The most common network design pattern in Azure involves creating a hub-and-spoke virtual network topology in one or more Azure regions, possibly connected to on-premises networks via Azure ExpressRoute or site-to-site virtual private network (VPN) tunnels. public internet.
Most design guidelines focus on moving applications across these virtual networks from internal, local networks, or the Internet (as industry users typically define).North-South traffic, as usually represented by a vertical line in a network diagram). This article highlights the various functions availableeast-west traffic. That is, the communication flow between workloads deployed in an Azure virtual network (either within a region or between regions).
Ensuring that the network design meets the requirements for east-west traffic is critical to providing performance, scalability, and resiliency for applications running on Azure.
possible use case
Speech-to-speech flow can be important in many situations:
- There are different layers of a single application in different virtual networks. For example, a network perimeter server (akaDMZ server) on the perimeter virtual network to communicate with application services on the internal virtual network.
- Application workloads in different environments (development, staging, production) need to replicate data between them.
- Different applications or microservices need to communicate with each other.
- Databases must replicate data across regions to ensure business continuity in the event of a disaster.
- Users reside within an Azure virtual network. For example, they use Azure Virtual Desktop.
Communication patterns and topologies between spokes
There are two main topologies that can be used in Azure plans that span multiple virtual networks:traditional hub-and-spokeandAzure Virtual WAN. In a virtual WAN environment, the Microsoft Admin Center virtual network and everything inside it. In a traditional hub-and-spoke environment, you manage a centralized virtual network.
Both virtual WAN topologies and hub-and-spoke topologies are examples of architectures where workloads run on virtual electronic networks and connectivity to facilities is centralized on a virtual hub network. Many of the concepts explained in this article apply to both hub designs and virtual WANs.
There are two main ways to connect virtual beam networks:
- The rays are connected directly to each other.Create virtual network peering or VPN tunnels between virtual branch networks to provide direct connectivity without traversing the virtual hub network.
- Rays communicate through network devices.Each virtual spoke network is mapped to a virtual WAN or virtual node. The devices direct traffic between spokes. This device can be managed by Microsoft (as with Virtual WAN) or managed by you.
Mode 1: Rays connect directly to each other
Direct connections between spokes typically provide better performance, latency, and scalability than connections through a network virtual device (NVA) in the hub. Sending traffic through NVAs can increase traffic latency if the NVAs are in different Availability Zones and must peer across at least two virtual networks when sending traffic through a hub. There are several options for connecting two-spoke virtual networks directly to each other: virtual network peering, Azure Virtual Network Manager, and VPN tunnels.
Virtual network equalization.The advantages of direct virtual network peering over spokes are:
- Lower cost because fewer virtual peering networks are required.
- Better performance because traffic does not have to traverse network devices that introduce latency or potential bottlenecks.
Other scenarios include cross bearing connections. However, you may need to inspect traffic between virtual spoke networks, which may require sending traffic through a central network device to the virtual hub network.
Azure Virtual Network Manager.In addition to the benefits of virtual network peering, Azure Virtual Network Manager provides management services that allow you to manage virtual network environments and create connections at scale. Using Azure Virtual Network Manager, three types of topologies can be created for existing and new virtual networks across all subscriptions:
The hub and spokes have spokes that are not connected to each other.
Hub and spokes have spokes that connect directly to each other with no jumps between them.
A mesh group of interconnected virtual networks.
GatherAll Visio diagramsin the text.
When you use Azure Virtual Network Manager to create a hub-and-spoke topology (where spokes are interconnected), virtual spoke networks on the same network can be connected directlynetwork groupBidirectional creation is created automatically. Using Azure Virtual Network Manager, you can statically or dynamically make a virtual spoke network a member of a specific network group, which automatically creates connections to any virtual network.
You can create multiple network groups to isolate clusters of virtual spoke networks from direct connections. Each network group provides single-area and multi-area support for spoke-to-spoke connections. Make sure you stay under the maximum limits specified in Azure Virtual Network ManagerFrequently asked questions about Azure Virtual Network Manager.
VPN tunnels that connect virtual networks.You can configure a VPN service to connect virtual branch networks directly using MicrosoftVPN gatewayor a third-party NVA VPN. The advantage of this option is that virtual voice networks can be connected to commercial and mainstream clouds on the same cloud provider or cloud providers. Additionally, if there is a software-defined wide area network (SD-WAN) NVA in each branch office network, this configuration can facilitate the use of a third-party provider's control layer and feature set to manage virtual network connections.
