
I am currently hosting multiple production projects in Microsoft Azure. Each project is configured with a separate virtual network with two Windows VMs to act as web servers, and one server to act as domain controller. Security is essential in all environments, so I have kept them totally isolated from one another.

I am going to create one additional virtual network which will serve as a management area, and I will connect this network to each other one with a site-to-site VPN tunnel. My goal is to use this management network as a base for centralized WSUS management, endpoint security management, GPO configuration, etc.

Would it be smart/secure to design it like this? I was thinking of having one Active Directory forest with the TLD in the management network, and each project network as a subdomain in the same forest.

Any suggestions and advice would be greatly appreciated as I attempt to plan out the best configuration. Keep in mind, it's not a problem for me to reconfigure the current project networks to fit into this new model.

blizz
  • 1,174

1 Answer


The way my Big 4 client does it is by creating rules in each client NSG that let them talk to a specific management server (or servers) for monitoring, alerting, antivirus, updates, etc. Each NSG only allows communication for specific IP addresses on the specific ports required for each VM to talk to the "management" server. So there's no centralized network, credentials, AD or anything else. No client can communicate with any other client, only with the management server, and there's no "management" network that connects any client to any other client.

As for your comment about creating a separate VPN connection/network to/for each client, I think that would work as well, as long as they're all independent and isolated VPN connections/networks.

joeqwerty
  • 111,849
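As an added illustration of the per-client NSG approach described in the answer above (this is example code, not the answerer's or the client's own configuration), the script below builds one NSG for a single project VNet with the Az PowerShell module. Everything specific is an assumption: the resource group, region, VNet and subnet names, the management server address 10.250.0.4, the project's address space 10.1.0.0/16, and the port list (8530/8531 are the WSUS defaults; 443 stands in for whatever the monitoring and antivirus agents use; 3389/5986 are RDP and WinRM over HTTPS for administration from the management server). The explicit deny rules at priority 4000 matter: Azure's default rules (AllowVnetInBound, AllowVnetOutBound, AllowInternetOutBound, all at priority 65000/65001) would otherwise let a VPN-connected or peered network reach these VMs, and let the VMs reach anything on the Internet.

```powershell
# Added example, not from the original post. Requires the Az module and an
# authenticated session (Connect-AzAccount). All names and addresses below are
# assumptions for illustration.

$rg         = 'rg-client-a'       # assumption: one resource group per project
$location   = 'westeurope'        # assumption
$mgmtIp     = '10.250.0.4/32'     # assumption: the single management server
$clientVnet = '10.1.0.0/16'       # assumption: this project's VNet address space

$rules = @(
    # Inbound: only the management server may administer the VMs.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Mgmt-In' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $mgmtIp -SourcePortRange '*' `
        -DestinationAddressPrefix $clientVnet -DestinationPortRange @('3389', '5986')

    # Inbound: the web servers still serve HTTP/HTTPS to the Internet.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Web-In' -Priority 110 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
        -DestinationAddressPrefix $clientVnet -DestinationPortRange @('80', '443')

    # Inbound: the web servers and this project's own DC must keep talking to
    # each other (AD, DNS, Kerberos), so traffic inside the project's own
    # address space stays allowed; nothing outside it does.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Intra-Project-In' -Priority 120 `
        -Direction Inbound -Access Allow -Protocol '*' `
        -SourceAddressPrefix $clientVnet -SourcePortRange '*' `
        -DestinationAddressPrefix $clientVnet -DestinationPortRange '*'

    # Inbound: overrides the default AllowVnetInBound (priority 65000), so a
    # VPN-connected or peered network cannot reach these VMs.
    New-AzNetworkSecurityRuleConfig -Name 'Deny-All-In' -Priority 4000 `
        -Direction Inbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'

    # Outbound: only the management server, only the agent/WSUS ports.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Mgmt-Out' -Priority 100 `
        -Direction Outbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $clientVnet -SourcePortRange '*' `
        -DestinationAddressPrefix $mgmtIp -DestinationPortRange @('443', '8530', '8531')

    # Outbound: intra-project traffic, same reasoning as inbound.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Intra-Project-Out' -Priority 110 `
        -Direction Outbound -Access Allow -Protocol '*' `
        -SourceAddressPrefix $clientVnet -SourcePortRange '*' `
        -DestinationAddressPrefix $clientVnet -DestinationPortRange '*'

    # Outbound: overrides AllowVnetOutBound/AllowInternetOutBound, so the VMs
    # cannot reach another project's address space or the Internet directly.
    New-AzNetworkSecurityRuleConfig -Name 'Deny-All-Out' -Priority 4000 `
        -Direction Outbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
)

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-client-a' -SecurityRules $rules

# Attach the NSG to the subnet so every VM in it inherits the rules.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-client-a'   # assumption
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-servers'  # assumption
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-servers' `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Review the effective rule set in the order Azure evaluates it (lowest
# priority number wins per direction).
Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-client-a' |
    Select-Object -ExpandProperty SecurityRules |
    Sort-Object Direction, Priority |
    Format-Table Name, Direction, Priority, Access, SourceAddressPrefix,
        DestinationAddressPrefix, DestinationPortRange
```

Repeat this per project with that project's own address space, and the management server is the only thing any of them share. Two caveats before applying the deny-all outbound rule: it blocks the VMs from reaching Windows Update directly (intended, since WSUS takes over), and it will also cut off any monitoring or antivirus agent whose console is not the management server, so enumerate every agent's endpoint and port first and add it to the Allow-Mgmt-Out rule rather than widening the deny.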