Azure Scaffold Templates

The term ‘Azure Scaffolding’ for the Cloud essentially refers to creating a Cloud design that establishes an architecture foundation supporting a scalable, reliable, flexible, dynamic, and redundant architecture. In this blog, I will focus on the ‘Azure Scaffold’ and how to deploy it programmatically within your subscriptions to start your Azure Cloud journey.


Before we start with ‘Azure Scaffold’, I’d like to provide context on the ‘Cloud Adoption Framework for Azure’ (CAF), because the Azure architecture deployed through the Azure Scaffold templates follows the guidance, best practices, and recommendations covered under the CAF. In summary, CAF for Azure covers multiple elements, such as strategy, readiness plan, available assets, innovation, governance, management, and optimisation, which together make up a complete Cloud lifecycle or ‘Cloud Journey’. The CAF helps throughout your transformational journey from a physical on-premises DC to the Azure public Cloud by providing a methodology that covers specific approaches, practices, tools, and techniques to prevent common blockers, based on best practices from Microsoft, partners, and customers.


Now, let’s switch our thought process towards ‘Azure Scaffold’. The key question is: ‘How do you set up an Azure foundation that is scalable, flexible, dynamic, secured, and leverages the CAF for Azure?’


During your Cloud adoption journey, you bring your technical design and architecture experience, knowledge, and ideas around Azure Scaffold to bear after the strategy exercise is completed, i.e. after all business or organisational strategies are finalised and you are ready to move to the next phase of the journey.

Azure Scaffolding requires a business and architectural mindset to make substantial decisions around numerous technical and non-technical components, so that you can meet current and future technical and business requirements. Some of these topics are the number of subscriptions, the number of environments, network traffic flow, cybersecurity principles, security controls, monitoring, and backup. To help you with these topics and to smooth decision-making, we have created Azure Scaffold templates that are based on best practices and guidance from Microsoft, partners, and customers. You can use these templates to kick off discussions with your wider team, or you may decide to simply set up an Azure foundation as per the reference architecture below. These templates are readily available to deploy the recommended hub-spoke Azure architecture.


The Azure Scaffold template deploys a secure Azure environment that you can use to deploy application servers and resources. As part of this scaffold environment, a hub and spoke architecture is deployed, as referenced in the architecture diagram below. The hub subscription, encapsulated by a virtual network, is the sole point of connectivity between your on-premises network and the spoke subscriptions. The spoke subscriptions, each encapsulated in its own virtual network, are peered to the hub using virtual network peering. As such, all ingress and egress network traffic travels via the hub, which isolates the spoke workloads so that their only connectivity is via the hub vNet; the hub is therefore the single point at which that traffic can be inspected and controlled.


The hub and spoke architecture is split into four subscriptions, as seen in the following diagram:


[Architecture diagram: sumitkup1_1-1592196981183.png]


The intent is to provide hub-spoke Azure architecture templates that are readily available for you to accelerate your Cloud journey, support architectural decision-making, reduce deployment effort and cost, minimise human error, and build a secure platform. You may decide to deploy the same architecture as described in the diagram above, or you may choose to make certain changes to these templates. For example, you may want to remove the ‘Pre-Prod’ or ‘Non-Prod’ subscription from your architecture if you don’t need them, or you may choose to deploy a third-party firewall to meet specific cybersecurity requirements. You can download these templates and make changes, if and where necessary, based on your requirements to expedite your Azure Scaffold build.


GitHub Repo - https://github.com/rajanbhayana/AzureScaffoldingHubAndSpokeTemplate


Refer to the ReadMe for details on how to deploy these templates and for insight into the template roadmap, and refer to the document attached in the repo for details on parameters and resource values.


Reference Article - Microsoft Cloud Adoption Framework for Azure

https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/

5 Comments
Occasional Visitor

Can't wait to see these in the main Microsoft repo!

Senior Member

I wonder why you put NAT Gateways everywhere? What is the need for them?

Microsoft

Hi @KFahmy - re. your above query. That is to send all internet outbound traffic using a specific static public IP address or addresses, e.g. if you want to send traffic to a third party web scanning SaaS service and want to use a specific static public IP address or addresses.

Senior Member

@sumitkup1 yeah, but I think: why do we standardize it in CAF? I believe it can be one scenario in one VNET if you want to send traffic to a third party web scanning SaaS service, since the majority of the customers, from what I see in the market, like to have as much as possible isolated SPOKES, no public IPs or internet access except through an FW or NVA. Also I believe there are other ways for a third party web scanning SaaS service to be done through a unified gateway rather than exposing each SPOKE to the internet without protection except NSGs as packet filters... I hope you got my point.

Microsoft

@KFahmy - Agree, if the customer requirement is to keep spokes completely 'private', without any public IPs, then you can force tunnel traffic from spoke to hub. Please note, to implement that scenario you will have to modify the templates that are available in the GitHub repo.
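The two properties discussed on this page, that spokes connect only via the hub (the architecture section above) and that a 'private' spoke force-tunnels its default route to the hub with no NAT gateway of its own (the comment thread above), can be checked before deployment by reading the ARM template. The Python script below is an added example, not code from the post or from the GitHub repo, and it audits a small constructed ARM-style template; the resource names, address spaces and the appliance IP 10.0.1.4 are made up for the illustration. It does not model the repo's real templates, only the shape of the resources a hub-spoke template contains.

```python
"""Audit a hub-and-spoke ARM template for two properties discussed in the post:

1. Every spoke virtual network peers only with the hub, so the hub stays the
   sole connectivity point (and spokes cannot reach each other directly).
2. Every spoke subnet force-tunnels 0.0.0.0/0 to a virtual appliance inside the
   hub address space and carries no NAT gateway of its own.

Added illustration code; SAMPLE_TEMPLATE is a constructed, trimmed template.
"""
import ipaddress
import json
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: vnet-prod is compliant, vnet-dev peers sideways to
# vnet-prod and has a NAT gateway with no route table (both are findings).
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-hub",
     "properties": {"addressSpace": {"addressPrefixes": ["10.0.0.0/16"]},
                    "subnets": [{"name": "AzureFirewallSubnet",
                                 "properties": {"addressPrefix": "10.0.1.0/24"}}]}},
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-prod",
     "properties": {"addressSpace": {"addressPrefixes": ["10.1.0.0/16"]},
                    "subnets": [{"name": "app", "properties": {
                        "addressPrefix": "10.1.1.0/24",
                        "routeTable": {"id": "[resourceId('Microsoft.Network/routeTables', 'rt-spoke')]"}}}]}},
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-dev",
     "properties": {"addressSpace": {"addressPrefixes": ["10.2.0.0/16"]},
                    "subnets": [{"name": "app", "properties": {
                        "addressPrefix": "10.2.1.0/24",
                        "natGateway": {"id": "[resourceId('Microsoft.Network/natGateways', 'nat-dev')]"}}}]}},
    {"type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", "name": "vnet-prod/to-hub",
     "properties": {"remoteVirtualNetwork": {"id": "[resourceId('Microsoft.Network/virtualNetworks', 'vnet-hub')]"}}},
    {"type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", "name": "vnet-dev/to-hub",
     "properties": {"remoteVirtualNetwork": {"id": "[resourceId('Microsoft.Network/virtualNetworks', 'vnet-hub')]"}}},
    {"type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", "name": "vnet-dev/to-prod",
     "properties": {"remoteVirtualNetwork": {"id": "[resourceId('Microsoft.Network/virtualNetworks', 'vnet-prod')]"}}},
    {"type": "Microsoft.Network/routeTables", "name": "rt-spoke",
     "properties": {"routes": [{"name": "default", "properties": {
         "addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
         "nextHopIpAddress": "10.0.1.4"}}]}},  # hypothetical hub appliance IP
]})

_REF = re.compile(r"resourceId\('[^']+',\s*'([^']+)'\)")


def ref_name(id_expr: str) -> str:
    """Return the resource name from an ARM resourceId() expression."""
    match = _REF.search(id_expr)
    return match.group(1) if match else id_expr


def by_type(template_json: str) -> Dict[str, List[dict]]:
    """Group the template's resources by resource type."""
    groups: Dict[str, List[dict]] = defaultdict(list)
    for res in json.loads(template_json)["resources"]:
        groups[res["type"]].append(res)
    return groups


def audit_peering(groups: Dict[str, List[dict]], hub: str) -> List[str]:
    """A spoke may peer only with the hub; any other peering bypasses it."""
    findings = []
    for peer in groups["Microsoft.Network/virtualNetworks/virtualNetworkPeerings"]:
        local, _, link = peer["name"].partition("/")
        remote = ref_name(peer["properties"]["remoteVirtualNetwork"]["id"])
        if local != hub and remote != hub:
            findings.append(f"{local}: peering '{link}' targets '{remote}', not the hub '{hub}'")
    return findings


def audit_spoke_egress(groups: Dict[str, List[dict]], hub: str) -> List[str]:
    """Each spoke subnet must route 0.0.0.0/0 to an appliance in the hub and have no NAT gateway."""
    vnets = {v["name"]: v for v in groups["Microsoft.Network/virtualNetworks"]}
    hub_nets = [ipaddress.ip_network(p) for p in vnets[hub]["properties"]["addressSpace"]["addressPrefixes"]]
    tables = {t["name"]: t for t in groups["Microsoft.Network/routeTables"]}
    findings = []
    for name, vnet in vnets.items():
        if name == hub:
            continue
        for subnet in vnet["properties"]["subnets"]:
            props = subnet["properties"]
            label = f"{name}/{subnet['name']}"
            if "natGateway" in props:
                findings.append(f"{label}: NAT gateway attached, direct internet egress bypasses the hub")
            if "routeTable" not in props:
                findings.append(f"{label}: no route table, default route is not forced through the hub")
                continue
            routes = tables[ref_name(props["routeTable"]["id"])]["properties"]["routes"]
            forced = any(r["properties"]["addressPrefix"] == "0.0.0.0/0"
                         and r["properties"]["nextHopType"] == "VirtualAppliance"
                         and any(ipaddress.ip_address(r["properties"].get("nextHopIpAddress", "0.0.0.0")) in n
                                 for n in hub_nets)
                         for r in routes)
            if not forced:
                findings.append(f"{label}: no 0.0.0.0/0 route to a virtual appliance in the hub")
    return findings


def audit(template_json: str, hub: str = "vnet-hub") -> List[str]:
    """Run both checks and return the list of findings (empty means compliant)."""
    groups = by_type(template_json)
    return audit_peering(groups, hub) + audit_spoke_egress(groups, hub)


if __name__ == "__main__":
    for finding in audit(SAMPLE_TEMPLATE):
        print("FINDING:", finding)
```

Run against the sample, the script reports three findings, all on vnet-dev: the sideways peering to vnet-prod, the NAT gateway on its subnet, and the missing route table. Swap `SAMPLE_TEMPLATE` for the JSON of a real template (and `hub` for the hub vNet's name) to apply the same checks; templates that build the `resourceId()` arguments from parameters rather than literal strings would need the regex extended.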