Vnet setup for test/staging /prod

Brett Ludwig 6 Reputation points
2021-01-05T22:39:39.637+00:00

Hi, I'm creating a web app and have the following setup:

3 resources per stage. The 3 stages are test, staging & production.

CLIENT
Azure Static Web App

SERVER
Azure Web App

DB
Azure Cosmos (MongoDB)

I'm trying to restrict the apps from interacting with eachother. So, only the test SERVER can talk to the test DB, staging SERVER can talk to staging DB.

I've searched for best practices for Vnet setup for multiple stage web apps but haven't found anything yet, which surprises me but here I am.

Should these all be on one VNet with different IP ranges? Or should they all be on their own virtual network? What sort of IP settings should I have?

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,453 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,779 questions
{count} vote

2 answers

Sort by: Most helpful
  1. Andreas Baumgarten 109.9K Reputation points MVP
    2021-01-05T23:27:20.043+00:00

    It depends of the required grade of environment isolation/separation:

    One Virtual Network and multiple subnets:
    All subnets in the same Virtual Network are routed to each other.
    You have to use Network Security Groups to get control over the network communication.

    Multiple Virtual Networks and subnets:
    Virtual Networks are not routed/connected with other Virtual Networks by default. You have to implement peering between Virtual Networks to communicate from one vNet to another.

    Most of the test/staging/production environments I am aware of are using Multiple Virtual Networks with multiple subnets.
    No peering between the vNets.

    Virtual Network "Test"

    • Subnet "Client - Test"
    • Subnet "Middle Tier - Test"
    • Subnet "DB Server - Test"

    And the same network infrastructure for staging and production.

    Choose the IP settings like you want. Just make sure you don't use "overlapping" IP ranges.


    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten

    2 people found this answer helpful.

  2. GitaraniSharma-MSFT 49,601 Reputation points Microsoft Employee
    2021-01-06T12:06:04.557+00:00

    Hello @Brett Ludwig ,

    If your requirement is to restrict the apps from interacting with each other, so only the test SERVER can talk to the test DB, staging SERVER can talk to staging DB. Then multiple virtual networks (without Vnet peering) with multiple subnets should be the best approach.

    Azure creates a route with an address prefix that corresponds to each address range defined within the address space of a virtual network. If the virtual network address space has multiple address ranges defined, Azure creates an individual route for each address range. Azure automatically routes traffic between subnets using the routes created for each address range. So a single Vnet with multiple subnets or different IP ranges will not be of help unless you specifically restrict the access for each subnet which will be cumbersome.
    Please refer : https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

    The best approach is to create separate Vnet as different Vnets cannot talk to each other unless they are connected via Vnet peering or VPN. So they are completely isolated.
    Please refer : https://learn.microsoft.com/en-us/azure/networking/networking-overview#vnet

    Regarding best practices, you can refer the below articles:
    https://learn.microsoft.com/en-us/azure/virtual-network/concepts-and-best-practices
    https://learn.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#logically-segment-subnets

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.