Skip to content

Commit

Permalink
Adding Multi-Region Network Deployment (#1608)
Browse files Browse the repository at this point in the history
Co-authored-by: Jack Tracey <[email protected]>
  • Loading branch information
brsteph and jtracey93 authored Jun 18, 2024
1 parent d31d985 commit 6d8b116
Show file tree
Hide file tree
Showing 23 changed files with 3,456 additions and 257 deletions.
23 changes: 23 additions & 0 deletions docs/wiki/Deploying-ALZ-BasicSetup.md
Original file line number Diff line number Diff line change
Expand Up @@ -46,13 +46,18 @@ On the *Azure Core setup* blade you will:

- **Provide a prefix** that will be used to name your management group hierarchy **and** platform resources.
- Choose between using dedicated subscriptions or a single subscription to host platform resources.
- Choose between deploying in a single region, or in two regions.

**Please Note:** A dedicated platform subscriptions is in general recommended. However, some Customers have the requirement to host their platform and applications within a single subscription. This tutorial is aimed at Customers with this requirement.

Select **Single** and **provide a dedicated (empty) subscription** that will be used to host your Platform resources.

![ESLZ-Company-Prefix](./media/ESLZ-Company-Prefix-singlesubscription.jpg)

Next, select if you wish to **Deploy in a secondary region**. If this is left as *Yes*, then you will receive additional inputs later in the process to deploy resources in a secondary region.

![ALZ-Secondary-Region](./media/ALZ-secondaryregion-singlesubscription.jpg)

Click **Next: Platform management, security, and governance>**.

![coreSetupTab-next](./media/ESLZ-Company-Prefix-2-singlesubscription.jpg)
Expand Down Expand Up @@ -208,6 +213,24 @@ On the *Network topology and connectivity* blade you will configure your core ne

![networkTab-fwSubnet](./media/clip_image036b-10-singlesubscription.png)

### Deploying networking resources in a second region

If you selected **Deploy in a secondary region** in the Core steps, you will also configure a secondary region for networking platform resource in this blade. This secondary platform network deployment prepares you you to take advantage of capacity in multiple regions, and for recovery or multi-region high availability.

The deployment will use the same deployment type as the primary region - either two hub and spokes with Azure firewall, two hub and spokes with your own-third party NVA, or an additional virtual WAN hub.

![img](./media/clip_image080.png)

You will need to specify the additional region to deploy to, and then you will be given the option to deploy and configure your gateways and (if applicable) your Azure firewall.

![img](./media/clip_image081.png)

For best results, use similar inputs to make sure that your regional deployments can both support the same architecture. However, if you want to forgo deploying a gateway or firewall in the second region, you can select the appropriate options.

Once deployed, your regional hubs will be peered together and have routing tables assigned to the firewall subnets to handle routing to each other. You can add routes to this route table later, as you add spoke networks. If you have deployed DDoS protection in the primary region, it will be applied to the secondary region as well.

Your Private DNS zones will be deployed in a resource group linked to your primary region, and will be assigned to both regions. See [Private Link and DNS integration at scale](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale) for more information.

Click **Next: Identity>** once you had configured your network setup.

![networkTab-next](./media/clip_image036b-13-singlesubscription.png)
Expand Down
27 changes: 26 additions & 1 deletion docs/wiki/Deploying-ALZ-HubAndSpoke.md
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,10 @@ Provide a prefix that will be used to create the management group hierarchy and

![ESLZ-Company-Prefix](./media/ESLZ-Company-Prefix.JPG)

Next, select if you wish to **Deploy in a secondary region**. If this is left as *Yes*, then you will receive additional inputs later in the process to deploy resources in a secondary region.

