Sitecore Managed Cloud Standard – PaaS 2.0: Virtual Network Overview


 

  Important note:

  This article applies to PaaS 2.0 deployments done between 08/2023 and 01/2024 only.

  Review KB1003312: Sitecore Managed Cloud Standard – PaaS 2.0: Virtual Network Overview for all new deployments, provisioned after 01/02/2024.

 


Overview

This article describes the default network architecture for a PaaS 2.0 deployment.

Review the following knowledge base articles for a definitive list of Azure services included when purchasing Sitecore Managed Cloud – PaaS 2.0:

 

Hub and Spoke Architecture

PaaS 2.0 is the first time that Sitecore on Azure Managed Cloud has implemented Microsoft’s Hub and Spoke Network Architecture. This architecture allows for centralized control and cost optimization by directing all network ingress for each Azure region through a central hub.

Sitecore offers two tiers of hubs:

 

Basic Hub

Ingress traffic passes through Azure Front Door Standard. We split Azure Front Door Standard into Production and Non-Production configurations to simplify administration and support, while optimizing cost by reusing one Azure Front Door across multiple environments.

The Basic Hub Resource Group includes several key components: a private DNS service, an Azure Recovery Vault, an Azure Key Vault, an Azure Storage Account, a virtual network (vNet), and an Azure Bastion service with its associated Bastion VM. The Azure Bastion service, which requires Sitecore corporate multi-factor authentication, allows authorized Sitecore employees to connect to the Hub vNet and the peered Spoke vNets for remote desktop access, App Service Kudu access, and more. For customer access to the Hub and Spoke vNets, we provide two key options:

 

Advanced Hub

The Advanced Hub extends the capability and functionality of the Basic Hub by adding advanced security capabilities through Azure Front Door Premium.
Key features include an advanced Web Application Firewall with Microsoft-managed rule sets and bot management.
As Azure Front Door advances over time, visit Microsoft’s website for the latest comparison.


 

Basic and Advanced Hub – Services and Features comparison

Service and SKU Description                                                                   Basic Hub   Advanced Hub
Production/Disaster Recovery – Azure Front Door Standard                                      Yes         -
Non-Production Environment – Azure Front Door Standard*                                       Yes         -
Azure Bastion & Automation VM – Virtual Machine                                               Yes         Yes
Azure Private DNS (zones & queries)                                                           Yes         Yes
Internet Egress (bandwidth)                                                                   Yes         Yes
Deployment of Azure Bastion Service (required for Sitecore to support your environment)       Yes         Yes
Deployment of Site-to-Site VPN (defined by customer during environment provisioning request)  Yes         Yes
Azure Key Vault                                                                               Yes         Yes
Production Environment/Disaster Recovery – Azure Front Door Premium                           -           Yes
Non-Production Environment – Azure Front Door Premium*                                        -           Yes

* One Azure Front Door to support multiple Sitecore XM/XP Non-Production Deployments 

The Hub above is peered to each Sitecore environment’s Virtual Network, which is called a spoke.

 

Default Virtual Network and Subnet Ranges

Where possible, Sitecore has moved network ingress and egress between the Azure services it uses onto a Virtual Network.

Each Spoke has its own Virtual Network, each Virtual Network contains multiple subnets, and each subnet has an attached Network Security Group to control authorized access and prevent unauthorized access to Azure services. We use VNet Peering to connect the Hub Virtual Network to each Spoke Virtual Network.

Note: If you select a VPN connecting to your own organization’s network, each VNet IP address range must be assigned a range of IPs that does not overlap with your existing IPs.

Important note: The vNet CIDR range can be customized at initial deployment time only.

 

The Network and Subnet information noted within this knowledge base article defines the vanilla deployment provided by Sitecore.

 

Hub Environment

When the Hub Provisioning Pipeline is executed, the following range is used by default: 10.0.0.0/16

Name                    Range           Description
Variable Subnet Name    10.0.1.0/24     Azure Bastion Service Subnet
Variable Subnet Name    10.0.2.0/24     Azure Bastion Host Subnet
Variable Subnet Name    10.0.3.0/24     Gateway Subnet

It is possible to customize the network subnet ranges to suit your needs and to ensure the Sitecore-provided network ranges do not overlap with your internal network ranges. 
 

Spoke Environment

When the Spoke Provisioning Pipeline is executed, the following range is used by default: 10.1.0.0/16

 

XP Scaled

Name                    Range           Description
Verification_subnet     10.1.100.0/24   Temporary subnet used to verify the availability of the internal endpoints
pe                      10.1.1.0/24     Includes all the private endpoints of the Azure PaaS resources
agw                     10.1.0.0/24     Application Gateway
cd                      10.1.4.0/24     Content Delivery Server (XM and XP)
cm                      10.1.2.0/24     Content Management Server
si                      10.1.3.0/24     Identity Server
xc-resourceintensive    10.1.7.0/24     XC Resource Intensive App Plan (XP Only)
xc-basic                10.1.6.0/24     XC Basic App Plan (XP Only)
prc                     10.1.5.0/24     xDB Processing Service (XP Only)
headless                10.1.8.0/24     Optional subnet for Headless services (Node JS)

It is possible to customize the network subnet ranges to suit your needs and to ensure the Sitecore-provided network ranges do not overlap with your internal network ranges.

 

XP Single

Name                    Range           Description
verification_subnet     10.1.100.0/24   A temporary subnet used to verify the availability of the internal endpoints
pe                      10.1.1.0/24     Includes all the private endpoints of the Azure PaaS resources
agw                     10.1.0.0/24     Application Gateway
single                  10.1.2.0/24     Used by the -single and -si endpoints
xc-single               10.1.3.0/24     Used by the -xc-single endpoints

 

XM Scaled

Name                    Range           Description
Verification_subnet     10.1.100.0/24   Temporary subnet used to verify the availability of the internal endpoints
pe                      10.1.1.0/24     Includes all the private endpoints of the Azure PaaS resources
agw                     10.1.0.0/24     Application Gateway
cd                      10.1.4.0/24     Content Delivery Server (XM and XP)
cm                      10.1.2.0/24     Content Management Server
si                      10.1.3.0/24     Identity Server

 

XM Single

Name                    Range           Description
Verification_subnet     10.1.100.0/24   Temporary subnet used to verify the availability of the internal endpoints
pe                      10.1.1.0/24     Includes all the private endpoints of the Azure PaaS resources
agw                     10.1.0.0/24     Application Gateway
single                  10.1.2.0/24     Used by the single endpoint

It is possible to customize the network subnet ranges to suit your needs and to ensure the Sitecore-provided network ranges do not overlap with your internal network ranges.

 

Alternative IP Ranges with 10.x.0.0 /16 Range

The following alternative IP Ranges are available for selection. These ranges can be used for the Hub and the Spoke(s) environments.

During the Sitecore provisioning process, Sitecore checks whether the requested range is already in use within the Sitecore Managed Cloud deployment. This check validates against the previously deployed Hub and Spoke environments. If the nominated range is unavailable, the Sitecore Cloud Operations team will reply to the Service Request ticket asking the customer to provide an alternative IP range.

When an alternative IP range is selected, the Sitecore provisioning process dynamically assigns the following subnet ranges to the aligned service types. The process is handled by the provisioning pipeline and does not require customer input. Note that it is NOT possible to alter the "/24" subnet allocations.

 

Hub Environment

Customer Defined Network Range: 10.X.1.0/24
"X" = 0 to 250

Name                    Range           Description
Variable Subnet Name    10.X.1.0/24     Azure Bastion Service Subnet
Variable Subnet Name    10.X.2.0/24     Azure Bastion Host Subnet
Variable Subnet Name    10.X.3.0/24     Gateway Subnet

 

Spoke Environment

Customer Defined Network Range: 10.X.1.0/24
"X" = 0 to 250

Name                    Range           Description
Verification_subnet     10.X.100.0/24   Temporary subnet used to verify the availability of the internal endpoints
pe                      10.X.1.0/24     Includes all the private endpoints of the Azure PaaS resources
agw                     10.X.0.0/24     Application Gateway
cd                      10.X.4.0/24     Content Delivery Server (XM and XP)
cm                      10.X.2.0/24     Content Management Server
si                      10.X.3.0/24     Identity Server
xc-resourceintensive    10.X.7.0/24     XC Resource Intensive App Plan (XP Only)
xc-basic                10.X.6.0/24     XC Basic App Plan (XP Only)
prc                     10.X.5.0/24     xDB Processing Service (XP Only)
headless                10.X.8.0/24     Optional subnet for Headless services (Node JS)

 

Disaster Recovery Network Considerations

For customers with Disaster Recovery Services included in their agreement, it is worth considering which IP Ranges you require in your secondary region.

Sitecore Managed Cloud DR 2.0 is fully isolated from a network perspective, meaning the DR Hub and Spoke deployments do not include VNet peering back to the primary region. For this reason, it is possible to allocate the same IP ranges to your DR Hub and Spoke environments as you have for your Production Hub and Spoke environments. It is equally possible to allocate IP ranges from the list above.

 

Alternative IP Ranges

The following alternative IP Ranges are available for selection. These ranges can be used for the Hub and the Spoke(s) environments.

 

Alternative IP Ranges with 172.x.0.0 /16 Range

The following alternative IP Ranges are available for selection. These ranges can be used for the Hub and the Spoke(s) environments.

During the Sitecore provisioning process, Sitecore checks whether the requested range is already in use within the Sitecore Managed Cloud deployment. This check validates against the previously deployed Hub and Spoke environments. If the nominated range is unavailable, the Sitecore Cloud Operations team will reply to the Service Request ticket asking the customer to provide an alternative IP range.

When an alternative IP range is selected, the Sitecore provisioning process dynamically assigns the following subnet ranges to the aligned service types. The process is handled by the provisioning pipeline and does not require customer input. Note that it is NOT possible to alter the /24 subnet allocations.

 

Hub Environment

Customer Defined Network Range: 172.X.1.0/24
"X" = 16 to 31

Name                    Allocated Subnet    Description
Variable Name           172.X.1.0/24        Azure Bastion Service Subnet
Variable Name           172.X.2.0/24        Azure Bastion Host Subnet
Variable Name           172.X.3.0/24        Application Gateway

 

Spoke Environment

Customer Defined Network Range: 172.X.1.0/24
"X" = 16 to 31

Name                    Range           Description
Verification_subnet     172.X.100.0/24  Temporary subnet used to verify the availability of the internal endpoints
pe                      172.X.1.0/24    Includes all the private endpoints of the Azure PaaS resources
agw                     172.X.0.0/24    Application Gateway
cd                      172.X.4.0/24    Content Delivery Server (XM and XP)
cm                      172.X.2.0/24    Content Management Server
si                      172.X.3.0/24    Identity Server
xc-resourceintensive    172.X.7.0/24    XC Resource Intensive App Plan (XP Only)
xc-basic                172.X.6.0/24    XC Basic App Plan (XP Only)
prc                     172.X.5.0/24    xDB Processing Service (XP Only)
headless                172.X.8.0/24    Optional subnet for Headless services (Node JS)
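As an added example (not Sitecore's own provisioning code), the following Python script applies the subnet layout from this article's 10.x and 172.x Hub and Spoke tables: it builds the fixed /24 plan for a customer-selected /16, enforces the selectable second-octet ranges stated above, and runs the kind of overlap check the provisioning process performs, here against a constructed inventory of already-allocated ranges. The function names and the EXISTING_RANGES list are assumptions.

```python
"""Spoke VNet planner following the PaaS 2.0 subnet layout in this article.
Added example, not Sitecore's provisioning pipeline; offsets and selectable
second-octet ranges come from the article, EXISTING_RANGES is constructed."""
import ipaddress

# Third octet of each fixed /24 inside a spoke /16 (from the spoke tables above).
SPOKE_LAYOUT = {
    "agw": 0, "pe": 1, "cm": 2, "si": 3, "cd": 4, "prc": 5,
    "xc-basic": 6, "xc-resourceintensive": 7, "headless": 8,
    "Verification_subnet": 100,
}
# Third octet of each fixed /24 inside a hub /16 (from the hub tables above).
HUB_LAYOUT = {"bastion-service": 1, "bastion-host": 2, "gateway": 3}
# Selectable second octets: 10.X.0.0/16 with X in 0..250, 172.X.0.0/16 with X in 16..31.
FAMILY_X_RANGES = {10: range(0, 251), 172: range(16, 32)}


def select_network(first_octet, x):
    """Build the customer-chosen /16, rejecting values outside the selectable ranges."""
    allowed = FAMILY_X_RANGES.get(first_octet)
    if allowed is None or x not in allowed:
        raise ValueError(f"{first_octet}.{x}.0.0/16 is not a selectable range")
    return ipaddress.ip_network(f"{first_octet}.{x}.0.0/16")


def plan_subnets(net, layout):
    """Derive the fixed /24s for a /16; the offsets are not customer-adjustable."""
    return {name: ipaddress.ip_network(f"{net.network_address + (octet << 8)}/24")
            for name, octet in layout.items()}


def find_overlaps(candidate, existing):
    """Return every existing range (hub, spoke, on-prem VPN range) the candidate overlaps."""
    return [r for r in existing if candidate.overlaps(ipaddress.ip_network(r))]


def validate_request(first_octet, x, existing):
    """Mirror the provisioning check: return the /16, its subnet plan and any clashes."""
    net = select_network(first_octet, x)
    return net, plan_subnets(net, SPOKE_LAYOUT), find_overlaps(net, existing)


# Constructed inventory: the default hub, the default spoke and a customer on-prem block.
EXISTING_RANGES = ["10.0.0.0/16", "10.1.0.0/16", "10.20.0.0/14"]

if __name__ == "__main__":
    for family, x in ((10, 2), (10, 21), (172, 16)):
        net, subnets, clashes = validate_request(family, x, EXISTING_RANGES)
        print(f"{net}: {'REJECT, overlaps ' + ', '.join(clashes) if clashes else 'OK'}")
        for name, subnet in subnets.items():
            print(f"  {name:<22}{subnet}")
```

Add your own organization's VPN-connected ranges to the inventory before requesting a range, since the provisioning check only covers what Sitecore has already deployed.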
