Forum Discussion
azure network setup with vpn, vnet and discrete subnets
Our networking / Azure needs are pretty simple. We need a single VNet that doesn't span any regions (just US West), and we need 4 subnets within that VNet for dev, qa, staging and prod, which we can allow or deny access to via network security groups. To connect to anything at all you have to be connected to the VPN. We don't want any outside access enabled; you must be connected to the VPN point-to-site. We do need the names for the resources (databases, app servers, Cosmos DB) to resolve to whatever private IP they are given. There is no 'home office' as we are entirely a virtual company, so we have no need for any site-to-site anything.
I contracted an 'Azure expert' to set this up for us and now we have a maze of containers, virtual machines, hybrid networks, DNS forwarders, private links, etc. I asked ChatGPT and it says we don't need most of that, but when I talk to the expert he just blows it off, saying I don't know anything about this stuff. Initially he even set up a custom VPN server on a virtual machine, but I complained enough that he changed it to the Azure VPN server.
Given that I want to just use Azure / MS constructs and nothing container/custom/VM, did he set this up correctly, or is there a much easier way?
1 Reply
Hi @AllenIsntSocial
Based on your requirements, it seems that the setup you currently have is more complicated than necessary. Here's a simplified version of what you need:
1. Create a Virtual Network (VNet) in the US West region.
2. Within that VNet, create 4 subnets for dev, qa, staging, and prod.
3. Create Network Security Groups (NSGs) for each subnet, and configure the rules to allow or deny access as needed.
4. Set up an Azure VPN Gateway with Point-to-Site (P2S) VPN configuration, and ensure that users must be connected to the VPN to access resources within the VNet.
5. Configure Azure Private DNS to resolve the names of your resources to their private IP addresses.
Here's a step-by-step guide to achieving the above:
1. Create a Virtual Network:
- Sign in to the Azure portal.
- Click on "Create a resource" and search for "Virtual Network".
- Click "Create" and fill in the required details (name, region, address space, etc.).
- Choose the US West region for your VNet.
2. Create subnets within the VNet:
- Go to your VNet resource in the Azure portal.
- Click on "Subnets" and then "Add" to create a new subnet.
- Create four subnets for dev, qa, staging, and prod with appropriate address ranges.
3. Create and configure Network Security Groups:
- In the Azure portal, click on "Create a resource" and search for "Network Security Group".
- Create an NSG for each subnet (dev, qa, staging, and prod).
- Configure the NSG rules to allow or deny traffic as needed for each subnet.
- Associate the NSGs with their respective subnets.
4. Set up the Azure VPN Gateway:
- In the Azure portal, click on "Create a resource" and search for "VPN Gateway".
- Choose the appropriate VNet, and configure the gateway with a new public IP address.
- Once the VPN Gateway is deployed, configure Point-to-Site VPN by following the instructions in the Azure documentation: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal
5. Configure Azure Private DNS:
- In the Azure portal, click on "Create a resource" and search for "Private DNS".
- Create a new private DNS zone.
- Link the private DNS zone to your VNet.
- Add A records (with private IPs) for your resources (databases, app servers, Cosmos DB, etc.).
After completing these steps, your setup should be much simpler and more in line with your requirements. You will be using standard Azure services without any unnecessary customizations, and all access to the resources will be through the VPN.
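The five steps in the reply above, expressed as a single Azure-native Bicep template so the whole design fits on one screen. This is an added example, not code from the thread, from the contractor, or from Microsoft; every name, address range, the zone name and the certificate parameter are assumptions.

```bicep
// Added example, not code from the thread or any Azure sample: one VNet in a single region, four
// environment subnets with an NSG each, an Azure VPN gateway with point-to-site, and a private DNS
// zone. Every name, address range and the certificate parameter is an assumption.
param location string = 'westus'
param vnetName string = 'vnet-corp'
param addressSpace string = '10.10.0.0/16'
param gatewaySubnetPrefix string = '10.10.255.0/27'  // the gateway needs a subnet literally named GatewaySubnet
param p2sAddressPool string = '172.16.0.0/24'       // handed to VPN clients; must not overlap the VNet
param privateDnsZoneName string = 'corp.internal'
param dnsServers array = []                         // in-VNet resolver IPs for VPN clients; [] = Azure default
param vpnRootCertData string                        // base64 body of the P2S root certificate (.cer), public part only

var envs = ['dev', 'qa', 'staging', 'prod']
var subnetPrefixes = ['10.10.1.0/24', '10.10.2.0/24', '10.10.3.0/24', '10.10.4.0/24']
var inboundAnyPort = { direction: 'Inbound', protocol: '*', sourcePortRange: '*', destinationPortRange: '*' }

// One NSG per environment: VPN clients in, same-subnet traffic in, the rest of the VNet denied (dev cannot
// reach prod). Internet inbound is already blocked by the default DenyAllInBound rule (priority 65500).
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = [for (env, i) in envs: {
  name: 'nsg-${env}'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowP2SClientsInbound'
        properties: union(inboundAnyPort, { priority: 100, access: 'Allow', sourceAddressPrefix: p2sAddressPool, destinationAddressPrefix: subnetPrefixes[i] })
      }
      {
        name: 'AllowSameSubnetInbound'
        properties: union(inboundAnyPort, { priority: 110, access: 'Allow', sourceAddressPrefix: subnetPrefixes[i], destinationAddressPrefix: subnetPrefixes[i] })
      }
      {
        name: 'DenyRestOfVnetInbound'
        properties: union(inboundAnyPort, { priority: 200, access: 'Deny', sourceAddressPrefix: addressSpace, destinationAddressPrefix: '*' })
      }
    ]
  }
}]

var envSubnets = [for (env, i) in envs: {
  name: 'snet-${env}'
  properties: { addressPrefix: subnetPrefixes[i], networkSecurityGroup: { id: resourceId('Microsoft.Network/networkSecurityGroups', 'nsg-${env}') } }
}]

resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [addressSpace] }
    dhcpOptions: { dnsServers: dnsServers }
    subnets: concat(envSubnets, [{ name: 'GatewaySubnet', properties: { addressPrefix: gatewaySubnetPrefix } }])
  }
  dependsOn: [nsg]
}

resource gwPip 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
  name: 'pip-vpngw'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// The only way in: an Azure-managed VPN gateway, point-to-site over OpenVPN with certificate auth.
resource vpnGw 'Microsoft.Network/virtualNetworkGateways@2023-04-01' = {
  name: 'vpngw-corp'
  location: location
  properties: {
    gatewayType: 'Vpn'
    vpnType: 'RouteBased'
    sku: { name: 'VpnGw1', tier: 'VpnGw1' }
    ipConfigurations: [
      {
        name: 'gwipconfig'
        properties: {
          publicIPAddress: { id: gwPip.id }
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'GatewaySubnet') }
        }
      }
    ]
    vpnClientConfiguration: {
      vpnClientAddressPool: { addressPrefixes: [p2sAddressPool] }
      vpnClientProtocols: ['OpenVPN']
      vpnAuthenticationTypes: ['Certificate']
      vpnClientRootCertificates: [{ name: 'p2s-root', properties: { publicCertData: vpnRootCertData } }]
    }
  }
}

resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: privateDnsZoneName
  location: 'global'
}

// Link the zone to the VNet; VMs auto-register their A records, PaaS endpoints get records added by hand.
resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: '${vnetName}-link'
  location: 'global'
  properties: { registrationEnabled: true, virtualNetwork: { id: vnet.id } }
}
```

Deploy it into an existing resource group with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters vpnRootCertData=<base64>`; the gateway takes 30 to 45 minutes to come up. One caveat worth knowing before judging the contractor's design: a laptop connected over point-to-site cannot query Azure's built-in resolver (168.63.129.16), so names in the private zone only resolve from VPN clients if something inside the VNet answers DNS for them. The Azure-native way is an Azure DNS Private Resolver inbound endpoint in its own subnet, with its IP passed as `dnsServers` above (the VPN client profile picks up the VNet's DNS servers); a DNS-forwarder VM is the older way of solving the same problem, which may be why one appeared in the current setup. Everything else in the template is a managed Azure resource with no VMs or containers.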