Skip to content

Latest commit

 

History

History
161 lines (126 loc) · 12.8 KB

README.md

File metadata and controls

161 lines (126 loc) · 12.8 KB

The Azure🌍 hub-and-spoke-playground

A well-documented, easy-to-deploy network topology for testing, studying, inventing network configurations

Built with ❤︎ by nicolgit and contributors

Download a draw.io file of this schema.

This repo contains a preconfigured Azure hub-and-spoke network topology, aligned to the Azure enterprise-scale landing zone reference architecture, deployable with a click on your subscription, useful for testing and studying network configurations in a controlled, repeatable environment.

As bonus many scenarios with step-by-step solutions for studying and learning are also available.

Read also this blog post for more info on this project.

The "playground" is composed by:

  • two hub and spoke network topologies aligned with with Microsoft Enterprise scale landing zone reference architecture
  • two simulated on-premise architectures, deployed in 2 different regions, composed by network, client machine(s) and a gateway

Deploy to Azure

You can use the following buttons to deploy the demo environment to your Azure subscription:

Available playgrounds  
1 the HUB 01 playground
deploys hub-lab-net and spokes 01-02-03
Deploy to Azure
2 deploys the ON PREMISES (France central) playground Deploy to Azure
3 deploys the ON PREMISES-2 (west central Germany) playground Deploy to Azure
4 deploys ANY-TO-ANY routing and firewall rules
requires the HUB playground deployed
Deploy to Azure
5 deploys a S2S VPN between on-prem and HUB
requires the HUB and one of the ON-PREMISES playgrounds deployed
Deploy to Azure
5 the HUB 02 playground
deploys hub-lab-02-net and spoke 04 05 06 07 08 09 10
Deploy to Azure

Architecture

ARM template hub-01-bicep "the HUB playground" deploys:

  • 4 Azure Virtual Networks:
    • hub-lab-net located in west europe with 4 subnets:
      • default subnet: this subnet is used to connect the hub-vm-01 machine
      • AzureFirewallSubet: this subnet is used by Azure Firewall
      • AzureBastionSubnet: this subnet is used bu Azure Bastion
      • GatewaySubnet: this subnet is used by Azure Gateway
    • spoke-01 with 2 subnets located in west europe used to connect spoke-01-vm machine
    • spoke-02 with 2 subnets located in west europe used to connect spoke-02-vm machine
    • spoke-03, with 2 subnets and located in North Europe, used to connect spoke-03-vm machine
  • An Azure Bastion resource that provides secure and seamless SSH connectivity to the jumpbox virtual machine directly in the Azure portal over SSL
  • An Azure Firewall premium resource that provide a con-premiseic inspection.
  • An Azure VPN Gateway resource that is used to send encrypted traffic between the hub virtual network to the on-premises simulated location.
  • hub-vm-01: a Windows Server virtual machine that simulates a server located in the hub location
  • spoke-01-vm: a Windows Server virtual machine that simulates a server located in the spoke-01 vnet
  • spoke-02-vm: a Windows Server virtual machine that simulates a server located in the spoke-02 vnet
  • spoke-03-vm: a Linux virtual machine that simulates a server located in the spoke-03 vnet

hub-01

Download a draw.io file of this schema.

ARM template on-prem "ON PREMISES" deploys:

  • on-prem-net: an Azure Virtual Network located in west France with 3 subnets
    • default subnet: this subnet is used to connect the w10-onprem-vm machine
    • AzureBastionSubnet: this subnet is used bu Azure Bastion
    • GatewaySubnet: this subnet is used by Azure Gateway
  • An Azure Bastion resource that provides secure and seamless SSH connectivity to the jumpbox virtual machine directly in the Azure portal over SSL
  • An Azure VPN Gateway resource that is used to send encrypted traffic between the hub virtual network to the on-premises simulated location.
  • w10-onprem-vm: A Windows 10 VM with the objective to simulate a desktop client in an on-premise location

on-premises

Download a draw.io file of this schema.

ARM template on-prem-2 "ON PREMISES 2" deploys:

  • on-prem-2-net: an Azure Virtual Network located in west central Germany with 3 subnets
    • default subnet: this subnet is used to connect the w10-onprem-vm machine
    • AzureBastionSubnet: this subnet is used bu Azure Bastion
    • GatewaySubnet: this subnet is used by Azure Gateway
  • An Azure Bastion resource that provides secure and seamless SSH connectivity to the jumpbox virtual machine directly in the Azure portal over SSL
  • An Azure VPN Gateway resource that is used to send encrypted traffic between the hub virtual network to the on-premises simulated location.
  • lin-onprem-vm: A linux VM with the objective to simulate a linux client in an on-premise location

on-premises-2

Download a draw.io file of this schema.

