A collection of Bicep/ARM templates that deploys on Azure a hub-and-spoke network topology aligned with the Microsoft enterprise-scale landing zone reference architecture, to use as a playground for testing and study. As a bonus, many scenarios with step-by-step solutions for studying and learning are also available.
Download a draw.io file of this schema.
This repo contains a preconfigured Azure hub-and-spoke network topology, aligned to the Azure enterprise-scale landing zone reference architecture, deployable with a click to your subscription and useful for testing and studying network configurations in a controlled, repeatable environment.
As a bonus, many scenarios with step-by-step solutions for studying and learning are also available.
Read also this blog post for more info on this project.
The "playground" is composed of the templates described below. The deploy buttons in the repository let you deploy the demo environment to your Azure subscription.
ARM template hub-01-bicep "the HUB playground" deploys:

- hub-lab-net: located in West Europe, with 4 subnets
- spoke-01: with 2 subnets, located in West Europe, used to connect the spoke-01-vm machine
- spoke-02: with 2 subnets, located in West Europe, used to connect the spoke-02-vm machine
- spoke-03: with 2 subnets, located in North Europe, used to connect the spoke-03-vm machine
- hub-vm-01: a Windows Server virtual machine that simulates a server located in the hub location
- spoke-01-vm: a Windows Server virtual machine that simulates a server located in the spoke-01 vnet
- spoke-02-vm: a Windows Server virtual machine that simulates a server located in the spoke-02 vnet
- spoke-03-vm: a Linux virtual machine that simulates a server located in the spoke-03 vnet

Download a draw.io file of this schema.
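The following Bicep fragment is an added illustration, not the repository's own hub-01-bicep template: it declares a hub vnet named hub-lab-net with 4 subnets and a spoke named spoke-01 with 2 subnets in West Europe, peered in both directions. Address spaces and subnet names are assumptions; the repository's actual values may differ.

```bicep
// Added example (not the repo's template). Address prefixes and subnet
// names are assumptions chosen for illustration only.
param location string = 'westeurope'

resource hub 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'hub-lab-net'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      // AzureFirewallSubnet, GatewaySubnet and AzureBastionSubnet are the
      // fixed names Azure requires for those services.
      { name: 'AzureFirewallSubnet', properties: { addressPrefix: '10.0.0.0/26' } }
      { name: 'GatewaySubnet', properties: { addressPrefix: '10.0.1.0/27' } }
      { name: 'AzureBastionSubnet', properties: { addressPrefix: '10.0.2.0/26' } }
      { name: 'hub-servers', properties: { addressPrefix: '10.0.10.0/24' } }
    ]
  }
}

resource spoke01 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'spoke-01'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.1.0.0/16' ] }
    subnets: [
      { name: 'workload', properties: { addressPrefix: '10.1.0.0/24' } }
      { name: 'management', properties: { addressPrefix: '10.1.1.0/24' } }
    ]
  }
}

// Peering is directional: both halves must exist or the link stays
// "Initiated" and no traffic flows. allowForwardedTraffic lets packets that
// an Azure Firewall in the hub forwards on behalf of another spoke enter
// this vnet, which the any-to-any scenario relies on.
resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: hub
  name: 'hub-to-spoke-01'
  properties: {
    remoteVirtualNetwork: { id: spoke01.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
  }
}

resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: spoke01
  name: 'spoke-01-to-hub'
  properties: {
    remoteVirtualNetwork: { id: hub.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
  }
}
```

Peering alone does not make two spokes reachable from each other; spoke-to-spoke traffic still needs a route table pointing at the hub firewall, which is what the first scenario in the table covers.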
ARM template on-prem "ON PREMISES" deploys:

- on-prem-net: an Azure Virtual Network located in west France, with 3 subnets
- w10-onprem-vm: a Windows 10 VM that simulates a desktop client in an on-premises location

Download a draw.io file of this schema.
ARM template on-prem-2 "ON PREMISES 2" deploys:

- on-prem-2-net: an Azure Virtual Network located in west central Germany, with 3 subnets
- lin-onprem-vm: a Linux VM that simulates a Linux client in an on-premises location

Download a draw.io file of this schema.
ARM template hub-02 "the HUB 02 playground" deploys:

- hub-lab-02-net: located in North Europe, with 4 subnets
- spoke-04: located in North Europe, with 2 subnets, used to connect the spoke-04-vm machine
- spoke-05 ... spoke-10: additional spokes, located in North Europe, with 2 subnets each
- spoke-04-vm: a Windows Server virtual machine that simulates a server located in the spoke-04 landing zone

Download a draw.io file of this schema.
The ARM template any-to-any deploys:
The site-to-site VPN connection shown in the architecture is not automatically deployed and configured: its configuration is covered by one of the playground scenarios.

All machines have the same account parameters (as follows):

- username: nicola
- password: password.123
Here is a list of tested scenarios usable on this playground.
For each scenario you have:
| # | scenario description | step-by-step solution |
|---|---|---|
| 1 | Configure the environment to allow a VM in any spoke to communicate with any VM in any other spoke | solution using Azure Firewall; solution using Azure virtual gateway; solution using Azure Virtual Network Manager |
| 2 | Expose on a public IP, through the Firewall, the RDP port (3389) of spoke-01-vm and spoke-02-vm | solution using Azure Firewall DNAT |
| 3 | Connect on-prem-net with hub-lab-net using a vNet-to-vNet Azure Gateway connection | solution on-premise vnet-to-vnet; solution on-premise2 vnet-to-vnet-2 |
| 4 | Connect on-prem-net with hub-lab-net using a Site-to-Site (IPsec) connection | solution with gateway-ipsec; solution with gateway-ipsec active-active; solution with gateway-ipsec in dual redundancy; solution with multiple VPN devices [ * DRAFT * ] |
| 5 | Configure a DNS on the cloud, so that all machines are reachable via FQDN | solution with azure-dns |
| 6 | Configure and use Azure Firewall logs for troubleshooting | configure log-analytics-on-firewall |
| 7 | Install a test web server on spoke-03-vm | install web-server |
| 8 | Connect on-prem-net and on-prem2-net to hub-lab-net via S2S IPsec and allow cross-on-premises communication | solution cross-on-premise-routing |
| 9 | Use Azure Firewall for traffic inspection between on-prem-net and spoke-01 networks (North/South traffic inspection) | solution north-south-inspection |
| 10 | Use Network Watcher for logging and network troubleshooting | solution network watcher |
| 11 | DNS resolution: configure a DNS on the cloud, and be sure that all machines are reachable via FQDN also from on-premises | solution with Azure Firewall; solution with Private DNS Resolver |
| 12 | Secure a web workload with both Azure Firewall Premium and Azure Web Application Firewall | solution with Azure Firewall and WAF |
| 13 | Configure a P2S VPN | solution with certificate authentication; solution with CA and always-on |
| 14 | Routing across hubs with BGP | solution using Azure Virtual Network Gateway |
| 15 | Routing across hubs without BGP | solution with Azure Firewall |
| 16 | Publish an internal web app via Azure Application Gateway on private and public IPs in HTTPS | solution with Azure Application Gateway |
| 17 | Publish an internal SFTP endpoint via Azure Firewall | solution with Azure Firewall |
| 18 | Deploy an Azure OpenAI service in a hub-and-spoke network topology and publish it internally via a private Azure API Management | solution with APIM and AOAI |
Would you like to see a scenario not listed? Open an issue!