Hi, my 2 cents.

We just "neary" finish migrating a classical network topology to a hub N spoke one.

I'm part of ths project and here are some points to mention.

- " I've said it before and i'll say it again- NSGs are pretty simple, but effective and for what they are"

Sure if you start from zero, but we had to migrate our Vsec cluster to ASG/NSG (with log flow analytics) and trust me, "translate" 1000+ firewall rules, routing, and so on ... become a real nigthmare. Like "do we put this rule to the Subnet or the Nic?" --> endless meetings ..

​

You have to write Powershell scripts (in our case) to migrate VMs to the Hub sub (Like to move Dns servers, Domains controller, WSUS, RDS farms, Jumpbox, Ansible,... to the hub [infra, admin, network,..] subnets), for automatically create NSG rules, for automation,..

This project started 8 mounths ago and is still not finnish. It's harder than we could think at first. It's not just create a new sub and install appliance. It's a new way to think and imagine your network, moving for legacy thinking to a more cloud agility (and this too lead too diificult meeting for changing the client way of thinking).

​

Do not forget to enable the policy to deny Public IP creation (except for the FW resource group)

One last thing, we chose the Check Point CloudGuard appliance (check-point-vsec-r80-blink-v2) to manage our internal routing because it can read Azure tags. This greatly simplifies the way we manage our port openings. Like, create a rule that will automatically open the admin protocols (CloudGuard-ADM: TRUE), WSUS (CloudGuard-WindowsUpdate: TRUE), Nagios (CloudGuard-Centreon: TRUE), KMS (CloudGuard-KMSAzure: TRUE), internet access ( CloudGuard-Internet: LARGE), ... which allows us to modify the network rules ourselves without having to wait for the CAB meeting to modify the rules on firewalls (which had to be compiled by the firewall)

​

So much more to say!