Azure Transit VNET Single Arm Deployment Architecture

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
L2 Linker

Azure Transit VNET Single Arm Deployment Architecture.png

 

Cloud deployments have been evolving over time as the Cloud Providers provide new options for integration. A very popular AWS deployment is the GWLB which in its simplest deployment model is a single armed deployment. There have been requests for a similar architecture for Azure. After putting in some thought and lab time, I was able to find the following architecture that can handle all the flow patterns in a one arm security deployment.

 

To create this environment, I started with the Panorama automated deployment plugin and deployed the inbound stack:

 

Artm6.jpg

 

Post deployment, I shut down the trust interface in the template stack and changed my NATs in the NAT policy to a Source NAT inbound traffic with the untrust interface (versus the trust) and deployed an Application Gateway. The result was the following architecture:

 

arm1.jpg

 

 


The following set of diagrams walk through the various flows for this deployment. Requests are Green and the server responses are in Red. Each step in the flow is also numbered. The first flow is using the Azure Public Load Balancer and is often deployed for non-HTTP traffic. In this flow the backend targets for the Public Load Balancer are the VM-Series NGFWs.

 

 

A2.jpg


The following flow depicts inbound web application traffic through an Application Gateway. There is a UDR on the subnet that App Gateway is deployed in that redirects spoke VNET traffic to the Internal Load balancer. After inspection the traffic is routed via normal VNet Peering to the target. A UDR for the App Gateway subnet is on the spoke VNet with a next hop of the internal load balancer.

 

 

Arm3.jpg

 

Outbound traffic is handled by a default route UDR on the spoke subnets. This UDR sends traffic to the internal Standard Load Balancer. The traffic is sent to a VM-Series NGFW and processed. It is then affected by an outbound NAT policy and forwarded to the internet. The response is sent back to the NGFW and forwarded directly to the origin server in the spoke VNET.

 

 

Arm4.jpg


The next diagram shows the traffic flow for east west traffic between separate VNet spokes within a transit VNet architecture. Subnets in both spokes have a UDR with a default route that points to the internal load balancer. Since this is a standard load balancer, there is no need to SNAT the traffic on the VM-Series FW. In this case a NAT negate policy is used to keep East West traffic from getting affected by an outbound SNAT rule.

 

 

Arm5.jpg

 

There are multiple methods to deploying the VM-Series in an Azure VNET architecture. Every design has nuances. The goal with this article is to provide another option for customers to choose from.

 

4 Comments
  • 5507 Views
  • 4 comments
  • 1 Likes
Register or Sign-in
Labels
Top Liked Authors