
Focus on Segmentation, NAT, and Perimeter Zoning
Introduction
In today’s hybrid cloud environments, securing application perimeters and internal workloads requires modern, software-defined networking strategies. Azure Local SDN, previously known as Azure Stack HCI SDN, provides the tools to build secure DMZ architectures on-premises. This article presents a detailed design framework for implementing segmented, NAT-enabled DMZ zones using Gateway Pools and policy-based perimeter control.
Executive Summary
With Azure Local SDN and Gateway Pools, architects can create logical zoning and enforce segmentation through defined traffic flows. This model supports:
- Stateful NAT with SNAT and DNAT flexibility
- Separation between internet-facing and internal workloads
- Centralized ingress and egress control points
- Micro-segmented workloads in isolated VNets
Common use cases include partner access, reverse proxy workloads, and hybrid services exposed to the internet.
Reference Architecture

Key Components and Concepts
| Component | Description |
|---|---|
| DMZ VNet | A logical trust zone for exposed services such as web servers, proxies, and front-end apps. |
| Gateway Pools | Provide public-facing IPs, NAT rules, and load balancing to route traffic securely. |
| NSGs and ACLs | Control both ingress and east-west traffic using policy rules at subnet and VNet levels. |
| Perimeter Zoning | Enforces clear boundaries between external, DMZ, and internal tiers with no direct crossover. |
Network Segmentation and ACLs
Define Segmented VNets
Set up dedicated VNets for each security tier:
- DMZ-Tier for public services
- App-Tier for internal APIs and microservices
- Data-Tier for secure backend databases
Apply ACLs Using PowerShell
Create fine-grained control using SDN access control lists. The example below allows HTTPS traffic into the DMZ.
```powershell
# Assumes $uri holds the Network Controller REST endpoint (e.g. "https://nc.contoso.local").
$ruleProps = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleProps.Type = "Inbound"; $ruleProps.Action = "Allow"; $ruleProps.Protocol = "TCP"
$ruleProps.SourceAddressPrefix = "*";      $ruleProps.SourcePortRange = "0-65535"
$ruleProps.DestinationAddressPrefix = "*"; $ruleProps.DestinationPortRange = "443"
$ruleProps.Priority = "100"; $ruleProps.Logging = "Enabled"   # log matches for the SOC
$rule = New-Object Microsoft.Windows.NetworkController.AclRule
$rule.ResourceId = "AllowInboundWeb"; $rule.Properties = $ruleProps
$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = @($rule)
New-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId "Inbound-DMZ" -Properties $aclProps
```
Block all traffic by default and allow only explicitly defined flows. Apply ACLs at the VNet or subnet boundary.
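The following is an added example (not from the article) of the default-deny zoning just described, built with the Network Controller object model: an explicit HTTPS allow into the DMZ, one allowed egress flow from the DMZ to the App-Tier, an explicit deny toward the Data-Tier, catch-all denies evaluated last, and the ACL bound to the DMZ subnet. The $uri endpoint, the App-Tier and Data-Tier prefixes, and the helper New-AclRule are assumptions; the DMZ prefix and subnet name follow the Bicep sample below.

```powershell
# Added example, not from the article. $uri and the App/Data prefixes are placeholders.
$uri        = "https://nc.contoso.local"
$dmzPrefix  = "10.10.0.0/24"   # matches the DMZ VNet Bicep sample
$appPrefix  = "10.20.0.0/24"   # assumed App-Tier range
$dataPrefix = "10.30.0.0/24"   # assumed Data-Tier range

# Helper (assumed, not an SDN cmdlet) that builds one AclRule object.
function New-AclRule {
    param($Id, $Type, $Action, $Priority, $Src, $Dst, $DstPorts = "0-65535", $Proto = "All")
    $p = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $p.Type = $Type; $p.Action = $Action; $p.Priority = "$Priority"
    $p.Protocol = $Proto; $p.Logging = "Enabled"          # every hit is logged
    $p.SourceAddressPrefix = $Src;      $p.SourcePortRange = "0-65535"
    $p.DestinationAddressPrefix = $Dst; $p.DestinationPortRange = $DstPorts
    $r = New-Object Microsoft.Windows.NetworkController.AclRule
    $r.ResourceId = $Id; $r.Properties = $p
    return $r
}

# Lower priority number wins, so the catch-all denies sit at the bottom.
$rules = @(
    (New-AclRule "AllowInboundWeb" "Inbound"  "Allow" 100  "*"        $dmzPrefix  "443"  "TCP")
    (New-AclRule "AllowProxyToApp" "Outbound" "Allow" 110  $dmzPrefix $appPrefix  "8443" "TCP")
    (New-AclRule "DenyDmzToData"   "Outbound" "Deny"  120  $dmzPrefix $dataPrefix)
    (New-AclRule "DenyAllInbound"  "Inbound"  "Deny"  4000 "*"        "*")
    (New-AclRule "DenyAllOutbound" "Outbound" "Deny"  4001 "*"        "*")
)
$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = $rules
New-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId "DMZ-Tier-ACL" -Properties $aclProps
$acl = Get-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId "DMZ-Tier-ACL"

# Bind the ACL to the DMZ subnet so it applies to every NIC placed in that subnet.
$vnet   = Get-NetworkControllerVirtualNetwork -ConnectionUri $uri -ResourceId "DMZ-VNet"
$subnet = $vnet.Properties.Subnets | Where-Object { $_.ResourceId -eq "dmz-subnet" }
$subnet.Properties.AccessControlList = $acl
New-NetworkControllerVirtualNetwork -ConnectionUri $uri -ResourceId $vnet.ResourceId -Properties $vnet.Properties
```

Because the DMZ-to-Data-Tier deny is logged, any hit on it is a direct signal of a workload trying to cross the zone boundary and is worth alerting on.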
Gateway Pools and NAT Configuration
Define Gateway Pools
Create a Gateway Pool in Windows Admin Center or by using PowerShell. These pools handle public IP routing, NAT, and load balancing.
Assign NAT Rules
Use DNAT for inbound access and SNAT for outbound traffic masking. Below is an example using PowerShell:
```powershell
# Assumes $uri (Network Controller endpoint), $lbId (load balancer owning the gateway VIP)
# and $gatewayVip (that VIP's frontend IP configuration object) are defined earlier.
$natProps = New-Object Microsoft.Windows.NetworkController.LoadBalancerInboundNatRuleProperties
$natProps.FrontendIPConfigurations += $gatewayVip
$natProps.Protocol = "TCP"
$natProps.FrontendPort = 443    # public port on the gateway VIP
$natProps.BackendPort = 8443    # port the reverse proxy listens on
$natProps.IdleTimeoutInMinutes = 4
# The reverse proxy NIC is then bound by referencing this rule from its IP configuration.
New-NetworkControllerLoadBalancerInboundNatRule -ConnectionUri $uri -LoadBalancerId $lbId `
    -ResourceId "ReverseProxy" -Properties $natProps
```
This rule maps external traffic on port 443 to an internal application running on port 8443.
Best Practices for Zoning and Security
| Best Practice | Recommendation |
|---|---|
| Separate Gateway Pools for each zone | Use distinct pools for DMZ and internal workloads to isolate flows |
| Use Zero Trust by default | No direct routes between DMZ and internal tiers. Use proxies or firewalls |
| Tag workloads logically | Apply zone tags like “DMZ”, “Backend”, or “Public” for policy enforcement |
| Enforce routing with UDRs | Use User Defined Routes to send flows through network security appliances |
| Monitor and log all gateway traffic | Enable flow logging using Azure Monitor or Log Analytics via Arc integration |
Sample Bicep Definitions
DMZ VNet
```bicep
// 'location' and the NSG resource 'dmzNsg' are declared elsewhere in the template.
resource dmzVnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
  name: 'DMZ-VNet'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: ['10.10.0.0/24']
    }
    subnets: [
      {
        name: 'dmz-subnet'
        properties: {
          addressPrefix: '10.10.0.0/25'
          // NSG bound at the subnet so every NIC in the DMZ inherits the policy
          networkSecurityGroup: {
            id: dmzNsg.id
          }
        }
      }
    ]
  }
}
```
Gateway Pool
```bicep
// 'location' and the public IP resource 'publicIp' are declared elsewhere in the template;
// resource type and API version are as given in this article.
resource gatewayPool 'Microsoft.Network/gatewayPools@2023-05-01' = {
  name: 'DMZ-GatewayPool'
  location: location
  properties: {
    frontendIPConfigs: [
      {
        name: 'dmz-gw-ip'
        properties: {
          publicIPAddress: {
            id: publicIp.id
          }
        }
      }
    ]
    backendPools: [
      {
        name: 'dmz-backend'
        properties: {
          // populated with the DMZ reverse proxy NICs once they exist
          backendIPConfigurations: []
        }
      }
    ]
  }
}
```
Conclusion
By using Azure Local SDN and Gateway Pools, architects can design secure DMZ architectures that support hybrid application exposure without compromising internal security. With NAT, NSG, ACL, and routing policies in place, you can enforce strict perimeter control and limit lateral movement between security zones.
This design approach aligns with modern zero trust strategies and enables highly scalable hybrid deployments across edge, branch, and data center environments.