This option also helps you meet compliance requirements by encrypting traffic on virtual networks in a single Azure data center that does not haveMACsec encryption. However, this option also presents a number of challenges due to the bandwidth limitations of IPsec tunnels (1.25 Gbps per tunnel) and the design constraints of having virtual network gateways in both the hub and the virtual spoke network: If the virtual network rays has a virtual network. network gateway, cannot connect to a virtual WAN or connect to a local network using the hub's virtual network gateway.
State 1: Single area
Regardless of the technology used to interconnect the virtual branch networks, the network topology for an individual region will look like this:
Mode 1: Multi-area
A plan that connects all virtual branch networks can also be extended to multiple regions. In this topology, Azure Virtual Network Manager is most important to reduce the administrative cost of maintaining the large number of required connections.
noting
When connecting virtual voice networks directly to a region or regions, consider doing this for virtual voice networks in the same environment. Connect e.g. a virtual branch deployment network with another virtual branch deployment network. But avoid connecting the development virtual branch network to the production virtual branch network.
When directly connecting virtual number networks to each other in a full mesh topology, consider that a large number of peer ledger networks may be required. The figure below illustrates the problem. In this case, it is highly recommended to use Azure Virtual Network Manager so that you can create virtual network connections automatically.
Mode 2: Beams communicate through network devices
Instead of connecting branch office virtual networks directly to each other, you can use network devices to relay traffic between branch offices. Network devices provide additional network services such as deep packet inspection and traffic segmentation or monitoring, but if they are not properly sized, they can introduce delays and bottlenecks. These devices are usually located in the virtual hub network to which the spokes are connected. There are several options for using network equipment to forward traffic between branches:
Virtual WAN hub router.The virtual WAN is fully managed by Microsoft and consists of a virtual router that pulls traffic from the branch office and routes it to another virtual network connected to the virtual WAN or locally via ExpressRoute, site-to-site, or point-to-site. site VPN network tunnel. The virtual WAN router automatically scales up and down, so all you have to do is maintain traffic between branch officesVirtual WAN Limitations.
Azure Firewall. Azure FirewallA network device managed by Microsoft that can be deployed in a central virtual network or virtual WAN center that you manage. It can forward IP packets and also inspect them and apply traffic fragmentation rules defined in policies. Provides automatic scaling toAzure Firewall Limitationsto avoid traffic jams. Note that Azure Firewall provides out-of-the-box multi-region functionality only when used with a virtual WAN. Without a virtual WAN, you must implement custom routing for speech-to-voice communication in different regions.
Third-party virtual network devices.If you prefer to use a virtual network appliance from a Microsoft partner to perform network routing and segmentation, you can deploy the virtual network appliance in a hub-and-spoke or virtual WAN topology. For more information, seeImplementer High Availability NVAtheNVA i Virtual WAN Hub. You must ensure that the virtual network device supports the bandwidth generated by voice-to-voice communication.
Azure VPN Gateway.You can use an Azure VPN gateway as the next type of transition for custom routes, but Microsoft does not recommend using a VPN virtual gateway to route radius-to-radius traffic. They are designed to encrypt the traffic of local websites or VPN users. For example, there is no guarantee of the inter-spoke bandwidth that a VPN gateway can route.
fast track.In some configurations, ExpressRoute gateways can advertise routes that attract traffic from spokes, send traffic to Microsoft Edge routers, and route it there to the intended spokes. Microsoft strongly discourages this as it introduces latency by sending traffic to the edge of the trunk and behind Microsoft. More importantly, Microsoft does not recommend this approach due to its single point of failure and long reach. This scenario also introduces more problems due to the additional stress placed on the ExpressRoute infrastructure (gateways and physical routers). This additional pressure can cause packet loss.
In a hub-and-spoke network design with a centralized NVA, devices are typically placed in the center. The exchange of virtual networks between hub-and-spoke virtual networks must be created manually or automatically using Azure Virtual Network Manager:
Manual virtual network mapping.This approach is sufficient when you have a small number of virtual branch networks, but incurs huge management costs.
Azure Virtual Network Manager.As mentioned earlier, Azure Virtual Network Manager provides capabilities for managing virtual network environments and peering at scale. Peering configuration between hub-and-spoke virtual networks automatically configures the network group in both directions.
Azure Virtual Network Manager provides the ability to statically or dynamically add a virtual network subscription to a specific network.network group, which automatically creates peering connections for new members. A spoke virtual network in a network group canConnect using a VPN gateway or ExpressRoute. Make sure you stay below the maxLimitations of Azure Virtual Network Manager.
Mode 2: Single zone
The following diagram shows a hub-and-spoke topology of an area that routes traffic between spokes through an Azure firewall installed on the virtual node network. Traffic is forwarded to the central device at the hub via user-defined routes used for branch subnets.
