How to create a Virtual Network in DMZ in Azure?

Yaser Barhom 20 Reputation points

We're new to Azure and I know that things in Azure work a little differently than on-prem.

I was reading the Azure CAF and Foundational Landing Zone; we're interested in creating two hubs, one in a DMZ for public traffic and another hub for internal traffic between spokes.

Can someone explain how to execute such a model? Is using Azure Firewall going to be sufficient? We use Palo Alto on-prem, but management wants to use Azure-native solutions.



Accepted answer
Adam Zachary 2,886 Reputation points

Hi Yaser,

Creating a Virtual Network in a DMZ (Demilitarized Zone) in Azure involves setting up a secure hybrid network that extends an on-premises network to Azure. This setup typically includes a perimeter network between the on-premises network and the Azure virtual network, with all inbound and outbound traffic passing through Azure Firewall. Here's how to execute such a model, considering your requirements:

Implement a DMZ Architecture:

Establish a secure hybrid network by creating a DMZ between your on-premises network and Azure virtual network.

Utilize Azure Firewall to manage and control all inbound and outbound traffic.

--> External Hub (Public-Facing):

• This hub serves as the connection point to the on-premises environment, potentially through a Site-to-Site (S2S) VPN.
• It includes an advanced or premium Azure Firewall for robust security and traffic management.
• All external traffic, including internet-facing services, is managed through this hub.

--> Internal Hub (Private Traffic):

• Dedicated to internal traffic management between Azure spokes.
• Equipped with a basic firewall for standard security needs.
• Acts as a second layer of defense, filtering traffic from the spokes before it reaches the external hub and on-premises network.

--> Traffic Flow:

• Traffic from individual spokes first reaches the internal hub, where it is filtered through the basic firewall.
• After initial filtering, the traffic is directed to the external hub, where the Azure Firewall provides advanced security measures.
• Finally, the traffic is routed to the on-premises network via the S2S VPN.

Configure Networking and Routing:

• Set up virtual network routes and user-defined route tables.
• Add a Destination Network Address Translation (DNAT) rule to Azure Firewall for accepting inbound internet traffic.
• Force-tunnel outbound internet traffic through your on-premises network for added security and compliance.

Security and Network Management:

• Employ Network Security Groups (NSGs) to control traffic within the virtual network.
• Use Azure DDoS Protection for enhanced defense against DDoS attacks.
• Azure Virtual Network Manager (AVNM) can be used to create and manage security rule baselines, offering prioritization and control over network traffic.

As for your question about Azure Firewall:

• Azure Firewall can be a sufficient solution for your DMZ, offering robust firewall capabilities as a managed service.
• If you prefer Azure-native solutions, Azure Firewall, in combination with other Azure security services like NSGs and DDoS Protection, can provide comprehensive security coverage.

Hope this helps.
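As an added example (not part of the answer above and not Microsoft's own code), here is a Bicep fragment covering two of the routing steps the answer lists: a user-defined route table that sends all spoke traffic to the hub firewall, and a DNAT rule on the firewall policy that admits inbound HTTPS to one backend. All resource names, IP addresses and the firewall policy name are assumptions.

```bicep
param firewallPrivateIp string = '10.0.1.4'    // assumed: hub Azure Firewall private IP
param firewallPublicIp string = '203.0.113.10' // assumed: firewall public IP (documentation range)
param webBackendIp string = '10.1.1.4'         // assumed: web server in a spoke
param firewallPolicyName string = 'afwp-hub'   // assumed: existing hub firewall policy

// Default route for a spoke subnet: all traffic leaves via the firewall, never straight to the
// internet. BGP propagation is disabled so a 0.0.0.0/0 learned from on-prem cannot bypass it.
resource spokeRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke-via-firewall'
  location: resourceGroup().location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-to-firewall'
        properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp }
      }
    ]
  }
}

resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = { name: firewallPolicyName }

// Inbound DNAT: only TCP/443 to the firewall's public IP is translated to the backend;
// anything else arriving at the public IP matches no rule and is dropped.
resource dnatRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: firewallPolicy
  name: 'rcg-dnat-inbound'
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'rc-inbound-web'
        priority: 100
        action: { type: 'Dnat' }
        rules: [
          {
            ruleType: 'NatRule'
            name: 'https-to-web'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '*' ]
            destinationAddresses: [ firewallPublicIp ]
            destinationPorts: [ '443' ]
            translatedAddress: webBackendIp
            translatedPort: '443'
          }
        ]
      }
    ]
  }
}
```

The route table still has to be associated with each spoke subnet, and the DNAT rule only admits the traffic it translates; east-west and outbound flows forced to the firewall need their own network or application rules, otherwise they are dropped.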
