Azure Navigator
RSS

Optimizing Network Address Space Allocation for Hybrid Cloud Environments

In the evolving landscape of hybrid cloud environments, managing network address space efficiently is paramount. This article delves into best practices and strategic recommendations for allocating network address ranges in Azure and on-premises datacenters. It covers essential topics such as network setup, management groups, VPN and ExpressRoute gateways, address space planning, and the adoption of IPv6. Additionally, it explores advanced configurations like active-active and active-passive gateway setups, multiple regional hubs, and the use of Azure Virtual WAN for global connectivity. By following these guidelines, organizations can ensure seamless connectivity, scalability, and robust network management.

Introduction

Introduction: In today’s hybrid cloud environments, effectively managing network address space is crucial for ensuring seamless connectivity and scalability. This article provides best practices and recommendations for allocating network address ranges in Azure and on-premises datacenters, based on the Cloud Adoption Framework, the Well-Architected Framework, and other relevant sources.

Network Setup: Connectivity Subscription and Individual Spokes

Understanding the network setup is essential for designing a scalable and efficient architecture. This section delves into the hub-and-spoke topology, connectivity subscription, and individual spokes.

Hub-and-Spoke Topology

The hub-and-spoke network topology is a common architecture in Azure. The hub is a central VNet that acts as a connectivity point to on-premises networks and other Azure VNets. The spokes are VNets that peer with the hub and can be used to isolate workloads.

Diagram illustrating Hub-Spoke Architecture on Microsoft Azure. The diagram includes sections for management groups, subscriptions, resource groups, and resources. It outlines processes for organizing resources, managing access and policies, monitoring and reporting, and ensuring security compliance. The hub-spoke topology is highlighted, showing a central hub connected to multiple spokes, simplifying network management and security.
Hub-Spoke Architecture on Microsoft Azure

Connectivity Subscription

The connectivity subscription hosts the hub VNet, which includes shared services such as VPN gateways, ExpressRoute gateways, and Azure Firewall. This subscription is managed centrally to ensure consistent network policies and security controls.

Diagram of networking areas within the Azure landing zone conceptual Management Group Hierarchy, highlighting the roles of Corp and Online management groups and their networking relationships

Individual Spokes

Each spoke VNet is deployed in separate subscriptions, known as application landing zone subscriptions. These spokes are peered with the hub VNet to allow communication between resources in different VNets while maintaining isolation.

This reference architecture illustrates a hub-spoke network pattern with customer-managed hub infrastructure components. It highlights the hub-spoke topology recommended by the Cloud Adoption Framework, explaining its best practice status for many organizations. For a Microsoft-managed hub infrastructure solution, refer to the Hub-spoke network topology with Azure Virtual WAN.
Hub-spoke network pattern with customer-managed hub infrastructure in Azure, featuring Azure Firewall, VPN Gateway, and Azure Bastion

Management Groups and Subscriptions

Properly structuring management groups and subscriptions is crucial for maintaining control and governance. This section explains their roles in organizing and managing resources within an enterprise.

Corp Management Group and Subscriptions

The corp management group is used to manage corporate resources and subscriptions. It includes policies and access controls that apply to all subscriptions under this group.

Example of a management group structure in the Azure landing zone accelerator, detailing the hierarchy and roles of various management groups as defined in the ALZ-Bicep repository

Online Management Group and Subscriptions

The online management group is used to manage online services and applications. Similar to the corp management group, it includes policies and access controls for all subscriptions under this group.

This infographic illustrates the assignment of policy and policy set definitions within the Azure landing zone Management Group hierarchy. It shows that policies are created only at the intermediate management group level (e.g., contoso) and its child groups, avoiding assignments at the tenant root management group scope. This approach aligns with the Cloud Adoption Framework's best practices, ensuring clear delineation of policy application and preventing unintended policy inheritance across the entire tenant. The diagram emphasizes the importance of maintaining compliance, flexibility, and alignment with organizational governance requirements.
Diagram of policy and policy set definitions assigned within the Azure landing zone Management Group hierarchy, highlighting the levels at which these policies are deployed

VPN Gateway or ExpressRoute Gateway in Connectivity Subscription

Gateways play a vital role in establishing secure and reliable cross-premises connectivity. This section discusses the use of VPN and ExpressRoute gateways in the connectivity subscription.

VPN Gateway

A VPN gateway is used to establish secure cross-premises connectivity between the on-premises network and Azure VNets. It supports site-to-site (S2S), point-to-site (P2S), and VNet-to-VNet connections. NAT is supported on VPN gateways with SKUs VpnGw2 to VpnGw5 and VpnGw2AZ to VpnGw5AZ.

