Essential Hub Subnet Planning for Your Azure Network Architecture
Designing network segments can be aptly compared to slicing a cake

Before creating any Azure service (other than PaaS services consumed directly over public access, such as Azure AI Foundry / Azure OpenAI Service), you need to plan the network segments in advance and set up an Azure Virtual Network.
The Azure Platform Landing Zone design, however, gives the network architecture 2 options:

Both options can help you establish the foundational environment for your first on-premises-to-Azure migration. Today, we will explore how to segment the Hub-role subnets within the Hub-Spoke architecture.
Common Hub Required Subnets and Minimum Subnets

Based on my previously rewritten Virtual Subnet Calculator (Azure Edition), it can be determined that the following common services are placed in the Hub subnet:
| Reserved Subnet Name | Minimum Subnet Size | Related Azure Services | Note |
|---|---|---|---|
| GatewaySubnet | /27 | Azure Virtual Network Gateway | ExpressRoute, Active-Active VPN and Active-Passive VPN gateways all live in this one subnet; you do not need to carve out separate subnets for them |
| RouteServerSubnet | /26 | Azure Route Server | |
| AzureBastionSubnet | /26 | Azure Bastion | The size of this subnet limits how many sessions Azure Bastion can serve simultaneously, so it is one of the services whose capacity must be estimated up front |
| AzureFirewallSubnet | /26 | Azure Firewall | |
| AzureFirewallManagementSubnet | /26 | Azure Firewall Management | |
| dnspr-in | /28 | Azure Private DNS Resolver (inbound) | Not a reserved subnet name, but if a Private DNS Resolver is needed it is recommended to plan its network segment in advance |
| dnspr-out | /28 | Azure Private DNS Resolver (outbound) | Not a reserved subnet name, but if a Private DNS Resolver is needed it is recommended to plan its network segment in advance |
Option 1: Classic Subnet Segmentation
At a minimum, we MUST keep cloud-to-on-premises connectivity working and the following services enabled:
- Azure Firewall
- Azure Firewall Management
- Azure Virtual Network Gateway (includes ExpressRoute / VPN)
- Azure Private DNS Resolver

Option 2: Suggested Subnet Segmentation
If you have two /24 address blocks available, you can choose the suggested subnet segmentation. This option gives you room to add Azure Bastion as well, and to place Private Endpoints or Azure VMs, such as a DC on an Azure VM.
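The two options above are really one exercise: take the address space you have, carve out every required subnet at no less than its minimum size from the table, and see what is left for Private Endpoints or VMs. The following Python script is an added example for this post, not the author's Virtual Subnet Calculator or any Microsoft tool. It encodes the minimum sizes from the table (the `dnspr-in` / `dnspr-out` names are this post's own convention, not Azure-reserved names), carves subnets largest-first so the /26 blocks do not fragment the space, and validates a hand-written plan for undersized or overlapping subnets. The `10.0.0.0/24` and `10.0.1.0/24` address spaces are constructed sample input; the five-address reservation per subnet is Azure's documented behaviour (first four addresses plus the last one).

```python
import ipaddress

# Azure reserves the first four addresses and the last address of every subnet.
AZURE_RESERVED_PER_SUBNET = 5

# Minimum prefix lengths from the table above. dnspr-* are this post's names,
# not Azure-reserved subnet names (assumption: you keep that naming).
HUB_SUBNET_MINIMUMS = {
    "GatewaySubnet": 27,
    "RouteServerSubnet": 26,
    "AzureBastionSubnet": 26,
    "AzureFirewallSubnet": 26,
    "AzureFirewallManagementSubnet": 26,
    "dnspr-in": 28,
    "dnspr-out": 28,
}

# Option 1: the mandatory set. Option 2: the same plus Route Server and Bastion.
OPTION1_REQUIRED = [
    "AzureFirewallSubnet",
    "AzureFirewallManagementSubnet",
    "GatewaySubnet",
    "dnspr-in",
    "dnspr-out",
]
OPTION2_REQUIRED = OPTION1_REQUIRED + ["RouteServerSubnet", "AzureBastionSubnet"]


def usable_hosts(network):
    """Addresses you can actually assign in a subnet after Azure's reservation."""
    return network.num_addresses - AZURE_RESERVED_PER_SUBNET


def plan_hub(address_spaces, subnet_names, prefix_overrides=None):
    """Carve the named subnets out of the given address spaces.

    Each subnet gets its table minimum unless prefix_overrides gives a larger
    block (a shorter prefix). Subnets are allocated biggest-first, lowest
    address first, so the space is not fragmented by the /28s.
    Returns (plan, remaining) where plan maps name -> IPv4Network and
    remaining is the collapsed list of free blocks. Raises ValueError when the
    address space is too small or an override is below the table minimum.
    """
    prefix_overrides = prefix_overrides or {}
    wanted = []
    for name in subnet_names:
        minimum = HUB_SUBNET_MINIMUMS[name]
        prefix = prefix_overrides.get(name, minimum)
        if prefix > minimum:
            raise ValueError(f"{name}: /{prefix} is below the minimum /{minimum}")
        wanted.append((prefix, name))
    wanted.sort()  # shortest prefix (largest block) first

    free = sorted(ipaddress.ip_network(s) for s in address_spaces)
    plan = {}
    for prefix, name in wanted:
        for i, block in enumerate(free):
            if block.prefixlen <= prefix:
                chosen = next(block.subnets(new_prefix=prefix))  # lowest slice
                plan[name] = chosen
                # Hand the rest of the block back to the free list.
                free[i:i + 1] = list(block.address_exclude(chosen))
                free.sort()
                break
        else:
            raise ValueError(f"no room for {name} (/{prefix}) in {address_spaces}")
    return plan, list(ipaddress.collapse_addresses(free))


def validate_plan(plan):
    """Check a hand-written {name: cidr} plan against the table.

    Returns a list of human-readable problems: subnets below their minimum
    size and pairs of subnets that overlap. An empty list means the plan is ok.
    """
    problems = []
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    for name, net in nets.items():
        minimum = HUB_SUBNET_MINIMUMS.get(name)
        if minimum is not None and net.prefixlen > minimum:
            problems.append(f"{name} {net} is smaller than the minimum /{minimum}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


if __name__ == "__main__":
    for label, spaces, required in (
        ("Option 1", ["10.0.0.0/24"], OPTION1_REQUIRED),
        ("Option 2", ["10.0.0.0/24", "10.0.1.0/24"], OPTION2_REQUIRED),
    ):
        plan, remaining = plan_hub(spaces, required)
        print(f"{label}: address space {', '.join(spaces)}")
        for name, net in sorted(plan.items(), key=lambda kv: kv[1]):
            print(f"  {name:<30} {str(net):<18} usable hosts: {usable_hosts(net)}")
        print("  remaining for Private Endpoints / VMs:", [str(n) for n in remaining])
```

Running it shows that Option 1 fits in a single /24 with a /26 to spare, while Option 2 needs the second /24 and leaves a /26 and a /25 free. Use `validate_plan` on a plan someone drew by hand before you create the VNet: an `AzureBastionSubnet` declared as /27, or two subnets pasted with the same CIDR, is much cheaper to catch here than after Bastion refuses to deploy.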

Phil's Memo
Highly recommend Clair Obscur: Expedition 33 (Original Soundtrack).
After NieR: Automata, this is the original soundtrack that I feel is of exceptionally high quality.