Enterprise-ScaleREADME.md at Main · AzureEnterprise-Scale · GitHub
Open in github.dev Open in a new github.dev tab
t
| ARM Template | Scale without refactoring |
|---|---|
| Deploy To Azure | Yes |
Deploy Enterprise-Scale with hub and spoke architecture
The Enterprise-Scale architecture is modular by design and allow organizations to start with foundational landing zones that support their application portfolios and add hybrid connectivity with ExpressRoute or VPN when required. Alternatively, organizations can start with an Enterprise-Scale architecture based on the traditional hub and spoke network topology if customers require hybrid connectivity to on-premises locations from the beginning.
A hub and spoke network topology allows you to create a central Hub VNet that contains shared networking components (such as Azure Firewall, ExpressRoute and VPN Gateways) that can then be used by spoke VNets, connected to the Hub VNet via VNET Peering, to centralize connectivity in your environment. Gateway transit in VNet peering allows spokes to have connectivity to/from on-premises via ExpressRoute or VPN, and also, transitive connectivity across spokes can be implemented by deploying User Defined Routes (UDR) on the spokes and using Azure Firewall or an NVA in the hub as the transit resource. Hub and spoke network design considerations & recommendations can be found here.
A hub & spoke network topology
This reference implementation also allows the deployment of platform services across Availability Zones (such as Azure Firewall, VPN or ExpressRoute gateways) to increase availability uptime of such services.
Customer profile
This reference implementation is ideal for customers that have started their Enterprise-Scale journey with an Enterprise-Scale foundation implementation and then there is a need to add connectivity on-premises datacenters and branch offices by using a traditional hub and spoke network architecture. This reference implementation is also well suited for customers who want to start with Landing Zones for their net new deployment/development in Azure by implementing a network architecture based on the traditional hub and spoke network topology.
Please refer to the Enterprise-Scale Landing Zones User Guide for detailed information on prerequisites and deployment steps.
How to evolve from Enterprise-Scale foundation
If customer started with a Enterprise-Scale foundation deployment, and if the business requirements changes over time, such as migration of on-premise applications to Azure that requires hybrid connectivity, you will simply create the Connectivity Subscription, place it into the Platform > Connectivity Management Group and assign Azure Policy for the hub and spoke network topology.
Pre-requisites
To deploy this ARM template, your user/service principal must have Owner permission at the Tenant root. See the following instructions on how to grant access.
Optional prerequisites
The deployment experience in Azure portal allows you to bring in existing (preferably empty) subscriptions dedicated for platform management, connectivity and identity. It also allows you to bring existing subscriptions that can be used as the initial landing zones for your applications.
To learn how to create new subscriptions programmatically, please visit this link.
To learn how to create new subscriptions using Azure portal, please visit this link.
How to deploy this reference implementation
Enterprise-Scale landing zones offers a single experience to deploy the different reference implementations. To deploy Enterprise-Scale with hub and spoke architecture, click on the Deploy to Azure button at the top of this page and ensure you select the following options:
- In the Enterprise-Scale core setup blade, select the option for Dedicated (recommended) subscriptions for platform resources.
- In the Network topology and connectivity blade, select either Hub and spoke with Azure Firewall or Hub and spoke with your own third-party NVA network topology options.
The rest of the options across the different blades will depend on your environment and desired deployment settings. For detailed instructions for each of the deployment steps, refer to the Enterprise-Scale Landing Zones user guide.
What will be deployed?
By default, all recommendations are enabled and you must explicitly disable them if you don't want it to be deployed and configured.
- A scalable Management Group hierarchy aligned to core platform capabilities, allowing you to operationalize at scale using centrally managed Azure RBAC and Azure Policy where platform and workloads have clear separation.
- Azure Policies that will enable autonomy for the platform and the landing zones.
- An Azure subscription dedicated for management, which enables core platform capabilities at scale using Azure Policy such as:
- A Log Analytics workspace and an Automation account
- Azure Security Center monitoring
- Azure Security Center (Standard or Free tier)
- Azure Sentinel
- Diagnostics settings for Activity Logs, VMs, and PaaS resources sent to Log Analytics
- (Optionally) Integrate your Azure environment with GitHub (Azure DevOps will come later), where you provide the PA Token to create a new repository and automatically discover and merge your deployment into Git.
- An Azure subscription dedicated for connectivity, which deploys core Azure networking resources such as:
- A hub virtual network
- Azure Firewall (optional - deployment across Availability Zones)
- ExpressRoute Gateway (optional - deployment across Availability Zones)
- VPN Gateway (optional - deployment across Availability Zones)
- Azure Private DNS Zones for Private Link (optional)
- Azure DDoS Network Protection (optional)
- (Optionally) An Azure subscription dedicated for identity in case your organization requires to have Active Directory Domain Controllers in a dedicated subscription.
- A virtual network will be deployed and will be connected to the hub VNet via VNet peering.
- Landing Zone Management Group for corp connected applications that require connectivity to on-premises, to other landing zones or to the internet via shared services provided in the hub virtual network.
- This is where you will create your subscriptions that will host your corp-connected workloads.
- Landing Zone Management Group for online applications that will be internet-facing, where a virtual network is optional and hybrid connectivity is not required.
- This is where you will create your Subscriptions that will host your online workloads.
- Landing zone subscriptions for Azure native, internet-facing online applications and resources.
- Landing zone subscriptions for corp connected applications and resources, including a virtual network that will be connected to the hub via VNet peering.
- Azure Policies for online and corp-connected landing zones, which include:
- Enforce VM monitoring (Windows & Linux)
- Enforce VMSS monitoring (Windows & Linux)
- Enforce Azure Arc VM monitoring (Windows & Linux)
- Enforce VM backup (Windows & Linux)
- Enforce secure access (HTTPS) to storage accounts
- Enforce auditing for Azure SQL
- Enforce encryption for Azure SQL
- Prevent IP forwarding
- Prevent inbound RDP from internet
- Ensure subnets are associated with NSG
- Associate private endpoints with Azure Private DNS Zones for Azure PaaS services.
For a detailed networking topology diagram for this reference implementation click here. This is also available in Visio format from here
Next steps
From an application perspective
Once you have deployed the reference implementation, you can create new subscriptions, or move an existing subscriptions to the Landing Zones > Online or Corp management group, and finally assign RBAC to the groups/users who should use the landing zones (subscriptions) so they can start deploying their workloads.
Refer to the Create Landing Zone(s) article for guidance to create Landing Zones.