SOLVED

VNet & Subnet Architecture for Greenfield environment

Implementing Greenfield in Azure with Non-prod and Prod subscription in an Azure Tenant.

I have 3 subnet ranges for each Environment.
Looking for assistance to understand does it make sense to design the VNET in a Resource group (RG) and later as per requirements host multiple applications in its own RG with VNET part of another RG.

Found so, I can lay down my VNET and subnet.

Please guide.
4 Replies

Hi,

What about this template?

https://github.com/Azure/azure-quickstart-templates/tree/master/101-vnet-two-subnets

This will create a vnet with two subnets as your first requirement. (Just add another subnet)

Next, as far as I know, there is no limitation in creating a VNET in one RG and then creating a resource (nic/IP) in a different RG that is using this VNET.

Best Response confirmed by Admin O365 (Frequent Contributor)
Solution

Hi,

I think the general resource group / subscription design comes down to how you wish to manage and secure your resources. I would recommend the following as a starting point:

1. Design a naming convention for your resources. This is good practice to get right at the start as you build out 100s of resource components. It can be difficult or sometimes impossible to rename resources without re-deployment.

2. Resource Location - Where are your resources going to be accessed from, what dependency resources are there and where are they located?

3. Resource Tagging - Tag your resources; it makes reporting and management easier down the line.

4. Think about your vnet design: do you need separate vnets with peering enabled or simply different subnets? Is there an on-prem VPN gateway, are you going to forward traffic, etc.? It's important to think about these configurations with security and access at the forefront of the discussion.

5. Administration / Security Access - How are you going to manage the resources and who has access? Do you have a separate network, DBA or infrastructure team, do you have DevOps?

Understanding who needs to administer the resources helps guide how you design your resource groups and what goes into them.

I have a customer as an example who have a networks team who manage all the network components, vnets, gateways, load balancers etc. So all the network components are in a Network RG and the network administrators only have access to that RG.

Other organisations may deploy specific solutions that are managed by a single team so it makes sense for them to build all the resources in a solution RG and set the appropriate security for that team.

All the best

Thanks for your response.

I'm thinking to have a separate RG for network that will have all VNet, subnet for that subscription. Later app based RG to use the VNET defined in RG VNET.
I was not sure if this is supported?
Also, can't find any blog / article on it.
Hi.

Yes that's absolutely fine. As I mentioned the advantage of grouping similar resources into their own RG is to ease the administration of applying security. So a network team as an example can have access only to the 'network' RG.
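
The layout the thread settles on (VNet and subnets in a network RG, application resources in their own RG) looks like this in a Bicep template deployed to the application RG. This is an added example, not code from any of the posters or from the linked quickstart template; the names `rg-network`, `vnet-nonprod`, `snet-app` and `nic-app01` are hypothetical placeholders, and the VNet and subnet are assumed to already exist.

```bicep
// Added example, not from the thread. Deploy at resource-group scope into the
// application RG. All resource names below are hypothetical placeholders.
param location string = resourceGroup().location
param networkRgName string = 'rg-network'   // RG owned by the network team
param vnetName string = 'vnet-nonprod'
param subnetName string = 'snet-app'

// Reference (do not create or modify) the VNet that lives in the network RG.
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: vnetName
  scope: resourceGroup(networkRgName)
}

// Reference the existing subnet inside that VNet.
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' existing = {
  parent: vnet
  name: subnetName
}

// The NIC is created in the application RG but attaches to the subnet in the
// network RG. The deploying identity does not need write access to the VNet;
// it needs Microsoft.Network/virtualNetworks/subnets/join/action on the subnet.
resource nic 'Microsoft.Network/networkInterfaces@2023-04-01' = {
  name: 'nic-app01'
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          privateIPAllocationMethod: 'Dynamic'
          subnet: {
            id: subnet.id
          }
        }
      }
    ]
  }
}

// Full resource ID of the subnet, useful when scoping a role assignment.
output subnetId string = subnet.id
```

Granting the application team only the subnet join action on the specific subnet, rather than a broad role on the whole network RG, keeps the network team as the sole owner of address space, routing and gateways while still letting application deployments attach to the shared VNet.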