This site is under development and subject to change. Please do not rely on the information contained here. Look out for some exciting updates to Azure Landing Zones coming in 2025!
Azure Landing Zones Documentation
Home GitHub Issue Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  1. Azure Landing Zones Documentation
  2. /
  3. Accelerator
  4. /
  5. Starter modules
  6. /
  7. Terraform - Azure Verified Modules for Platform Landing Zone (ALZ)
  8. /
  9. Scenario - Multi-Region Virtual WAN with Azure Firewall
Edit page

Scenario - Multi-Region Virtual WAN with Azure Firewall

A full platform landing zone deployment with Virtual WAN network connectivity using Azure Firewall in multiple regions.

Resources

The following resources are deployed by default in this scenario:

Management

Management Groups

  • Management Groups
  • Policy Definitions
  • Policy Set Definitions
  • Policy Assignments
  • Policy Assignment Role Assignments

Management Resources

  • Log Analytics Workspace
  • Log Analytics Data Collection Rules for AMA
  • User Assigned Managed Identity for AMA
  • Automation Account

Connectivity

Azure DDOS Protection Plan

  • DDOS Protection Plan

Azure Virtual WAN

  • Virtual WAN homed in the primary region
  • Virtual Hubs in each region

Azure Virtual Networks

  • Sidecar Virtual Networks
  • Sidecar to Virtual Hub peering
  • Subnets for Bastion, and Private DNS Resolver in each region

Azure Firewall

  • Azure Firewall per region
  • Azure Firewall public IP per region
  • Azure Firewall policy per region

Azure Bastion

  • Azure Bastion per region
  • Azure Bastion public IP per region

Azure Private DNS

  • Azure Private DNS Resolver per region
  • Azure non-regional Private Link Private DNS zones in primary region
  • Azure regional Private Link Private DNS zones per region
  • Azure Virtual Machine auto-registration Private DNS zone per region
  • Azure Private Link DNS zone virtual network links per region

Azure Virtual Network Gateways

  • Azure ExpressRoute Virtual Network Gateway per region
  • Azure VPN Virtual Network Gateway per region

Configuration

The following relevant configuration is applied:

Azure DNS

Private DNS is configured ready for using Private Link and Virtual Machine Auto-registration. Spoke Virtual Networks should use the Azure Firewall IP Address in the same region as their DNS configuration.

  • Azure Firewall is configured as DNS proxy
  • Azure Firewall forwards DNS traffic to the Private DNS resolver
  • Azure Private DNS Resolver has an inbound endpoint from the sidecar network
  • Azure Private Link DNS zones are linked to all hub sidecar Virtual Networks
gdoc_arrow_left_alt Scenario - Multi-Region Hub and Spoke Virtual Network with Azure Firewall Scenario - Multi-Region Hub and Spoke Virtual Network with Network Virtual Appliance (NVA) gdoc_arrow_right_alt