Forum Discussion

Galaxy876's avatar
Galaxy876
Copper Contributor
Dec 11, 2024

Network Design Ideas for VMs in Azure

Hello,

 

I am analyzing the current Azure environment at my new job and trying to figure out the architectural choices mostly networking wise. Currently, we have 10 VMs and each VM has its own VNet and they are all in the same region. In my experience so far, I have never seen such network design in Azure before. If all VMs are in the same region, we could have one Vnet and utilize subnets and NSGs to segment the VMs and control the traffic. Having so many different VNets makes it very complex to manage.

Looking for opinions what other people think. Is this just a bad design or just to keep the VMs separate from each other.

azure
virtual machines
virtual network
VNET

6 Replies

Sort By
  • az_in_all's avatar
    az_in_all
    Copper Contributor
    Jun 15, 2025

    Having multiple vNets in an Azure environment would not cost any pricing, but proper planning is essential in having a good network layout for any production, staging or dev environment. Indeed, a Hub and Spoke architecture is recommended, however the more the vNets, the more chances of having any human errors. 

  • Chris_toffer0707's avatar
    Chris_toffer0707
    Iron Contributor
    May 12, 2025

    Really depends on what those 10 VMs are running. 

    If the consist of Active Directory, file, print, SQL and app servers, AVD e.g. you could follow Azure Well-Architected Framework and utilize Azure Landing Zone design to segment your workloads into different landing zone subscriptions. Use Azure Policy on management groups or subscriptions to better control your workloads and future deployments within the landing zones and new subscriptions. 

  • MathieuVandenHautte's avatar
    MathieuVandenHautte
    Steel Contributor
    Mar 25, 2025

    Hi Galaxy876

    For a small business scenario, simplicity is key - keep it straightforward and efficient. I’d recommend opting for a single virtual network with all VMs in one subnet. You can use an NSG on the subnet to segment the VMs as needed. 

  • mshaw's avatar
    mshaw
    Copper Contributor
    Feb 27, 2025

    I would say that is very strange, but also need to know the back story if there is one. I agree you could obtain the same result with fewer vNets and using subnets. I would see if there is any documentation around the original design and deployment. Any key decisions made, etc. I guess if you guys have a unique requirement from the app\vendors\software running on the VMs then maybe design and build it that way but like the other posts mentioned below it definitely doesn't support the best practices and design that MSFT recommends. I know you posted this a few months ago so would be interested to hear what you found out thus far and if you made any sort of changes yet.

  • sachintechie's avatar
    sachintechie
    MCT
    Jan 03, 2025

    When designing a landing zone architecture in Azure, adopting a hub-and-spoke model is a best practice that can help streamline management, enhance security, and improve scalability. Here’s a refined approach:

    Best Practices for Building a Landing Zone Architecture with Hub-and-Spoke Model

    1. Centralized Management with Hub VNet:
      • Hub VNet: Acts as a central point for managing and routing traffic. It typically contains shared services like DNS, Active Directory, and firewalls[1].
      • Spoke VNets: Connect to the hub VNet and are used to isolate workloads. Each spoke can represent different environments (e.g., development, testing, production) or different applications[1].
    2. Network Security:
      • Network Security Groups (NSGs): Apply NSGs to subnets within the spoke VNets to control inbound and outbound traffic. This ensures that only authorized traffic flows between the hub and spokes[1].
      • Azure Firewall: Deploy Azure Firewall in the hub VNet to provide centralized protection and logging for all traffic between the hub and spokes[1].
    3. Scalability and Flexibility:
      • Peering Connections: Use VNet peering to connect the hub and spoke VNets. This allows for low-latency, high-bandwidth connectivity while maintaining isolation[1].
      • Scalable Design: The hub-and-spoke model supports easy addition of new spokes as your environment grows, ensuring scalability[1].
    4. Cost Management:
      • Shared Resources: Centralize shared services in the hub VNet to reduce redundancy and cost. This includes services like monitoring, security, and identity management[1].
      • Cost Tracking: Implement tagging and cost management policies to track and optimize spending across your VNets[2].
    5. Governance and Compliance:
      • Azure Policy: Use Azure Policy to enforce organizational standards and compliance requirements across all VNets. This ensures that all resources adhere to best practices and regulatory requirements[3].
      • Role-Based Access Control (RBAC): Implement RBAC to control access to resources based on roles, ensuring that users have the minimum necessary permissions[2].

    By following these best practices, you can create a robust, scalable, and secure landing zone architecture in Azure using the hub-and-spoke model. This approach not only simplifies management but also enhances security and compliance.

    Would you like more details on any specific aspect of this architecture?


    References

    [1] Hub-spoke network topology in Azure - Azure Architecture Center

    [2] From Zero to Hero with Azure Landing Zones | Microsoft Community Hub

    [3] Tailor the Azure landing zone architecture to meet requirements



Resources