Forum Discussion
Azure IaaS DMZ architecture for multi-project
Hello
I working to desing the network architecture on Azure for our needs. I would like to know your suggestions regarding the best appraoch for dmz zone when you needs to host ressources for differents projects/customers. What is you design recommandation ?
If I create a vNet "DMZ_Public" (/16) splitted with in differents subnets :
- Subnet dmzdsi_web and subnet dmzdsi_data for IT Corporate needs (only dmzdsi_Web will be reachable from Internet, dmzdsi_data is for APP/BDD servers used by Web servers)
- Subnet dmzprojA_web and subnet dmzprojA_data for ProjectA needs (only dmzprojA_Web will be reachable from Internet, dmzprojA_data is for APP/BDD servers used by Web servers)
- Subnet dmzprojB_web and subnet dmzprojB_data for ProjectB needs (only dmzprojB_Web will be reachable from Internet, dmzprojB_data is for APP/BDD servers used by Web servers)
- Subnet dmz_sharedServices for servers used by all DMZ subnet such as AD DS, DNS, Patch Management. This zone is to avoid to have traffic from dmz_web into internal network
The vNet DMZ-Public will communicate with my Hub (where is my Palo Alto firewall) via vNet Peering
Is-it correct for you ? Or do you have suggestion or best architecture to cover my needs ?
Regards
Jerome
2 Replies
- I also recommend that you make use of custom defined route tables so that everything enters or leaves through the Vnet Hub.
- Undoubtedly, one of the best ways that Microsoft indicates as the best practice is the use of the Hub-Spoke Virtual networks model, where you concentrate services accessible from other networks in a Hub network and connect the networks to this Hub through Peering
