CONNECTIVITY Version 1 (WIP) Last Review Date: August, 2024


Connectivity Subscription

Overview

  • The More IQ Connectivity subscription, sub-miq-connectivity, contains all centralised networking and DNS resources of the More IQ Landing Zone solution.
  • The segregation of networking resources from other resources allows policy and permissions to be tightly controlled without significant impact on workloads.
  • Access to the Connectivity subscription should be minimised as modification of networking resources can have serious operational and availability impacts on workloads and services.
  • The current implementation of More IQ networking infrastructure is a single region (Australia East) hub and spoke network with no Firewall or Gateway.
  • The following diagram shows the overall resource topology of the connectivity subscription: [Diagram: Connectivity Subscription Topology]

Access

  • Access to this site is for members of the MoreCore team, and permitted subcontractors.
  • Access is controlled via specific groups; the groups and the roles they hold (e.g. Network Contributor) are still to be listed.

VWAN

  • As the solution is a single region, hub and spoke networking model with no firewall and gateway, there is no need for a VWAN to host the security resources.
  • In the future, if multiple regions are enabled or a gateway is implemented, a VWAN would be required / strongly recommended.

Hub Network

  • The More IQ Hub VNet is the central network in the Australia East region.
  • All spoke VNets in all subscriptions are peered to the hub VNet.

Spoke Networks

  • Each subscription in the landing zones management group has a spoke VNet peered to the regional hub network.
  • The management and DevOps subscriptions also have spoke VNets.
  • The management VNet is NOT peered to the regional hub network, as it does not need to communicate with Azure resources on the data plane.
  • Each spoke VNet has a unique CIDR range allocated from the address space/CIDR range of the hub VNet.
  • Spoke VNets are segmented into subnets by the landing zone consumer.
  • A policy enforces that every subnet must have a Network Security Group attached. Because the policy denies non-compliant requests, it can block the creation or modification of resources during provisioning. To avoid this, a temporary, time-bound exemption to the policy must be created before the provisioning process runs.
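The subnet policy and its time-bound exemption, written as an added Bicep example rather than the More IQ platform's own code; the resource names, the 4-hour duration and the subscription-wide scope of the waiver are assumptions, not values from this page.

```bicep
targetScope = 'subscription'

// Assumed values (not from the page): capture deployment time so the waiver
// expires a fixed interval after provisioning starts, even if nobody removes it.
param provisioningStart string = utcNow('yyyy-MM-ddTHH:mm:ssZ')
param exemptionDuration string = 'PT4H' // ISO 8601 duration, assumed

// Custom definition: deny any stand-alone subnet that has no NSG reference.
// GatewaySubnet and AzureFirewallSubnet are excluded because Azure forbids NSGs on them.
resource requireNsg 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-subnet-without-nsg' // assumed name
  properties: {
    displayName: 'Subnets must have a Network Security Group attached'
    policyType: 'Custom'
    mode: 'All'
    policyRule: {
      if: {
        allOf: [
          { field: 'type', equals: 'Microsoft.Network/virtualNetworks/subnets' }
          { field: 'name', notIn: [ 'GatewaySubnet', 'AzureFirewallSubnet' ] }
          { field: 'Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id', exists: 'false' }
        ]
      }
      then: { effect: 'deny' }
    }
  }
}

// Assign with enforcement on; 'DoNotEnforce' would only report, not block.
resource assignNsg 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-subnet-without-nsg' // assumed name
  properties: {
    displayName: requireNsg.properties.displayName
    policyDefinitionId: requireNsg.id
    enforcementMode: 'Default'
  }
}

// Time-bound waiver for the provisioning window. Deployed here at subscription
// scope for brevity; in practice scope it to the landing zone's resource group
// via a module so the rest of the subscription stays enforced.
resource provisioningWaiver 'Microsoft.Authorization/policyExemptions@2022-07-01-preview' = {
  name: 'waiver-lz-provisioning' // assumed name
  properties: {
    displayName: 'Temporary waiver while landing zone provisioning runs'
    policyAssignmentId: assignNsg.id
    exemptionCategory: 'Waiver'
    expiresOn: dateTimeAdd(provisioningStart, exemptionDuration)
  }
}
```

Subnets declared inline in a VNet body are evaluated as part of Microsoft.Network/virtualNetworks rather than as subnet resources, so a production definition needs a second clause using a count over the subnets[*] alias to cover that path.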

Firewall

  • It is recommended that More IQ Landing Zones are secured by an Azure Firewall.
  • This ensures all communication to and from the Internet traverses the Azure Firewall.
  • It is recommended to create the Firewall inside a VWAN in a secured hub.
  • In a multi-region deployment, an Azure Firewall would be created in each regional secured VWAN hub.

Web application Firewalls (WAFs)

  • Any workload requiring a layer 7 Web Application Firewall will create one in a subnet of the spoke VNet in its landing zone subscription.

Gateway

  • In the future, if a connection to an on-premises network is required, an Azure Gateway should be created in the regional secured VWAN hub closest to the on-premises location.

Network monitoring

  • Network monitoring is currently minimal; improving it would require flow logs to be enabled at the VNet or subnet level.
  • Network monitoring of the sub-miq-management NAT Gateway is handled by the NAT Gateway itself.