DEV Community

Cover image for Building a Secure Network Architecture in Azure: A Step-by-Step Guide
Isaiah Izibili
Isaiah Izibili

Posted on

Building a Secure Network Architecture in Azure: A Step-by-Step Guide

#skillsch #mslearn #cloud #cloudcomputing

As organizations increasingly migrate applications to the cloud, designing a secure and scalable network architecture becomes critical. In this article, we walk through the process of setting up a hub-and-spoke architecture in Microsoft Azure, tailored for a web-based application deployment.

Scenario overview
Your organization is migrating a web-based application to Azure. The first step is to establish the foundational networking components:

  • Two virtual networks: app-vnet and hub-vnet, simulating a hub-and-spoke topology.
  • app-vnet will host the application, split into: frontend-subnet for web servers backend-subnet for database servers
  • hub-vnet will contain a single firewall-subnet for centralized security.
  • Both networks must be securely peered to allow private communication.
  • All resources will reside in the same Azure region.

Architecture diagram

Task Diagram

Step 1: Create hub and spoke virtual networks and subnets

An Azure virtual network enables many types of Azure resources to securely communicate with each other, the internet, and on-premises networks. All Azure resources in a virtual network are deployed into subnets within the virtual network.

  1. Sign in to the Azure portal - https://portal.azure.com.
  2. Search for and select Virtual Networks.

virtuat network seach
3. Select + Create and complete the configuration of the app-vnet. This virtual network requires two subnets, frontend and backend.

Property            Value
Resource group           RG1
Virtual network name     app-vnet
Region                   West US 3
IPv4 address space   10.1.0.0/16
Subnet name          frontend
Subnet address range     10.1.0.0/24
Subnet name          backend
Subnet address range     10.1.1.0/24
Enter fullscreen mode Exit fullscreen mode

Note:Leave all other settings as their defaults. When finished select “Review + create and then Create.

Inside each virtual network, you carve out subnets:
_In app-vnet:

  • frontend-subnet: for web servers that handle user traffic.
  • backend-subnet: for database servers that store and process data.
  • In hub-vnet: firewall-subnet: for deploying Azure Firewall or other security appliances.

Why its important:
Subnets help organize resources and apply security rules. For example, you can restrict access so only the frontend talks to the backend, and all traffic flows through the firewall.

Basic

frontsubnet

Backsubnet

4. Create the Hub-vnet virtual network configuration. This virtual network has the firewall subnet.

Property           Value
Resource group         RG1
Name                   hub-vnet
Region                 West US 3
IPv4 address space     10.0.0.0/16
Subnet name        AzureFirewallSubnet
Subnet address range   10.0.0.0/26
Enter fullscreen mode Exit fullscreen mode

hubvnet

hub

5. Once the deployments are complete, search for and select your ‘virtual networks`.
6. Verify your virtual networks and subnets were deployed.

Vnetwork

Note: we created two separate virtual networks:

  • app-vnet: where your application lives.
  • hub-vnet: where shared services like firewalls or VPN gateways reside.

Why It Matters:
This separation allows you to centralize security and routing in the hub, while keeping application workloads isolated in the spoke. It’s scalable, secure, and mirrors enterprise-grade architecture.

Step 2: Configure Virtual Network Peering

Virtual network peering enables you to seamlessly connect two or more Virtual Networks in Azure. SO the the virtual network peering between app-vnet and hub-vnet allows them to communicate privately over Azure’s backbone network.

  1. Search for and select the app-vnet virtual network.
  2. In the Settings blade, select Peerings.
  3. + Add a peering between the two virtual networks.

add peering

Property Value
Remote peering link name app-vnet-to-hub
Virtual network hub-vnet
Local virtual network peering link name hub-to-app-vnet

Note: Leave all other settings as their defaults. Select “Add” to create the virtual network peering.

peering

4. Once the deployment completes, verify the Peering status is Connected.

connected

Why It Matters:
Peering avoids the need for public IPs or VPNs. It’s fast, secure, and cost-effective. You can control traffic flow and even route it through the firewall in the hub.

Key takeaways
Congratulations on completing the exercise. Here are the main takeaways:

  • Azure virtual networks (VNets) provide a secure and isolated network environment for your cloud resources. You can create multiple virtual networks per region per subscription.
  • When designing virtual networks make sure the VNet address space (CIDR block) doesn’t overlap with your organization’s other network ranges.
  • A subnet is a range of IP addresses in the VNet. You can segment VNets into different size subnets, creating as many subnets as you require for organization and security within the subscription limit. Each subnet must have a unique address range.
  • Certain Azure services, such as Azure Firewall, require their own subnet.
  • Virtual network peering enables you to seamlessly connect two Azure virtual networks. The virtual networks appear as one for connectivity purposes.

Top comments (0)