Azure routes traffic between Azure, on-premises, and Internet resources. Azure automatically creates a route table for each subnet within an Azure virtual network and adds system default routes to the table. You can override some of Azure’s system routes with custom routes, and add additional custom routes to route tables. Azure routes outbound traffic from a subnet based on the routes in a subnet’s route table.
You can create a DMZ in Azure within your subscription or tenant. The concept of a DMZ, or perimeter network, is not new: a DMZ is a layered network security approach that minimizes the attack surface of an application.
A DMZ architecture comprises either two or three layers of security and protection, implemented with additional user-defined routes and firewall rules. Azure filters network traffic to and from resources in a virtual network using network security groups (NSGs) and network virtual appliances (NVAs).
Workload placement in a simple DMZ:
- Untrusted Network (Layer 1 – FrontEnd NSG) – WAP server, non-domain-joined computers, Exchange Edge server
- Trusted Network (Layer 2 – BackEnd NSG) – Domain Controller, File Server, Print Server, RDS, Database and ADFS server
Workload placement in an advanced DMZ:
- Extranet (Layer 1 – external, public facing) – a firewall appliance
- Untrusted Network (Layer 2 – FrontEnd NSG) – WAP server, non-domain-joined computers, Exchange Edge server
- Trusted Network (Layer 3 – BackEnd NSG) – Domain Controller, File Server, Print Server, RDS, Database and ADFS server
Example Address Spacing

| Location | vNET | Address Space | Connectivity to other region |
|---|---|---|---|
| Azure Australia East | vNET1 | 10.11.0.0/16 | Azure Australia Southeast via ExpressRoute or S2S VPN |
| Australia East On-premises | On-prem | 10.41.0.0/16 | S2S VPN to Azure Australia East |
| Azure Australia Southeast | vNET2 | 10.51.0.0/16 | Azure Australia East via ExpressRoute or S2S VPN |
| Australia Southeast On-premises | On-prem | 10.100.0.0/16 | S2S VPN to Azure Australia Southeast |
Hybrid Network Workloads Placement
Follow Azure networking best practices and the three basic principles of Azure networking: segment, control and enforce.
- Segment – create multiple subnets within a single vNET that has a large IP address space. The private IP address spaces available are the Class A (10.0.0.0/8), Class B (172.16.0.0/12) and Class C (192.168.0.0/16) ranges. Use a trusted IP address range (x.x.x.x/22) and an untrusted IP address range (x.x.x.x/22).
- Control – create multiple NSGs and associate the FrontEnd NSG and BackEnd NSG with the untrusted and trusted networks respectively, to control traffic to and from Azure. NSGs are simple, stateful packet inspection devices that use the 5-tuple (source IP, source port, destination IP, destination port and layer 4 protocol) to create allow/deny rules for network traffic.
- Enforce – enforce user-defined rules that allow only the desired TCP and UDP traffic into the vNET, and use a network virtual appliance and perimeter networks at all times for enterprise Azure deployments. Disable RDP at the VM level and allow RDP only at the FrontEnd NSG. Use a jump box in the DMZ to access workloads.
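As an added example (not code from the original post or from Azure), the following Python script models the priority-ordered, 5-tuple NSG evaluation described above and applies it to a FrontEnd and BackEnd NSG for vNET1, showing why the BackEnd NSG needs an explicit deny below Azure's default AllowVnetInBound rule. The /22 subnet boundaries, the rule names, the choice to limit RDP to the on-prem range, and the simplified VirtualNetwork tag are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed example (not Azure's code): a priority-ordered NSG evaluator that
# applies the 5-tuple match the page describes. Addresses follow the page's
# vNET1 (10.11.0.0/16); the two /22 subnets are assumptions for this example.
VNET = ip_network("10.11.0.0/16")
FRONTEND = ip_network("10.11.0.0/22")   # untrusted / Layer 1
BACKEND = ip_network("10.11.4.0/22")    # trusted / Layer 2

def _match_addr(spec, addr):
    # "*" is any address; "VirtualNetwork" is simplified to the vNET space only.
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    return addr in ip_network(spec)

def _match_port(spec, port):
    return spec == "*" or port == int(spec)

def evaluate(rules, src, dst, dport, proto="Tcp"):
    """Inbound verdict: the lowest matching priority number wins, as in NSGs."""
    src, dst = ip_address(src), ip_address(dst)
    for _prio, _name, action, s_spec, d_spec, p_spec, proto_spec in sorted(rules):
        if (proto_spec in ("*", proto) and _match_addr(s_spec, src)
                and _match_addr(d_spec, dst) and _match_port(p_spec, dport)):
            return action
    return "Deny"  # unreachable in practice: DenyAllInBound always matches

# Azure's default inbound rules (65000-65500) exist on every NSG and cannot be
# deleted; custom rules must use lower numbers to take precedence.
DEFAULT_INBOUND = [
    (65000, "AllowVnetInBound", "Allow", "VirtualNetwork", "VirtualNetwork", "*", "*"),
    (65500, "DenyAllInBound", "Deny", "*", "*", "*", "*"),
]

# FrontEnd NSG: publish HTTPS to anyone; RDP only from the on-prem range
# (10.41.0.0/16 from the page's address table) rather than from the Internet.
FRONTEND_NSG = DEFAULT_INBOUND + [
    (100, "AllowHttpsInbound", "Allow", "*", "*", "443", "Tcp"),
    (110, "AllowRdpFromOnPrem", "Allow", "10.41.0.0/16", "*", "3389", "Tcp"),
]

# BackEnd NSG: only HTTPS from the frontend subnet. The explicit deny at 200 is
# essential: without it AllowVnetInBound (65000) lets frontend hosts reach any port.
BACKEND_NSG = DEFAULT_INBOUND + [
    (100, "AllowHttpsFromFrontend", "Allow", str(FRONTEND), "*", "443", "Tcp"),
    (200, "DenyAllFromFrontend", "Deny", str(FRONTEND), "*", "*", "*"),
]
```

Removing the `DenyAllFromFrontend` rule and re-running the backend checks shows the default rule quietly opening every backend port to the untrusted tier.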