
8 tips to strengthen security in Microsoft Azure 

Cloud services bring flexibility and access to innovation. But their network security is key. In the previous article, How to Secure Your Infrastructure in Microsoft Azure, you learned about the typical cyber threats that occur in a Microsoft Azure environment and how to protect against them. 

However, when designing the architecture of a data solution on Azure Cloud (and not only there), it is also necessary to consider the network topology and related terms such as Vnet, P2S, S2S, Express Route and Hub-to-Spoke. What do these terms mean and how do they affect cloud infrastructure design? 

Virtual Network (Vnet) 

The virtual network is the cornerstone of the network infrastructure on Azure. Individual Vnets segment the address space and thus limit the reachability of individual endpoints (database, server, web application, etc.). Segmenting the address space at the physical layer isolates data traffic between different virtual networks, which helps secure it and makes network resources easier to manage. Below Vnets sit Subnets, which divide the Vnet into smaller address spaces. A typical application is the virtual separation of DEV/TEST/PROD environments into separate Vnets. 

The diagram above shows an example of a virtual network that contains four Subnets, each with its own specific purpose. 

Communication between components (VMs, Azure SQL Database, Azure Data Factory, Function App) within a single Vnet takes place on Azure's internal network. This means that the data transfer is not exposed to the threats that come with transferring data over the public Internet. 
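The subnet split in the diagram is the kind of thing worth checking before deployment: every subnet must fit inside the Vnet address space, no two subnets may overlap, and Azure keeps five addresses of every subnet for itself (network address, default gateway, two Azure DNS addresses, broadcast), so a subnet can never be smaller than /29. The following Python script is an added example written for this article, not code from the original post or from Microsoft; the four subnet names and CIDR ranges are constructed, since the diagram does not name them.

```python
import ipaddress
from typing import Dict

# Azure reserves five addresses in every subnet: the network address, the
# default gateway (.1), two addresses for Azure DNS (.2, .3) and the broadcast
# address. Nothing else can be assigned to them.
AZURE_RESERVED_PER_SUBNET = 5
AZURE_SMALLEST_SUBNET_PREFIX = 29


def usable_hosts(subnet: ipaddress.IPv4Network) -> int:
    """Number of addresses you can actually assign to resources in the subnet."""
    return subnet.num_addresses - AZURE_RESERVED_PER_SUBNET


def plan_subnets(vnet_cidr: str, subnets: Dict[str, str]) -> Dict[str, int]:
    """Validate a Vnet/subnet plan and return {subnet name: usable addresses}.

    Raises ValueError when a subnet lies outside the Vnet, is smaller than the
    Azure minimum of /29, or overlaps another subnet of the same Vnet.
    """
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    parsed = {name: ipaddress.ip_network(cidr, strict=True)
              for name, cidr in subnets.items()}
    names = list(parsed)
    result: Dict[str, int] = {}
    for i, name in enumerate(names):
        net = parsed[name]
        if not net.subnet_of(vnet):
            raise ValueError(f"{name} {net} is outside Vnet {vnet}")
        if net.prefixlen > AZURE_SMALLEST_SUBNET_PREFIX:
            raise ValueError(f"{name} {net} is smaller than /29, the Azure minimum")
        # Compare only against subnets not yet checked, so each pair is tested once.
        for other in names[i + 1:]:
            if net.overlaps(parsed[other]):
                raise ValueError(f"{name} {net} overlaps {other} {parsed[other]}")
        result[name] = usable_hosts(net)
    return result


# Constructed sample: one Vnet with four purpose-specific subnets.
SAMPLE_VNET = "10.10.0.0/16"
SAMPLE_SUBNETS = {
    "vm-subnet": "10.10.1.0/24",           # virtual machines
    "data-subnet": "10.10.2.0/24",         # private endpoints for Azure SQL
    "integration-subnet": "10.10.3.0/26",  # Data Factory integration runtime
    "function-subnet": "10.10.4.0/28",     # Function App Vnet integration
}

if __name__ == "__main__":
    for name, hosts in plan_subnets(SAMPLE_VNET, SAMPLE_SUBNETS).items():
        print(f"{name:20s} {SAMPLE_SUBNETS[name]:18s} usable addresses: {hosts}")
```

Running it prints 251 usable addresses for each /24, 59 for the /26 and 11 for the /28; change the function subnet to overlap the data subnet and the script refuses the plan instead of letting the deployment fail later.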

Virtual Network Gateway 

The Virtual Network Gateway is a cloud service that creates secure connections between on-premise networks and Azure Vnets, or between Vnets in different Azure regions. It can be configured as a VPN Gateway (enabling the S2S and P2S services described below) or as an ExpressRoute Gateway, depending on factors such as the required transfer rate or security level. Overall, the component provides hybrid on-premise networking and multi-cloud connectivity. 

Point-to-site (P2S)

The P2S service enables secure communication of individual devices (work computer, mobile phone) with endpoints located in the virtual network. 

Behind this service run VMs that receive encrypted traffic on a public IP address (there are two public IPs in active-active mode, for better availability) and then route it, using the assigned private IP address, into the virtual network. The communication travels over the public Internet and is secured by a tunnel between the virtual network and the on-premise device. The service currently supports OpenVPN, SSTP, IKEv2, or a combination of these. The choice should be based on what the devices that will use the VPN support. Data transfer performance depends on the selected SKU level (from 100Mbps to 10Gbps).

Site-to-Site (S2S)

S2S is a service that uses the same component as P2S, the VPN Gateway, for the connection. Unlike the previous case, where each device communicates separately (using a VPN client), in S2S a tunnel is created between the on-premise VPN device and the Azure VPN Gateway. An object representing the on-premise VPN device must therefore be created in the cloud before a connection between the on-premise network and the virtual network in the cloud can be established. 

When designing S2S, it is important to avoid overlapping address spaces between on-premise and cloud, otherwise routing problems occur. Data transfer performance depends, as in the previous case, on the selected SKU level (from 100Mbps to 10Gbps).

Express Route

Express Route is a service that allows you to create a private connection between an on-premise network and a virtual network in the cloud without using the public Internet. The service allows you to establish a private connection through a network provider (typically an ISP) partnered with Microsoft.

ExpressRoute provides guaranteed throughput and low latency through direct connectivity to Azure data centers (bandwidth ranges from 50 Mbps to 100 Gbps). This is important for applications that require consistent performance and reliability. The higher performance and reliability come with higher cost, which is why Express Route is used mainly where a strong guarantee of stable traffic is required. 

Hub-to-Spoke model 

(Loosely translated: HUB = centre, SPOKE = arm) 

This architectural pattern, known as “Hub and Spoke”, is a network topology used in the design of network infrastructures that allows the separation of key components (VPN, Firewall, Bastion) from other components (SQL Database, Managed Instance, VMs, etc.). 

In this way, virtual networks are segmented: one central virtual network, called the HUB, integrates the major network elements such as the Virtual Network Gateway, Azure Firewall and Bastion. The other virtual networks, referred to as SPOKES (arms), are connected to this hub. Each spoke can be dedicated to a specific part of the application or department of the organization (e.g., DEV/TEST/PROD). This approach allows centralized management and security of network resources while providing flexibility for the organization and scalability as needed. 
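Two of the design rules above are easy to verify mechanically: the S2S section's rule that on-premise and cloud address spaces must not overlap, and the hub-and-spoke rule that every spoke connects to the hub rather than directly to other spokes (traffic between spokes then has to pass the firewall in the hub, which is the point of centralizing it there). The following Python script is an added example written for this article, not code from the original post or from Microsoft; it checks a topology description offline and does not talk to Azure. The hub, DEV/TEST/PROD spoke and on-premise ranges are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Tuple

HUB = "hub"


def check_no_overlap(spaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of named address spaces that overlap.

    Works for Vnets and on-premise ranges alike: an S2S tunnel or a peering
    cannot route between two spaces that share addresses.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in spaces.items()}
    names = sorted(nets)
    return [(a, b)
            for i, a in enumerate(names)
            for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def check_hub_spoke(vnets: Dict[str, str],
                    peerings: List[Tuple[str, str]],
                    hub: str = HUB) -> List[str]:
    """Return findings for a hub-and-spoke topology; an empty list means it is sound.

    Rules checked: every spoke is peered with the hub, no two spokes are peered
    directly (that would bypass the firewall in the hub), and no two address
    spaces overlap.
    """
    findings: List[str] = []
    spokes = {name for name in vnets if name != hub}
    peered_with_hub = set()
    for a, b in peerings:
        if hub in (a, b):
            peered_with_hub.add(b if a == hub else a)
        else:
            findings.append(f"direct spoke-to-spoke peering {a}<->{b}; route via the hub instead")
    for spoke in sorted(spokes - peered_with_hub):
        findings.append(f"spoke {spoke} is not peered with hub {hub}")
    for a, b in check_no_overlap(vnets):
        findings.append(f"address spaces of {a} and {b} overlap")
    return findings


# Constructed sample topology: a small hub for gateway/firewall/bastion and one
# spoke per environment. Peerings are written as (vnet, vnet) pairs.
SAMPLE_VNETS = {
    "hub": "10.0.0.0/22",
    "dev": "10.1.0.0/16",
    "test": "10.2.0.0/16",
    "prod": "10.3.0.0/16",
}
SAMPLE_PEERINGS = [("hub", "dev"), ("hub", "test"), ("prod", "hub")]

# Constructed on-premise range that an S2S tunnel would connect; it collides with DEV.
SAMPLE_ON_PREMISE = {"on-premise": "10.1.0.0/24"}

if __name__ == "__main__":
    print("hub-spoke findings:", check_hub_spoke(SAMPLE_VNETS, SAMPLE_PEERINGS) or "none")
    print("S2S overlaps:", check_no_overlap({**SAMPLE_VNETS, **SAMPLE_ON_PREMISE}))
```

The first line reports no findings for the sample; the second reports that the on-premise range overlaps the DEV spoke, which is exactly the S2S condition the text says to avoid and is cheaper to catch in a script than after the tunnel is up.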



The author of this article is Matouš Vondál, a Microsoft Azure specialist from Ness Czech.