Introduction
This project implements a highly secure Hub-and-Spoke network topology in Azure using Terraform. It is designed to centralize security management while isolating application and data workloads into distinct virtual networks.
Features
The architecture follows industry-standard security patterns, ensuring that no traffic moves between segments without explicit authorization.
Centralized Security (Hub)
The "Hub" VNet acts as the central connectivity point. It hosts the shared security services that protect the entire environment:
- Azure Firewall (Standard): All inter-spoke traffic is routed through a central firewall for stateful inspection.
- Azure Bastion: Provides secure SSH access to virtual machines directly through the Azure Portal, eliminating the need for public IP addresses on individual VMs.
Isolated Workloads (Spokes)
Workloads are segregated into specialized "Spoke" VNets to minimize the blast radius of any potential security incident:
- App Spoke: Dedicated network for application logic and virtual machines.
- Data Spoke: Isolated network for storage and database services.
- VNet Peering: High-bandwidth connectivity between the Hub and Spokes, configured to allow forwarded traffic through the firewall.
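The spoke and peering layout above, as an added Terraform example that is not the project's own code. It assumes the hub VNet and firewall already exist and are looked up by name through the three input variables; the 10.1.0.0/16 (app) and 10.2.0.0/16 (data) address spaces and all resource names are assumptions. It shows the two details the bullet list leaves implicit: the spokes are peered only with the hub, and a user-defined route on each workload subnet sends traffic for the other spoke to the firewall, since there is no direct peering that could carry it.

```hcl
# Assumed inputs: names of the hub resources created elsewhere in the configuration.
variable "hub_resource_group_name" { type = string }
variable "hub_vnet_name"           { type = string }
variable "hub_firewall_name"       { type = string }

data "azurerm_virtual_network" "hub" {
  name                = var.hub_vnet_name
  resource_group_name = var.hub_resource_group_name
}

data "azurerm_firewall" "hub" {
  name                = var.hub_firewall_name
  resource_group_name = var.hub_resource_group_name
}

resource "azurerm_resource_group" "spokes" {
  name     = "rg-spokes-example" # assumed name
  location = "eastus"            # assumed region
}

# Non-overlapping address spaces: hub 10.0/16, app 10.1/16, data 10.2/16 (assumed).
# "other" is the prefix of the opposite spoke, used for the route below.
locals {
  spokes = {
    app  = { vnet = "10.1.0.0/16", subnet = "10.1.1.0/24", other = "10.2.0.0/16" }
    data = { vnet = "10.2.0.0/16", subnet = "10.2.1.0/24", other = "10.1.0.0/16" }
  }
}

resource "azurerm_virtual_network" "spoke" {
  for_each            = local.spokes
  name                = "vnet-${each.key}"
  location            = azurerm_resource_group.spokes.location
  resource_group_name = azurerm_resource_group.spokes.name
  address_space       = [each.value.vnet]
}

resource "azurerm_subnet" "workload" {
  for_each             = local.spokes
  name                 = "snet-${each.key}"
  resource_group_name  = azurerm_resource_group.spokes.name
  virtual_network_name = azurerm_virtual_network.spoke[each.key].name
  address_prefixes     = [each.value.subnet]
}

# Peering in both directions. Spokes are peered only with the hub, never with
# each other, so the only path between them is through the firewall.
# allow_forwarded_traffic lets a spoke accept packets the firewall forwards on
# behalf of the other spoke; without it the peering drops them.
resource "azurerm_virtual_network_peering" "spoke_to_hub" {
  for_each                     = local.spokes
  name                         = "peer-${each.key}-to-hub"
  resource_group_name          = azurerm_resource_group.spokes.name
  virtual_network_name         = azurerm_virtual_network.spoke[each.key].name
  remote_virtual_network_id    = data.azurerm_virtual_network.hub.id
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true
}

resource "azurerm_virtual_network_peering" "hub_to_spoke" {
  for_each                     = local.spokes
  name                         = "peer-hub-to-${each.key}"
  resource_group_name          = var.hub_resource_group_name
  virtual_network_name         = data.azurerm_virtual_network.hub.name
  remote_virtual_network_id    = azurerm_virtual_network.spoke[each.key].id
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true
}

# User-defined route: traffic bound for the other spoke is handed to the
# firewall's private IP, which then inspects it against the Firewall Policy.
resource "azurerm_route_table" "via_firewall" {
  for_each            = local.spokes
  name                = "rt-${each.key}-via-firewall"
  location            = azurerm_resource_group.spokes.location
  resource_group_name = azurerm_resource_group.spokes.name

  route {
    name                   = "to-other-spoke-via-firewall"
    address_prefix         = each.value.other
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = data.azurerm_firewall.hub.ip_configuration[0].private_ip_address
  }
}

resource "azurerm_subnet_route_table_association" "workload" {
  for_each       = local.spokes
  subnet_id      = azurerm_subnet.workload[each.key].id
  route_table_id = azurerm_route_table.via_firewall[each.key].id
}
```

The route is scoped to the other spoke's prefix rather than 0.0.0.0/0 on purpose: a default route to the firewall would also redirect the return leg of Bastion sessions, which arrive directly over the hub peering, and the firewall would drop those replies as packets with no matching session. Inter-spoke traffic is still forced through the firewall, which is the property the design needs.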
Zero-Trust Data Access
A core highlight of this project is the Zero-Trust approach to data security.
- Private Link & Endpoints: The Azure SQL Server has public network access disabled. It is only accessible via a Private Endpoint within the Data Spoke.
- Granular Firewall Policies: Instead of broad network rules, an Azure Firewall Policy is used to allow only SQL traffic (port 1433) from the specific App Subnet to the Data Subnet; anything else between the spokes is denied.
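The two Zero-Trust controls above, as an added Terraform example that is not the project's own code. It assumes the Data subnet, App VNet, subnet prefixes and Firewall Policy are supplied as variables from the rest of the configuration, and uses an assumed SQL server name and a sensitive variable for the administrator password. The private DNS zone name and the `sqlServer` sub-resource name are fixed Azure values, not assumptions; the zone is linked to the App Spoke so that application VMs resolve the server's FQDN to the private endpoint address instead of a public one.

```hcl
# Assumed inputs from the rest of the configuration.
variable "location"            { type = string }
variable "resource_group_name" { type = string }
variable "data_subnet_id"      { type = string } # subnet in the Data Spoke that hosts the private endpoint
variable "app_vnet_id"         { type = string } # App Spoke VNet, linked to the private DNS zone
variable "app_subnet_prefix"   { type = string } # e.g. "10.1.1.0/24"
variable "data_subnet_prefix"  { type = string } # e.g. "10.2.1.0/24"
variable "firewall_policy_id"  { type = string } # the hub's azurerm_firewall_policy

variable "sql_admin_password" {
  type      = string
  sensitive = true
}

resource "azurerm_mssql_server" "main" {
  name                          = "sql-hubspoke-example" # assumed; must be globally unique
  location                      = var.location
  resource_group_name           = var.resource_group_name
  version                       = "12.0"
  administrator_login           = "sqladmin"
  administrator_login_password  = var.sql_admin_password
  minimum_tls_version           = "1.2"
  public_network_access_enabled = false # no public endpoint; the private endpoint below is the only way in
}

# Azure's fixed private-link zone for SQL; the endpoint registers its A record here.
resource "azurerm_private_dns_zone" "sql" {
  name                = "privatelink.database.windows.net"
  resource_group_name = var.resource_group_name
}

# Link the zone to the App Spoke so app VMs resolve <server>.database.windows.net
# to the private IP in the Data Spoke rather than to the public address.
resource "azurerm_private_dns_zone_virtual_network_link" "app" {
  name                  = "link-app-spoke"
  resource_group_name   = var.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.sql.name
  virtual_network_id    = var.app_vnet_id
}

resource "azurerm_private_endpoint" "sql" {
  name                = "pe-sql"
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = var.data_subnet_id

  private_service_connection {
    name                           = "psc-sql"
    private_connection_resource_id = azurerm_mssql_server.main.id
    subresource_names              = ["sqlServer"]
    is_manual_connection           = false
  }

  private_dns_zone_group {
    name                 = "sql-dns"
    private_dns_zone_ids = [azurerm_private_dns_zone.sql.id]
  }
}

# Firewall Policy: one network rule allows TCP/1433 from the App subnet to the
# Data subnet. Any other inter-spoke flow falls through to the policy's implicit deny.
resource "azurerm_firewall_policy_rule_collection_group" "app_to_data" {
  name               = "rcg-app-to-data"
  firewall_policy_id = var.firewall_policy_id
  priority           = 200

  network_rule_collection {
    name     = "allow-app-to-sql"
    priority = 100
    action   = "Allow"

    rule {
      name                  = "app-subnet-to-data-subnet-sql"
      protocols             = ["TCP"]
      source_addresses      = [var.app_subnet_prefix]
      destination_addresses = [var.data_subnet_prefix]
      destination_ports     = ["1433"]
    }
  }
}
```

A quick check after `terraform apply`: `nslookup` of the server's FQDN from an App Spoke VM should return an address inside the Data subnet prefix, and a connection attempt on any port other than 1433, or from a subnet other than the App subnet, should be logged as denied by the firewall rather than reaching the endpoint.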
Infrastructure as Code (IaC)
The entire environment is fully automated with Terraform, ensuring consistent deployments across environments.