2 - Multi-Region Virtual WAN with Azure Firewall
A full platform landing zone deployment with Virtual WAN network connectivity using Azure Firewall in multiple regions.
- Example platform landing zone configuration file: full-multi-region/virtual-wan.tfvars
The following resources are deployed by default in this scenario:
- Management Groups
- Policy Definitions
- Policy Set Definitions
- Policy Assignments
- Policy Assignment Role Assignments
- Log Analytics Workspace
- Log Analytics Data Collection Rules for AMA
- User Assigned Managed Identity for AMA
- Automation Account
- DDOS Protection Plan
- Virtual WAN homed in the primary region
- Virtual Hubs in each region
- Sidecar Virtual Networks
- Sidecar to Virtual Hub peering
- Subnets for Bastion, and Private DNS Resolver in each region
- Azure Firewall per region
- Azure Firewall public IP per region
- Azure Firewall policy per region
- Azure Bastion per region
- Azure Bastion public IP per region
- Azure Private DNS Resolver per region
- Azure non-regional Private Link Private DNS zones in primary region
- Azure regional Private Link Private DNS zones per region
- Azure Virtual Machine auto-registration Private DNS zone per region
- Azure Private Link DNS zone virtual network links per region
- Azure ExpressRoute Virtual Network Gateway per region
- Azure VPN Virtual Network Gateway per region
The following relevant configuration is applied:
Private DNS is configured ready for using Private Link and Virtual Machine Auto-registration. Spoke Virtual Networks should use the Azure Firewall IP Address in the same region as their DNS configuration.
- Azure Firewall is configured as DNS proxy
- Azure Firewall forwards DNS traffic to the Private DNS resolver
- Azure Private DNS Resolver has an inbound endpoint from the sidecar network
- Azure Private Link DNS zones are linked to all hub sidecar Virtual Networks