If you are not familiar with Routing in Azure VNets, I recommend to read this MS Docs Article first.
In this post I will focus on the Azure-Firewall portion - particularly the Routing that comes with it when we don’t use BGP. The NVA adds a second security layer to the architecture. The Azure-Firewall filters traffic among stages as well as inbound traffic from on-premises. The routing within stages shall not pass the Azure-Firewall, the routing among stages has pass the Azure-Firewall and traffic directed to the Internet also has to pass the Azure-Firewall Azure-Firewall Traffic among stages (Dev and Prod) is not allowed, only the Shared-stage can reach everything. Traffic within a stage (intra-stage traffic) is not directed to the Azure-Firewall. Spoke-VNet (Stages)Īll actual network clients are directly connected to a Spoke-VNet. All traffic has to pass the Azure-Firewall (except for intra-stage traffic). It holds the VPN/Express Route (with disabled BGP), the NVA which creates a Site-to-Site (S2S) VPN to another site as well as the Azure Firewall. The Hub-Vnet is the central point for the network activity in Azure. The Architecture itself is quite simple but the Azure Firewall in combination with an NVA makes the routing a little bit more challenging - especially with disabled BGP.īelow, you’ll find the key-facts of the architecture: Hub-VNet (Core) Because we don’t have any capable devices, we cannot use BGP.
The Hub-Vnet (Core) is the central point where everything connects. In this scenario, we have a Hub-Spoke VNet structure.
0 kommentar(er)