This infographic shows the configuration of NAT (Network Address Translation) for Azure VPN Gateway using the Azure portal. It explains the mechanisms of translating one IP address to another, commonly used for connecting networks with overlapping IP address ranges. The diagram highlights the supported SKUs and the steps to build the topology by completing the parts of the article.
Diagram illustrating the configuration of NAT (Network Address Translation) for Azure VPN Gateway, highlighting the supported SKUs and the basic building blocks for setting up NAT in network connectivity.

ExpressRoute Gateway

An ExpressRoute gateway provides a dedicated, private connection between the on-premises network and Azure. It offers higher bandwidth and lower latency compared to VPN gateways. NAT is also supported on ExpressRoute gateways for public and Microsoft peering.

The infographic shows the setup of zone-redundant virtual network gateways. It illustrates how instances of the virtual network gateways are distributed across different availability zones to ensure redundancy and reliability. Specifically, Instance #1 is located in Availability Zone 2, and Instance #2 is located in Availability Zone 3. The infographic also shows the flow of cross-premises ingress and egress traffic through these instances, highlighting their roles in managing network traffic.
Zone-redundant virtual network gateways deployed across different availability zones to ensure redundancy and reliability

Address Space Allocation

Proper address space allocation is critical for avoiding conflicts and ensuring future scalability. This section provides guidance on planning and managing address space allocation.

Planning Address Space

Allocate address space with future growth in mind. Ensure that the address ranges do not overlap between on-premises and Azure environments.

Tools for Address Space Management

Azure provides tools such as IP Address Manager (IPAM) and Azure Virtual Network Manager (AVNM) to help manage address space allocation efficiently.

Diagram illustrating the steps to create an IP address pool for a virtual network in the Azure portal, highlighting the fields to be filled in the 'Create an IP address pool' window
Diagram illustrating the steps to create an IP address pool for a virtual network in the Azure portal, highlighting the fields to be filled in the 'Create an IP address pool' window
Diagram illustrating the steps to enter the IP address range for a root pool and complete the creation of an IP address pool in the Azure portal
Diagram illustrating the steps to enter the IP address range for a root pool and complete the creation of an IP address pool in the Azure portal
Diagram illustrating the steps to associate an existing virtual network with an IP address pool in the Azure portal, highlighting the Allocations settings and the process of selecting virtual networks
Diagram illustrating the steps to associate an existing virtual network with an IP address pool in the Azure portal, highlighting the Allocations settings and the process of selecting virtual networks
Diagram illustrating the steps to create static CIDR blocks for a pool in the Azure portal, highlighting the fields to be filled in the 'Allocate static CIDRs from pool' window
Diagram illustrating the steps to create static CIDR blocks for a pool in the Azure portal, highlighting the fields to be filled in the 'Allocate static CIDRs from pool' window
Diagram illustrating the steps to review the allocation usage of an IP address pool in the Azure portal, highlighting the statistics available in the Allocations window
Diagram illustrating the steps to review the allocation usage of an IP address pool in the Azure portal, highlighting the statistics available in the Allocations window
This infographic shows the fields to review for each allocation in an IP address pool in the Azure portal. It includes fields such as Name, Address space, Address count, IP allocation, and Status, providing a detailed overview of the allocation's details and status within the pool.
Diagram illustrating the fields to review for each allocation in an IP address pool in the Azure portal, highlighting the details available in the Allocations window

Network Address Translation (NAT)

NAT can be used to conserve IP addresses by mapping an external IP address and port to a larger set of internal IP addresses. This is particularly useful when there is a shortage of address space. NAT is supported on premium VPN gateways (VpnGw2 to VpnGw5 and VpnGw2AZ to VpnGw5AZ) and ExpressRoute gateways.

Considering IPv6

Given the scarcity of IPv4 addresses, consider adopting IPv6. IPv6 provides a vastly larger address space and can coexist with IPv4, allowing for a phased transition. Implementing IPv6 where needed can help future-proof the network and provide connectivity to IPv6-only clients.

Diagram illustrating a simple dual stack (IPv4/IPv6) deployment in Azure, highlighting the benefits of dual stack connectivity for applications hosted in Azure

Deploying Gateways for Connectivity

Ensuring high availability and redundancy is essential for reliable connectivity. This section explains the deployment of gateways, including both active-active and active-passive configurations.

On-Premises and Cloud Gateways

To establish connectivity, you will need to deploy one gateway on-premises and one in the cloud. If considering an active-active setup, this would result in a total of four gateways: two in the cloud and two on-premises. This setup ensures high availability and redundancy.

