Azure Network Topology Document Extracts and Notes

Azure Network Topology

  • Two core approaches: traditional and Azure Virtual WAN
  • The above document has a topology diagram for each model.

Feature comparison: Traditional Azure Network Topology vs. Azure Virtual WAN Network Topology

  • Highlights
    • Traditional: Customer-managed routing and security.
      • An Azure subscription can create up to 50 vnets across all regions (a default quota, not a hard ceiling).
      • Vnet peering links two vnets in the same region or in different regions and routes traffic between them over private IP addresses; peering carries a nominal charge.
      • Inbound and outbound traffic is charged at both ends of the peered networks. Network appliances such as VPN Gateway and Application Gateway that run inside a virtual network are also charged.
      • Reference: Azure Virtual Network Pricing
    • Virtual WAN: A Microsoft-managed networking service providing optimized and automated branch-to-branch connectivity through Azure.
      • Virtual WAN lets customers connect branches to each other and to Azure, centralizing their network and security needs with virtual appliances such as firewalls and with Azure network and security services.
      • Reference: Azure Virtual WAN Pricing
  • Deployment
    • Traditional: Customized deployment with routing and security managed by the customer.
    • Virtual WAN: Microsoft-managed service.
  • Documentation
    • Traditional: Virtual Network documentation; Plan virtual networks; Tutorial: Filter network traffic with a network security group using the Azure portal.
    • Virtual WAN: Virtual WAN documentation; Tutorial: Create an ExpressRoute association to Virtual WAN – Azure portal; other tutorials cover site-to-site and point-to-site connections.
  • Interconnectivity
    • Traditional: Traffic between two virtual networks across two different Azure regions is expected. A full mesh network across all Azure regions is not required.
    • Virtual WAN: Global connectivity between vnets in these Azure regions and multiple on-premises locations.
  • IPsec Tunnels
    • Traditional: Fewer than 30 IPsec site-to-site tunnels are needed.
    • Virtual WAN: More than 30 branch sites for native IPsec termination.
  • Routing Policy
    • Traditional: Full control and granularity for manually configuring your Azure network routing policy.
    • Virtual WAN: Not applicable.
  • Data Collection
    • Traditional: Collects data from servers and Kubernetes clusters.
    • Virtual WAN: Collects data from servers and Kubernetes clusters.
  • Data Storage
    • Traditional: Stores data in a Log Analytics workspace or the customer's own storage account.
    • Virtual WAN: Stores data in a Log Analytics workspace or the customer's own storage account.
  • Data Analysis and Visualization
    • Traditional: Uses Log Analytics for analysis and visualization of collected data.
    • Virtual WAN: Uses Azure Monitor for analysis and visualization of collected data.
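The following is an added example, not code from the source document or from Microsoft's documentation. It builds the pieces of the "traditional" topology the notes describe with the Az PowerShell module: two vnets, the peering between them (the item the notes say carries a nominal charge), and a network security group that filters inbound traffic on a spoke subnet, which is what the "Filter network traffic with a network security group" tutorial covers. The resource group, vnet names, address ranges and the rule set are assumptions chosen for illustration.

```powershell
# Added example (not from the source document): traditional topology built with Az PowerShell.
# Resource group, names and address ranges are assumptions for illustration.
# Requires Az.Network and an authenticated session (Connect-AzAccount).

$rg       = 'rg-net-demo'
$location = 'eastus'

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# Two vnets with non-overlapping address spaces; peering is rejected if the spaces overlap.
$hub = New-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.0.0.0/16'
$spoke = New-AzVirtualNetwork -Name 'vnet-spoke' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.1.0.0/16'

# Peering is not transitive and must be created on both sides. The optional switches stay
# off on purpose: -AllowForwardedTraffic only when a network virtual appliance in the remote
# vnet forwards traffic, -AllowGatewayTransit (hub) / -UseRemoteGateways (spoke) only when the
# spoke should reach on-premises through the hub's VPN or ExpressRoute gateway.
Add-AzVirtualNetworkPeering -Name 'hub-to-spoke' -VirtualNetwork $hub `
    -RemoteVirtualNetworkId $spoke.Id | Out-Null
Add-AzVirtualNetworkPeering -Name 'spoke-to-hub' -VirtualNetwork $spoke `
    -RemoteVirtualNetworkId $hub.Id | Out-Null

# NSG rules are evaluated in ascending priority order and the first match wins.
# The built-in AllowVnetInBound rule (priority 65000) matches peered vnets as well, so a
# peering silently opens the spoke subnet to the whole hub unless a custom rule closes it.
$allowHttps = New-AzNetworkSecurityRuleConfig -Name 'allow-https-from-hub' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix '10.0.0.0/16' -SourcePortRange '*' `
    -DestinationAddressPrefix '10.1.1.0/24' -DestinationPortRange 443

# Explicit deny below the allow and above the defaults. This also blocks traffic between
# hosts inside the spoke; narrow -SourceAddressPrefix to the hub range if that matters.
$denyVnet = New-AzNetworkSecurityRuleConfig -Name 'deny-other-vnet-inbound' -Priority 4000 `
    -Direction Inbound -Access Deny -Protocol '*' `
    -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'

$nsg = New-AzNetworkSecurityGroup -Name 'nsg-spoke-app' -ResourceGroupName $rg `
    -Location $location -SecurityRules $allowHttps, $denyVnet

# Bind the NSG to an application subnet in the spoke and commit the vnet change.
Add-AzVirtualNetworkSubnetConfig -Name 'snet-app' -VirtualNetwork $spoke `
    -AddressPrefix '10.1.1.0/24' -NetworkSecurityGroup $nsg | Out-Null
$spoke | Set-AzVirtualNetwork | Out-Null

# Checks: both peerings should report Connected (a single side only reaches Initiated),
# and the subnet should carry the NSG id.
Get-AzVirtualNetworkPeering -VirtualNetworkName 'vnet-hub' -ResourceGroupName $rg |
    Select-Object Name, PeeringState
Get-AzVirtualNetworkPeering -VirtualNetworkName 'vnet-spoke' -ResourceGroupName $rg |
    Select-Object Name, PeeringState
(Get-AzVirtualNetwork -Name 'vnet-spoke' -ResourceGroupName $rg).Subnets |
    Select-Object Name, @{ n = 'Nsg'; e = { $_.NetworkSecurityGroup.Id } }
```

The order of the two rules is the point: without the priority-4000 deny, the peering plus the default AllowVnetInBound rule would admit every port from every hub address, and the 443 allow would never be the deciding rule. Run the same pattern per subnet rather than per vnet, since an NSG bound to a subnet is where the "customer-managed security" of the traditional model actually lives.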

Additional Information

Why Azure Arc

For IT decision makers, here’s why it’s pertinent to consider Azure Arc:

  • An integrated management and governance solution that is centralized and unified, providing streamlined control and oversight.
  • Securely extending your on-prem and non-Azure resources into Azure Resource Manager (ARM), empowering you to:
    • Define, deploy, and manage resources in a declarative fashion using JSON templates for dependencies, configuration settings, policies, etc.
    • Manage Azure Arc-enabled servers, Kubernetes clusters, and databases as if they were running in Azure with consistent user experience.
    • Harness your existing Windows and Azure sysadmin skills honed from on-premises deployment.
  • When connecting to Azure Arc-enabled servers, you can perform many operational functions, just as you would with native Azure VMs, including these key supported actions:
    • Govern
    • Protect
      • Secure non-Azure servers with Microsoft Defender for Endpoint, included through Microsoft Defender for Cloud, for threat detection, vulnerability management, and proactive monitoring for potential security threats. Microsoft Defender for Cloud presents the alerts and remediation suggestions from the threats detected.
    • Configure
    • Monitor
      • Keep an eye on the OS, processes, and dependencies along with other resources using VM insights. Additionally collect, store, and analyze OS and workload logs, performance data, and events, which can be ingested into Microsoft Sentinel for real-time analysis, threat detection, and proactive security measures across the entire IT environment.
Support for Windows Server 2012 and 2012 R2 ended on October 10, 2023.

Extended Security Updates (ESUs) can be delivered through Azure Arc. IT can deploy ESUs through Azure Arc to on-premises or multi-cloud machines directly from the Azure portal. In addition to centralized management of security patching, ESUs enabled by Azure Arc use a flexible pay-as-you-go subscription model, whereas the classic ESUs offered through the Volume Licensing Center are purchased in yearly increments.

To test it out, follow Quickstart – Connect hybrid machine with Azure Arc-enabled servers.
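The following is an added example, not the quickstart's own script and not code from the source document. It performs the non-interactive version of the "Connect hybrid machine" step on a Windows server: install the Connected Machine agent, connect it with a service principal rather than an interactive login, and confirm the resulting Azure resource exists, since the Defender for Cloud, VM insights and ESU features above all hang off that resource. The tenant, subscription, resource group, tags and service principal values are placeholders; the agent download URL and install path are the ones Microsoft's portal-generated onboarding script uses, and the final check assumes the account running Connect-AzAccount has read access to the resource group.

```powershell
# Added example (not from the source document): unattended Azure Arc server onboarding.
# GUIDs, resource group, tags and the secret's environment variable are assumptions.
# Run in an elevated PowerShell session on the server being onboarded.

$tenantId       = '00000000-0000-0000-0000-000000000000'   # placeholder
$subscriptionId = '11111111-1111-1111-1111-111111111111'   # placeholder
$rg             = 'rg-arc-servers'
$location       = 'eastus'

# Least privilege: the service principal should hold only the built-in
# "Azure Connected Machine Onboarding" role, scoped to the resource group. That role can
# create the machine resource and nothing else, so a leaked secret is of limited use.
$spId     = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'          # placeholder
$spSecret = $env:ARC_ONBOARDING_SECRET                      # never hard-code it in the script
if (-not $spSecret) { throw 'ARC_ONBOARDING_SECRET is not set' }

# 1. Install the agent with Microsoft's installer script, then check the binary is
#    present and carries a valid Authenticode signature before executing it.
$installer = Join-Path $env:TEMP 'install_windows_azcmagent.ps1'
Invoke-WebRequest -Uri 'https://aka.ms/azcmagent-windows' -TimeoutSec 30 -OutFile $installer
& $installer
if ($LASTEXITCODE -ne 0) { throw "agent install failed with exit code $LASTEXITCODE" }

$agent = Join-Path $env:ProgramW6432 'AzureConnectedMachineAgent\azcmagent.exe'
if (-not (Test-Path $agent)) { throw "agent not found at $agent" }
$sig = Get-AuthenticodeSignature -FilePath $agent
if ($sig.Status -ne 'Valid') { throw "unexpected signature status on azcmagent.exe: $($sig.Status)" }

# 2. Connect. Tags are optional; they are what Azure Policy and ESU assignments are
#    commonly scoped on later, so set them at onboarding time.
& $agent connect `
    --service-principal-id $spId `
    --service-principal-secret $spSecret `
    --tenant-id $tenantId `
    --subscription-id $subscriptionId `
    --resource-group $rg `
    --location $location `
    --cloud 'AzureCloud' `
    --tags 'Datacenter=onprem-1,Environment=prod'
if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }

# 3. Local view: agent status, resource id and the himds service state.
& $agent show

# 4. Control-plane view: the machine resource should exist and report Connected.
#    Requires Az.ConnectedMachine and an identity with read access to the resource group.
Connect-AzAccount -Tenant $tenantId -Subscription $subscriptionId | Out-Null
$machine = Get-AzConnectedMachine -ResourceGroupName $rg -Name $env:COMPUTERNAME
$machine | Select-Object Name, Status, AgentVersion, Location
if ($machine.Status -ne 'Connected') { throw "machine resource exists but status is $($machine.Status)" }
```

Two things a practitioner checks before rolling this out at scale: that the service principal's secret is rotated after the onboarding batch (the agent keeps its own certificate-based identity after connect, so the onboarding secret is only needed during the connect call), and that the proxy and outbound URL allow-list the agent needs are in place, because a half-connected agent shows up in the portal but never reports to Defender for Cloud or Sentinel.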