I am getting ready to extend my on-prem environment to Azure. Some of these questions may answer themselves in the process of building out to Azure. Will each resource group need a new subnet or virtual network? I am uncertain about the best way to plan the virtual network. Should I create one virtual network for the Azure environment and build a subnet for each resource group?
For example, to create a site-to-site VPN, I need to create a resource group with a virtual network and VPN Gateway subnet to connect the on-prem site to the cloud. I plan on deploying SQL in Azure. The best practice is to put SQL into its own resource group, correct? Do I need to create another virtual network for the SQL resource group, or do I create a subnet from the virtual network in the VPN gateway resource group?
Azure Virtual Network Design
I know this is a bit late but hopefully this helps:
Resource groups should be used for grouping like items, i.e. if you plan on deploying a SQL server cluster, all SQL servers should be in the same group. It depends on how you define your networking whether or not the subnet should also be in that resource group (RG). More below.
In your case, you would probably have one VNET and then multiple subnets. If you plan on filtering East-West traffic, you'll need to determine how you plan to handle that. We use a VM firewall appliance and override the default routes for the subnets to route traffic using the appliance. I would have one RG for your VPN setup and all the pieces needed for that to work. That way when you go to clean up, it's easy to delete everything in that one RG.
You don't need multiple VNETs based on what you described so far. But as with most things Microsoft, they build it to be robust to cover most scenarios. Thus, there are 10 ways to do something plus a million third-party ways.
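Here is what that layout looks like written down as a Bicep template. This is an added example, not code from the original thread or from anyone in it: one VNET with a GatewaySubnet for the site-to-site VPN, a subnet for the firewall appliance, and separate app and SQL subnets whose route tables send traffic for each other through the appliance instead of the default direct VNET route. All names, address ranges and the appliance's private IP are assumptions chosen for illustration; the template is resource-group scoped, so you would deploy it into the RG you set aside for the VPN pieces.

```bicep
// Added example (not from the original thread). Assumed names and ranges:
// VNET 10.10.0.0/16, GatewaySubnet 10.10.0.0/27, firewall 10.10.2.0/24,
// app 10.10.10.0/24, SQL 10.10.20.0/24, firewall appliance private IP 10.10.2.4.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param vnetName string = 'vnet-hub'              // assumed
param vnetAddressSpace string = '10.10.0.0/16'  // assumed
param appSubnetPrefix string = '10.10.10.0/24'  // assumed
param sqlSubnetPrefix string = '10.10.20.0/24'  // assumed
param nvaPrivateIp string = '10.10.2.4'         // assumed; the appliance NIC needs IP forwarding enabled

// Route table for the app subnet: anything bound for SQL goes via the appliance,
// overriding the system route that would otherwise deliver it directly.
resource rtApp 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-app'
  location: location
  properties: {
    routes: [
      {
        name: 'to-sql-via-firewall'
        properties: {
          addressPrefix: sqlSubnetPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: nvaPrivateIp
        }
      }
    ]
  }
}

// Mirror route table for the SQL subnet so the return path is also inspected.
resource rtSql 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-sql'
  location: location
  properties: {
    routes: [
      {
        name: 'to-app-via-firewall'
        properties: {
          addressPrefix: appSubnetPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: nvaPrivateIp
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ vnetAddressSpace ] }
    subnets: [
      {
        // The VPN gateway will only attach to a subnet named exactly 'GatewaySubnet'.
        name: 'GatewaySubnet'
        properties: { addressPrefix: '10.10.0.0/27' }
      }
      {
        name: 'snet-firewall'
        properties: { addressPrefix: '10.10.2.0/24' }
      }
      {
        name: 'snet-app'
        properties: {
          addressPrefix: appSubnetPrefix
          routeTable: { id: rtApp.id }
        }
      }
      {
        name: 'snet-sql'
        properties: {
          addressPrefix: sqlSubnetPrefix
          routeTable: { id: rtSql.id }
        }
      }
    ]
  }
}

// Public IP and route-based VPN gateway for the site-to-site tunnel.
resource gwPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-vpngw'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource vpnGw 'Microsoft.Network/virtualNetworkGateways@2023-05-01' = {
  name: 'vpngw-hub'
  location: location
  properties: {
    gatewayType: 'Vpn'
    vpnType: 'RouteBased'
    sku: { name: 'VpnGw1', tier: 'VpnGw1' }
    ipConfigurations: [
      {
        name: 'default'
        properties: {
          publicIPAddress: { id: gwPip.id }
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'GatewaySubnet') }
        }
      }
    ]
  }
}
```

The local network gateway and connection for the on-prem side, plus the firewall VM itself, are left out; they would go in the same RG. The point to check after deploying is the effective routes on an app or SQL NIC: the entry for the other subnet should show next hop type VirtualAppliance with the appliance's IP, which confirms the default VNET route has been overridden. If the route is there but traffic is dropped, the usual cause is IP forwarding not being enabled on the appliance NIC.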
Thank you!