Hey everyone! I have a question about our current setup with our production and development environments. Right now, we have separate subscriptions and virtual networks (vnets) for Prod and Dev. They are connected through vnet peering, but the Dev subscription doesn't have a domain controller (DC). Management is suggesting we disable the vnet peering and create a DC in the Dev environment to keep traffic separate, possibly routing it through its own firewall (like Azure Firewall or Palo Alto). I'm curious if building new DCs in the Dev subscription is overkill and whether it actually helps us segregate traffic. If we go ahead with breaking the vnet peering, would we need a new firewall for SSL traffic to reach all 50 Dev servers? Is all of this really worth the hassle? Any thoughts or suggestions on how to approach this with minimal impact? Thanks!
1 Answer
One option could be to create a third subscription as a 'hub' and set up both the DC and firewall there. Then, just peer the Prod and Dev VNets to the hub. This way, you can keep things isolated without too much hassle.
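As an added illustration of the hub-and-spoke layout the answer suggests (this is example code, not from the original answer), here is a spoke-side Bicep template that would be deployed into each of the Dev and Prod subscriptions. It assumes the spoke VNet is managed by this template, that Azure Firewall and the DC already sit in the hub, and uses constructed placeholder names and addresses; the hub-side mirror peering and the firewall policy that denies Dev-to-Prod flows are not shown.

```bicep
// Deploy once per spoke subscription (Dev, then Prod). All addresses and names
// below are constructed placeholders for illustration.
param location string = resourceGroup().location
param spokeName string = 'dev'
param spokePrefix string = '10.20.0.0/16'
param workloadPrefix string = '10.20.1.0/24'
param hubVnetId string                        // resource ID of the hub VNet (hub subscription)
param firewallPrivateIp string = '10.0.1.4'   // Azure Firewall private IP in the hub
param hubDcIp string = '10.0.2.4'             // domain controller in the hub

// Default route sends everything that is not a peered hub prefix to the firewall.
// Peering is non-transitive, so Dev and Prod have no path to each other except
// through this hop, where firewall policy (not shown) must explicitly deny it.
resource rt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: '${spokeName}-via-hub-fw'
  location: location
  properties: {
    routes: [
      { name: 'default-via-firewall', properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp } }
    ]
  }
}

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: '${spokeName}-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ spokePrefix ] }
    dhcpOptions: { dnsServers: [ hubDcIp ] }   // domain members resolve AD via the hub DC
    subnets: [
      { name: 'workload', properties: { addressPrefix: workloadPrefix, routeTable: { id: rt.id } } }
    ]
  }
}

// Spoke -> hub leg. The hub subscription must create the mirror (hub -> spoke)
// peering, also with allowForwardedTraffic: true, before traffic flows.
resource toHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: spokeVnet
  name: 'to-hub'
  properties: {
    remoteVirtualNetwork: { id: hubVnetId }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true   // accept packets the firewall forwards from other spokes
    allowGatewayTransit: false
    useRemoteGateways: false      // true only if the hub hosts the VPN/ExpressRoute gateway
  }
}
```

Traffic from a spoke to the hub DC still takes the more specific peering system route rather than the 0.0.0.0/0 user route, so AD traffic bypasses the firewall; add a route for the hub prefix with the firewall as next hop if that must be inspected too.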

Would we really need a whole new subscription for that? Can’t we just use an existing one and set up a new vnet? Or is a new subscription the best route for full isolation?