  • Premium: Best for high-security environments that need TLS inspection, IDPS, URL filtering and web categories, with higher performance.

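The forced-tunnel pattern described above (spoke subnets with a user-defined route for 0.0.0.0/0 pointing at the hub firewall), as an added example that is not part of the original post: a Python model of Azure's route selection (longest prefix first, then user-defined routes before BGP routes before system routes) with an audit that reports any spoke subnet whose internet-bound traffic does not pass through the firewall. The hub and spoke address ranges and the firewall IP are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Route sources in Azure's tie-break order for equal prefix lengths: UDR beats
# BGP beats system routes. Longest prefix match is decided first.
PRIORITY = {"udr": 0, "bgp": 1, "system": 2}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str      # VirtualNetwork, Internet, VirtualAppliance, VirtualNetworkGateway, None
    next_hop_ip: str = ""   # only meaningful for VirtualAppliance
    source: str = "system"


def system_routes(vnet_cidr: str) -> list[Route]:
    """The default routes every subnet gets: VNet traffic stays local, the rest goes to the internet."""
    return [Route(vnet_cidr, "VirtualNetwork"), Route("0.0.0.0/0", "Internet")]


def effective_route(dest: str, routes: list[Route]):
    """Pick the route Azure would use: longest prefix first, then UDR > BGP > system."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, PRIORITY[r.source]))


def audit_egress(subnet: str, routes: list[Route], firewall_ip: str,
                 probes=("8.8.8.8", "203.0.113.10")) -> list[str]:
    """Report every probe destination whose traffic would not pass through the hub firewall."""
    findings = []
    for ip in probes:
        r = effective_route(ip, routes)
        if r is None or r.next_hop_type == "None":
            findings.append(f"{subnet}: {ip} is black-holed")
        elif not (r.next_hop_type == "VirtualAppliance" and r.next_hop_ip == firewall_ip):
            findings.append(f"{subnet}: {ip} leaves via {r.next_hop_type} "
                            f"(route {r.prefix} from {r.source}), bypassing the firewall")
    return findings


# Constructed topology (hypothetical addresses): hub 10.100.0.0/16 with the
# firewall's private IP 10.100.1.4, spoke 10.101.0.0/16 peered to the hub.
FIREWALL_IP = "10.100.1.4"
FORCE_TUNNEL = Route("0.0.0.0/0", "VirtualAppliance", FIREWALL_IP, "udr")
BGP_DEFAULT = Route("0.0.0.0/0", "VirtualNetworkGateway", source="bgp")  # on-prem advertising a default route

SPOKE_OK = system_routes("10.101.0.0/16") + [FORCE_TUNNEL]
SPOKE_LEAK = SPOKE_OK + [Route("203.0.113.0/24", "Internet", source="udr")]   # "just for this one partner"
SPOKE_NO_UDR = system_routes("10.101.0.0/16") + [BGP_DEFAULT]

if __name__ == "__main__":
    for name, table in (("spoke-ok", SPOKE_OK), ("spoke-leak", SPOKE_LEAK), ("spoke-no-udr", SPOKE_NO_UDR)):
        print(name, audit_egress(name, table, FIREWALL_IP) or "all internet-bound traffic goes via the firewall")
    print("UDR vs BGP default route:", effective_route("8.8.8.8", SPOKE_OK + [BGP_DEFAULT]).source)
```

Two details the audit makes visible: a more specific user-defined route with next hop Internet silently wins over the 0.0.0.0/0 route to the firewall, and a default route learned over BGP from on-premises beats the system route but loses to the UDR, so a spoke without the UDR hairpins its internet traffic through the on-premises site instead of the firewall.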
Plan for traffic inspection

If you have applications inside your landing zones that are reachable from the internet, I strongly recommend using a Layer 7 Web Application Firewall in front of them. In combination with the internal segmentation firewall (Azure Firewall), we achieve two layers of security for your environment. Make sure the WAF is the only way in: restrict the backend (NSG or service firewall) to the Application Gateway subnet, or, with Front Door, to the AzureFrontDoor.Backend service tag plus a check of the X-Azure-FDID header; otherwise an attacker simply bypasses the WAF by connecting to the origin directly.

Azure provides several Layer 7 Web Application Firewall (WAF) solutions designed to protect your web applications from common threats and vulnerabilities. Here is a list of the cloud-native ones:

  • Azure Application Gateway WAF
    • Functionality: Operates at Layer 7, providing centralized protection for web applications within a region.
    • Features: Managed rule sets based on the OWASP Core Rule Set to protect against the OWASP Top 10, custom rules, and bot protection.
    • Use Cases: Ideal when you need to manage web traffic and protect applications hosted in Azure, including internal ones.
  • Azure Front Door WAF
    • Functionality: Also operates at Layer 7, integrated with Azure Front Door to provide global load balancing and application acceleration at the edge.
    • Features: Offers similar protection as the Application Gateway WAF, with additional capabilities for global routing and performance optimization.
    • Use Cases: Suitable for applications that require global reach and high availability.
  • Azure CDN WAF
    • Functionality: Provides Layer 7 protection for content delivered through Azure Content Delivery Network (CDN).
    • Features: Protects against common web exploits and vulnerabilities, ensuring secure content delivery.
    • Use Cases: Best for scenarios where you need to secure static content distributed globally.

As you can see, the network architecture decision is a huge project and touches many services and design choices. I recommend thinking about your requirements, defining a good, cloud-native architecture, and bringing it into your environment. Also, review your decisions continually.


Finally

I want to say thank you to

for the community event organization, and thanks to the sponsors
