Network topology and connectivity

The network topology and connectivity design area is critical for establishing a foundation for your cloud network design.

Design area review

Involved roles or functions: This design area probably requires support from one or more cloud platform and cloud center of excellence functions to make and implement decisions.

Scope: The goal of network design is to align your cloud network design with overall cloud adoption plans. If your cloud adoption plans include hybrid or multicloud dependencies, or if you need connectivity for other reasons, your network design should also incorporate those connectivity options and expected traffic patterns.

Out of scope: This design area establishes the foundation for networking. It doesn't address compliance-related issues like advanced network security or automated enforcement guardrails. That guidance comes when you review the security and governance compliance design areas. Postponing security and governance discussions lets the cloud platform team address initial networking requirements before they expand their audience for more complex topics.

New (greenfield) cloud environment: To start your cloud journey with a small set of subscriptions, see Create your initial Azure subscriptions. Also, consider using Bicep deployment templates in building out your new Azure landing zones. For more information, see Azure Landing Zones Bicep - Deployment Flow.

Existing (brownfield) cloud environment: Consider the following if you are interested in applying proven-practice Azure virtual network (VNet) design principles to existing Azure environments:

  • Review our best practices for planning, deploying, and maintaining Azure VNet hub and spoke topologies
  • Consider Azure Virtual Network Manager (Preview) to centralize network security group (NSG) security rules across multiple VNets
  • Azure Virtual WAN unifies networking, security, and routing to help businesses build hybrid cloud architectures safer and faster
  • Access Azure data services privately with Azure Private Link. The Private Link service ensures your users and applications communicate with key Azure services by using the Azure backbone network and private IP addresses instead of using the public Internet.

The Azure Landing Zones Bicep - Deployment Flow repository contains a number of Bicep deployment templates that can accelerate your greenfield and brownfield Azure landing zone deployments. These templates already have Microsoft proven-practice network design and configuration guidance integrated within them.

For instance, the Azure Landing Zones Bicep - Deployment Flow - Hub and Spoke workflow includes Bicep modules to accelerate Azure virtual network hub-and-spoke architectures.

For more information on working in brownfield cloud environments, see Brownfield environment considerations.

Design area overview

Network topology and connectivity are fundamental for organizations that are planning their landing zone design. Networking is central to almost everything inside a landing zone. It enables connectivity to other Azure services, external users, and on-premises infrastructure. Network topology and connectivity are in the environmental group of Azure landing zone design areas. This grouping is based on their importance in core design and implementation decisions.

This series of articles examines key design considerations and best practices around networking and connectivity to, from, and within Azure.

Topology

Network topology is a critical element of landing zone architecture because it defines how applications communicate with each other. This section focuses on two core approaches: topologies based on Azure Virtual WAN and traditional topologies.

Connectivity

Network security

  • Plan for inbound and outbound internet connectivity describes recommended connectivity models to and from the public internet.
  • Plan for landing zone network segmentation explores key recommendations for highly secure internal network segmentation within a landing zone to support a zero-trust network implementation.
  • Define network encryption requirements explores key recommendations for network encryption between on-premises and Azure and across Azure regions.
  • Plan for traffic inspection explores key considerations and recommended approaches for mirroring or tapping traffic in Azure Virtual Network. Many organizations require Azure traffic to be mirrored to a network packet collector for deep inspection and packet analysis. This requirement typically focuses on inbound and outbound internet traffic.

Resources