Virtual Network Service

⭐️⭐️🛬 Landing Zone

A virtual network service provides a pre-configured virtual network. It is a prerequisite for higher-level services built on virtual networks.

Why a Virtual Network Service?

A virtual network allows resources to communicate with other resources. The other resources may be within the same virtual network, but could also be on-premise or on the internet. All cloud resources need a virtual network, which makes a virtual network service essential.

A virtual network service provides virtual networks to application teams.

A virtual network service has two inputs:

  • a cloud tenant for the virtual network

  • an IP address range, often in CIDR notation, which can be provided either by a Network Engineer or automatically by an IP address management tool (IPAM)

A virtual network service creates the virtual network in the cloud tenant. If necessary, it registers the IP address range in the organization's IP address management tool (IPAM), taking that burden away from application teams.
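The two inputs and the IPAM registration step described above, as an added example that is not part of the original page or of any of the tools listed below: a minimal IPAM-style allocator that accepts either a Network-Engineer-supplied range or allocates one automatically, rejects ranges outside the organization's pool or overlapping another tenant's range, and records the result per tenant. The pool, tenant ids and ranges are constructed sample values.

```python
"""Added example (not the page's own code): a minimal IPAM-style allocator for a
virtual network service. Inputs are a cloud tenant id and either an operator-supplied
CIDR or a request for automatic allocation; the service checks the range against the
organization's pool and all registered ranges, then records it for the tenant.
Pool size, tenant ids and ranges are constructed sample values."""
import ipaddress
from typing import Dict, Optional

Network = ipaddress.IPv4Network


class Ipam:
    """Tracks which address ranges are registered to which cloud tenant."""

    def __init__(self, pool: str) -> None:
        self.pool: Network = ipaddress.ip_network(pool)
        self.registrations: Dict[str, Network] = {}  # tenant id -> registered range

    def _overlaps(self, candidate: Network) -> Optional[str]:
        """Return the tenant whose registered range overlaps the candidate, if any."""
        for tenant, used in self.registrations.items():
            if candidate.overlaps(used):
                return tenant
        return None

    def register(self, tenant: str, cidr: str) -> Network:
        """Register a Network-Engineer-supplied range after validating it."""
        candidate = ipaddress.ip_network(cidr)  # strict: raises ValueError if host bits are set
        if tenant in self.registrations:
            raise ValueError(f"{tenant} already has {self.registrations[tenant]}")
        if not candidate.subnet_of(self.pool):
            raise ValueError(f"{candidate} is outside the pool {self.pool}")
        if (other := self._overlaps(candidate)) is not None:
            raise ValueError(f"{candidate} overlaps a range registered to {other}")
        self.registrations[tenant] = candidate
        return candidate

    def allocate(self, tenant: str, prefixlen: int = 24) -> Network:
        """Automatically pick the first free range of the requested size from the pool."""
        for candidate in self.pool.subnets(new_prefix=prefixlen):
            if self._overlaps(candidate) is None:
                return self.register(tenant, str(candidate))
        raise RuntimeError(f"pool {self.pool} has no free /{prefixlen}")


if __name__ == "__main__":
    ipam = Ipam("10.0.0.0/16")                 # constructed organization pool
    print(ipam.register("hub", "10.0.0.0/24"))  # range chosen by a Network Engineer
    print(ipam.allocate("tenant-a"))            # range chosen automatically by IPAM
```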

Given the security implications, networking services must be provided centrally for most Landing Zones. The virtual network service forms the basis for the networking offering.

Cloud-native Service Marketplace

Implement enterprise-wide distribution of cloud infrastructure services via a service Marketplace.


Proven Patterns When Implementing Virtual Network Services

Implement a Hub & Spoke Approach

Defining a central hub, e.g. with configured access to the on-prem network, is a very common approach for a scalable network architecture. If cloud tenants (e.g. Azure Subscriptions) need access to on-prem, a spoke network is deployed into the tenant and connects it to the hub.

Align with Your Shared Responsibility Model

Organizations should strive to make applications go full cloud-native on networking (L7, APIs) or provide strongly centralized services (L3 networking like on-premise).

Embrace Cloud Paradigm Shift

On-premise networks relied on L3 connectivity and often had no authN/Z on the application layer. The cloud moves this to L7. Network zones are the most difficult part to implement, as they involve many shared responsibilities and interfaces.

Shift Your View on Networking

On-premise networks are mostly flat, whereas in the cloud we can do micro-segmentation and networks become very hierarchical, with application teams having a lot of autonomy over their subnets.

Provide It as a Landing Zone Module

Virtual network services can be modules for Modular Landing Zones (see Modular Landing Zones).

Make It Compatible with Adjacent Services

Virtual networks are most useful in combination with

  • Firewall rules

  • External IP addresses

  • DNS entries

Most applications need to connect to resources outside their own virtual network. The following services need a virtual network as input:

  • GCP Fabric FAST

    Offers sophisticated virtual network setups based on the “hub and spoke” design. One can choose the type of connectivity between the hub and spokes: VPC Peering, Network Virtual Appliances (NVA), or VPN.
  • GCP CFT - Example Foundation

    Offers sophisticated virtual network setups. One can choose the type of connectivity: Dual SVPC or Hub & Spoke.
  • GCP Setup Checklist

    Separate networks per environment are created and some basic firewall rules are applied. That way you get connectivity within one environment (e.g. all production services can talk to each other securely via a VPC). Advanced options like peering or VPN setups are not provided.
  • Azure LZ accelerator - ES

    Can deploy hub and spoke with Azure Firewall, hub and spoke with your own third-party NVA, or Virtual WAN (Microsoft managed).
  • Azure LZ Terraform module - ES

    By adding deploy_connectivity_resources = true to the module’s input parameters, the module sets up a hub network with firewall and gateway subnets. These can be further customized by tweaking the networking settings.
  • Azure CAF Terraform Modules

    It can be implemented by running the different modules in Level2/connectivity. The modules cover Azure Firewall, hub and spoke, vWAN, private DNS, …
  • AWS Control Tower with Account Factory

    CT creates a default VPC with 3 subnets in the management account per availability zone. You can edit the VPC configuration for newly provisioned accounts with the Account Factory. For example, you can allow internet access for the created subnets, which leads to the creation of a NAT Gateway. When provisioning a new account, CT automatically deletes the default VPC and creates a new VPC configured by CT.
  • AWS Control Tower with AFT

    Similar to the normal Account Factory, with the addition of the AFT customization framework, which allows you to include additional Terraform resources.
  • AWS Landing Zone Accelerator

    It provides a reasonable default network setup in network-config.yaml. Additionally, the default config contains many further options as commented-out code; you just have to activate them and adapt them to your needs.
  • UniPipe

    With UniPipe you can easily provide a Virtual Network Service, e.g. to grant on-prem connectivity or to integrate all your company’s productive applications into one network. All you need for this is a Terraform module that sets up the networking inside the target tenant as needed.