Virtual Network Service
Why a Virtual Network Service?
A virtual network allows resources to communicate with other resources. The other resources may be within the same virtual network, but could also be on-premise or on the internet. All cloud resources need a virtual network, which makes a virtual network service essential.
A virtual network service provides virtual networks to application teams.
A virtual network service has two inputs:
a cloud tenant for the virtual network
an IP address range, often in CIDR notation, which can either be provided by a Network Engineer or automatically by an IP address management tool (IPAM)
A virtual network service creates the virtual network in the cloud tenant. If necessary, it registers the IP address range in the organization's IP address management tool (IPAM), taking this burden away from application teams.
Given the security implications, networking services must be provided centrally for most Landing Zones. The virtual network service forms the basis for the networking offering.
Proven Patterns When Implementing Virtual Network Services
Implement a Hub & Spoke Approach
Defining a central hub, e.g. with configured access to the on-premise network, is a very common approach to a scalable network architecture. If cloud tenants (e.g. Azure subscriptions) need access to on-premise, a spoke network is deployed into the tenant and connected to the hub.
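As an added illustration (not code from this page or from any of the tools listed below), the following Python sketches the service described above: it takes a cloud tenant and a CIDR range, either provided by a network engineer or allocated automatically from the organization's address space, registers it in an in-memory stand-in for the IPAM, and refuses ranges that are malformed, fall outside the organization's supernet, or overlap the hub or another spoke. The supernet 10.0.0.0/8, the tenant names and the hub/spoke roles are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed value: the organization-wide supernet from which the virtual network
# service carves out address ranges (an assumption, not a value from the page).
ORG_SUPERNET = ipaddress.ip_network("10.0.0.0/8")

@dataclass
class Ipam:
    """Minimal in-memory stand-in for an IP address management tool (IPAM):
    records every range handed out and refuses anything that overlaps."""
    supernet: ipaddress.IPv4Network
    registered: dict = field(default_factory=dict)  # network -> (tenant, role)

    def register(self, tenant: str, cidr: str, role: str) -> ipaddress.IPv4Network:
        # strict=True rejects engineer-provided ranges with host bits set, e.g. 10.1.0.1/16
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(self.supernet):
            raise ValueError(f"{net} lies outside the organization supernet {self.supernet}")
        for used, (owner, _) in self.registered.items():
            if net.overlaps(used):
                raise ValueError(f"{net} overlaps {used}, already registered to {owner}")
        self.registered[net] = (tenant, role)
        return net

    def allocate(self, tenant: str, prefixlen: int, role: str) -> ipaddress.IPv4Network:
        """Automatic mode: hand out the first free block of the requested size."""
        for candidate in self.supernet.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(used) for used in self.registered):
                return self.register(tenant, str(candidate), role)
        raise RuntimeError("organization supernet is exhausted")

def provision_spoke(ipam: Ipam, tenant: str, cidr: Optional[str] = None,
                    prefixlen: int = 24) -> dict:
    """The virtual network service: given a cloud tenant and either an explicit CIDR
    or a requested prefix length, register the range in IPAM and return the spoke
    definition (address space plus the hub it is peered with) to be created."""
    hubs = [net for net, (_, role) in ipam.registered.items() if role == "hub"]
    if not hubs:
        raise RuntimeError("the hub network must be registered before spokes are provisioned")
    if cidr:
        net = ipam.register(tenant, cidr, "spoke")      # engineer-provided range
    else:
        net = ipam.allocate(tenant, prefixlen, "spoke")  # IPAM-allocated range
    return {"tenant": tenant, "address_space": str(net), "peer_with": str(hubs[0])}
```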
Shared Responsibility Model Alignment
Organizations should strive to make applications go fully cloud-native on networking (L7, APIs) or provide strongly centralized services (L3 networking like on-premise).
Embrace Cloud Paradigm Shift
On-premise networks relied on L3 connectivity and often had no authentication or authorization on the application layer. The cloud moves this to L7. Network zones are the most difficult to implement, as they involve many shared responsibilities and interfaces.
Shift Your View on Networking
On-premise networks are mostly flat, whereas in the cloud we can do micro-segmentation and networks become very hierarchical, with application teams having a lot of autonomy over their subnets.
Provide It as a Landing Zone Module
Virtual network services can be modules for Modular Landing Zones (see Modular Landing Zones).
Make It Compatible with Adjacent Services
Virtual networks are most useful in combination with:
Firewall rules
External IP addresses
DNS entries
Most applications need to connect to resources outside their own virtual network. The following services need a virtual network as input:
Related Tools
- GCP Fabric FAST
Offers sophisticated virtual network setups based on the “hub and spoke” design. One can choose the type of connectivity between the hub and spokes: VPC Peering, Network Virtual Appliances (NVA), or VPN.
- GCP CFT - Example Foundation
Offers sophisticated virtual network setups. One can choose between Dual Shared VPC (SVPC) and Hub & Spoke connectivity.
- GCP Setup Checklist
Separate networks per environment are created and some basic firewall rules are applied. That way you have connectivity within one environment (e.g. all production services can talk to each other securely via a VPC). Advanced options like configuring peering or VPN approaches are not provided.
- Azure LZ accelerator - ES
Can deploy hub and spoke with Azure Firewall, hub and spoke with your own third-party NVA, or Virtual WAN (Microsoft managed).
- Azure LZ Terraform module - ES
By adding deploy_connectivity_resources = true to the module’s input parameters, the module sets up a hub network with firewall and gateway subnets. These can be further customized by tweaking some networking settings.
- Azure CAF Terraform Modules
It can be implemented by running different modules in Level2/connectivity. The modules cover Azure Firewall, hub and spoke, vWAN, private DNS, and more.
- AWS Control Tower with Account Factory
CT creates a default VPC with 3 subnets in the management account per availability zone. You can edit the VPC configuration for newly provisioned accounts with Account Factory; for example, you can allow internet access for the created subnets, which leads to the creation of a NAT Gateway. When provisioning a new account, CT automatically deletes the default VPC and creates a new VPC configured by CT.
- AWS Control Tower with AFT
Similar to the normal Account Factory, with the addition of the AFT customization framework that allows you to include additional Terraform resources.
- AWS Landing Zone Accelerator
It provides a reasonable default network setup in network-config.yaml. Additionally, the default config contains many further options as commented-out code; you just have to activate them and adapt them to your needs.
- UniPipe
With UniPipe you can easily provide a Virtual Network Service, e.g. to grant on-prem connectivity or to integrate all your company’s productive applications into one network. All you need for this is a Terraform module that sets up the networking inside the target tenant as needed.