Skip to content

[User Guide] Connectivity Resources

github-actions edited this page Nov 28, 2022 · 6 revisions

Overview

The module provides an option to enable deployment of network topology and connectivity resources from the conceptual architecture for Azure landing zones into the current subscription context. It also ensures that the specified subscription is placed in the right management group.

This capability enables deployment of multiple hub networks based on any combination of traditional Azure networking topology (hub and spoke), and Virtual WAN network topology (Microsoft-managed).

The module can also create and link DDoS Protection Standard to Virtual Networks, and manage centralized public and private DNS zones.

NOTE: The module currently only configures the hub network(s), and other recommended resources for the connectivity Subscription. To ensure the right balance of managing resources via Terraform vs. Azure Policy, we are still working on how best to handle the creation and peering of spoke Virtual Networks. Improving this story is on our backlog for development.

Resource types

Traditional Azure networking topology (hub and spoke)

The module can optionally deploy one or more hub networks based on the traditional Azure networking topology (hub and spoke).

Overview of the Azure landing zones connectivity resources using a traditional Azure networking topology (hub and spoke)

NOTE: The module currently configures only the networking hub and dependent resources for the connectivity subscription. Although there's an option to enable outbound virtual network peering from hub to spoke, users still need to initiate peering from spoke to hub. This is due to limitations in how the AzureRM provider targets a specific subscription for deployment.

When you deploy resources based on a traditional Azure networking topology (hub and spoke), the module deploys and manages the following resource types (depending on configuration):

Resource Azure resource type Terraform resource type
Resource groups Microsoft.Resources/resourceGroups azurerm_resource_group
Virtual networks Microsoft.Network/virtualNetworks azurerm_virtual_network
Subnets Microsoft.Network/virtualNetworks/subnets azurerm_subnet
Virtual network gateways Microsoft.Network/virtualNetworkGateways azurerm_virtual_network_gateway
Azure firewalls Microsoft.Network/azureFirewalls azurerm_firewall
Public IP addresses Microsoft.Network/publicIPAddresses azurerm_public_ip
Virtual network peerings Microsoft.Network/virtualNetworks/virtualNetworkPeerings azurerm_virtual_network_peering

For more information about how to use this capability, see the Deploy Connectivity Resources wiki page.

Virtual WAN network topology (Microsoft-managed)

The module can optionally deploy one or more hub networks based on the Virtual WAN network topology (Microsoft-managed).

Overview of the Azure landing zones connectivity resources using a Virtual WAN network topology (Microsoft-managed)

NOTE: Due to the different capabilities of Virtual WAN network resources over traditional, peering for Virtual WAN spokes is bi-directional when using this capability.

When you deploy resources based on a Virtual WAN network topology (Microsoft-managed), the module deploys and manages the following resource types (depending on configuration):

Resource Azure resource type Terraform resource type
Resource Groups Microsoft.Resources/resourceGroups azurerm_resource_group
Virtual WANs Microsoft.Network/virtualWans azurerm_virtual_wan
Virtual Hubs Microsoft.Network/virtualHubs azurerm_virtual_hub
Express Route Gateways Microsoft.Network/expressRouteGateways azurerm_express_route_gateway
VPN Gateways Microsoft.Network/vpnGateways azurerm_vpn_gateway
Azure Firewalls Microsoft.Network/azureFirewalls azurerm_firewall
Azure Firewall Policies Microsoft.Network/firewallPolicies azurerm_firewall_policy
Virtual Hub Connections Microsoft.Network/virtualHubs/hubVirtualNetworkConnections azurerm_virtual_hub_connection

For more information about how to use this capability, see the Deploy Virtual WAN Resources With Custom Settings wiki page.

DDoS Protection plan

The module can optionally deploy DDoS Network Protection, and link Virtual Networks to the plan if needed.

NOTE: Due to platform limitations, DDoS protection plans can only be enabled for traditional virtual networks. Virtual Hub support is not currently available.

IMPORTANT: The Azure landing zones guidance recommends enabling DDoS Network Protection to increase protection of your Azure platform. To prevent unexpected costs in non-production and MVP deployments, this capability is disabled in the Azure landing zones Terraform module due to the cost associated with this resource.

For production environments, we strongly recommend enabling this capability.

When you enable deployment of deployment of DDoS protection plan resources, the module deploys and manages the following resource types (depending on configuration):

Resource Azure resource type Terraform resource type
Resource groups Microsoft.Resources/resourceGroups azurerm_resource_group
DDoS protection plans Microsoft.Network/ddosProtectionPlans azurerm_network_ddos_protection_plan

DNS

The module can optionally deploy Private DNS zones to support Private Endpoints and link them to hub and/or spoke Virtual Networks. User-specified public and private DNS zones can also be deployed and linked as needed.

When you enable deployment of deployment of DNS resources, the module deploys and manages the following resource types (depending on configuration):

Resource Azure resource type Terraform resource type
Resource Groups Microsoft.Resources/resourceGroups azurerm_resource_group
DNS Zones Microsoft.Network/dnsZones azurerm_dns_zone
Private DNS Zones Microsoft.Network/privateDnsZones azurerm_private_dns_zone
Private DNS Zone Virtual Network Link Microsoft.Network/privatednszones/virtualnetworklinks azurerm_private_dns_zone_virtual_network_link

Next steps

Please refer to the following for examples showing how to use this capability:

Clone this wiki locally