Download a draw.io file of this schema.
This repo contains a preconfigured Azure hub-and-spoke network topology, aligned with the Azure enterprise-scale landing zone reference architecture and deployable to your subscription with a single click. It is useful for testing and studying network configurations in a controlled, repeatable environment.
As a bonus, many scenarios with step-by-step solutions for studying and learning are also available.
Also read this blog post for more information on this project.
The "playground" is composed of:
- two hub-and-spoke network topologies aligned with the Microsoft enterprise-scale landing zone reference architecture
- two simulated on-premises environments, deployed in two different regions, each composed of a network, client machine(s) and a VPN gateway
You can use the following buttons to deploy the demo environment to your Azure subscription:
ARM template hub-01-bicep "the HUB playground" deploys:
- 4 Azure Virtual Networks:
  - hub-lab-net, located in West Europe, with 4 subnets:
    - default subnet: used to connect the hub-vm-01 machine
    - AzureFirewallSubnet: used by Azure Firewall
    - AzureBastionSubnet: used by Azure Bastion
    - GatewaySubnet: used by the Azure VPN Gateway
  - spoke-01, located in West Europe, with 2 subnets, used to connect the spoke-01-vm machine
  - spoke-02, located in West Europe, with 2 subnets, used to connect the spoke-02-vm machine
  - spoke-03, located in North Europe, with 2 subnets, used to connect the spoke-03-vm machine
- An Azure Bastion resource that provides secure and seamless RDP/SSH connectivity to the jumpbox virtual machine directly from the Azure portal over TLS
- An Azure Firewall Premium resource that provides centralized traffic inspection
- An Azure VPN Gateway resource used to send encrypted traffic between the hub virtual network and the simulated on-premises location
- 4 virtual machines:
  - hub-vm-01: a Windows Server virtual machine that simulates a server located in the hub
  - spoke-01-vm: a Windows Server virtual machine that simulates a server located in the spoke-01 vnet
  - spoke-02-vm: a Windows Server virtual machine that simulates a server located in the spoke-02 vnet
  - spoke-03-vm: a Linux virtual machine that simulates a server located in the spoke-03 vnet
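The following Bicep is an added example, not the playground's own template, showing how the pieces listed above fit together: the hub VNet with the three subnet names Azure reserves (and the sizes it expects), one spoke whose subnet carries a default route to the firewall, and the two-way peering with the flags the spoke-to-spoke and on-premises scenarios rely on. Resource names, address ranges, the firewall private IP and the API version are assumptions; the playground's any-to-any template deploys two route tables like the one here, since route tables are regional and the spokes span two regions.

```bicep
// Added example, not the playground's own template. Names, address ranges,
// the firewall private IP and the API version are assumptions.
param location string = 'westeurope'
param firewallPrivateIp string = '10.0.1.4'

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'hub-lab-net'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: 'default'
        properties: { addressPrefix: '10.0.0.0/24' }
      }
      // The next three names are fixed by Azure; a misspelling such as
      // "AzureFirewallSubet" makes the Firewall, Bastion or Gateway deployment fail.
      {
        name: 'AzureFirewallSubnet'  // /26 required
        properties: { addressPrefix: '10.0.1.0/26' }
      }
      {
        name: 'AzureBastionSubnet'   // /26 required
        properties: { addressPrefix: '10.0.2.0/26' }
      }
      {
        name: 'GatewaySubnet'        // /27 or larger recommended
        properties: { addressPrefix: '10.0.3.0/27' }
      }
    ]
  }
}

// Route table for the spoke subnet: default route to the firewall. BGP
// propagation is disabled so routes learned through the VPN gateway cannot
// install a path that bypasses the firewall.
resource spokeRouteTable 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-spoke-01'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'spoke-01'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.1.0.0/16' ] }
    subnets: [
      {
        name: 'default'
        properties: {
          addressPrefix: '10.1.0.0/24'
          routeTable: { id: spokeRouteTable.id }
        }
      }
    ]
  }
}

// Peering in both directions. allowForwardedTraffic lets the spoke accept
// packets the hub firewall forwards on behalf of other spokes. Gateway
// transit is what lets a spoke reach on-premises through the hub gateway.
resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-04-01' = {
  parent: hubVnet
  name: 'hub-to-spoke-01'
  properties: {
    remoteVirtualNetwork: { id: spokeVnet.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    allowGatewayTransit: true
  }
}

resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-04-01' = {
  parent: spokeVnet
  name: 'spoke-01-to-hub'
  properties: {
    remoteVirtualNetwork: { id: hubVnet.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    // Set to true only after the hub VPN gateway exists; the peering
    // deployment fails otherwise.
    useRemoteGateways: false
  }
}
```

Deploy it with `az deployment group create -g <rg> -f hub-spoke.bicep` (file name assumed). The two settings that most often break the scenarios in the table are `allowForwardedTraffic`, without which spoke-to-spoke traffic forwarded by the firewall is dropped at the destination spoke, and `disableBgpRoutePropagation`, without which a site-to-site connection with BGP can silently bypass the firewall.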
Download a draw.io file of this schema.
ARM template on-prem "ON PREMISES" deploys:
- on-prem-net: an Azure Virtual Network located in West France, with 3 subnets:
  - default subnet: used to connect the w10-onprem-vm machine
  - AzureBastionSubnet: used by Azure Bastion
  - GatewaySubnet: used by the Azure VPN Gateway
- An Azure Bastion resource that provides secure and seamless RDP/SSH connectivity to the jumpbox virtual machine directly from the Azure portal over TLS
- An Azure VPN Gateway resource used to send encrypted traffic between the simulated on-premises network and the hub virtual network
- w10-onprem-vm: a Windows 10 VM that simulates a desktop client in an on-premises location
Download a draw.io file of this schema.
ARM template on-prem-2 "ON PREMISES 2" deploys:
- on-prem-2-net: an Azure Virtual Network located in Germany West Central, with 3 subnets:
  - default subnet: used to connect the lin-onprem-vm machine
  - AzureBastionSubnet: used by Azure Bastion
  - GatewaySubnet: used by the Azure VPN Gateway
- An Azure Bastion resource that provides secure and seamless RDP/SSH connectivity to the jumpbox virtual machine directly from the Azure portal over TLS
- An Azure VPN Gateway resource used to send encrypted traffic between the simulated on-premises network and the hub virtual network
- lin-onprem-vm: a Linux VM that simulates a Linux client in an on-premises location
Download a draw.io file of this schema.
ARM template hub-02 "the HUB 02 playground" deploys:
- 8 Azure Virtual Networks:
  - hub-lab-02-net, located in North Europe, with 4 subnets:
    - default subnet: empty
    - AzureFirewallSubnet: used by Azure Firewall
    - AzureBastionSubnet: used by Azure Bastion
    - GatewaySubnet: used by the Azure VPN Gateway
  - spoke-04, located in North Europe, with 2 subnets, used to connect the spoke-04-vm machine
  - spoke-05 to spoke-10: additional spokes, located in North Europe, with 2 subnets each
- An Azure Bastion resource that provides secure and seamless RDP/SSH connectivity to the jumpbox virtual machine directly from the Azure portal over TLS
- An Azure Firewall Standard resource that provides centralized traffic inspection
- An Azure VPN Gateway resource used to send encrypted traffic between the hub virtual network and the simulated on-premises location
- spoke-04-vm: a Windows Server virtual machine that simulates a server located in the spoke-04 landing zone
Download a draw.io file of this schema.
The ARM template any-to-any deploys:
- 2 route tables that forward all spoke traffic to the firewall
- 1 IP Group and one Azure Firewall policy that:
  - allows spoke-to-spoke communication
  - blocks sites in the web categories Nudity, Child Inappropriate and Pornography
  - allows all remaining outbound HTTP(S) traffic
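As an added example (not the playground's any-to-any template), the Bicep below builds the IP group and firewall policy just described, with the rule ordering that makes the three bullets actually hold: the network rule collection handles spoke-to-spoke, and the web-category deny collection gets a lower priority number than the allow-all application collection so it is evaluated first. Resource names, spoke prefixes, region and API version are assumptions, and the web-category identifiers are assumed to be the portal names with spaces removed.

```bicep
// Added example, not the playground's any-to-any template. Names, spoke
// prefixes, the region and the API version are assumptions.
param location string = 'westeurope'
param spokePrefixes array = [
  '10.1.0.0/16'
  '10.2.0.0/16'
  '10.3.0.0/16'
]

// One IP group holding every spoke prefix, referenced by all rules below,
// so adding a spoke means editing one list rather than every rule.
resource spokesIpGroup 'Microsoft.Network/ipGroups@2023-04-01' = {
  name: 'ipg-spokes'
  location: location
  properties: {
    ipAddresses: spokePrefixes
  }
}

// The policy tier must match the firewall it is attached to (Premium in
// hub-01, Standard in hub-02); web categories need Standard or Premium.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' = {
  name: 'fwp-any-to-any'
  location: location
  properties: {
    sku: { tier: 'Premium' }
    threatIntelMode: 'Alert'
  }
}

var webProtocols = [ { protocolType: 'Http', port: 80 }, { protocolType: 'Https', port: 443 } ]

// Network rules are always evaluated before application rules. Among the
// application rule collections, the deny collection must carry the lower
// priority number, otherwise the allow-all collection matches first and
// the category block never fires.
resource rules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-04-01' = {
  parent: fwPolicy
  name: 'rcg-any-to-any'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-spoke-to-spoke'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'spokes-to-spokes-any'
            ipProtocols: [ 'Any' ]
            sourceIpGroups: [ spokesIpGroup.id ]
            destinationIpGroups: [ spokesIpGroup.id ]
            destinationPorts: [ '*' ]
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'deny-web-categories'
        priority: 110
        action: { type: 'Deny' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'deny-adult-content'
            protocols: webProtocols
            sourceIpGroups: [ spokesIpGroup.id ]
            // Category identifiers assumed: portal names without spaces.
            webCategories: [ 'Nudity', 'ChildInappropriate', 'Pornography' ]
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-web-outbound'
        priority: 120
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'allow-all-http-https'
            protocols: webProtocols
            sourceIpGroups: [ spokesIpGroup.id ]
            targetFqdns: [ '*' ]
          }
        ]
      }
    ]
  }
}
```

Note that the network rule allows any protocol and port between spokes, which is what "any-to-any" means for a lab; in a real landing zone that collection would be the place to narrow to the ports each workload needs. Also, because the allow-spoke-to-spoke network rule is evaluated first, HTTP(S) traffic between spokes is never subjected to the web-category check; only traffic leaving towards the Internet reaches the application rules.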
The site-to-site VPN connection shown in the architecture is not deployed and configured automatically: its configuration is covered by one of the playground scenarios.
All machines have the same account parameters:
- username: nicola
- password: password.123
Because these credentials are published here, never expose the VMs' RDP or SSH ports to the Internet (for example with the DNAT scenario below) without changing them first; use Bastion for interactive access.
Here is a list of tested scenarios usable on this playground.
For each scenario you have:
- prerequisites: the components that must be deployed to implement the solution (only the hub, or also one on-prem playground or both)
- solution: a step-by-step sequence to implement the solution
- test solution: a procedure to follow to verify that the scenario works as expected
| # | scenario description | step-by-step solution |
|---|---|---|
| 1 | Configure the environment to allow a VM in any spoke to communicate with any VM in any other spoke | solution using Azure Firewall; solution using Azure virtual network gateway; solution using Azure Virtual Network Manager |
| 2 | Expose the RDP port (3389) of spoke-01-vm and spoke-02-vm on a public IP, through the firewall | solution using Azure Firewall DNAT |
| 3 | Connect on-prem-net with hub-lab-net using a VNet-to-VNet Azure gateway connection | solution on-premise vnet-to-vnet; solution on-premise2 vnet-to-vnet-2 |
| 4 | Connect on-prem-net with hub-lab-net using a site-to-site (IPsec) connection | solution with gateway-ipsec; solution with gateway-ipsec active-active; solution with gateway-ipsec in dual redundancy; solution with multiple VPN devices [ * DRAFT * ] |
| 5 | Configure a DNS in the cloud, so that all machines are reachable via FQDN | solution with azure-dns |
| 6 | Configure and use Azure Firewall logs for troubleshooting | configure log-analytics-on-firewall |
| 7 | Install a test web server on spoke-03-vm | install web-server |
| 8 | Connect on-prem-net and on-prem-2-net to hub-lab-net via S2S IPsec and allow cross-on-premises communication | solution cross-on-premise-routing |
| 9 | Use Azure Firewall for traffic inspection between on-prem-net and spoke-01 (north/south traffic inspection) | solution north-south-inspection |
| 10 | Use Network Watcher for logging and network troubleshooting | solution network watcher |
| 11 | DNS resolution: configure a DNS in the cloud and make sure that all machines are reachable via FQDN also from on-premises | solution with Azure Firewall; solution with Private DNS Resolver |
| 12 | Secure a web workload with both Azure Firewall Premium and Azure Web Application Firewall | solution with Azure Firewall and WAF |
| 13 | Configure a P2S VPN | solution with certificate authentication; solution with CA and Always On |
| 14 | Routing across hubs with BGP | solution using Azure virtual network gateway |
| 15 | Routing across hubs without BGP | solution with Azure Firewall |
| 16 | Publish an internal web app via Azure Application Gateway on private and public IPs in HTTPS | solution with Azure Application Gateway |
| 17 | Publish an internal SFTP endpoint via Azure Firewall | solution with Azure Firewall |
| 18 | Deploy an Azure OpenAI service in a hub-and-spoke network topology and publish it internally via a private Azure API Management | solution with APIM and AOAI |
Would you like to see a scenario not listed? Open an issue!