
– The hub-spoke topology is the recommended network design for workloads running on Azure. The hub virtual network acts as the central point of connectivity to many spoke virtual networks. The hub can also be used as the connectivity point to your on-premises networks. The spoke virtual networks peer with the hub and can be used to isolate workloads.

– Example network design with multiple spoke VNets used to isolate production and UAT VM workloads:

– In this design the VNets used for the Production and UAT workloads have different address spaces, and each VNet has multiple subnets for the different VM roles (App, DB, Web, ...). An Azure Firewall and an Azure Bastion host are also deployed in the hub: the firewall provides central routing and NAT for inbound and outbound traffic under policy, and Bastion provides remote access to the VMs in the VNets.

1/Create a resource group for the deployment:

2/Create the hub VNet:

– Add the subnets that Bastion and Azure Firewall will be placed in:

3/Create two spoke VNets for the Production and UAT workloads:

4/Configure peering between the hub and the two spoke VNets:

– Click on hub-vnet > Peerings

– Click Add

5/Deploy VM resources on the two spoke VNets:

– VM Prod App: 172.17.1.4/24

– VM DB UAT: 172.90.60.4/24

6/Create and configure the Azure Firewall resource:

– Click on the newly created Firewall > Rules

* Create a rule allowing DNS queries and NTP

* Create a rule allowing Internet access for the VMs in the VNets

– Add a rule for client access to the application on the app subnet

– Add a rule for Remote Desktop from Bastion, and for ICMP

– Add a deny-all rule collection with a high priority number (Azure Firewall evaluates lower numbers first, so this collection is reached only after the allow rules)

– Check the private IP of the Azure Firewall

7/Create a custom route table and add a new route:

– Click on the newly created route table > Routes > Add

– On the route table > Subnets > Associate the 4 subnets of the 2 spoke VNets

8/Deploy the Bastion host on the hub VNet:

9/Test that all the Azure Firewall policy rules are working:

– Connect to a VM using Bastion

– Test Internet access through the HTTPS and DNS rules

10/Create a DNAT rule on the Azure Firewall for the public application:

– On the App VM, deploy an IIS web server

– Create a DNAT rule on the Azure Firewall

– Browse to the public IP of the Azure Firewall to test the DNAT rule
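The checks a practitioner would want before step 9, as an added example that is not part of the original post: a small model of the step 6 rule collections and the step 7 route table that confirms the deny-all collection is evaluated last, that every spoke subnet sends its default route to the firewall, and which flows the policy allows or denies. The two spoke subnets come from the VM addresses above; the hub address space, the firewall private IP, the Bastion subnet and the rule priorities are assumptions (the DNAT rule of step 10 is not modelled).

```python
import ipaddress

# Constructed values: spoke subnets derive from the post's VM addresses; hub-side addresses are assumed.
FW_PRIVATE_IP = "10.0.1.4"      # assumed first usable host of AzureFirewallSubnet
BASTION_SUBNET = "10.0.2.0/26"  # assumed AzureBastionSubnet
APP_SUBNET, DB_UAT_SUBNET = "172.17.1.0/24", "172.90.60.0/24"
SPOKE_SUBNETS = [APP_SUBNET, DB_UAT_SUBNET]

# Step 6 network rule collections. Azure Firewall evaluates collections from the
# lowest priority number upward, so deny-all takes the largest number and is
# reached only when no allow collection matched the flow.
RULE_COLLECTIONS = [  # rule tuples are (sources, destinations, protocol, ports)
    {"name": "allow-dns-ntp", "priority": 100, "action": "Allow",
     "rules": [(SPOKE_SUBNETS, "*", "udp", {53, 123})]},
    {"name": "allow-internet", "priority": 200, "action": "Allow",
     "rules": [(SPOKE_SUBNETS, "*", "tcp", {80, 443})]},
    {"name": "allow-app-clients", "priority": 300, "action": "Allow",
     "rules": [("*", [APP_SUBNET], "tcp", {443})]},
    {"name": "allow-bastion-rdp-icmp", "priority": 400, "action": "Allow",
     "rules": [([BASTION_SUBNET], SPOKE_SUBNETS, "tcp", {3389}),
               ([BASTION_SUBNET], SPOKE_SUBNETS, "icmp", {"*"})]},
    {"name": "deny-all", "priority": 65000, "action": "Deny",
     "rules": [("*", "*", "*", {"*"})]},
]

SPOKE_ROUTES = [{"prefix": "0.0.0.0/0", "next_hop_type": "VirtualAppliance",
                 "next_hop_ip": FW_PRIVATE_IP}]

def _in_any(nets, ip):
    """True when ip lies inside one of nets, or nets is the wildcard '*'."""
    return nets == "*" or any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def evaluate(src, dst, proto, port):
    """Action Azure Firewall takes for one flow; unmatched traffic is denied by default."""
    for coll in sorted(RULE_COLLECTIONS, key=lambda c: c["priority"]):
        for s, d, p, ports in coll["rules"]:
            if (_in_any(s, src) and _in_any(d, dst) and p in ("*", proto)
                    and ("*" in ports or port in ports)):
                return coll["action"]
    return "Deny"

def deny_all_is_last():
    """The deny collection must carry the largest priority number, after every allow."""
    ordered = sorted(RULE_COLLECTIONS, key=lambda c: c["priority"])
    return ordered[-1]["action"] == "Deny" and all(c["action"] == "Allow" for c in ordered[:-1])

def egress_forced_through_firewall(routes):
    """Step 7 check: the default route must hand every spoke packet to the firewall."""
    return any(r["prefix"] == "0.0.0.0/0" and r["next_hop_type"] == "VirtualAppliance"
               and r["next_hop_ip"] == FW_PRIVATE_IP for r in routes)
```

Note that RDP from the UAT DB VM to the Prod App VM is denied while the same port from the Bastion subnet is allowed, which is the isolation the spoke design is meant to give.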