![ALZ-Secondary-Region](./media/ALZ-secondaryregion-multisubscription.jpg)

## 5. Platform management, security, and governance

On the *Platform management, security, and governance* blade, you will configure the core components to enable platform monitoring and security. The options you enable will also be enforced using Azure Policy to ensure resources, landing zones, and configuration are continuously compliant as your deployments scales with business demand. To enable this, you must provide a dedicated (empty) subscription that will be used to host the requisite infrastructure.
Expand Down Expand Up @@ -74,12 +78,33 @@ Depending on your requirements, you may choose to deploy additional network infr

![img](./media/clip_image036b.png)

### Deploying networking resources in a second region

If you selected **Deploy in a secondary region** in the Core steps, you will also configure a secondary region for networking platform resource in this blade. This secondary platform network deployment prepares you you to take advantage of capacity in multiple regions, and for recovery or multi-region high availability.

The deployment will use the same deployment type as the primary region - either two hub and spokes with Azure firewall, two hub and spokes with your own-third party NVA, or an additional virtual WAN hub.

![img](./media/clip_image080.png)

You will need to specify the additional region to deploy to, and then you will be given the option to deploy and configure your gateways and (if applicable) your Azure firewall.

![img](./media/clip_image081.png)

For best results, use similar inputs to make sure that your regional deployments can both support the same architecture. However, if you want to forgo deploying a gateway or firewall in the second region, you can select the appropriate options.

Once deployed, your regional hubs will be peered together and have routing tables assigned to the firewall subnets to handle routing to each other. You can add routes to this route table later, as you add spoke networks. If you have deployed DDoS protection in the primary region, it will be applied to the secondary region as well.

Your Private DNS zones will be deployed in a resource group linked to your primary region, and will be assigned to both regions. See [Private Link and DNS integration at scale](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale) for more information.

## 8. Identity
On the *Identity* blade you can specify if you want to assign recommended policies to govern identity and domain controllers. If you decide to enable this feature, you do need to provide an empty subscription for this. You can then select which policies you want to get assigned, and you will need to provide the address space for the virtual network that will be deployed on this subscription. Please note that this virtual network will be connected to the hub virtual network via VNet peering.
On the *Identity* blade you can specify if you want to assign recommended policies to govern identity and domain controllers. If you decide to enable this feature, you do need to provide an empty subscription for this. You can then select which policies you want to get assigned, and you will need to provide the address space for the virtual network that will be deployed on this subscription. Please note that this virtual network will be connected to the hub virtual network via VNet peering.

![img](./media/clip_image036c.png)

In addition, you selected **Deploy in a secondary region** and deployed a network topology, you also have the option to deploy an additional Identity virtual network in that region. It will be peered to the hub in your secondary region.

![img](./media/clip_image085.png)

## 9. Landing zone configuration

In the top section you can select which policies you want to assign broadly to all of your application landing zones. You also have the ability to set policies to *Audit only* which will assign the policies for Audit.
Expand Down
18 changes: 18 additions & 0 deletions docs/wiki/Deploying-ALZ-VWAN.md
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,10 @@ Provide a prefix that will be used to create the management group hierarchy and

![ESLZ-Company-Prefix](./media/ESLZ-Company-Prefix.JPG)

Next, select if you wish to **Deploy in a secondary region**. If this is left as *Yes*, then you will receive additional inputs later in the process to deploy resources in a secondary region.

![ALZ-Secondary-Region](./media/ALZ-secondaryregion-multisubscription.jpg)

## 5. Platform management, security, and governance

On the *Platform management, security, and governance* blade, you will configure the core components to enable platform monitoring and security. The options you enable will also be enforced using Azure Policy to ensure resources, landing zones, and more are continuously compliant as your deployments scales and grows. To enable this, you must provide a dedicated (empty) subscription that will be used to host the requisite infrastructure.
Expand Down Expand Up @@ -69,12 +73,26 @@ Depending on your requirements, you may choose to deploy additional network infr

![vwan](./media/clip_image078.jpg)

### Deploying networking resources in a second region

If you selected **Deploy in a secondary region** in the Core steps, you will also configure a secondary region for networking platform resource in this blade. This secondary platform network deployment prepares you you to take advantage of capacity in multiple regions, and for recovery or multi-region high availability.

