Thought experiment answers
This section contains the solution to the thought experiment for the chapter.
The VNet should have an address space with an ample number of IP addresses (for future growth), but it cannot overlap the current network space, so a class B private network at 172.16.0.0/20 will be implemented. The following subnets will be created:
Apps: IIS VMs hosting the application
Data: SQL Server VMs providing the databases
Identity: AD Domain Controllers/DNS
AppGateway: App Gateway VMs
GatewaySubnet: ExpressRoute VPN Gateways
The different subnets will contain the various VMs needed to meet the requirements. There will be network security groups on each subnet and on each VM's NIC. Inbound rules will be created to allow least-privilege access for traffic into a subnet and then into the NIC.
An ExpressRoute connection between Azure and the on-premises datacenter will be created. The public IP addresses will be configured as the endpoint for the ExpressRoute circuit. The AD domain controllers will be set up as DNS servers by configuring the VNet to point to those servers.
The Azure Application Gateway will be used to publish the IIS VMs as a backend pool. These VMs will be installed into the Apps subnet. The App Gateway will also be configured as a web application firewall (WAF). The SQL Server Always On cluster will be installed into the Data subnet behind an internal load balancer configured with Direct Server Return. The domain controllers will be installed into the Identity subnet and configured to provide DNS services, including configuring the VNet to point to these servers for DNS.
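As an added example (not from the chapter), a small Python check of the design above: it carves the five subnets out of 172.16.0.0/20, confirms the VNet does not overlap the on-premises ranges, and screens the intended inbound NSG rules so that only the App Gateway (WAF) subnet is reachable from the Internet. The on-premises ranges, the subnet prefix lengths and the rule table are constructed assumptions.

```python
import ipaddress

# Constructed inputs (assumptions, not from the chapter): the on-premises ranges
# the VNet must not overlap, and a prefix length for each subnet in the answer.
ON_PREM = ("10.0.0.0/8", "192.168.0.0/16")
VNET = ipaddress.ip_network("172.16.0.0/20")
PLAN = {"Apps": 24, "Data": 24, "Identity": 24, "AppGateway": 24, "GatewaySubnet": 27}
AZURE_RESERVED = 5        # Azure reserves the first four and the last address of a subnet
MIN_GATEWAY_PREFIX = 27   # Microsoft recommends /27 or larger for GatewaySubnet

# Intended least-privilege inbound rules as (destination subnet, source, port).
# Only the AppGateway subnet (the WAF) should accept traffic from the Internet.
INBOUND = [
    ("AppGateway", "Internet", 443),
    ("Apps", "AppGateway", 443),
    ("Data", "Apps", 1433),
    ("Identity", "Apps", 53),
    ("Identity", "Data", 53),
]


def carve_subnets(vnet, plan):
    """Allocate subnets back to back, largest first, so each block stays prefix-aligned."""
    allocated, cursor = {}, int(vnet.network_address)
    for name, prefix in sorted(plan.items(), key=lambda kv: kv[1]):
        subnet = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{prefix}")
        if not subnet.subnet_of(vnet):
            raise ValueError(f"{name}: /{prefix} does not fit inside {vnet}")
        allocated[name] = subnet
        cursor += subnet.num_addresses
    return allocated


def validate_plan(vnet, plan, on_prem, inbound):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    for net in (ipaddress.ip_network(n) for n in on_prem):
        if vnet.overlaps(net):
            findings.append(f"VNet {vnet} overlaps on-premises range {net}")
    subnets = carve_subnets(vnet, plan)
    if subnets["GatewaySubnet"].prefixlen > MIN_GATEWAY_PREFIX:
        findings.append("GatewaySubnet is smaller than the recommended /27")
    for name, net in subnets.items():
        if net.num_addresses - AZURE_RESERVED < 1:
            findings.append(f"{name}: no usable addresses after Azure's reservation")
    for dest, src, port in inbound:
        if src == "Internet" and dest != "AppGateway":
            findings.append(f"{dest}: Internet-sourced rule on port {port} bypasses the WAF")
        elif src != "Internet" and src not in subnets:
            findings.append(f"{dest}: rule references unknown source subnet {src}")
    return findings
```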