Introduction
The cloud has made setting up networks, and routing between them, accessible and flexible for just about any use case. This blog aims to help you understand and answer the key considerations in designing the cloud network for your next project. By attempting to answer these questions you will have a good sense of whether you are on the right path or whether further research and design is required.
As networks in the cloud come in a variety of topologies and sizes, it is not feasible to address all the ways a network, or several networks, can be set up to achieve your desired outcome. By posing questions about our design thinking we can constrain the problem and also expose assumptions that may lead to bad design decisions. Networking in Azure is the focus of this guide, but some of the questions apply equally to other cloud providers.
In my opinion it is better to ask more questions about your design than to preemptively apply best practices, as a good understanding of what is required is needed before looking at how you should implement the solution.
Intended Audience
This blog is written for those who have a limited understanding of where to start in making good networking decisions in the cloud.
General Cloud Network Questions
Wherever you are in your cloud journey, it is best to look at your cloud network design holistically and consider how the cloud network will integrate with current and future networking plans. From this high-level overview, subnetting and routing decisions can be made more easily.
The main question to ask is ‘are you going to require more than one Virtual Network?’ Answering this will help inform your overarching network architecture.
If so, what other networks are required, and what will be the role of each? If your network footprint is likely to grow and need more networks in the future for different teams or projects, AND you have shared services that will be used by subordinate networks, you should consider implementing a hub and spoke topology. Another option is a perimeter Virtual Network that provides a hardened ingress/egress point for the Virtual Networks connected to it.

Hub-spoke network topology in Azure
However, if you predominantly use cloud SaaS services and want physical separation of workloads contained in different networks, then simply using individual Virtual Networks with good security controls might be the best option to reduce complexity.
Do you know how you will allocate IP address space?
Having adequate and well-documented usage of IP address space will be crucial in ensuring that new networks can be added without overlapping IP ranges.
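One way to keep that documentation honest is to check the address plan itself before a network is deployed. The following is an added example (not code from the original post): it takes a constructed map of network names to address spaces, reports every pair of address spaces in different networks that overlap, and finds the next free block of a given size inside a reserved supernet. The network names and CIDRs are made up for illustration; replace them with the ranges from your own IP address management records.

```python
"""Check a planned set of Azure virtual network address spaces for overlap.

Added example (not part of the original post). The address plan below is
constructed for illustration; replace it with the CIDRs from your own
IP address management records.
"""
import ipaddress
from itertools import combinations

# Constructed sample plan: network name -> list of address-space CIDRs.
# "spoke-b" deliberately collides with "on-prem" to show what the check reports.
PLANNED_ADDRESS_SPACES = {
    "hub": ["10.0.0.0/16"],
    "spoke-a": ["10.1.0.0/16"],
    "spoke-b": ["10.2.0.0/16", "192.168.0.0/24"],
    "on-prem": ["192.168.0.0/16"],
}


def find_overlaps(plan):
    """Return a sorted list of (network_x, cidr_x, network_y, cidr_y) tuples
    for every pair of address spaces in different networks that overlap.

    Overlapping spaces cannot be peered or routed to one another, so any
    hit here is a design defect to resolve before deployment.
    """
    spaces = [
        (name, ipaddress.ip_network(cidr, strict=True))
        for name, cidrs in plan.items()
        for cidr in cidrs
    ]
    overlaps = []
    for (name_x, net_x), (name_y, net_y) in combinations(spaces, 2):
        if name_x != name_y and net_x.overlaps(net_y):
            overlaps.append((name_x, str(net_x), name_y, str(net_y)))
    return sorted(overlaps)


def next_free_block(plan, supernet, prefixlen):
    """Return the first /prefixlen subnet of `supernet` that does not overlap
    any address space already in the plan, or None if the supernet is full.

    Useful when a new team or project needs a network carved out of the
    organisation's reserved range without colliding with existing ones.
    """
    parent = ipaddress.ip_network(supernet, strict=True)
    used = [
        ipaddress.ip_network(cidr, strict=True)
        for cidrs in plan.values()
        for cidr in cidrs
    ]
    for candidate in parent.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


if __name__ == "__main__":
    for x_name, x_cidr, y_name, y_cidr in find_overlaps(PLANNED_ADDRESS_SPACES):
        print(f"OVERLAP: {x_name} {x_cidr} <-> {y_name} {y_cidr}")
    print("next free /16 in 10.0.0.0/8:",
          next_free_block(PLANNED_ADDRESS_SPACES, "10.0.0.0/8", 16))
```

Running it against the sample plan reports the 192.168.0.0/24 space in spoke-b colliding with the on-premises 192.168.0.0/16 range, which is exactly the kind of clash that only surfaces later when a site-to-site VPN or peering is added. Keeping the plan in a file and running a check like this in your deployment pipeline turns the documentation into something that is actually enforced.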
Network Connectivity Questions
Occasionally I see clients treat external connectivity as a bridge to be crossed when they get to it, or give it no prior thought at all. Understanding how you will connect to your cloud securely is arguably one of the biggest benefits of using the cloud, if done properly. It is therefore necessary to ask how cloud network connectivity options will be used. Options to consider here:
- Do you intend to have cloud networks in different regions? Consider: SD-WAN solutions and Global Virtual Network Peering.
- Do you want secure connectivity to your cloud networks from your office? Consider: site-to-site VPNs or ExpressRoute.
- Do your users require secure access from their homes? Consider: point-to-site VPN solutions.
- Do you require dedicated and reliable bandwidth to your cloud networks or cloud services? Look at ExpressRoute options.
- Will your Virtual Networks need to connect to each other? Global Virtual Network Peering or
Network Security Questions
Network security in your cloud environment should be easy to manage and understand in order to be effective. Cloud providers give you many network security controls, but it is up to you to understand how they can best be used to make sure that A) your workloads and data are secure and B) you can easily make changes to improve and monitor your security posture in the future.
At the very minimum you should have a good understanding of how to use Network Security Groups and Application Security Groups to control inbound AND outbound traffic. Importantly, you need to know how to test your cloud services after network security changes are made, in order to detect traffic that is accidentally blocked or allowed.
The other network security controls to consider are Network Virtual Appliances offered by Palo Alto, Cisco or F5, Azure Firewall, and Web Application Firewalls associated with Layer-7 Application Gateways. Whether you use these controls depends on your budget and the types of workloads you are looking to protect.
When it comes to network security there are many questions you should be asking to protect your services and your users' data. You should have a good understanding of how to answer the following questions.
- Are my services or information subject to any regulations, laws or other compliance obligations? Understanding any relevant laws or regulations will inform the network security requirements you must have in operation.
- How will my workloads communicate with users, other workloads and the internet? Consider having a network security topology diagram that details network flows so you can design NSGs and other security controls.
- How will inbound traffic be controlled? For web traffic a Web Application Firewall can be used. MFA or Just-In-Time Provisioning should be used for accessing machines via SSH or RDP.
- How will egress traffic be controlled?
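The inbound and egress questions above, and the earlier point about testing after NSG changes to catch traffic that is accidentally blocked or allowed, can be answered with a written-down list of expected flows that you evaluate against the rule set. The following is an added example, not code from the original post: a small evaluator that follows the documented NSG model (rules per direction ordered by priority, first match wins, the built-in default rules evaluated last) and checks a constructed rule set against constructed expected flows. It simplifies the service tags, treating VirtualNetwork as one constructed VNet range and Internet as anything outside RFC 1918, and omits the AzureLoadBalancer default rule; the subnets, addresses and rule names are assumptions for illustration.

```python
"""Evaluate Azure-style NSG rules against the traffic flows you expect.

Added example, not code from the original post. Rules and flows are
constructed; service tags are simplified (see address_matches).
"""
import ipaddress
from dataclasses import dataclass

# Constructed: the address space the VirtualNetwork tag covers in this example.
VNET_RANGES = [ipaddress.ip_network("10.1.0.0/16")]
# Simplification: "Internet" means any address outside the RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # custom rules 100-4096, defaults 65000+; lower number wins
    direction: str  # "Inbound" or "Outbound"
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR, single IP, service tag or "*"
    dest: str
    dest_port: str  # "443", "80,443", "1000-2000" or "*"


# Built-in default rules every NSG carries (AzureLoadBalancer rule omitted).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def address_matches(spec, ip):
    """True if `spec` (CIDR, IP, 'VirtualNetwork', 'Internet' or '*') covers `ip`."""
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return any(addr in net for net in VNET_RANGES)
    if spec == "Internet":
        return not any(addr in net for net in RFC1918)
    return addr in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """True if `spec` ('*', '443', '80,443' or '1000-2000') includes `port`."""
    if spec == "*":
        return True
    for part in spec.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def evaluate(rules, direction, protocol, src, dst, dst_port):
    """Return (access, rule_name) for the first rule that matches the flow."""
    applicable = sorted((r for r in rules + DEFAULT_RULES if r.direction == direction),
                        key=lambda r: r.priority)
    for r in applicable:
        if r.protocol != "*" and r.protocol != protocol:
            continue
        if (address_matches(r.source, src) and address_matches(r.dest, dst)
                and port_matches(r.dest_port, dst_port)):
            return r.access, r.name
    return "Deny", "<implicit>"  # unreachable: the default rules always match


def check_flows(rules, expected):
    """Evaluate each (direction, protocol, src, dst, port, expected_access) tuple;
    return a list describing the mismatches (empty means the design holds)."""
    failures = []
    for direction, protocol, src, dst, port, want in expected:
        got, by = evaluate(rules, direction, protocol, src, dst, port)
        if got != want:
            failures.append(f"{direction} {protocol} {src}->{dst}:{port} expected {want}, got {got} via {by}")
    return failures


# Constructed design: web tier 10.1.1.0/24, app gateway subnet 10.1.0.0/24,
# bastion subnet 10.1.2.0/24, patch endpoint 203.0.113.10 (TEST-NET-3).
FIRST_DRAFT = [
    Rule("AllowHttpsFromAppGw", 100, "Inbound", "Allow", "Tcp", "10.1.0.0/24", "10.1.1.0/24", "443"),
    Rule("AllowSshFromBastion", 110, "Inbound", "Allow", "Tcp", "10.1.2.0/24", "10.1.1.0/24", "22"),
    Rule("AllowHttpsToPatchEndpoint", 100, "Outbound", "Allow", "Tcp", "10.1.1.0/24", "203.0.113.10/32", "443"),
    Rule("DenyInternetOutBound", 4000, "Outbound", "Deny", "*", "*", "Internet", "*"),
]
# Second draft: an explicit catch-all inbound deny placed ahead of AllowVnetInBound.
HARDENED = FIRST_DRAFT + [Rule("DenyOtherInBound", 4096, "Inbound", "Deny", "*", "*", "*", "*")]

EXPECTED_FLOWS = [
    ("Inbound", "Tcp", "10.1.0.5", "10.1.1.10", 443, "Allow"),      # app gateway -> web
    ("Inbound", "Tcp", "10.1.2.4", "10.1.1.10", 22, "Allow"),       # bastion -> web SSH
    ("Inbound", "Tcp", "10.1.5.9", "10.1.1.10", 22, "Deny"),        # other VNet host -> SSH
    ("Inbound", "Tcp", "198.51.100.7", "10.1.1.10", 443, "Deny"),   # internet -> web directly
    ("Outbound", "Tcp", "10.1.1.10", "203.0.113.10", 443, "Allow"), # web -> patch endpoint
    ("Outbound", "Tcp", "10.1.1.10", "198.51.100.7", 80, "Deny"),   # arbitrary egress
    ("Outbound", "Tcp", "10.1.1.10", "10.1.2.4", 445, "Allow"),     # intra-VNet, allowed by default
]

if __name__ == "__main__":
    for label, rules in (("first draft", FIRST_DRAFT), ("hardened", HARDENED)):
        failures = check_flows(rules, EXPECTED_FLOWS)
        print(f"{label}: {len(failures)} unexpected result(s)")
        for f in failures:
            print("  " + f)
```

The first draft fails one check: SSH from an arbitrary host inside the VNet is allowed, because nothing in the custom rules matches it and the default AllowVnetInBound rule then permits it. That is the "accidentally allowed" case the testing step is meant to catch, and the hardened draft closes it with an explicit deny at the lowest custom priority. The same list of expected flows can be re-run every time the NSG changes; if you deploy rules through a pipeline, this is the kind of check that belongs in it.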
Conclusion
It pays to ask questions and create checklists when embarking on any new project. Not only can this inform your research and help you make better decisions, but by answering the questions you also gain a better understanding of your requirements and the assumptions you have made.