Active-Active Configuration

In an active-active configuration, both gateways in the cloud and on-premises are active simultaneously, providing load balancing and failover capabilities. This setup requires two local network gateways and two connections for each on-premises VPN device.

Diagram illustrating the dual-redundancy active-active mode design, highlighting the setup of Azure VPN gateway in active-active mode and the resulting full mesh connectivity

Active-Passive Configuration

In an active-passive setup, one gateway is active while the other is on standby. If the active gateway fails, the passive gateway takes over, ensuring continuity of service. This setup typically involves one VPN gateway and two local network gateways.

Multiple Hubs in Different Regions

For organizations with operations in multiple regions, having multiple hubs is a common practice. This section discusses the use of multiple hubs and the Virtual WAN (VWAN) setup.

Regional Hubs

A hub resides within a single region. If a customer has major operations in multiple regions, such as West Europe and West US, they would likely have separate hubs in each region. This setup ensures regional redundancy and optimized performance.

Virtual WAN (VWAN) Setup

For a more scalable solution across multiple regions, consider using Azure Virtual WAN (VWAN). VWAN provides a unified and global network backbone, allowing seamless connectivity between regions. It simplifies network management and enhances security by centralizing network policies and controls.

This infographic shows the Virtual WAN architecture, which is a hub and spoke design with built-in scale and performance for branches (VPN/SD-WAN devices), users (Azure VPN/OpenVPN/IKEv2 clients), ExpressRoute circuits, and virtual networks. It enables a global transit network architecture where the cloud-hosted network 'hub' allows transitive connectivity between distributed endpoints. The diagram highlights that Azure regions serve as hubs connected in full mesh in a Standard Virtual WAN, facilitating any-to-any connectivity using the Microsoft backbone. It also mentions the options for spoke connectivity with SD-WAN/VPN devices, either manually set up in Azure Virtual WAN or using the Virtual WAN CPE partner solution.
Diagram illustrating the Virtual WAN architecture, highlighting the hub and spoke design, and the connectivity options for branches, users, ExpressRoute circuits, and virtual networks

Non-Peered Subscriptions and Address Space

Understanding the considerations for non-peered subscriptions and address space is important for avoiding conflicts and ensuring efficient network management.

Non-Overlapping Address Spaces

Non-peered subscriptions, especially those in the online management group, may not require non-overlapping address spaces since they are not peered with the connectivity hub.

Key Considerations for Network Design

Creating a robust and efficient network architecture involves adhering to fundamental principles. This section highlights key considerations for network design, including security, cost-efficiency, scalability, simplicity, and high availability.

  1. Security:

    • Ensure that the network design adheres to security best practices, including the use of NSGs, Azure Firewall, and other security measures.

  2. Cost-Efficiency:

    • Optimize the network design to minimize costs while maintaining performance and security.

  3. Scalability:

    • Design the network to be scalable, allowing for easy expansion as the organization’s needs grow.

  4. Simplicity:

    • Keep the network design as simple as possible to reduce complexity and ease management.

  5. High Availability:

    • Ensure high availability by implementing redundancy and failover mechanisms.

Additional Recommendations

Optimizing network performance and management requires following best practices from various sources. This section provides additional recommendations based on insights from Azure Advisor, the Well-Architected Framework, and other sources.

  1. Use Azure Advisor:

    • Azure Advisor provides recommendations for optimizing performance, security, and cost. Regularly review and implement these recommendations to maintain an efficient and secure network.

  2. Implement Redundancy:

    • Apply redundancy at different levels, including compute, data, and network tiers, to ensure reliability and high availability.

  3. Monitor and Optimize Performance:

    • Continuously monitor network performance using Azure Network Watcher and other monitoring tools. Optimize network configurations based on performance metrics and usage patterns.

  4. Leverage Azure Well-Architected Framework:

    • Follow the principles of the Azure Well-Architected Framework to ensure that your network design aligns with best practices for reliability, security, cost optimization, operational excellence, and performance efficiency.

Conclusion

By following these best practices and recommendations, organizations can effectively manage their network address space, ensuring seamless connectivity and scalability in hybrid cloud environments. Utilizing tools like IPAM and AVNM, considering options like NAT and IPv6, and adhering to the principles of the Cloud Adoption Framework and the Well-Architected Framework can further enhance address space management.

Share the Post:

Related Posts

Transform Your IT Strategy: Windows Server Reclass Explained

Unlock the potential of Windows Server Reclass to transform your IT strategy. This guide provides a detailed overview of how re-evaluating and re-allocating Windows Server licenses can lead to substantial cost savings and improved operational efficiency. Learn about the integration of Azure Arc and Azure Hybrid Benefit to manage and secure hybrid environments effectively.

Read More