- Want to assign many IP addresses to new applications created on Azure, e.g. Containers
- Want to freely design the network according to new technologies and services
- On the other hand, need to connect to On-premisess or shared services on other virtual networks in Azure
- With conventional methods such as peering, the number of IP addresses is insufficient or overlapped
- NAT on VPN Gateway
- Limitation: NAT for VNet-to-VNet connection is not supported
- Private Link Service
- Limitation: Supported only for VM/VMSS
- Connect VNets (expose endpoints) with Private Link Service
- for VM/VMSS with Azure LB
- for HTTP(s) with Application Gateway (New! private preview as of June 2022)
- Expose multi-tenant managed services with Private Endpoint
VNet for projects are able to have the same address space as others and On-premises! You got freedom.
- (Fake)On-premises VNet
- Client VM
- DNS Resolver container (zone forwarder for Hub VNet linked DNS)
- VPN Gateway to Hub VNet (ER is also OK)
- Hub VNet
- VPN Gateway to On-premises VNet
- DNS Resolver container (Alternative: Azure DNS Private Resolver)
- Linked private DNS zone
- for shared service: internal.poc
- for multi tenant managed service: privatelink.file.core.windows.net
- Shared Web service container (with TLS self-signed)
- Private Link Service to shared web service with Application Gateway
- Private Endpoint to Project VNet
- for ssh to jumpbox VM
- for project web service
- Project VNet
- Jumpbox VM
- Project web service
- Private Link Service to projct web service with Application Gateway
- Private Endpoint to Hub VNet
- for shared web service
- Private Endpoint to multi tenant managed service
- Linked private DNS zone
- for shared service: internal.poc
- for multi tenant managed service: privatelink.file.core.windows.net
- Multi tenant managed service
- Shared contents on Azure Storage file share
graph TB
subgraph VNet-fake-On-premises-10.0.0.0/16
vm-client
vpng-onprem
aci-onprem-resolver
end
subgraph VNet-Hub-10.1.0.0/16
vpng-onprem --> vpng-hub
aci-onprem-resolver --> aci-hub-resolver
agw-hub --> aci-shared-web
aci-shared-web --> pe-hub-shared-contents
subgraph private-endpoint-hub-to-multi-tenant
pe-hub-shared-contents
end
subgraph private-endpoint-to-prj1
pe-agw-hub-to-prj1
pe-lbi-hub-to-prj1
end
aci-hub-resolver --> dns-endpoint-hub
dns-endpoint-hub --> private-dns-zone-link-hub
end
subgraph VNet-Project1-10.0.0.0/16
pe-agw-hub-to-prj1 --> agw-prj1
pe-lbi-hub-to-prj1 --> pl-lbi-prj1
pl-lbi-prj1 --> lbi-prj1
agw-prj1 --> aci-prj1-web
lbi-prj1 --> vm-prj1-jumpbox
aci-prj1-web --> pe-shared-contents-prj1-to-mt
subgraph private-endpoint-prj1-to-shared-service
pe-agw-prj1-to-hub --> agw-hub
end
subgraph private-endpoint-to-multi-tenant
pe-shared-contents-prj1-to-mt
end
dns-endpoint-prj1 --> private-dns-zone-link-prj1
end
subgraph Azure-DNS-Private-Zone
private-dns-zone-link-hub --> private-zone-hub-internal
private-dns-zone-link-hub --> private-zone-hub-multi-tenant
private-dns-zone-link-prj1 --> private-zone-prj1-internal
private-dns-zone-link-prj1 --> private-zone-prj1-multi-tenant
end
subgraph Multitenants
pe-hub-shared-contents --> fileshare-shared-contents
pe-shared-contents-prj1-to-mt --> fileshare-shared-contents
end
myname@mytenant@vm-client:~$ curl https://shared-web.internal.poc --insecure
Hello from shared-web
myname@mytenant@vm-client:~$ curl https://shared-web.internal.poc/shared/shared.html --insecure
This is shared content.
- Name resolution: OK
- Shared contents via Private Endpoint: OK
myname@mytenant@vm-client:~$ curl http://10.1.0.6
Hello from project1-web
myname@mytenant@vm-client:~$ curl http://10.1.0.6/shared/shared.html
This is shared content.
- Reachability: OK
- Shared contents via Private Endpoint: OK
myname@mytenant@vm-client:~$ az ssh vm --ip 10.1.0.5
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.13.0-1025-azure x86_64)
[snip]
- Reachability: OK
- SSH with Azure AD auth(no need to manage cert/key and local account): OK
myname@mytenant@vm-jumpbox:~$ curl http://10.0.16.4
Hello from project1-web
myname@mytenant@vm-jumpbox:~$ curl http://10.0.16.4/shared/shared.html
This is shared content.
- Reachability: OK
- Shared contents via Private Endpoint: OK
myname@mytenant@vm-jumpbox:~$ curl https://shared-web.internal.poc --insecure
Hello from shared-web
- Name resolution: OK
- Reachability: OK
- Scalability of Private Link Service
- Private Link has limits on the number that can be configured, e.g. 8 IPs per Private Link Service.
- You may need to increase Private Link Service on the number of projects
- Outbound traffic control on Project VNet
- Simple: One Azure Firewall per Project VNet
- Shared: Share one Azure Firewall with multiple projects
- Need peering, so lose the freedom of network design (trade-off!)
- Resouce grouping, ownership and permissions
- There are resources such as endpoints that are difficult to decide whether to put in a shared group or a project.
- Consider the onwership and delegation of work when the project increases and during operation