[User Guide] Connectivity Resources

Overview

The module provides an option to enable deployment of network topology and connectivity resources from the conceptual architecture for Azure landing zones into the current subscription context. It also ensures that the specified subscription is placed in the right management group.

This capability enables deployment of multiple hub networks based on any combination of traditional Azure networking topology (hub and spoke), and Virtual WAN network topology (Microsoft-managed).

The module can also create and link DDoS Protection Standard to Virtual Networks, and manage centralized public and private DNS zones.

NOTE: The module currently only configures the hub network(s), and other recommended resources for the connectivity Subscription. To ensure the right balance of managing resources via Terraform vs. Azure Policy, we are still working on how best to handle the creation and peering of spoke Virtual Networks. Improving this story is on our backlog for development.

Resource types

Traditional Azure networking topology (hub and spoke)

The module can optionally deploy one or more hub networks based on the traditional Azure networking topology (hub and spoke).

NOTE: The module currently configures only the networking hub and dependent resources for the connectivity subscription. Although there's an option to enable outbound virtual network peering from hub to spoke, users still need to initiate peering from spoke to hub. This is due to limitations in how the AzureRM provider targets a specific subscription for deployment.

When you deploy resources based on a traditional Azure networking topology (hub and spoke), the module deploys and manages the following resource types (depending on configuration):

Resource	Azure resource type	Terraform resource type
Resource groups	Microsoft.Resources/resourceGroups	azurerm_resource_group
Virtual networks	Microsoft.Network/virtualNetworks	azurerm_virtual_network
Subnets	Microsoft.Network/virtualNetworks/subnets	azurerm_subnet
Virtual network gateways	Microsoft.Network/virtualNetworkGateways	azurerm_virtual_network_gateway
Azure firewalls	Microsoft.Network/azureFirewalls	azurerm_firewall
Public IP addresses	Microsoft.Network/publicIPAddresses	azurerm_public_ip
Virtual network peerings	Microsoft.Network/virtualNetworks/virtualNetworkPeerings	azurerm_virtual_network_peering

For more information about how to use this capability, see the Deploy Connectivity Resources wiki page.

Virtual WAN network topology (Microsoft-managed)

The module can optionally deploy one or more hub networks based on the Virtual WAN network topology (Microsoft-managed).

NOTE: Due to the different capabilities of Virtual WAN network resources over traditional, peering for Virtual WAN spokes is bi-directional when using this capability.

When you deploy resources based on a Virtual WAN network topology (Microsoft-managed), the module deploys and manages the following resource types (depending on configuration):

Resource	Azure resource type	Terraform resource type
Resource Groups	Microsoft.Resources/resourceGroups	azurerm_resource_group
Virtual WANs	Microsoft.Network/virtualWans	azurerm_virtual_wan
Virtual Hubs	Microsoft.Network/virtualHubs	azurerm_virtual_hub
Express Route Gateways	Microsoft.Network/expressRouteGateways	azurerm_express_route_gateway
VPN Gateways	Microsoft.Network/vpnGateways	azurerm_vpn_gateway
Azure Firewalls	Microsoft.Network/azureFirewalls	azurerm_firewall
Azure Firewall Policies	Microsoft.Network/firewallPolicies	azurerm_firewall_policy
Virtual Hub Connections	Microsoft.Network/virtualHubs/hubVirtualNetworkConnections	azurerm_virtual_hub_connection

For more information about how to use this capability, see the Deploy Virtual WAN Resources With Custom Settings wiki page.

DDoS Protection plan

The module can optionally deploy DDoS Network Protection, and link Virtual Networks to the plan if needed.

NOTE: Due to platform limitations, DDoS protection plans can only be enabled for traditional virtual networks. Virtual Hub support is not currently available.

IMPORTANT: The Azure landing zones guidance recommends enabling DDoS Network Protection to increase protection of your Azure platform. To prevent unexpected costs in non-production and MVP deployments, this capability is disabled in the Azure landing zones Terraform module due to the cost associated with this resource.

For production environments, we strongly recommend enabling this capability.

When you enable deployment of deployment of DDoS protection plan resources, the module deploys and manages the following resource types (depending on configuration):

Resource	Azure resource type	Terraform resource type
Resource groups	Microsoft.Resources/resourceGroups	azurerm_resource_group
DDoS protection plans	Microsoft.Network/ddosProtectionPlans	azurerm_network_ddos_protection_plan

DNS

The module can optionally deploy Private DNS zones to support Private Endpoints and link them to hub and/or spoke Virtual Networks. User-specified public and private DNS zones can also be deployed and linked as needed.

When you enable deployment of deployment of DNS resources, the module deploys and manages the following resource types (depending on configuration):

Resource	Azure resource type	Terraform resource type
Resource Groups	Microsoft.Resources/resourceGroups	azurerm_resource_group
DNS Zones	Microsoft.Network/dnsZones	azurerm_dns_zone
Private DNS Zones	Microsoft.Network/privateDnsZones	azurerm_private_dns_zone
Private DNS Zone Virtual Network Link	Microsoft.Network/privatednszones/virtualnetworklinks	azurerm_private_dns_zone_virtual_network_link

Next steps

Please refer to the following for examples showing how to use this capability:

• Deploy Connectivity Examples (Hub and Spoke)
• Deploy Connectivity Examples (Virtual WAN)
• Configure hub networks (Hub and Spoke)
• Configure hub networks (Virtual WAN)
• Configure DDoS Protection settings
• Configure DNS settings