In some cases, it may be beneficial to separate the virtual network devices that handle voice-to-voice and Internet traffic for scalability. You can achieve this separation by:
- Customize routing tables on spokes to send private addresses (those with predefined RFC 1918 routes) to responsible Azure-to-Azure and Azure-to-on-premises traffic (also known aseast-west traffic).
- Direct Internet traffic (with route 0.0.0.0/0) to the other NVA. This NVA is responsible for Azure Internet Traffic (akaNorth-South traffic).
The image below shows this configuration:
noting
Azure Firewall requires only one Azure Firewall resource to deploy in a virtual network. Therefore, a separate core virtual network is required for additional Azure Firewall resources. For NVA scenarios, you can use a single hub virtual network for additional NVA deployments.
Mode 2: Multi-area
You can extend the same configuration to multiple regions. For example, in a hub-and-spoke design using Azure Firewall, an additional routing table must be implemented on the Azure Firewall subnet of each hub at the extreme radius. This configuration ensures that cross-region traffic can be forwarded between Azure firewalls on each virtual node network. Cross-region traffic between virtual branch networks then passes through both Azure firewalls. For more information, seeAzure Firewall for routing multi-node spoke topologies:
In a multi-region hub-and-spoke topology, there are also design variations that have separate Azure firewalls or virtual network appliances to manage north-south and east-west traffic:
noting
Azure Firewall requires only one Azure Firewall resource to deploy in a virtual network. Therefore, a separate core virtual network is required for additional Azure Firewall resources. For NVA scenarios, you can use a single hub virtual network for additional NVA deployments.
Virtual WAN creates a similar topology and takes the complexity out of routing. It does this on both the hub (which is managed by Microsoft) and the spokes (where routes can be injected and don't need to be defined manually in the routing table). Therefore, network administrators only need to connect the virtual branch network to the virtual WAN hub and do not need to worry about forwarding traffic between areas.
blending mode
Many situations require a hybrid approach that combines the two approaches described earlier. In this approach, traffic between some spokes must pass through direct links, but the remaining spokes communicate through a central network device. For example, in a virtual WAN environment, you can directly connect two specific spokes that have high bandwidth and low latency requirements. Another scenario involves branched virtual networks belonging to a single environment. You can e.g. Allow a branch office development virtual network to connect directly to another branch office development virtual network, but force development and production workloads to communicate through a central device.
Another common pattern involves connecting spokes to a region through direct peering over a virtual network or Azure Virtual Network Managerconnection, but allow cross-lane traffic to cross the NVA. The main motivation for this model is usually to reduce the number of peer virtual networks in the architecture. However, a disadvantage that this model introduces compared to the first model (direct links between spokes) is that there are more virtual peering networks for inter-area traffic. These hops increase the cost due to the intersection of multiple virtual peering networks. Another disadvantage is the additional load of all interregional traffic on the central NVA.
The same design applies to virtual WANs. However, one factor to consider is that direct connectivity between branch virtual networks must be manually configured directly between the virtual networks and not through the virtual WAN resource. Azure Virtual Network Manager does not currently support WAN-based virtual architectures. E.g:
noting
For the hybrid approach, it is important to understand that a direct connection via virtual network peering propagates system routes for the virtual network it connects to, which are often more specific than user-defined routes configured through routing tables. Therefore, virtual network peer traffic routes take precedence over user-defined routes that follow the rulesthe longest prefix match routing.
However, in the less common case where both a system route and a user-defined route exist with the same address prefix, the user-defined route overrides the system route (generated automatically by virtual network peering). This behavior causes voice-to-voice virtual network traffic to traverse the virtual node network even though there is a direct voice connection.
contributor
This article is maintained by Microsoft. Originally written by the following contributors.
Main author:
- Li Jie|Senior Project Manager
- Jose Moreno|Customer Manager
- Alejandra Palasios| Senior Customer Engineer, Azure Infrastructure
Other factors:
- Mick Alberts|Writer of technical documents
- Muhammad Hasan| Project manager
- Andrea Michael|Project manager
- Yasukuni Morishima|Customer engineer at second level
- Gisin PP|Customer engineer
To view your private LinkedIn profile, you must be logged in to LinkedIn.
Next step
- Cloud adoption framework: Landing zone network topology and connectivity
- Virtual network equalization
- Azure Virtual Network Manager
- virtual wide area network
- Azure Firewall
- Secure network connections in Azure
- Introduction to Azure Virtual Networks
- Hub-and-Spoke network topology in Azure
- Hub-and-Spoke network topology with Azure Virtual WAN
- Traditional Azure network topology