Azure • Security

Creating secure spoke virtual networks in Azure cloud

Brett Borschel • May 4, 2022 • 2 min read


Creating traditional firewall-centric enterprise network architectures in the cloud has always been troublesome. When compared to the extreme granularity of on-prem Layer 7 NGFW segmented networks, the flat any-to-any Layer 4 NSG-secured cloud has been lacking for a long time. Not anymore.

Armed with the right cloud design and some recently added Microsoft features, we can now create very secure network topologies in the cloud. In this article I'll explain the detailed steps for creating secure spoke virtual networks in Azure.

Requirements

We want our secure spoke networks to have the following characteristics:

Traffic sourced from outside the spoke will not be allowed to reach the spoke without traveling through the hub firewall.

Traffic from inside the spoke will not be allowed to reach any destination without traveling through the hub firewall.

Step by step

  1. Create a spoke virtual network.
  2. Create a subnet inside the spoke virtual network.
  3. Peer the spoke VNet to the hub VNet. Make sure to enable "Use the remote virtual network's gateway or Route Server" on the spoke side, and "Allow gateway or Route Server to forward traffic" on the hub side.
  4. Create a UDR on the spoke subnet that points 0.0.0.0/0 at the NVA firewall ILB. Set "Propagate gateway routes" to No.
  5. Create a UDR on the hub VNet's GatewaySubnet that points the spoke network at the NVA firewall ILB. Set "Propagate gateway routes" to Yes.
  6. Apply an NSG to the spoke subnet blocking direct internet access. This NSG is not designed to secure the resources in the subnet — that's the job of the NVA firewall in the hub. It's designed to prevent traffic from accessing the internet through local public IPs, forcing all traffic through the hub NVA.
  7. Create a rule on the NVA firewall to permit desired traffic to the spoke. These rules depend on the make and model of your NVA, but since we're not using NSGs for resource protection, make them as restrictive as possible.
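The spoke-side steps above as one Bicep template, added here as an example and not code from the original post. It covers steps 1 to 4 and 6 plus both sides of the peering in step 3; step 5 (the GatewaySubnet UDR) and step 7 (NVA rules) are left out because they depend on the existing hub and on the NVA product. Assumptions: the hub VNet lives in the same resource group, and the names, CIDRs and NVA ILB frontend IP are placeholders.

```bicep
// Added example; names, CIDRs and the NVA ILB IP are placeholders, hub VNet assumed in this resource group.
param location string = resourceGroup().location
param hubVnetName string = 'vnet-hub'
param nvaIlbIp string = '10.0.1.4'          // frontend IP of the NVA firewall internal load balancer
param spokeCidr string = '10.10.0.0/16'
param spokeSubnetCidr string = '10.10.1.0/24'

resource hub 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: hubVnetName }

// Step 4: 0.0.0.0/0 -> NVA ILB, with "Propagate gateway routes" = No so BGP/on-prem routes cannot bypass the firewall.
resource spokeRt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke-workload'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [ { name: 'default-via-nva', properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: nvaIlbIp } } ]
  }
}

// Step 6: NSG that only blocks direct Internet reachability via local public IPs; resource filtering stays on the hub NVA.
resource spokeNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-spoke-no-direct-internet'
  location: location
  properties: {
    securityRules: [ { name: 'deny-inbound-from-internet', properties: { priority: 100, direction: 'Inbound', access: 'Deny', protocol: '*', sourceAddressPrefix: 'Internet', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' } } ]
  }
}

// Steps 1-2: spoke VNet and workload subnet with the UDR and NSG attached.
resource spoke 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-spoke'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ spokeCidr ] }
    subnets: [ { name: 'snet-workload', properties: { addressPrefix: spokeSubnetCidr, routeTable: { id: spokeRt.id }, networkSecurityGroup: { id: spokeNsg.id } } } ]
  }
}

// Step 3, hub side: "Allow gateway or Route Server to forward traffic" (allowGatewayTransit).
resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: hub
  name: 'hub-to-spoke'
  properties: { remoteVirtualNetwork: { id: spoke.id }, allowVirtualNetworkAccess: true, allowForwardedTraffic: true, allowGatewayTransit: true }
}

// Step 3, spoke side: "Use the remote virtual network's gateway or Route Server" (useRemoteGateways); hub peering must exist first.
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: spoke
  name: 'spoke-to-hub'
  dependsOn: [ hubToSpoke ]
  properties: { remoteVirtualNetwork: { id: hub.id }, allowVirtualNetworkAccess: true, allowForwardedTraffic: true, useRemoteGateways: true }
}
```

An outbound NSG rule denying the Internet service tag is evaluated on the packet's original destination address before the UDR picks the next hop, so it would also drop egress that the UDR steers to the NVA; add one only if the spoke needs no Internet egress at all.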

Final thoughts

Note that setting up BGP peering between the NVA firewall and Azure Route Server is a prerequisite for these steps, so that the NVA firewall learns how to reach the peered spoke and on-prem prefixes.

Additional reading