Design 2: Single VM Web Server (IaaS Foundation)

Summary

This design details a secure "Lift and Shift" of a legacy application to a single Virtual Machine.

Topology: The VM resides in a Spoke VNet peered to the Hub VNet. Management (RDP) is done via the Hub (Bastion), not Public IP.

1. Key Design Decisions (ADR)

ADR-01: IaaS vs. PaaS

  • Decision: Virtual Machine (IaaS).
  • Rationale: Legacy app requires Registry changes/COM+ not supported on PaaS.

ADR-02: Connectivity

  • Decision: Hub & Spoke.
  • Rationale: Centralizes management. No Public IP on the VM itself (safer).

2. High-Level Design (HLD)

+--------------+           +--------------------------+           +--------------+
|  Admin User  |           |        HUB VNet          |           |  SPOKE VNet  |
|  (RDP)       |           |      (Bastion)           |           |  (Workload)  |
+------+-------+           +------------+-------------+           +------+-------+
       |                                |                                |
       v                                | (Peering)                      |
+------+-------+                        v                                v
|  Azure       |           +------------+-------------+           +------+-------+
|  Bastion     |---------->| VNet Peering             |<--------->|  VM          |
|  (Browser)   |           | (Hub <-> Spoke)          |           |  (IIS)       |
+--------------+           +--------------------------+           +------+-------+

3. Low-Level Design (LLD)

                               PRIMARY REGION (East US)
+-----------------------------------------------------------------------+
| HUB VNet: vnet-hub (10.0.0.0/16)                                      |
|   +-----------------------+                                           |
|   | Azure Bastion         |                                           |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v (Peering)                                             |
+---------------|-------------------------------------------------------+
                |
+---------------|-------------------------------------------------------+
| SPOKE VNet: vnet-hr-prod (10.1.0.0/16)                                |
|   +-----------------------+                                           |
|   | Subnet: Workload      |                                           |
|   | [VM: vm-hr-01]        |                                           |
|   | (10.1.1.4)            |                                           |
|   | NSG: Allow 3389 (Hub) |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

                               SECONDARY REGION (West US)
+-----------------------------------------------------------------------+
| DR SPOKE VNet                                                         |
|   +-----------------------+                                           |
|   | ASR Replica Disk      |                                           |
|   | (Hydrated on Failover)|                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

4. Component Rationale

  • Bastion: Secure RDP over HTML5/SSL. No open ports to internet.
  • Premium SSD: 99.9% SLA for single VM.

5. Strategy: High Availability (HA)

  • Status: Low. Single Point of Failure (SPOF).
  • SLA: 99.9%.

6. Strategy: Disaster Recovery (DR)

  • Implementation: Azure Site Recovery (ASR).
  • Process: Replicate VM to West US. RPO ~15 mins.

7. Strategy: Backup

  • Implementation: Azure Backup.
  • Policy: Daily snapshot, 30-day retention.

8. Strategy: Security

  • NSG: Deny All Inbound from Internet. Allow 3389 only from Hub Subnet.

9. Well-Architected Framework Analysis

  • Reliability: Low.
  • Security: High (due to Hub/Bastion).
  • Cost Optimization: Medium.
  • Operational Excellence: Low. Manual patching.
  • Performance Efficiency: Medium.

10. Detailed Traffic Flow

1. Admin: Logs into Azure Portal -> Connect -> Bastion.

2. Bastion: Initiates RDP session from Hub to Spoke VM (10.1.1.4).

3. NSG: Checks rule "Allow from Hub". Passes.

4. Session: Admin manages server.

11. Runbook: Deployment Guide (Azure Portal)

Phase 1: Create Resource Group

1. Search: "Resource groups" -> + Create.

2. Resource group: rg-design02-vm.

3. Region: East US.

4. Create.

Phase 2: Create Spoke VNet

1. Search: "Virtual networks" -> + Create.

2. Resource group: rg-design02-vm.

3. Name: vnet-hr-prod.

4. Region: East US.

5. IP Addresses:

* Space: 10.1.0.0/16.

* Subnet: snet-workload (10.1.1.0/24).

6. Create.

7. Peering:

* Go to vnet-hr-prod -> Peerings -> + Add.

* Remote VNet: vnet-hub.

* Name: Spoke-to-Hub.

* Add.

Phase 3: Create VM

1. Search: "Virtual machines" -> + Create.

2. Resource group: rg-design02-vm.

3. Name: vm-hr-01.

4. Region: East US.

5. Image: Windows Server 2019 Datacenter.

6. Size: Standard_D2s_v3.

7. Administrator account: Set username/password.

8. Inbound port rules: None.

9. Networking:

* Virtual network: vnet-hr-prod.

* Subnet: snet-workload.

* Public IP: None (Crucial).

* NIC network security group: Advanced -> Create new nsg-vm-hr-01.

10. Create.

Phase 4: Configure NSG for Bastion

1. Go to the new NSG nsg-vm-hr-01.

2. Inbound security rules -> + Add.

3. Source: IP Addresses.

4. Source IP addresses/CIDR ranges: 10.0.0.0/16 (the Hub VNet range, or, more tightly, the AzureBastionSubnet range in the Hub).

5. Source port ranges: *.

6. Destination: Any.

7. Service: RDP.

8. Action: Allow.

9. Priority: 100.

10. Name: AllowBastionInbound.

11. Add.
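An added example, not part of this design document, that models how the NSG built in Phase 4 evaluates the flows in section 10: rules are tried in ascending priority number and the first match wins. The default rules (AllowVnetInBound 65000, DenyAllInBound 65500) are Azure's own; because the VirtualNetwork service tag also covers peered VNets, the page's single allow rule does not by itself make "3389 only from Hub" true, so the block also carries an assumed hardening rule (DenyRdpFromVnet at priority 200) that is not in the design. Source addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Address ranges taken from the design. Azure's "VirtualNetwork" service tag
# covers the VNet itself plus peered VNets, so it spans both hub and spoke.
HUB = "10.0.0.0/16"
SPOKE = "10.1.0.0/16"
VIRTUAL_NETWORK_TAG = (HUB, SPOKE)
ANY = ("0.0.0.0/0",)

@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    sources: tuple   # CIDRs the source address must fall into
    dst_port: str    # "*" or a single TCP port as a string
    allow: bool

def _matches(rule, src_ip, dst_port):
    src = ipaddress.ip_address(src_ip)
    src_ok = any(src in ipaddress.ip_network(c) for c in rule.sources)
    port_ok = rule.dst_port == "*" or int(rule.dst_port) == dst_port
    return src_ok and port_ok

def evaluate(rules, src_ip, dst_port):
    """Inbound NSG semantics: lowest priority number first, first match wins."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule, src_ip, dst_port):
            return ("allow" if rule.allow else "deny", rule.name)
    raise RuntimeError("unreachable: DenyAllInBound matches everything")

# Azure default inbound rules (AllowAzureLoadBalancerInBound 65001 omitted;
# it does not affect RDP from hosts).
DEFAULT_RULES = [
    Rule(65000, "AllowVnetInBound", VIRTUAL_NETWORK_TAG, "*", True),
    Rule(65500, "DenyAllInBound", ANY, "*", False),
]
# Phase 4 as written: one allow for RDP (3389) from the hub range.
PAGE_RULES = [Rule(100, "AllowBastionInbound", (HUB,), "3389", True)] + DEFAULT_RULES
# Assumed hardening (not in the design): deny RDP from everything else in the
# VirtualNetwork tag, so that "3389 only from Hub" actually holds.
HARDENED_RULES = [
    Rule(200, "DenyRdpFromVnet", VIRTUAL_NETWORK_TAG, "3389", False)
] + PAGE_RULES

if __name__ == "__main__":
    for label, rules in (("page", PAGE_RULES), ("hardened", HARDENED_RULES)):
        for src in ("10.0.1.4", "10.1.1.9", "203.0.113.7"):  # hub, spoke peer, internet
            print(label, src, "->", evaluate(rules, src, 3389))
```

Running it shows the spoke-internal host 10.1.1.9 reaching 3389 under the page's rules via AllowVnetInBound, and being stopped only once the explicit deny is present.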

Phase 5: Configure DR (ASR)

1. Go to the VM vm-hr-01.

2. Disaster recovery (left menu).

3. Target region: West US.

4. Review + Start replication.

5. *Note: This creates the cache storage account and recovery services vault automatically.*

Phase 6: Verify Access

1. Go to vnet-hub (ensure Bastion is deployed there as per Design 5).

2. Go to vm-hr-01 -> Connect -> Bastion.

3. Enter credentials.

4. Verify RDP session opens in browser.