Brett Borschel

Creating secure spoke virtual networks in Azure cloud

Updated: May 4, 2022


Detailed steps for creating a secure Azure hub spoke virtual network

Building traditional firewall-centric enterprise network architectures in the cloud has always been troublesome. Compared to the extreme granularity of on-prem Layer 7 NGFW-segmented networks, the flat any-to-any Layer 4 NSG-secured cloud has been lacking for a long time. Not any more...


Armed with the right cloud design and some recently added Microsoft features, we can now create very secure network topologies in the cloud.


In this article, I will explain the detailed steps for creating secure spoke virtual networks in Azure cloud.

Let's begin...


We want our secure spoke networks to have the following characteristics:


First, traffic sourced from outside the spoke will not be allowed to reach the spoke without traveling through the hub firewall.


Second, traffic from inside the spoke will not be allowed to reach any destination without traveling through the hub firewall.


In order to meet these requirements, we have to complete the following steps. Refer to the diagram above for a visualization.


1. Create a spoke virtual network.


2. Create a subnet inside the spoke virtual network.


3. Peer the spoke vnet to the hub vnet with the following settings.

(Figure: spoke vnet peering settings)


4. Create a UDR on the spoke subnet that points 0.0.0.0/0 (the default route) at the NVA firewall ILB.

(Propagate gateway routes? No)

(Figure: disable gateway route propagation on the spoke route table)

5. Create a UDR on the hub vnet's GatewaySubnet that points the spoke network at the NVA firewall ILB.

(Propagate gateway routes? Yes)


6. Apply an NSG to the spoke subnet blocking direct internet access.

This NSG is very simple and is not designed to secure the resources in the subnet. That is the job of the NVA firewall in the hub. This NSG is designed to prevent traffic from accessing the internet through local public IPs. This forces traffic from devices in the spoke subnet to go through the hub NVA firewall.

(Figure: spoke NSG rules)

7. Create rules on the NVA firewall to permit the desired traffic to the spoke.


These security rules will depend on the make and model of the NVA firewall. However, because we are not using NSGs to protect resources, we want to make sure that these rules follow network security best practices and are as restrictive as possible.
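As an added example (not code from the article), here are the Azure CLI commands that implement steps 1 through 6 for a single spoke. The resource group, resource names, address ranges, hub vnet and firewall ILB IP are assumed placeholders, and the peering flags are my reading of the settings, since the screenshot is not reproduced on this page.

```shell
#!/bin/sh
# Added example, not from the original article: Azure CLI for steps 1-6 of the guide.
# RG, names, address ranges and FW_ILB_IP are assumed placeholders; the hub vnet is
# assumed to exist in the same resource group with a GatewaySubnet.
# Set AZ=echo to print the commands instead of running them (dry run).
AZ="${AZ:-az}"
RG="${RG:-rg-network}"
LOC="${LOC:-eastus}"
HUB_VNET="vnet-hub"
SPOKE_VNET="vnet-spoke01"
SPOKE_CIDR="10.10.0.0/16"
SPOKE_SUBNET="snet-workload"
SPOKE_SUBNET_CIDR="10.10.1.0/24"
FW_ILB_IP="10.0.1.4"   # frontend IP of the hub NVA firewall internal load balancer (assumed)

create_secure_spoke() {
  # Steps 1-2: spoke vnet and its workload subnet
  $AZ network vnet create -g "$RG" -l "$LOC" -n "$SPOKE_VNET" --address-prefixes "$SPOKE_CIDR" \
    --subnet-name "$SPOKE_SUBNET" --subnet-prefixes "$SPOKE_SUBNET_CIDR"

  # Step 3: peer both directions. Forwarded traffic must be allowed so packets relayed by
  # the hub NVA are accepted; the spoke uses the hub's gateway instead of having its own.
  $AZ network vnet peering create -g "$RG" -n "peer-${SPOKE_VNET}-to-hub" --vnet-name "$SPOKE_VNET" \
    --remote-vnet "$HUB_VNET" --allow-vnet-access --allow-forwarded-traffic --use-remote-gateways
  $AZ network vnet peering create -g "$RG" -n "peer-hub-to-${SPOKE_VNET}" --vnet-name "$HUB_VNET" \
    --remote-vnet "$SPOKE_VNET" --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit

  # Step 4: spoke UDR with a default route to the NVA ILB; "Propagate gateway routes: No"
  $AZ network route-table create -g "$RG" -l "$LOC" -n "rt-${SPOKE_VNET}" --disable-bgp-route-propagation true
  $AZ network route-table route create -g "$RG" --route-table-name "rt-${SPOKE_VNET}" -n default-to-fw \
    --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address "$FW_ILB_IP"
  $AZ network vnet subnet update -g "$RG" --vnet-name "$SPOKE_VNET" -n "$SPOKE_SUBNET" --route-table "rt-${SPOKE_VNET}"

  # Step 5: GatewaySubnet UDR sending the spoke prefix via the NVA ILB; propagation stays on
  $AZ network route-table create -g "$RG" -l "$LOC" -n rt-gatewaysubnet --disable-bgp-route-propagation false
  $AZ network route-table route create -g "$RG" --route-table-name rt-gatewaysubnet -n "${SPOKE_VNET}-via-fw" \
    --address-prefix "$SPOKE_CIDR" --next-hop-type VirtualAppliance --next-hop-ip-address "$FW_ILB_IP"
  $AZ network vnet subnet update -g "$RG" --vnet-name "$HUB_VNET" -n GatewaySubnet --route-table rt-gatewaysubnet

  # Step 6: NSG whose only job is to block egress through local public IPs
  $AZ network nsg create -g "$RG" -l "$LOC" -n "nsg-${SPOKE_VNET}"
  $AZ network nsg rule create -g "$RG" --nsg-name "nsg-${SPOKE_VNET}" -n DenyInternetOutbound --priority 100 \
    --direction Outbound --access Deny --protocol '*' --destination-address-prefixes Internet --destination-port-ranges '*'
  $AZ network vnet subnet update -g "$RG" --vnet-name "$SPOKE_VNET" -n "$SPOKE_SUBNET" --network-security-group "nsg-${SPOKE_VNET}"
}

# Run only when invoked as "sh script.sh apply", so sourcing or a dry run changes nothing.
if [ "${1:-}" = "apply" ]; then
  create_secure_spoke
fi
```

Step 7 is not scripted here because the permit rules are specific to the NVA vendor.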


Final thoughts...


This step-by-step guide is designed to work with the hub spoke architecture outlined in my previous article here:


Also, note that setting up BGP peering from the NVA firewall to Azure Route Server is a prerequisite to these steps, so that the NVA firewall learns how to route to the peered spoke and on-prem prefixes.


Additional Reading:


