Microsoft Azure Hub-Spoke Architecture
This Enterprise reference architecture shows how to implement a hub-spoke topology in Azure. The hub is a virtual network (VNet) in Azure that acts as a central point of connectivity to your on-premises network. The spokes are VNets that peer with the hub, and can be used to isolate workloads. Traffic flows between the on-premises datacenter and the hub through an ExpressRoute or VPN gateway connection.
We only use the Azure Private peering
For this Hybrid Cloud Strategy we made four Microsoft Azure Subscriptions via the EA Portal :
- Azure HUB Subscription for the connectivity via Azure ExpressRoute to On-premises Datacenter.
- Azure Spoke 1 for Production workload and Cloud Services
- Azure Spoke 2 for Test and Acceptance Cloud Services
- Azure Spoke 3 for Future plans
The naming convention rules and restrictions for Azure resources and a baseline set of recommendations for naming conventions. You can use these recommendations as a starting point for your own conventions specific to your needs.
The choice of a name for any resource in Microsoft Azure is important because:
- It is difficult to change a name later.
- Names must meet the requirements of their specific resource type.
Consistent naming conventions make resources easier to locate. They can also indicate the role of a resource in a solution.The key to success with naming conventions is establishing and following them across your applications and organizations.
Azure connectivity and RBAC Identity
This tenant is federated with via ADFS and Azure Connect to Office 365. Identity management is provisioned
via Microsoft Identity Manager 2016 (MIM2016). With this already in place, we can Configure Microsoft Azure RBAC in the subscriptions.
Access management for cloud resources is a critical function for any organization that is using the cloud. Role-based access control (RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.
RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of resources in Azure.
For Business Development we have a separated Active Directory in one forest and also federated via ADFS to Microsoft Office 365. For this environment we build one Azure subscription with a temporary Site-to-Site VPN connection to On-premises datacenter for the “Lift and Shift” migration via Azure-Site-Recovery (ASR)
Azure Virtual Networks
Next step is to build the connections between the Azure HUB Subscription and the Azure Spoke subscription(s) when every Microsoft Azure subscription has It’s own Virtual Network (VNET). This is called VNET peering.
Virtual network peering enables you to seamlessly connect two Azure virtual networks. Once peered, the virtual networks appear as one, for connectivity purposes. The traffic between virtual machines in the peered virtual networks is routed through the Microsoft backbone infrastructure, much like traffic is routed between virtual machines in the same virtual network, through private IP addresses only. Azure supports:
- VNet peering – connecting VNets within the same Azure region
- Global VNet peering – connecting VNets across Azure regions
Here you see my step-by-step VNET peering creation from HUB to Spoke 1 :
Go to the VNET of the Azure HUB Subscription. and then to Peerings => Add.
Here you make the connection with Spoke 1 Azure subscription.
For Azure HUB is Peering to Spoke 1 Done.
Now we go to the VNET of Azure Subscription Spoke 1 to make the connection.
Go to VNET => Peerings => Click on Add in the Azure Spoke 1 Subscription
Connect here to the Azure HUB
The VNET Peering between Azure HUB subscription and Spoke 1 is Connected.
In this order you have to make the other VNET Peerings from the Azure HUB subscription to the other Spoke Subscriptions so that the network connectivity between VNETs is working. Because we have the Azure Internet Edge in the HUB for the other subscriptions.
In the Azure Reference Architecture we also do Security by Design in the Cloud with Firewall and Azure Network Security Groups (NSG) and every Azure component get it’s own Tag for Security Groups and Billing – Usage.
In every Microsoft Azure Subscription (HUB and Spoke ) we created a Storage Account. You can choose for different kind of storage in Microsoft Azure.
Durable and highly available. Redundancy ensures that your data is safe in the event of transient hardware failures. You can also opt to replicate data across datacenters or geographical regions for additional protection from local catastrophe or natural disaster. Data replicated in this way remains highly available in the event of an unexpected outage.
Secure. All data written to Azure Storage is encrypted by the service. Azure Storage provides you with fine-grained control over who has access to your data.
