Network Design Ideas for VMs in Azure

I would say that is very strange, but also need to know the back story if there is one. I agree you could obtain the same result with fewer vNets and using subnets. I would see if there is any documentation around the original design and deployment. Any key decisions made, etc. I guess if you guys have a unique requirement from the app\vendors\software running on the VMs then maybe design and build it that way but like the other posts mentioned below it definitely doesn't support the best practices and design that MSFT recommends. I know you posted this a few months ago so would be interested to hear what you found out thus far and if you made any sort of changes yet.

When designing a landing zone architecture in Azure, adopting a hub-and-spoke model is a best practice that can help streamline management, enhance security, and improve scalability. Here’s a refined approach:

Best Practices for Building a Landing Zone Architecture with Hub-and-Spoke Model

1. Centralized Management with Hub VNet:
   • Hub VNet: Acts as a central point for managing and routing traffic. It typically contains shared services like DNS, Active Directory, and firewalls[1].
   • Spoke VNets: Connect to the hub VNet and are used to isolate workloads. Each spoke can represent different environments (e.g., development, testing, production) or different applications[1].
2. Network Security:
   • Network Security Groups (NSGs): Apply NSGs to subnets within the spoke VNets to control inbound and outbound traffic. This ensures that only authorized traffic flows between the hub and spokes[1].
   • Azure Firewall: Deploy Azure Firewall in the hub VNet to provide centralized protection and logging for all traffic between the hub and spokes[1].
3. Scalability and Flexibility:
   • Peering Connections: Use VNet peering to connect the hub and spoke VNets. This allows for low-latency, high-bandwidth connectivity while maintaining isolation[1].
   • Scalable Design: The hub-and-spoke model supports easy addition of new spokes as your environment grows, ensuring scalability[1].
4. Cost Management:
   • Shared Resources: Centralize shared services in the hub VNet to reduce redundancy and cost. This includes services like monitoring, security, and identity management[1].
   • Cost Tracking: Implement tagging and cost management policies to track and optimize spending across your VNets[2].
5. Governance and Compliance:
   • Azure Policy: Use Azure Policy to enforce organizational standards and compliance requirements across all VNets. This ensures that all resources adhere to best practices and regulatory requirements[3].
   • Role-Based Access Control (RBAC): Implement RBAC to control access to resources based on roles, ensuring that users have the minimum necessary permissions[2].

By following these best practices, you can create a robust, scalable, and secure landing zone architecture in Azure using the hub-and-spoke model. This approach not only simplifies management but also enhances security and compliance.

Would you like more details on any specific aspect of this architecture?

References

[1] Hub-spoke network topology in Azure - Azure Architecture Center

[2] From Zero to Hero with Azure Landing Zones | Microsoft Community Hub

[3] Tailor the Azure landing zone architecture to meet requirements

Please referring this:

Azure Virtual Network - Concepts and best practices | Microsoft Learn

Networking architecture design - Azure Architecture Center | Microsoft Learn