Azure Landing Zones Documentation
Home GitHub Issue Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  1. Azure Landing Zones Documentation
  2. /
  3. Accelerator
  4. /
  5. Starter Modules
  6. /
  7. Terraform - Azure Verified Modules for Platform Landing Zone (ALZ)
  8. /
  9. Scenarios
  10. /
  11. 1 - Multi-Region Hub and Spoke Virtual Network with Azure Firewall
Edit page

1 - Multi-Region Hub and Spoke Virtual Network with Azure Firewall

A full platform landing zone deployment with hub and spoke Virtual Network connectivity using Azure Firewall in multiple regions.

Resources

The following resources are deployed by default in this scenario:

Management

Management Groups

  • Management Groups
  • Policy Definitions
  • Policy Set Definitions
  • Policy Assignments
  • Policy Assignment Role Assignments

Management Resources

  • Log Analytics Workspace
  • Log Analytics Data Collection Rules for AMA
  • User Assigned Managed Identity for AMA
  • Automation Account

Connectivity

Azure DDOS Protection Plan

  • DDOS Protection Plan

Azure Virtual Networks

  • Hub virtual networks in each region
  • Hub virtual network peering
  • Subnets for Firewall, Gateway, Bastion, and Private DNS Resolver in each region
  • Azure Route table for Firewall per region
  • Azure Route table for other subnets and spokes per region

Azure Firewall

  • Azure Firewall per region
  • Azure Firewall public IP per region
  • Azure Firewall policy per region

Azure Bastion

  • Azure Bastion per region
  • Azure Bastion public IP per region

Azure Private DNS

  • Azure Private DNS Resolver per region
  • Azure non-regional Private Link Private DNS zones in primary region
  • Azure regional Private Link Private DNS zones per region
  • Azure Virtual Machine auto-registration Private DNS zone per region
  • Azure Private Link DNS zone virtual network links per region

Azure Virtual Network Gateways

  • Azure ExpressRoute Virtual Network Gateway per region
  • Azure VPN Virtual Network Gateway per region

Configuration

The following relevant configuration is applied:

Azure DNS

Private DNS is configured ready for using Private Link and Virtual Machine Auto-registration. Spoke Virtual Networks should use the Azure Firewall IP Address in the same region as their DNS configuration.

  • Azure Firewall is configured as DNS proxy
  • Azure Firewall forwards DNS traffic to the Private DNS resolver
  • Azure Private DNS Resolver has an inbound endpoint from the hub network
  • Azure Private Link DNS zones are linked to all the hub Virtual Networks

Azure Routing

Route tables are pre-configured for spoke virtual networks in each region. Assign the user subnet route table to any subnets created in spokes.

  • Azure Firewall in relevant region as next hop in Route Table
gdoc_arrow_left_alt Scenarios 2 - Multi-Region Virtual WAN with Azure Firewall gdoc_arrow_right_alt