ARM template hub-02 "the HUB 02 playground" deploys:

  • 8 Azure Virtual Networks:
    • hub-lab-02-net located in north europe with 4 subnets:
      • default subnet: this subnet is empty
      • AzureFirewallSubet: this subnet is used by Azure Firewall
      • AzureBastionSubnet: this subnet is used bu Azure Bastion
      • GatewaySubnet: this subnet is used by Azure Gateway
    • spoke-04 located in north europewith 2 subnet used to connect spoke-04-vm machine
    • spoke-05 ... 10 additional spokes, located in north europe, with 2 subnets each
  • An Azure Bastion resource that provides secure and seamless SSH connectivity to the jumpbox virtual machine directly in the Azure portal over SSL
  • An Azure Firewall standard resource that provide a con-premiseic inspection.
  • An Azure VPN Gateway resource that is used to send encrypted traffic between the hub virtual network to the on-premises simulated location.
  • spoke-04-vm: a Windows Server virtual machine that simulates a server located in the spoke-04 landing zone

hub-02

Download a draw.io file of this schema.

The ARM template any-to-any deploys:

  • 2 routing tables that forward all spokes traffic to the firewall
  • 1 IP Group and one Azure Firewall policy that:
    • allows spoke-to-spoke communication
    • block certain sites using web categories: nudity, Child Inappropriate, pornography
    • allows all remaining HTTP(S) outbound traffic

The site to site VPN connection shown in the architecture is not automatically deployed and configure: its configuration is covered by one of the playground scenarios.est solution All machines have the same account parameters (as following):

  • username: nicola
  • password: password.123

Playground's scenarios

Here there is a list of tested scenarios usable on this playground.

For each scenario you have:

  • prerequisites: component to deploy required to implement the solution (only the hub, also one on-prem playground or both)
  • solution: a step-by-step sequence to implement the solution
  • test solution: a procedure to follow, to verify if the scenario is working as expected
scenario description step-by-step solution
1 Configure the environment to allow VM in any spoke to communicate with any VM in any other spoke solution using azure firewall
solution using azure virtual gateway
solution using azure virtual network manager
2 Expose on a public IP, through the Firewall, spoke-01-vm and spoke-02-vm RDP port (3389) solution using azure firewall dnat
3 Connect on-prem-net with hub-lab-net using a vNet-to-vNet Azure Gateway's Connection solution on-premise vnet-to-vnet
solution on-premise2 vnet-to-vnet-2
4 Connect on-prem-net with hub-lab-net using a Site-to-Site (IPSec) Connection solution with gateway-ipsec
solution with gateway-ipsec active-active
solution with gateway-ipsec in dual redundancy
solution with multiple VPN devices [ * DRAFT * ]
5 Configure a DNS on the cloud, so that all machines are reachable via FQDN solution with azure-dns
6 Configure and use Azure Firewall logs for troubleshooting configure log-analytics-on-firewall
7 Install a test web server on spoke-03-vm install web-server
8 Connect on-prem-net and on-prem2-net to hub-lab-net via S2S IPSEC and allow cross-on-premises communication solution cross-on-premise-routing
9 Use Azure Firewall for traffic inspection between on-prem-net and spoke-01 networks (North/South Traffic Inspection) solution north-south-inspection
10 Use Network Watcher for logging and network troubleshooting solution network watcher
11 DNS resolution
Configure a DNS on the cloud, and be sure that all machines are reachable via FQDN also from on-premise
solution with Azure Firewall
solution with Private DNS resolver
12 Secure a WEB workload with both Azure Firewall Premium and Azure Web Application Firewall Solution with Azure Firewall and WAF
13 Configure a P2S VPN Solution with Certificate Authentication
Solution with CA and always-on
14 Routing cross hubs with BGP Solution using Azure Virtual Network Gateway
15 Routing cross hubs without BGP Solution with Azure Firewall
16 Publish internal web app via Azure Application Gateway on private and public IPs in HTTPS Solution with Azure Application Gateway
17 Publish internal SFTP endpoint via Azure Firewall Solution with Azure Firewall
18 deploy an Azure OpenAI service in an hub-and-spoke network topology and publish it internally via a private Azure API Management Solution with APIM and AOAI
19 create an Azure Elastic SAN and connect it to your Windows Server virtual machine Solution using Azure Elastic SAN

Whould you like to see a scenario not listed? Open an issue.