Private Networking for Azure Services

Stephen Hill 6 Reputation points
2021-11-19T01:28:09.973+00:00

Advised to post here by our account manager for feedback from the fast track team.

Requirements

  • We want to improve our network security by denying public (internet) access to services such as SQL Server, Storage Accounts, CosmosDB and Key Vault.
  • We would prefer to deny all Azure Services access expect via private link or specific network.
  • We want to create network separation for our test and production applications when accessing services. For example, a test web app (app service) should not be able to connect to a production database, even if it is using a connection string with credentials.

We have come up with a proposed network design (below) by referring to the article https://learn.microsoft.com/en-us/azure/architecture/example-scenario/private-web-app/private-web-app

This will be a big change from our current situation, so we are seeking some feedback on our proposed approach before we commence work.

Current Networking for App Services (see diagram)

  • Azure Front Door or Application Gateway sits in front of some web apps and services. Most apps are accessed directly.
  • Web apps and services connect to Azure services (SQL Server, Storage Acccounts, CosmosDB, Key Vault and Service Bus) over the Internet, using secure protocols and connection strings / keys
  • Azure services allow public (internet) access with no network restrictions or private links.

150796-current-networking-for-app-services.png

Proposed Networking for App Services (see diagram)

  • Azure Front Door or Application Gateway sits in front of all web apps and services. We haven't done this previously due to cost. However, if we can reduce the cost by sharing AFD / App Gateway across multiple apps, it might be feasible.
  • Use VNet integration for all web apps and services to a dedicated subnet in our VNet hub.
  • Establish Private Links from the VNet Hub to each Azure Service (SQL Server, Storage Acccounts, CosmosDB, Key Vault and Service Bus).
  • Configure Azure Services to deny public (internet) access. Only connections over private links are allowed.
  • We use Service bus standard, which does not support VNet integration and Service bus premium is outside our budget. Apps would still need to connect to service bus over the internet.

150797-proposed-networking-for-app-services.png

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,149 questions
Azure FastTrack
Azure FastTrack
Azure: A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.FastTrack: This tag is no longer in use. Please use 'Azure Startups' instead.
75 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Luke Murray 10,526 Reputation points MVP
    2023-10-15T00:25:28.53+00:00

    Looks good to me; the only thing I will add is:

    • DNS Zones, you may need DNS zones for your services to talk to each other over the private link. DNS Resolver can help here.
    • Also make sure you make use of the NSGs at the subnets to further control traffic where you want it.