The deployment will deploy an additional virtual hub in the secondary region that you specify.

You will need to provide the configuration for the virtual hub, same as the primary region.

![img](./media/clip_image084.png)

## 8. Identity

On the *Identity* blade you can specify if you want to assign recommended policies to govern identity and domain controllers. If you decide to enable this feature, you do need to provide an empty subscription for this. You can then select which policies you want to get assigned, and you will need to provide the address space for the virtual network that will be deployed on this subscription. Please note that this virtual network will be connected to the hub virtual network via VNet peering.

![img](./media/clip_image036c.png)

In addition, you selected **Deploy in a secondary region** and deployed a network topology, you also have the option to deploy an additional Identity virtual network in that region. It will be connected to the hub in your secondary region.

![img](./media/clip_image085.png)

## 9. Landing zone configuration

In the top section you can select which policies you want to assign broadly to all of your application landing zones. You also have the ability to set policies to *Audit only* which will assign the policies for Audit.
Expand Down
11 changes: 11 additions & 0 deletions docs/wiki/Whats-new.md
Original file line number Diff line number Diff line change
Expand Up @@ -144,6 +144,17 @@ Special Note: Existing consumers of ALZ will notice that some "assigned by defau
#### Documentation

- Archived the readme content in the eslzArm folder as it is no longer relevant. Please refer to the [ALZ Wiki](https://aka.ms/alz/wiki) for the latest information on how to deploy Enterprise-Scale Landing Zones. To view the content that was previously here, refer to the [archive](https://github.com/Azure/Enterprise-Scale/blob/45d5c2bd8c1a9e19b1a46a3a0dabb311e5320b64/eslzArm/README.md).
- Added new instructions for deploying hub and spoke network topology in [multiple regions](./Deploying-ALZ-HubAndSpoke#deploying-networking-resources-in-an-additional-region).
- Added new instructions for deploying additional vWAN hubs in [multiple regions](./Deploying-ALZ-HubAndSpoke#deploying-networking-resources-in-an-additional-region).

#### Tooling

- Added functionality to deploy platform resources into multiple regions. In the Core settings, you will have the option to deploy resources in a secondary region. If you select **Yes** you will have new options:
- In the **Networking topology and connectivity** tab:
- If you select *Hub and spoke with Azure Firewall* you will deploy a second hub in a secondary region. You can configure the IP space, VPN Gateway settings, ExpressRoute Gateway settings, and Azure Firewall settings for this region. Both of the hubs will be peered, with routing for the hubs to the Azure Firewalls being deployed. If you select DDoS protection or to select the creation of Azure Private DNS Zones, these will be linked to the second hub as well.
- If you select *Hub and spoke with your third-party NVA* you will deploy a second hub in a secondary region. You can configure the IP space, VPN Gateway settings, and ExpressRoute Gateway settings for this region. Both of the hubs will be peered, but no routing configured. If you select DDoS protection or to select the creation of Azure Private DNS Zones, these will be linked to the second hub as well.
- If you select *Virtual WAN* you will deploy a second virtual hub in a secondary region, as part of your virtual WAN deployment. You can configure the IP space, VPN Gateway settings, ExpressRoute Gateway settings, and Azure Firewall settings for this region. Both of the hubs will be peered, with routing for the hubs to the Azure Firewalls being deployed.
- In the **Identity** tab, if you have selected a topology to deploy, you will have the option to deploy an Identity virtual network to the secondary region, peered to the hub in that region.

### April 2024

Expand Down
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/wiki/media/clip_image080.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/wiki/media/clip_image081.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/wiki/media/clip_image082.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/wiki/media/clip_image083.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/wiki/media/clip_image084.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/wiki/media/clip_image085.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading

0 comments on commit 6d8b116

Please sign in to comment.