Scalable. Azure Storage is designed to be massively scalable to meet the data storage and performance needs of today’s applications.
Managed. Microsoft Azure handles maintenance and any critical problems for you.
Accessible. Data in Azure Storage is accessible from anywhere in the world over HTTP or HTTPS. Microsoft provides SDKs for Azure Storage in a variety of languages — .NET, Java, Node.js, Python, PHP, Ruby, Go, and others — as well as a mature REST API. Azure Storage supports scripting in Azure PowerShell or Azure CLI. And the Azure portal and Azure Storage Explorer offer easy visual solutions for working with your data.
Azure Storage includes these data services:
Azure Blobs: A massively scalable object store for text and binary data.
Azure Files: Managed file shares for cloud or on-premises deployments.
Azure Queues: A messaging store for reliable messaging between application components.
Azure Tables: A NoSQL store for schemaless storage of structured data.
One of our Architecture Security by Design policy, is to Encrypt all the storage in Azure via Microsoft Azure Key vault.
Deploying Azure IaaS Virtual Machine with ARM Templates
Enterprise organizations with more then ten employees managing IT datacenters are working by process and order to do the job for the business. When they are all using the Azure Portal and deploy Virtual Machines manually you will get a mess and things can go wrong. In Microsoft Azure you have the Azure Resource Manager for deploying JSON ARM Templates. With these Azure Resource Manager Templates you can automate your workload deployments in Microsoft Azure. For example : We build a JSON template to deploy a Windows Server in the right Azure Subscription in the right Azure Resource Group and with the following extensions to it :
- Antimalware agent installed
- Domain joined in the right OU (Active Directory)
- Azure Log analytics agent installed ( Connected to Azure Monitor and SCOM )
- Encryption by default.
Using with our Azure naming conventions and Azure policy we always deploy consistent without making mistakes or by wrong typing in the Azure portal. When you write and make your ARM templates for different workloads, you can store them in Azure DevOps Repo ( Repository) and you can connect your private repo to GitHub.
Making ARM templates works really Awesome with Microsoft Visual Studio Code which is opensource and free of charge. You can add your favorite VSC extensions to work with like Azure Resource Manager.
Azure monitoring and Recovery Service Vault
To manage your Azure Hybrid Cloud environment you have to monitor everything to keep in control of your Virtual Datacenter. And of course you have to plan your business continuity with Azure Recovery Services (Backup) by Design. We made in every Azure Subscription an Azure Recovery Services Vault for making Backups. This is because you don’t want backup traffic over your VNET peering’s. In the Azure HUB subscription we made a second Azure Site Recovery (ASR) Vault for the “Lift & Shift” migration of On-premises Virtual Machines to the landing zone in Azure HUB.
With Microsoft Azure Monitor we use Log Analytics and Service maps and with the same OMS agent on the Virtual Machine, we still can use Microsoft System Center Operation Manager (SCOM) connected to the same agent 🙂
When you have 45 locations, 45.000 students with BYOD and 10.000 Managed workstations, you will monitor 24 x 7 to keep everything running for your Business. Monitoring Express Route with a Backup connection is a must for your Hybrid Virtual Datacenter. Here you have more information about monitoring Express Route Circuit
Monitoring our Express Route
With this all installed in Microsoft Azure by Design, we have the policy Security First !
Microsoft Azure Security Center
Azure Security Center provides unified security management and advanced threat protection across hybrid cloud workloads. With Security Center, you can apply security policies across your workloads, limit your exposure to threats, and detect and respond to attacks.
We are already installing Azure Threat Protection (ATP) for our On-premises Datacenter for Security.
We still have a lot to configure in Microsoft Azure to get the Basic Architecture Design in place. When that is done, I will make three more blogposts about this datacenter transformation :
- “Lift and Shift” migration with ASR for Virtual Machines on Hyper-V and VMware.
- SQL assessment and Data Migration to Azure
- Optimize of all Workloads in Microsoft Azure.
Hope this blogpost will help you too with your Datacenter transition to Microsoft Azure Cloud.