Network topology and connectivity
The network topology and connectivity design area is critical for establishing a foundation for your cloud network design.
Design area review
Involved roles or functions: This design area probably requires support from one or more cloud platform and cloud center of excellence functions to make and implement decisions.
Scope: The goal of network design is to align your cloud network design with overall cloud adoption plans. If your cloud adoption plans include hybrid or multicloud dependencies, or if you need connectivity for other reasons, your network design should also incorporate those connectivity options and expected traffic patterns.
Out of scope: This design area establishes the foundation for networking. It doesn't address compliance-related issues like advanced network security or automated enforcement guardrails. That guidance comes when you review the security and governance compliance design areas. Postponing security and governance discussions lets the cloud platform team address initial networking requirements before they expand their audience for more complex topics.
New (greenfield) cloud environment: To start your cloud journey with a small set of subscriptions, see Create your initial Azure subscriptions. Also, consider using Bicep deployment templates in building out your new Azure landing zones. For more information, see Azure Landing Zones Bicep - Deployment Flow.
Existing (brownfield) cloud environment: Consider the following if you are interested in applying proven-practice Azure virtual network (VNet) design principles to existing Azure environments:
- Review our best practices for planning, deploying, and maintaining Azure VNet hub and spoke topologies
- Consider Azure Virtual Network Manager (Preview) to centralize network security group (NSG) security rules across multiple VNets
- Azure Virtual WAN unifies networking, security, and routing so that you can build hybrid cloud architectures more safely and quickly
- Access Azure data services privately with Azure Private Link. Private Link ensures that your users and applications reach key Azure services over the Azure backbone network and private IP addresses instead of over the public Internet. Private Link only covers the data path: the service's public FQDN must also resolve to the private endpoint address, so plan Private DNS zone integration alongside the endpoints themselves.
The Azure Landing Zones Bicep - Deployment Flow repository contains a number of Bicep deployment templates that can accelerate your greenfield and brownfield Azure landing zone deployments. These templates already have Microsoft proven-practice network design and configuration guidance integrated within them.
For instance, the Azure Landing Zones Bicep - Deployment Flow - Hub and Spoke workflow includes Bicep modules to accelerate Azure virtual network hub-and-spoke architectures.
For more information on working in brownfield cloud environments, see Brownfield environment considerations.
Design area overview
Network topology and connectivity are fundamental for organizations that are planning their landing zone design. Networking is central to almost everything inside a landing zone. It enables connectivity to other Azure services, external users, and on-premises infrastructure. Network topology and connectivity are in the environmental group of Azure landing zone design areas. This grouping is based on their importance in core design and implementation decisions.
This series of articles examines key design considerations and best practices around networking and connectivity to, from, and within Azure.
Topology
Network topology is a critical element of landing zone architecture because it defines how applications communicate with each other. This section focuses on two core approaches: topologies based on Azure Virtual WAN and traditional topologies.
- Define an Azure network topology explores technologies and topology approaches for Azure deployments.
- Traditional Azure networking topology explores the option of implementing a traditional Azure networking topology.
- Virtual WAN network topology (Microsoft-managed) explores the option of implementing a Virtual WAN network topology.
- Plan for IP addressing provides guidance on planning IP addressing for a hybrid implementation. Your organization's IP address space shouldn't overlap across on-premises locations and Azure regions, because overlapping ranges can't be peered or routed to each other without NAT, and fixing an overlap later means re-addressing a live network.
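The non-overlap requirement above is easy to check mechanically before anything is deployed. The following Python script is an added example, not code from the landing zone repositories or from Microsoft; the address plan in `SAMPLE_PLAN` is constructed sample data (it deliberately carves a spoke out of the on-premises range), and `next_free_block` assumes a single RFC 1918 search space that you would replace with your own.

```python
"""Check a hybrid IP address plan for overlaps before any VNet is deployed.

Added example for the IP addressing guidance; not code from the Azure landing
zone repositories. SAMPLE_PLAN is constructed sample data, not a
recommendation for any particular organization.
"""
from ipaddress import ip_network
from itertools import combinations

# Constructed sample plan: location -> CIDR blocks assigned to that location.
SAMPLE_PLAN = {
    "onprem-datacenter": ["10.0.0.0/12"],     # 10.0.0.0 - 10.15.255.255
    "azure-westeurope": ["10.16.0.0/14"],     # 10.16.0.0 - 10.19.255.255
    "azure-northeurope": ["10.20.0.0/14"],    # 10.20.0.0 - 10.23.255.255
    # Deliberate mistake: a spoke carved out of the on-premises range.
    "azure-eastus-spoke": ["10.8.0.0/16"],
}


def _blocks(plan):
    """Flatten the plan into (location, network) pairs.

    strict=True makes ip_network reject blocks with host bits set
    (for example "10.8.1.0/16"), which catches a common typo early.
    """
    return [(loc, ip_network(cidr, strict=True))
            for loc, cidrs in plan.items() for cidr in cidrs]


def find_overlaps(plan):
    """Return a sorted list of (loc_a, loc_b, cidr_a, cidr_b) for every pair
    of blocks in the plan that overlap, whether in the same location or not."""
    overlaps = []
    for (loc_a, net_a), (loc_b, net_b) in combinations(_blocks(plan), 2):
        if net_a.overlaps(net_b):
            overlaps.append((loc_a, loc_b, str(net_a), str(net_b)))
    return sorted(overlaps)


def next_free_block(plan, prefixlen, search_space="10.0.0.0/8"):
    """Return the first /prefixlen block inside search_space that overlaps
    nothing already in the plan, or None when the space is exhausted.

    search_space is an assumed default; pass the supernet your organization
    actually reserved for cloud use.
    """
    used = [net for _, net in _blocks(plan)]
    for candidate in ip_network(search_space).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


if __name__ == "__main__":
    for loc_a, loc_b, a, b in find_overlaps(SAMPLE_PLAN):
        print(f"OVERLAP: {loc_a} {a} <-> {loc_b} {b}")
    print("next free /16 for a new spoke:", next_free_block(SAMPLE_PLAN, 16))
```

Run it against the real plan at every change request: an empty result from `find_overlaps` is the gate, and `next_free_block` gives the next spoke a range that is guaranteed not to collide with on-premises or any region already allocated.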
Connectivity
- Connectivity to Azure expands on network topology to consider recommended models for connecting on-premises locations to Azure.
- Connectivity to Azure platform as a service (PaaS) builds on previous connectivity sections to explore recommended connectivity approaches for Azure PaaS services.
- Limit cross-tenant private endpoint connections explores how to limit cross-tenant private endpoint connections to prevent data leakage and meet security and compliance goals.
- Connectivity to other cloud providers describes different connectivity approaches to integrate an Azure enterprise-scale landing zone architecture with other cloud providers.
- Connectivity to Oracle Cloud Infrastructure (OCI) evaluates key design considerations and different approaches to integrate Azure enterprise-scale landing zone architecture to OCI.
- Plan for application delivery explores key recommendations to deliver secure, scalable, and highly available internal- and external-facing applications.
Network security
- Plan for inbound and outbound internet connectivity describes recommended connectivity models to and from the public internet.
- Plan for landing zone network segmentation explores key recommendations for highly secure internal network segmentation within a landing zone to support a zero-trust network implementation.
- Define network encryption requirements explores key recommendations for network encryption between on-premises and Azure and across Azure regions.
- Plan for traffic inspection explores key considerations and recommended approaches for mirroring or tapping traffic in Azure Virtual Network. Many organizations require Azure traffic to be mirrored to a network packet collector for deep inspection and packet analysis. This requirement typically focuses on inbound and outbound internet traffic.
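Segmentation inside a landing zone is usually expressed as network security group rules, and the most common way it silently fails is a broad Allow rule with a lower priority number that shadows a narrower Deny rule placed after it. The following Python script is an added example, not code from Azure or from the landing zone repositories. It follows the documented NSG evaluation order (lowest priority number first, first match wins), but it models only custom rules and the final `DenyAllInBound` default: the platform's `AllowVnetInBound` default and service tags such as `VirtualNetwork` are not expanded, and sources and destinations are plain CIDRs or `*`. The rule sets are constructed sample data.

```python
"""Evaluate inbound NSG rules and find Deny rules shadowed by earlier Allows.

Added example for the segmentation discussion; not code from Azure. Only
custom rules plus the DenyAllInBound default are modelled; service tags are
not expanded. SAMPLE_RULES and FIXED_RULES are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int       # custom rules use 100-4096; lower numbers win
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp" or "*"
    source: str         # CIDR or "*"
    destination: str    # CIDR or "*"
    dest_ports: str     # "*", "1433" or "1024-65535"


def _port_range(spec):
    if spec == "*":
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def _addr_matches(spec, addr):
    return spec == "*" or ip_address(addr) in ip_network(spec, strict=False)


def _port_matches(spec, port):
    lo, hi = _port_range(spec)
    return lo <= port <= hi


def evaluate_inbound(rules, protocol, src, dst, port):
    """Return (access, rule_name) for one inbound flow: first match by
    priority, falling back to the DenyAllInBound default when nothing matches."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol)
                and _addr_matches(r.source, src)
                and _addr_matches(r.destination, dst)
                and _port_matches(r.dest_ports, port)):
            return r.access, r.name
    return "Deny", "DenyAllInBound"


def _addr_covers(broad, narrow):
    """True when address spec `broad` includes every address in `narrow`."""
    if broad == "*":
        return True
    if narrow == "*":
        return False
    return ip_network(narrow, strict=False).subnet_of(ip_network(broad, strict=False))


def _ports_cover(broad, narrow):
    blo, bhi = _port_range(broad)
    nlo, nhi = _port_range(narrow)
    return blo <= nlo and nhi <= bhi


def find_shadowed_denies(rules):
    """Return names of Deny rules that can never match because an Allow rule
    with a lower priority number already covers every flow they describe."""
    ordered = sorted(rules, key=lambda r: r.priority)
    shadowed = []
    for i, deny in enumerate(ordered):
        if deny.access != "Deny":
            continue
        for allow in ordered[:i]:
            if (allow.access == "Allow"
                    and allow.protocol in ("*", deny.protocol)
                    and _addr_covers(allow.source, deny.source)
                    and _addr_covers(allow.destination, deny.destination)
                    and _ports_cover(allow.dest_ports, deny.dest_ports)):
                shadowed.append(deny.name)
                break
    return shadowed


# Constructed sample: the corp-wide Allow at 100 makes the Deny at 200 dead.
SAMPLE_RULES = [
    NsgRule("allow-all-from-corp", 100, "Allow", "*", "10.0.0.0/8", "*", "*"),
    NsgRule("deny-web-to-sql", 200, "Deny", "Tcp", "10.1.0.0/24", "10.1.2.0/24", "1433"),
    NsgRule("allow-app-to-sql", 300, "Allow", "Tcp", "10.1.1.0/24", "10.1.2.0/24", "1433"),
]

# Corrected sample: explicit Deny first, then only the flow that is needed.
FIXED_RULES = [
    NsgRule("deny-web-to-sql", 100, "Deny", "Tcp", "10.1.0.0/24", "10.1.2.0/24", "1433"),
    NsgRule("allow-app-to-sql", 200, "Allow", "Tcp", "10.1.1.0/24", "10.1.2.0/24", "1433"),
]

if __name__ == "__main__":
    print("shadowed in SAMPLE_RULES:", find_shadowed_denies(SAMPLE_RULES))
    print("web -> sql:", evaluate_inbound(FIXED_RULES, "Tcp", "10.1.0.5", "10.1.2.10", 1433))
```

The corrected set also shows why the broad corp-wide Allow has to go rather than just move: with the platform's `AllowVnetInBound` default in place, anything not explicitly denied from the VNet address space is still allowed, so zero-trust segmentation depends on Deny rules sitting at lower priority numbers than any Allow that could cover them.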
Resources
- Azure Private Link and Domain Name System (DNS) integration at scale describes how to integrate Private Link for PaaS services with Azure Private DNS zones in hub-and-spoke network architectures.
- Configure DNS and name resolution for on-premises and Azure resources explores guidance on planning DNS and name resolution for hybrid implementations. DNS is a critical design topic in enterprise-scale architecture. Some organizations might want to use their existing investments in DNS. Others might see cloud adoption as an opportunity to modernize their internal DNS infrastructure and use native Azure capabilities.
- Plan for virtual machine remote access describes how to securely connect into Azure virtual machines.