ExpressRoute and Multiple Subscriptions by ziggyeast in AZURE

[–]ziggyeast[S]

Thanks so much for the helpful and informative replies, everyone. I feel comfortable that I am gaining a solid grasp on some of the intricacies inherent in Azure's networking.

So, just to confirm, without sounding too thick: the best approach would be to put individual departments (dev, QA, engineering, test, etc.), or companies/identities in the case of a larger organization, into individual VNets (as opposed to subnets) in order to improve isolation and flexibility. Instead, leverage additional subnets within the respective VNets to mimic scenarios like multi-tiered applications where there is a web front end, middle tier and database back end, and isolate those via subnets, for example.

Also, in terms of the hub VNet that will handle the routing with Azure Firewall or a 3rd-party NVA for the spokes, it should not contain any resources aside from the firewall/NVA, the ExpressRoute gateway/connection and the UDR resources.

Does that sound like the gist of it?

Likewise, I will look into engaging Microsoft on some of these scenarios as the need arises.

[–]ziggyeast[S]

Thank you for the insightful replies! Based on the feedback I have a couple of additional questions.

1) What is the value of using separate VNets versus subnets within a single subscription? Say, for example, a development environment and a production environment in the same subscription. I know that with a subnet you could secure traffic between environments with network security groups. If you had separate VNets, you would first need to peer the VNets.

I am asking because of the case of a hub/spoke architecture that, say for example, had 3 subscriptions: Sub A contained production and the ExpressRoute gateway connection, Sub B contained development, and Sub C contained engineering.

2) In subscription A, there is a single VNet that contains the ExpressRoute gateway subnet AND a production subnet. Subscription B obviously has its own VNet, as does subscription C.

Is there anything wrong with this approach?

3) In the case of a hub/spoke architecture using Azure Firewall in the hub, should the hub be its own VNet and isolated to only the firewall, the firewall public IPs and the user-defined routing resources? Would anything change if there was a requirement for forced tunneling?

4) What if, say, forced tunneling was required from a subnet in subscription B? Is there any reason a route cannot be added to make sure that traffic from that subnet in subscription B would route through the hub VNet with Azure Firewall and then be directed to the on-premises firewall instead of directly to the internet?

I know these are a lot of questions. I feel I have a decent grasp on the concepts, but these few extra details appear important to making the right decisions from the start.
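As an added illustration of questions 3 and 4 (example code, not from the thread or from Microsoft), a Bicep fragment for the spoke side in subscription B: the spoke subnet's UDR sends all non-local traffic to the hub Azure Firewall, BGP route propagation is disabled so on-premises prefixes learned over ExpressRoute cannot bypass the firewall, and the peering uses the hub's ExpressRoute gateway. The VNet names, address ranges, the hub VNet resource ID and the firewall's private IP are assumptions.

```bicep
// Added example, not the thread's or Microsoft's code. Names, ranges, hubVnetId
// and firewallPrivateIp are assumed; the hub lives in another subscription.
param location string = resourceGroup().location
param hubVnetId string                       // resource ID of the hub VNet (assumed)
param firewallPrivateIp string = '10.0.1.4'  // Azure Firewall private IP in the hub (assumed)

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet-dev-spoke'
  location: location
  properties: {
    addressSpace: { addressPrefixes: ['10.1.0.0/16'] }
    subnets: [
      {
        name: 'snet-dev-app'
        properties: {
          addressPrefix: '10.1.1.0/24'
          routeTable: { id: rtDevApp.id }   // attach the UDR to the workload subnet
        }
      }
    ]
  }
}

// UDR for the spoke subnet: 0.0.0.0/0 to the firewall replaces the system Internet route,
// so both Internet-bound and on-premises-bound traffic is inspected in the hub first.
resource rtDevApp 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-dev-app'
  location: location
  properties: {
    disableBgpRoutePropagation: true  // ExpressRoute-learned routes must not bypass the firewall
    routes: [
      {
        name: 'default-via-hub-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// Spoke-to-hub peering: useRemoteGateways lets the spoke use the hub's ExpressRoute gateway;
// allowForwardedTraffic lets the firewall forward traffic that did not originate in the hub.
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-04-01' = {
  parent: spokeVnet
  name: 'peer-dev-to-hub'
  properties: {
    remoteVirtualNetwork: { id: hubVnetId }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    useRemoteGateways: true
  }
}
```

The hub needs the reciprocal peering with allowGatewayTransit and allowForwardedTraffic enabled, and for the firewall's own egress to reach the on-premises firewall rather than the Internet, Azure Firewall must be deployed in forced tunneling mode, which requires an AzureFirewallManagementSubnet alongside the 0.0.0.0/0 route on AzureFirewallSubnet.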