In this article, we will take a closer look at the Corp Subscription type, as it differs significantly from the other two types.
Network
When a Corp Subscription is created, a Virtual Network is automatically set up for you. This network is called a Spoke in Azure and is automatically connected to the Hub in Azure, which in turn is connected to the University of Bern's network.
The following diagram shows the basic structure:
architecture-beta
group unibe[UniBE]
group azure(logos:azure)
group connectivity(azure:subscriptions)[Connectivity] in azure
group subscription(azure:subscriptions)[UserSubscription] in azure
group vnetHub(azure:virtual-networks)[Hub] in connectivity
service azfirewall(simple-icons:fortinet)[Firewall] in vnetHub
group vnetSpoke(azure:virtual-networks)[Spoke] in subscription
service webapp(azure:virtual-machine)[App] in vnetSpoke
service firewall(simple-icons:fortinet)[Firewall] in unibe
webapp{group}:R -- L:azfirewall{group}
azfirewall{group}:R -- L:firewall{group}
The Virtual Network is visible as a resource in your Subscription. The resource is automatically assigned a private IP range, which is directly accessible from the University of Bern's network.
Important
This resource is automatically provided by the IT services. Except for the operations listed below, no changes may be made to the Virtual Network, as otherwise its correct function is no longer guaranteed.
The address range has a defined size, which can be specified when ordering. If the initial size is not sufficient, you can contact the IT services to increase it.
Subnet
In the provided Virtual Network, subnets must first be created. Azure Services can then be placed in these. Network segmentation depends on the services to be deployed in it and must therefore be defined by the subscription owner.
Depending on the provided address range, it is conceivable to use either one large or several smaller subnets. The following table illustrates possible subnetting of a /26 network. The table is not exhaustive. It is also possible to create subnets of different sizes.
| Address Range | Subnets | Number of Addresses | Subnet Address Ranges |
|---|---|---|---|
| 10.32.0.0/26 | 1 | 59 |
|
| 10.32.0.0/26 | 2 | 2 * 27 |
|
| 10.32.0.0/26 | 4 | 4 * 11 |
|
Note
The first three IPs (x.x.x.1, x.x.x.2 and x.x.x.3) in each subnet are reserved by Azure and are not available.
Route Table
All traffic in Corp Subscriptions is routed through the IT services' Azure Firewall. Therefore, when creating a subnet, a Route Table provided by the IT services must be selected. This Route Table sets the firewall as the default gateway for the entire subnet.
Note
As a user, you cannot create your own Route Table or modify the one provided by the IT services!
If a service requires a customized Route Table, you can contact the IT services.
Network Security Group
The Network Security Group (NSG) provides simple firewall rules for your own subnet, allowing users to protect their services. In a Corp Subscription, a default NSG is automatically created. This can be adapted to your own needs.
Note
The default NSG prevents direct network traffic from the internet to the subnet. However, even if you were to adjust this, no communication from outside could be established due to the Route Table.
As with the Route Table, an NSG is required when creating a new subnet.
DNS
Azure DNS is integrated with the University of Bern's DNS. Thus, Azure Cloud zones can also be queried at the university, and changes to Azure DNS are immediately visible within the University of Bern's DNS.
Two use cases are relevant for Azure DNS:
- For each organizational unit, there is a DNS zone in Azure based on its abbreviation according to the schema
<institute abbreviation>.azure.cloud.unibe.ch. This zone is primarily used for virtual machines and user entries.- For virtual machines, a DNS entry is automatically created with the name of the virtual machine within this zone. For a VM
testvm01,testvm01.<institute abbreviation>.azure.cloud.unibe.chis automatically created and linked to the correct IP address. - Custom arbitrary entries in this (and only this) zone can be created via the portal => Guide: Custom DNS entries.
- For virtual machines, a DNS entry is automatically created with the name of the virtual machine within this zone. For a VM
- Name resolution for PaaS services is managed in service-specific zones, e.g.,
privatelink.azurewebsites.netorprivatelink.vaultcore.azure.net. Entries in these zones are automatically managed through Policies. Manual entries are neither necessary nor possible here => Guide: PrivateLink DNS entry.
Important
For many services, when they are created, the option is offered to create a new DNS zone for the service. This option must always be deselected, as these zones are automatically created through policies. If the option is active, the creation of the service will fail with a corresponding error message.
Warning
Resources in a Corp Subscription are by default only accessible within the network. However, name resolution occurs worldwide, but the resources naturally cannot be reached.
Note
Domain entries in the .unibe.ch zone must be ordered via ticket to the hostmaster of the University of Bern.
Public Access
If a service is provided in a Corp Subscription that should be accessible from the internet, this can be implemented in cooperation with the IT services.
A distinction must be made between two scenarios, depending on the way the service is accessible:
- The service communicates via Hypertext Transfer Protocol (HTTP/HTTPS)
- The service creates a TCP/UDP socket but does not use HTTP/HTTPS
Internet to Azure HTTP/HTTPS
The IT services operate a central , which accepts external requests and forwards them internally.
architecture-beta
group azure(logos:azure)
group connectivity(azure:subscriptions)[Connectivity] in azure
group subscription(azure:subscriptions)[UserSubscription] in azure
group vnetHub(azure:virtual-networks)[Hub] in connectivity
group vnetAppGW(azure:virtual-networks)[AppGateway] in connectivity
group vnetSpoke(azure:virtual-networks)[Spoke] in subscription
service azfirewall(simple-icons:fortinet)[Firewall] in vnetHub
service webapp(azure:virtual-machine)[App] in vnetSpoke
service appgw(azure:application-gateway)[Application Gateway] in vnetAppGW
service appgwpip(azure:public-ip)[Public IP] in vnetAppGW
appgwpip:R -- L:appgw
appgw:R -- L:azfirewall
azfirewall:T -- B:webapp
To be able to connect a service via HTTP/HTTPS to the Application Gateway, it must meet the following requirements:
- The service must be accessible via HTTP/HTTPS. The port is not relevant.
- The Application Gateway requires a URL endpoint to determine the status of the service (Health Probe).
- The service has a DNS entry in Azure Private DNS and a valid certificate.
- A public canonical DNS entry (CNAME) points to the Application Gateway
appgateway-azure-cloud.id.unibe.ch.
Registration of new services on the Application Gateway must be ordered via ticket to the IT services.
Internet to Azure Non-HTTP/HTTPS
In this scenario, the port number that the application exposes must be registered on the central firewall.
Registration of new services on the firewall must be ordered via ticket to the IT services.
Next Steps
For all adjustments so far, the Azure Portal has been referenced. Azure also offers a Command Line Interface (CLI) client az. This allows you to create and modify resources via scripts, which brings several advantages => Guide Azure CLI client.