Routing Traffic Between Spoke VNets through Hub

Taranjeet Malik 446 Reputation points
2022-03-21T07:36:32.167+00:00

Hi

We are building an Enterprise Scale Azure landing zone as described here https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/adventureworks/README.md

It has the following subscriptions:

  1. Hub hosting all the networking components (mainly Azure Firewall, VPN/ER Gateway, App Gateway etc.).
  2. IAM subscription hosting DCs and Azure AD DS.
  3. Management subscription that will run management (DSC) and monitoring components.
  4. Application landing zones that will host applications – separate subscriptions for each environment (Prod, Stage, Dev Sandbox)

We’re a federal govt. agency and need to have connectivity to certain central services hosted in a common remote (Azure) cloud environment. To enable this, an approved design exists that mandates creating a dedicated subscription (DedicatedSub) in a different region but the same geography (depicted as the blue box in the image below) that enables connectivity to those remote central services:

(image: issue-1.jpg)

As we know, in an Azure hub-spoke network architecture additional configuration needs to happen on the VNet peering connections on each side. For example, the spoke VNets would traverse the hub gateway to communicate with remote networks (on-prem, Internet, and in some cases other VNets in Azure). To allow this traffic to flow from spoke to hub and on to remote networks:

  1. Configure the peering connection in the hub to allow gateway transit. (image: vnet-peering-config-1.png)
  2. Configure the peering connection in each spoke to use remote gateways. (image: vnet-peering-config-2.png)
  3. Configure all peering connections to allow forwarded traffic.

Just wanted to ensure that this architecture works and to identify any issues looking at it from a traffic routing perspective. Some of the traffic flows in this architecture would be:

  1. The Azure Virtual Desktop (AVD) solution running in the DedicatedSub subscription within a separate VNet needs to connect to Azure AD DS instances in the IAM subscription.
  2. Logs (for services like Azure Firewall, AVD) from the DedicatedSub need to be sent to the Log Analytics Workspace in the Management subscription.

Any inputs / feedback please?


2 answers

  1. GitaraniSharma-MSFT 48,096 Reputation points Microsoft Employee
    2022-03-23T08:46:10.437+00:00

    Hello @Taranjeet Malik ,

    I understand that you are building an Enterprise Scale Azure landing zone as described here and would like to ensure that this architecture works.

    Your shared architecture should work just fine, as it is one of the recommended enterprise-scale architecture implementations.
    Refer : https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/implementation

    Azure Virtual Desktop (AVD) solution running in the DedicatedSub subscription within a separate VNet needs to connect to Azure AD DS instances in the IAM subscription.

    Yes, this will work. If you are able to communicate with Azure AD DS using VNet peering/VPN, you will be able to join the Azure AD DS domain using your Azure AD credentials.
    Refer : https://learn.microsoft.com/en-us/azure/architecture/example-scenario/wvd/windows-virtual-desktop

    Logs (for services like Azure Firewall, AVD) from the DedicatedSub needs to be sent to Log Analytics Workspace in the Management subscription.

    It will work without any issues as long as you have VNet peering connectivity and the appropriate privileges or access.
    Refer : https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq#can-my-azure-storage-account-be-in-one-subscription-and-my-log-analytics-workspace-be-in-a-different-subscription-

    Kindly let us know if the above helps or you need further assistance on this issue.


  2. Diogo Maul 1 Reputation point
    2022-09-01T17:34:37.18+00:00

    Hi @Taranjeet Malik , I wonder if you already implemented this?

    I have a very similar scenario:

    • Hub and peered Spoke Vnets
    • Azure Firewall (in HUB)
    • Azure AD Domain Services (in a dedicated spoke)
    • VMs in different spokes (all peered with the hub, but not with AADDS)

    I'm struggling to join the VMs that are in different spokes to the domain; it seems I can't make the traffic spoke subnet > hub > AADDS subnet work as expected.

    I'm using the Azure firewall as DNS for the spoke vnets with DNS Proxy enabled forwarding the requests to my AADDS.

    If you have this working, are you able to tell more about the main points of your implementation?

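As an added example (not code from the original question, either answer, or the Enterprise-Scale repository), the Bicep below puts the three peering settings listed in the question next to the two things peering alone does not provide for the spoke > hub > AADDS path that the second answer is struggling with: a user-defined route that sends spoke-to-spoke traffic to Azure Firewall, and a firewall network rule that allows it. Every name, address range and the firewall private IP are assumptions constructed for illustration; the VNets, the hub gateway and the firewall policy are assumed to exist already.

```bicep
// Added example, not from the original post. All names, prefixes and the firewall IP are constructed.
param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.1.4'   // assumed private IP of the hub Azure Firewall

// Constructed spoke inventory: the identity spoke hosting Azure AD DS and one application spoke.
var spokes = [
  { name: 'iam', vnetName: 'vnet-iam', subnetName: 'snet-aadds', subnetPrefix: '10.1.0.0/24' }
  { name: 'app', vnetName: 'vnet-app-prod', subnetName: 'snet-avd', subnetPrefix: '10.2.0.0/24' }
]

// VNets and the firewall policy are assumed to exist. Across subscriptions, pass resource IDs instead.
resource hubVnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: 'vnet-hub'   // must already contain the VPN/ER gateway, or useRemoteGateways below fails
}
resource spokeVnets 'Microsoft.Network/virtualNetworks@2023-04-01' existing = [for s in spokes: {
  name: s.vnetName
}]
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' existing = {
  name: 'afwp-hub'
}

// Step 1 (hub side): allow gateway transit, and accept traffic the firewall forwards.
resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-04-01' = [for (s, i) in spokes: {
  parent: hubVnet
  name: 'peer-hub-to-${s.name}'
  properties: {
    remoteVirtualNetwork: { id: spokeVnets[i].id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    allowGatewayTransit: true
    useRemoteGateways: false
  }
}]

// Steps 2 and 3 (spoke side): use the hub gateway, and accept forwarded traffic, i.e. packets
// arriving over the peering whose source IP belongs to another spoke rather than to the hub.
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-04-01' = [for (s, i) in spokes: {
  parent: spokeVnets[i]
  name: 'peer-${s.name}-to-hub'
  properties: {
    remoteVirtualNetwork: { id: hubVnet.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    allowGatewayTransit: false
    useRemoteGateways: true
  }
  dependsOn: [ hubToSpoke[i] ]
}]

// Peering is not transitive: without a UDR the app spoke has no route to 10.1.0.0/16 at all.
// A 10.0.0.0/8 supernet route catches every other spoke, while the more specific system routes
// for the spoke's own range and the hub's /16 keep local and hub-bound traffic direct.
resource rt 'Microsoft.Network/routeTables@2023-04-01' = [for s in spokes: {
  name: 'rt-${s.name}'
  location: location
  properties: {
    routes: [
      { name: 'other-spokes-via-firewall', properties: { addressPrefix: '10.0.0.0/8', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp } }
    ]
  }
}]

// Attach the route table on both sides; otherwise the identity spoke has no route back to
// 10.2.0.0/16 and the reply is dropped. Caution: redeclaring a subnet overwrites its other settings
// (NSG, delegations), and the Azure AD DS subnet has its own networking restrictions, so check that
// guidance before adding a UDR to it.
resource spokeSubnets 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' = [for (s, i) in spokes: {
  parent: spokeVnets[i]
  name: s.subnetName
  properties: {
    addressPrefix: s.subnetPrefix
    routeTable: { id: rt[i].id }
  }
}]

// Azure Firewall denies by default, so the domain-join ports still need an explicit network rule.
resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-04-01' = {
  parent: fwPolicy
  name: 'rcg-identity'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'rc-app-to-aadds'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'domain-join'
            ipProtocols: [ 'TCP', 'UDP' ]
            sourceAddresses: [ '10.2.0.0/24' ]
            destinationAddresses: [ '10.1.0.0/24' ]
            // DNS, Kerberos, NTP, RPC mapper, LDAP, SMB, kpasswd, LDAPS, global catalog, RPC dynamic range
            destinationPorts: [ '53', '88', '123', '135', '389', '445', '464', '636', '3268', '3269', '49152-65535' ]
          }
        ]
      }
    ]
  }
}
```

Two checks are worth running after deployment. First, from a VM in the app spoke, `Get-NetRoute` or the Azure "Effective routes" blade on the NIC should show 10.0.0.0/8 with next hop VirtualAppliance 10.0.1.4; if it shows the VNet peering hop or no route, the UDR is not attached. Second, Azure Firewall network rule logs in the Log Analytics workspace (the same cross-subscription workspace discussed in the first answer) should show Allow entries for the 10.2.0.0/24 to 10.1.0.0/24 flows on port 88 and 389 when a domain join runs; a Deny there means the rule collection group priority or addresses are wrong, and no entry at all means the traffic never reached the firewall, which points back at the route table or the allowForwardedTraffic setting on the spoke side of the peering.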