
# Azure Landing Zone: Network Structure

## Overview

A robust and modular network structure is essential in any Azure Landing Zone. It ensures secure communication, isolation of workloads, and flexibility for future scaling.

---

## Core Components

### Virtual Network (VNet)
- Acts as your private network in the cloud.
- Defines the address space using CIDR blocks; choose ranges that do not overlap with on-premises networks or other VNets, because peering and VPN/ExpressRoute connections fail on overlapping prefixes.
- VNets are scoped to a single region and subscription, and are isolated from each other unless connected via peering or a gateway.

*Example*: Create a VNet with the address space `10.0.0.0/16`.

---

### Subnets
- Logical subdivisions of a VNet's address space (Azure reserves the first four and the last address of every subnet).
- Used to isolate workloads by tier, such as frontend, backend, and management.
- NSGs can be associated at the subnet level for access control.

*Example*:
```
- Subnet-Web:    10.0.1.0/24
- Subnet-DB:     10.0.2.0/24
- Subnet-Admin:  10.0.3.0/24
```

---

### Network Security Group (NSG)
- Defines inbound and outbound traffic rules as a stateful Layer 3/4 filter.
- Acts like a mini-firewall at the subnet or NIC level; when both are attached, inbound traffic must pass the subnet NSG first and then the NIC NSG.
- Rules match on source/destination IP ranges (or service tags such as `Internet` and `VirtualNetwork`), ports, and protocols, and are evaluated by priority (100 to 4096, lowest number first). Built-in default rules allow all traffic within the VNet (including peered VNets) and all outbound traffic, and deny other inbound traffic; add an explicit deny rule where intra-VNet access should be restricted.

*Example*: Allow only TCP 80 and 443 from the Internet into the Web subnet; allow the DB subnet to accept connections only from the Web subnet on the database port, and deny all other inbound traffic so nothing reaches it from the Internet.
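The Web and DB rules above, together with the three subnets from the Subnets section, expressed as a Bicep template. This is an added example, not code from the original page; the resource names, the `adminSourcePrefix` parameter (the range, such as a hub Bastion subnet, that may manage the Admin subnet) and the choice of TCP 1433 as the database port are assumptions.

```bicep
// Added example: VNet with Web/DB/Admin subnets, each behind its own NSG.
// Resource names, adminSourcePrefix and the database port (1433) are assumptions.
param location string = resourceGroup().location
param vnetName string = 'vnet-lz-prod'
param adminSourcePrefix string = '10.0.0.128/26' // assumed: Bastion subnet in the hub

// Explicit catch-all deny at the lowest custom priority, so no subnet silently
// relies on the built-in AllowVnetInBound default rule.
var denyAllInbound = {
  name: 'Deny-All-Inbound'
  properties: { priority: 4096, direction: 'Inbound', access: 'Deny', protocol: '*', sourceAddressPrefix: '*', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' }
}

// Web tier: only HTTP/HTTPS from the Internet service tag.
resource nsgWeb 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-web'
  location: location
  properties: {
    securityRules: [
      {
        name: 'Allow-Web-Inbound'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '10.0.1.0/24'
          destinationPortRanges: [ '80', '443' ]
        }
      }
      denyAllInbound
    ]
  }
}

// DB tier: reachable only from the Web subnet on the database port; nothing from the Internet.
resource nsgDb 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-db'
  location: location
  properties: {
    securityRules: [
      {
        name: 'Allow-SQL-From-Web'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '10.0.1.0/24'
          sourcePortRange: '*'
          destinationAddressPrefix: '10.0.2.0/24'
          destinationPortRange: '1433'
        }
      }
      denyAllInbound
    ]
  }
}

// Admin tier: SSH/RDP only from the management range, never from the Internet.
resource nsgAdmin 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-admin'
  location: location
  properties: {
    securityRules: [
      {
        name: 'Allow-Mgmt-From-Admin-Source'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: adminSourcePrefix
          sourcePortRange: '*'
          destinationAddressPrefix: '10.0.3.0/24'
          destinationPortRanges: [ '22', '3389' ]
        }
      }
      denyAllInbound
    ]
  }
}

// The VNet from the example above, with each subnet bound to its NSG.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      { name: 'Subnet-Web', properties: { addressPrefix: '10.0.1.0/24', networkSecurityGroup: { id: nsgWeb.id } } }
      { name: 'Subnet-DB', properties: { addressPrefix: '10.0.2.0/24', networkSecurityGroup: { id: nsgDb.id } } }
      { name: 'Subnet-Admin', properties: { addressPrefix: '10.0.3.0/24', networkSecurityGroup: { id: nsgAdmin.id } } }
    ]
  }
}
```

Deploy with `az deployment group create -g <resource-group> -f main.bicep`. The explicit `Deny-All-Inbound` rule matters for the DB and Admin subnets: without it, the default `AllowVnetInBound` rule would let any host in the VNet, or in a peered VNet, reach the database port.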

---

### Azure Firewall / Application Gateway
- **Azure Firewall**: A managed, stateful firewall, normally deployed in the hub, that inspects both east-west (spoke-to-spoke) and north-south (Internet and on-premises) traffic using network rules (IP/port) and application rules (FQDN), with centralized logging and threat-intelligence-based filtering of known-malicious IPs and domains.
- **App Gateway**: Layer 7 (HTTP/HTTPS) load balancer, typically the public entry point for web workloads, with optional Web Application Firewall (WAF) protection based on the OWASP core rule set against common web attacks such as injection and cross-site scripting.

---

## Recommended Architecture: Hub-Spoke Model

### Hub-Spoke Network Design

A scalable enterprise-grade network topology:

- **Hub VNet**: Centralized shared services such as the VPN/ExpressRoute gateway, Azure Firewall, DNS, and Bastion.
- **Spoke VNets**: Isolated environments for applications (Dev, Test, Prod), each with its own address range and NSGs.
- Spokes do **not** connect directly to each other: VNet peering is not transitive, so spoke-to-spoke traffic only flows if a user-defined route on the spoke subnets sends it to the hub firewall, which inspects and forwards it.
- Connected via **VNet Peering** to the Hub, with a peering link in each direction.

*Visual Model*:
```
          On-Premises
              |
       VPN / ExpressRoute
              |
             Hub
     ┌────────┼────────┐
     ↓        ↓        ↓
  Spoke1   Spoke2   Spoke3
   (Dev)    (Prod)    (Test)
```
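The hub-spoke topology above as a Bicep template: one hub with the reserved subnets for Azure Firewall, the VPN/ExpressRoute gateway and Bastion, three spokes peered to the hub in both directions, and a route table that sends all spoke traffic to the hub firewall so spoke-to-spoke traffic is inspected rather than simply impossible. This is an added example, not code from the original page; the address ranges, resource names, and the `firewallPrivateIp` parameter (the firewall itself is assumed to be deployed separately into `AzureFirewallSubnet`) are assumptions.

```bicep
// Added example: hub VNet, three spokes, bidirectional peering and a UDR that
// forces spoke traffic through the hub firewall. Ranges and names are assumptions.
param location string = resourceGroup().location
// Private IP of an Azure Firewall assumed to be deployed separately into
// AzureFirewallSubnet (10.0.0.0/26); .0-.3 are reserved by Azure, so .4 is the first usable.
param firewallPrivateIp string = '10.0.0.4'

// Non-overlapping spoke ranges: peering fails if a prefix overlaps the hub or another spoke.
var spokes = [
  { name: 'vnet-spoke-dev', prefix: '10.1.0.0/16', workloadSubnet: '10.1.1.0/24' }
  { name: 'vnet-spoke-prod', prefix: '10.2.0.0/16', workloadSubnet: '10.2.1.0/24' }
  { name: 'vnet-spoke-test', prefix: '10.3.0.0/16', workloadSubnet: '10.3.1.0/24' }
]

// Hub: these subnet names are fixed by Azure. AzureFirewallSubnet and AzureBastionSubnet
// need at least a /26; /27 is the recommended minimum for GatewaySubnet.
resource hub 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      { name: 'AzureFirewallSubnet', properties: { addressPrefix: '10.0.0.0/26' } }
      { name: 'GatewaySubnet', properties: { addressPrefix: '10.0.0.64/27' } }
      { name: 'AzureBastionSubnet', properties: { addressPrefix: '10.0.0.128/26' } }
    ]
  }
}

// UDR: default route to the firewall. Disabling BGP propagation stops on-premises
// prefixes learned via the hub gateway from creating a path that bypasses the firewall.
resource rtSpoke 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke-via-firewall'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-firewall'
        properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp }
      }
    ]
  }
}

// Spokes: one workload subnet each, bound to the route table above.
resource spokeVnets 'Microsoft.Network/virtualNetworks@2023-05-01' = [for s in spokes: {
  name: s.name
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ s.prefix ] }
    subnets: [
      { name: 'snet-workload', properties: { addressPrefix: s.workloadSubnet, routeTable: { id: rtSpoke.id } } }
    ]
  }
}]

// Peering is not transitive: every spoke needs its own pair of links with the hub.
// batchSize(1) serializes the peering operations, which otherwise conflict on the hub VNet.
@batchSize(1)
resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = [for (s, i) in spokes: {
  parent: hub
  name: 'peer-hub-to-${s.name}'
  properties: {
    remoteVirtualNetwork: { id: spokeVnets[i].id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    allowGatewayTransit: true // lets spokes use the hub's VPN/ExpressRoute gateway once one exists
    useRemoteGateways: false
  }
}]

@batchSize(1)
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = [for (s, i) in spokes: {
  parent: spokeVnets[i]
  name: 'peer-${s.name}-to-hub'
  properties: {
    remoteVirtualNetwork: { id: hub.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true // required: spoke-to-spoke packets arrive forwarded by the firewall
    allowGatewayTransit: false
    useRemoteGateways: false // set true only after the hub gateway exists; deployment fails otherwise
  }
}]
```

Two routing details worth checking after deployment: traffic from a spoke to the hub's own range (`10.0.0.0/16`) follows the more specific system route created by the peering and therefore bypasses the firewall, so add a route for the hub prefix as well if that traffic must be inspected; and Network Watcher's "Next hop" check against a workload VM should report `VirtualAppliance` with the firewall's IP for any spoke-to-spoke destination.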

---

## Connectivity Options

| Type             | Description                                       |
|------------------|---------------------------------------------------|
| VNet Peering     | Low-latency, high-bandwidth connection between VNets over the Azure backbone; non-transitive, and address spaces must not overlap |
| VPN Gateway      | Encrypted IPsec/IKE tunnels to on-premises over the public Internet |
| ExpressRoute     | Dedicated private circuit that bypasses the public Internet; traffic is not encrypted by default, so add IPsec over the circuit (or MACsec on ExpressRoute Direct) where confidentiality is required |
| Private Link     | Access Azure PaaS services through a private endpoint (a private IP in your VNet), keeping traffic off the public Internet and allowing the service's public access to be disabled |

---

## Best Practices

| Best Practice               | Description                                                                      |
|-----------------------------|----------------------------------------------------------------------------------|
| Subnet Segmentation         | Separate web, database, and admin workloads into their own subnets, each with its own NSG |
| NSG + Firewall              | Layer subnet-level NSG filtering with centralized firewall inspection and logging |
| Hub-Spoke Architecture      | Centralized control of connectivity and security with decentralized workload deployment |
| User-Defined Routes (UDR)   | Override system routes to force spoke traffic through the hub firewall (e.g. `0.0.0.0/0` to the firewall's private IP), and disable BGP route propagation so on-premises routes cannot bypass it |
| Enable Network Monitoring   | Use NSG Flow Logs (or their successor, VNet Flow Logs) and Network Watcher for traffic diagnostics and detection |

---

## Summary

> The network structure is the circulatory system of your Landing Zone. A well-architected network ensures secure, efficient, and scalable communication between Azure resources.
