How to create a Virtual Network in DMZ in Azure?

Yaser Barhom 20 Reputation points
2023-11-27T06:46:52.3666667+00:00

We're new to Azure and I know that things in Azure work a little differently than on-prem.

I was reading the Azure CAF and Foundational Landing Zone; we're interested in creating two hubs, one in a DMZ for public traffic and another hub for internal traffic between spokes.

Can someone explain how to execute such a model? Is using Azure Firewall going to be sufficient? We use Palo Alto on-prem, but management wants to use Azure native solutions.

Thanks


Accepted answer
Adam Zachary 2,936 Reputation points
2023-11-27T07:00:37.62+00:00

    Hi Yaser,

    Creating a Virtual Network in a DMZ (Demilitarized Zone) in Azure involves setting up a secure hybrid network that extends an on-premises network to Azure. This setup typically includes a perimeter network between the on-premises network and the Azure virtual network, with all inbound and outbound traffic passing through Azure Firewall. Here's how to execute such a model, considering your requirements:

    Implement a DMZ Architecture:

    Establish a secure hybrid network by creating a DMZ between your on-premises network and Azure virtual network.

    Utilize Azure Firewall to manage and control all inbound and outbound traffic.

    --> External Hub (Public-Facing):

    • This hub serves as the connection point to the on-premises environment, potentially through a Site-to-Site (S2S) VPN.
    • It includes an advanced or premium Azure Firewall for robust security and traffic management.
    • All external traffic, including internet-facing services, is managed through this hub.

    --> Internal Hub (Private Traffic):

    • Dedicated to internal traffic management between Azure spokes.
    • Equipped with a basic firewall for standard security needs.
    • Acts as a second layer of defense, filtering traffic from the spokes before it reaches the external hub and on-premises network.

    --> Traffic Flow:

    • Traffic from individual spokes first reaches the internal hub, where it is filtered through the basic firewall.
    • After initial filtering, the traffic is directed to the external hub, where the Azure Firewall provides advanced security measures.
    • Finally, the traffic is routed to the on-premises network via the S2S VPN.

    Configure Networking and Routing:

    • Set up virtual network routes and user-defined route tables.
    • Add a Destination Network Address Translation (DNAT) rule to Azure Firewall for accepting inbound internet traffic.
    • Force-tunnel outbound internet traffic through your on-premises network for added security and compliance.

    Security and Network Management:

    • Employ Network Security Groups (NSGs) to control traffic within the virtual network.
    • Use Azure DDoS Protection for enhanced defense against DDoS attacks.
    • Azure Virtual Network Manager (AVNM) can be used to create and manage security rule baselines, offering prioritization and control over network traffic.

    As for your question about Azure Firewall:

    • Azure Firewall can be a sufficient solution for your DMZ, offering robust firewall capabilities as a managed service.
    • If you prefer Azure-native solutions, Azure Firewall, in combination with other Azure security services like NSGs and DDoS Protection, can provide comprehensive security coverage.

    Hope this helps
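The "Configure Networking and Routing" steps above, shown as a Bicep template. This is an added example, not code from Adam's answer or from Microsoft documentation. It assumes the external hub VNet, its Premium Azure Firewall (private IP 10.0.1.4, public IP 203.0.113.10), the hub-to-spoke peering and the S2S VPN gateway already exist; the spoke VNet, the user-defined route table that sends the spoke's default route to the firewall, and the DNAT rule publishing an internal web tier on TCP 443 are what the template creates. Every name and address is a placeholder.

```bicep
// Added example: spoke subnet forced through the hub firewall, plus a DNAT rule.
// All resource names, IPs and the existing-firewall assumptions are placeholders.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
// Assumed private IP of the existing Azure Firewall in the external hub
param firewallPrivateIp string = '10.0.1.4'
// Assumed public IP attached to that firewall (documentation range, placeholder)
param firewallPublicIp string = '203.0.113.10'
// Assumed internal web server in the spoke subnet below
param webBackendIp string = '10.1.1.4'

// 1. User-defined route table: the spoke's default route points at the firewall,
//    so nothing in the spoke reaches the internet or on-prem without being inspected.
resource spokeRoutes 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke-to-hub'
  location: location
  properties: {
    // Keep VPN/BGP-learned routes from being injected and bypassing the firewall
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// 2. Spoke VNet whose workload subnet is bound to that route table.
resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-spoke-web'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.1.0.0/16' ] }
    subnets: [
      {
        name: 'snet-web'
        properties: {
          addressPrefix: '10.1.1.0/24'
          routeTable: { id: spokeRoutes.id }
        }
      }
    ]
  }
}

// 3. Firewall policy for the external hub: Premium tier, threat intel set to deny.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fwpol-external-hub'
  location: location
  properties: {
    sku: { tier: 'Premium' }
    threatIntelMode: 'Deny'
  }
}

// 4. DNAT rule: internet -> firewall public IP:443 -> web backend:443.
//    Azure Firewall adds the matching allow network rule for the translated flow.
resource dnatRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 'DefaultDnatRuleCollectionGroup'
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'rc-inbound-web'
        priority: 100
        action: { type: 'DNAT' }
        rules: [
          {
            ruleType: 'NatRule'
            name: 'https-to-web'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '*' ]   // narrow to known client ranges where the service allows it
            destinationAddresses: [ firewallPublicIp ]
            destinationPorts: [ '443' ]
            translatedAddress: webBackendIp
            translatedPort: '443'
          }
        ]
      }
    ]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep`, then attach `fwPolicy` to the existing firewall. The route table is what makes the "force-tunnel" step hold: with `disableBgpRoutePropagation` set, routes advertised over the S2S VPN cannot appear in the spoke subnet and give workloads a path around the firewall. The internal hub in Adam's design would carry a second, basic-tier policy with network and application rules only; DNAT belongs on the external hub, since that is the only firewall with a public IP.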

