Read also this blog post for more info on this project.
This repo contains a preconfigured Azure hub-and-spoke environment, aligned to the Azure enterprise-scale landing zone reference architecture, deployable with a click on your subscription, useful for testing and studying network configurations in a controlled, repeatable environment.
The "playground" is composed by:
- an hub and spoke network topology aligned with with Microsoft Enterprise scale landing zone reference architecture
- two simulated on-premise architectures, deployed in 2 different regions, composed by network, client machine(s) and a gateway
You can use the following button to deploy the demo to your Azure subscription:
| playground parts | ย |
|---|---|
deploys the HUB playground (hub-lab-net and spokes 01-02-03) |
|
| deploys the ON PREMISES (France) playground | |
| deploys the ON PREMISES-2 (Germany) playground | |
| deploys any-to-any routing via firewall on HUB playground | |
deploys the HUB 02 playground (hub-lab-02-net and spoke 04) |
This diagrams shows the overall architecture:
Download a Visio file of this architecture.
the ARM template cloud-deploy deploys:
- 4 Azure Virtual Networks:
hub-lab-netwith 4 subnets:- default subnet: this subnet is used to connect the hub-vm-01 machine
- AzureFirewallSubet: this subnet is used by Azure Firewall
- AzureBastionSubnet: this subnet is used bu Azure Bastion
- GatewaySubnet: this subnet is used by Azure Gateway
spoke-01with 2 subnets used to connect spoke-01-vm machinespoke-02with 2 subnets used to connect spoke-02-vm machinespoke-03, with 2 subnets and located in North Europe, used to connect spoke-03-vm machine
- An Azure Bastion resource that provides secure and seamless SSH connectivity to the jumpbox virtual machine directly in the Azure portal over SSL
- An Azure Firewall premium resource that provide a con-premiseic inspection.
- An Azure VPN Gateway resource that is used to send encrypted traffic between the hub virtual network to the on-premises simulated location.
hub-vm-01: a Windows Server virtual machine that simulates a server located in the hub locationspoke-01-vm: a Windows Server virtual machine that simulates a server located in the spoke-01 landing zonespoke-02-vm: a Windows Server virtual machine that simulates a server located in the spoke-02 landing zonespoke-03-vm: a Linux virtual machine that simulates a server located in the spoke-01 landing zone
The ARM template on-prem-deploy deploys:
on-prem-net: an Azure Virtual Network located in France with 3 subnets- default subnet: this subnet is used to connect the w10-onprem-vm machine
- AzureBastionSubnet: this subnet is used bu Azure Bastion
- GatewaySubnet: this subnet is used by Azure Gateway
- An Azure Bastion resource that provides secure and seamless SSH connectivity to the jumpbox virtual machine directly in the Azure portal over SSL
- An Azure VPN Gateway resource that is used to send encrypted traffic between the hub virtual network to the on-premises simulated location.
w10-onprem-vm: A Windows 10 VM with the objective to simulate a desktop client in an on-premise location
The ARM template on-prem-deploy-2 deploys:
on-prem-2-net: an Azure Virtual Network located in Germany with 3 subnets- default subnet: this subnet is used to connect the w10-onprem-vm machine
- AzureBastionSubnet: this subnet is used bu Azure Bastion
- GatewaySubnet: this subnet is used by Azure Gateway
- An Azure Bastion resource that provides secure and seamless SSH connectivity to the jumpbox virtual machine directly in the Azure portal over SSL
- An Azure VPN Gateway resource that is used to send encrypted traffic between the hub virtual network to the on-premises simulated location.
lin-onprem-vm: A linux VM with the objective to simulate a linux client in an on-premise location
The ARM template any-to-any deploys:
- 2 routing tables that forward all spoke traffic to the firewall
- 1 IPgroup and one Azure Firewall policy that:
- allows spoke-to-spoke communication
- block certain sites (Facebook, Twitter and 3 web categories (nudity, dating, pornography)
- allows all remaining HTTP(S) outbound traffic
the ARM template hub-02 deploys:
- 2 Azure Virtual Networks:
hub-lab-02-netwith 4 subnets:- default subnet: this subnet is empty
- AzureFirewallSubet: this subnet is used by Azure Firewall
- AzureBastionSubnet: this subnet is used bu Azure Bastion
- GatewaySubnet: this subnet is used by Azure Gateway
spoke-04with 2 subnet used to connect spoke-04-vm machine
- An Azure Bastion resource that provides secure and seamless SSH connectivity to the jumpbox virtual machine directly in the Azure portal over SSL
- An Azure Firewall standard resource that provide a con-premiseic inspection.
- An Azure VPN Gateway resource that is used to send encrypted traffic between the hub virtual network to the on-premises simulated location.
spoke-04-vm: a Windows Server virtual machine that simulates a server located in the spoke-01 landing zone
The site to site VPN connection shown in the architecture is not automatically deployed and configure: its configuration is covered by one of the playground scenarios.est solution All machines have the same account parameters (as following):
- username:
nicola - password:
password.123
Here there is a list of tested scenarios usable on this playground.
For each scenario you have:
- prerequisites: component to deploy required to implement the solution (only the hub, also one on-prem playground or both)
- solution: a step-by-step sequence to implement the solution
- test solution: a procedure to follow, to verify if the scenario is working as expected
| scenario description | solution | |
|---|---|---|
| 1 | Configure the environment to allow VM in any spoke to communicate with any VM in any other spoke | solution using azure firewall solution using azure virtual gateway |
| 2 | Expose on a public IP, through the Firewall, spoke-01-vm and spoke-02-vm RDP port (3389) |
solution using azure firewall dnat |
| 3 | Connect on-prem-net with hub-lab-net using a vNet-to-vNet Azure Gateway's Connection |
solution on-premise vnet-to-vnet solution on-premise2 vnet-to-vnet-2 |
| 4 | Connect on-prem-net with hub-lab-net using a Site-to-Site (IPSec) Connection |
solution with gateway-ipsec solution with gateway-ipsec active-active solution with gateway-ipsec in dual redundancy solution with multiple VPN devices [ * DRAFT * ] |
| 5 | Configure a DNS on the cloud, so that all machines are reachable via FQDN | solution with azure-dns |
| 6 | Configure and use Azure Firewall logs for troubleshooting | configure log-analytics-on-firewall |
| 7 | Install a test web server on spoke-03-vm |
install web-server |
| 8 | Connect on-prem-net and on-prem2-net to hub-lab-net via S2S IPSEC and allow cross-on-premises communication |
solution cross-on-premise-routing |
| 9 | Use Azure Firewall for traffic inspection between on-prem-net and spoke-01 networks (North/South Traffic Inspection) |
solution north-south-inspection |
| 10 | Use Network Watcher for logging and network troubleshooting | solution network watcher |
| 11 | Resolve from on-prem, names of all cloud machines | solution with Azure Firewall |
| 12 | Secure a WEB workload with both Azure Firewall Premium and Azure Web Application Firewall | Solution with Azure Firewall and WAF |
| 13 | Configure a P2S VPN | Solution with Certificate Authentication Solution with CA and always-on |
| 14 | Routing cross hubs with BGP | Solution using Azure Virtual Network Gateway |
| 15 | Routing cross hubs without BGP | Solution with Azure Firewall |
Scenarios I will implement in the future:
- Resolve from on-prem, names of all cloud machines, and vice-versa
- configure firewall so that (1) traffic outbound from spoke01 goes hrough public IP1 (traffic outbound from spoke02 goes through public IP2
Whould you like to see more scenarios? Open an issue!
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent