We have our application and database in different VNETs in different subscriptions. We also have different environments (Pre-Production and Production). Currently the databases for PROD and PRE-PROD are in different subnets but the same VNET.
I see we can have peering at the VNET level. We want the peering between the application and database at the subnet level, so that the PRE-PROD application cannot connect to the PROD database and vice versa.
CodePudding user response:
From Microsoft documentation:
Azure routes traffic between all subnets within a virtual network, by default. You can create your own routes to override Azure's default routing.
This approach is described here: https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-network-segmentation
You would want to create one NSG per subnet, make a rule to block all inbound traffic and then allow only the traffic that is required. Note that NSGs are stateful, so you do not need to specify outbound rules for your traffic. Also make sure you apply the rules in the right order from top to bottom. The rule with the lowest id is applied first.
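As an added example (not part of the original answer), the following Bicep template implements that layout on the database VNET: one NSG per database subnet, a single allow rule for the matching application subnet on the SQL port, and an explicit deny-all below it. The explicit deny matters because the platform's default AllowVnetInBound rule (priority 65000) treats peered VNETs as part of the VirtualNetwork tag and would otherwise admit PRE-PROD application traffic into the PROD database subnet. All resource names, address prefixes and the port are assumptions; substitute your own.

```bicep
// Added example, not the original answer's code. Every name and address
// prefix here is a placeholder assumption for the two VNETs in the question.
param location string = resourceGroup().location
param dbVnetName string = 'vnet-db'               // assumed name of the database VNET
param sqlPort string = '1433'                     // assumed database listener port

// Assumed (constructed) address spaces; app subnets live in the peered VNET
// in the other subscription, db subnets in this VNET.
param prodAppSubnetPrefix string = '10.1.1.0/24'
param preprodAppSubnetPrefix string = '10.1.2.0/24'
param prodDbSubnetPrefix string = '10.2.1.0/24'
param preprodDbSubnetPrefix string = '10.2.2.0/24'

var environments = [
  { name: 'prod', subnet: 'snet-prod-db', appPrefix: prodAppSubnetPrefix, dbPrefix: prodDbSubnetPrefix }
  { name: 'preprod', subnet: 'snet-preprod-db', appPrefix: preprodAppSubnetPrefix, dbPrefix: preprodDbSubnetPrefix }
]

// One NSG per database subnet. Rules are evaluated from the lowest priority
// number upwards and evaluation stops at the first match, so the allow at 100
// wins for the matching app subnet and the deny at 4000 catches everything
// else before the default rules (65000+) are reached. NSGs are stateful, so
// the database's replies to the app need no outbound rule.
resource nsgDb 'Microsoft.Network/networkSecurityGroups@2023-05-01' = [for env in environments: {
  name: 'nsg-${env.name}-db'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowOwnAppSubnetToSql'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: env.appPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: env.dbPrefix
          destinationPortRange: sqlPort
        }
      }
      {
        name: 'DenyAllInbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}]

// Attach each NSG to its database subnet in the existing VNET.
resource dbVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: dbVnetName
}

// Subnet updates on one VNET cannot run in parallel, so serialise the loop.
@batchSize(1)
resource dbSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = [for (env, i) in environments: {
  parent: dbVnet
  name: env.subnet
  properties: {
    addressPrefix: env.dbPrefix
    networkSecurityGroup: {
      id: nsgDb[i].id
    }
  }
}]
```

Deploy it into the database VNET's resource group (for example with `az deployment group create`), then confirm the result with Network Watcher's IP flow verify from a PRE-PROD application VM to the PROD database address on the SQL port: it should report the DenyAllInbound rule as the deciding rule, while the same check from a PROD application VM reports AllowOwnAppSubnetToSql.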