Important note: This article describes the default network architecture for a PaaS 2.0 deployment.
Review the following knowledge base articles for a definitive list of Azure services included when purchasing Sitecore Managed Cloud – PaaS 2.0:
PaaS 2.0 is the first time that Sitecore on Azure Managed Cloud has implemented Microsoft’s Hub and Spoke Network Architecture. This architecture allows for centralized control and cost optimization by directing all network ingress for each Azure region through a central hub.
Sitecore offers two tiers of hubs: Basic and Advanced.
Ingress traffic passes through Azure Front Door Standard. We split Azure Front Door Standard into Production and Non-Production Configurations to allow for simple administration and support, while providing cost optimization by reusing Azure Front Door across multiple environments.
The Basic Hub Resource Group includes several key components: a private DNS service, an Azure Recovery Vault, an Azure Key Vault, an Azure Storage Account, a virtual network (vNet) and an Azure Bastion service with an associated Bastion VM. The Azure Bastion service, which requires Sitecore corporate multi-factor authentication, allows authorized Sitecore employees to connect to the Hub vNet and the peered Spoke vNets for remote desktop sessions, App Service Kudu access, and more. For customer access to the Hub and Spoke vNets, we provide two key options:
The Advanced Hub extends the capability and functionality of the Basic Hub by adding Advanced Security capabilities with the inclusion of Azure Front Door Premium.
Key features include an advanced Web Application Firewall with Microsoft Managed Rule Sets and Bot Management.
The Advanced Hub also includes the provisioning of Azure Defender for Cloud. Review KB1003247, Sitecore Managed Cloud - PaaS 2.0 - Defender Implementation Guide, for further details.
As Azure Front Door advances over time, visit Microsoft’s website for the latest comparison.
| RACI Description | Basic Hub | Advanced Hub |
|---|---|---|
| Production/Disaster Recovery – Azure Front Door Standard | Yes | - |
| Non-Production Environment – Azure Front Door Standard * | Yes | - |
| Azure Bastion & Automation VM – Virtual Machine | Yes | Yes |
| Azure Private DNS (zones & queries) | Yes | Yes |
| Internet Egress (Bandwidth) | Yes | Yes |
| Deployment of Azure Bastion Service | Yes | Yes |
| Deployment of Site-to-Site VPN | Yes | Yes |
| Azure Key Vault | Yes | Yes |
| Production Environment/Disaster Recovery – Azure Front Door Premium | - | Yes |
| Non-Production Environment – Azure Front Door Premium * | - | Yes |
| Azure Defender for Cloud with Workload Protection | - | Yes |
| Azure DDoS IP Protection | Via Add-on Purchase | Via Add-on Purchase |
* One Azure Front Door to support multiple Sitecore XM/XP Non-Production Deployments
We peer the Hub described above to each Sitecore environment's Virtual Network, which we call a Spoke.
IMPORTANT NOTE: With PaaS 2.0, Sitecore now provides customers with full flexibility to choose the IP ranges they would like to apply to their Sitecore Managed Cloud deployments.
Where possible, Sitecore has moved network ingress and egress between the Azure Services it uses onto a Virtual Network.
Each Spoke has its own Virtual Network. Each Virtual Network contains multiple Subnets, and each Subnet has an attached Network Security Group to control authorized access and prevent unauthorized access to Azure Services. We use vNet Peering to connect the Hub Virtual Network to each Spoke's Virtual Network.
NOTE: If you choose to have a VPNGW1AZ gateway connecting to your own organization's network, each vNet must be assigned an IP address range that does not overlap with your existing IP ranges. The vNet CIDR range can be customized at initial deployment time only.
The Network and Subnet information noted within this knowledge base article defines the vanilla deployment provided by Sitecore.
Sitecore Managed Cloud is delivered on Microsoft Azure. As such, when provisioning a Sitecore Managed Cloud PaaS 2.0 environment, it is important to familiarize yourself with the acceptable IP ranges available for use by Microsoft. Sitecore currently supports ranges defined in RFC 1918:
Official Microsoft Documentation can be found here.
Azure reserves the first four addresses and the last address, for a total of five IP addresses within each subnet.
For example, the IP address range of 192.168.1.0/24 has the following reserved addresses:
Prior to the deployment of your Managed Cloud PaaS 2.0 deployment, you will be required to specify a network address space for each of your Sitecore Hub and Spoke Environments.
When the Hub Provisioning Pipeline is executed, the Sitecore Cloud Operation team will require the customer to provide a valid /24 network address space. This subnet should be provided when logging the request in the ServiceNow portal.
Note: Sitecore requires a unique virtual network address space for each Hub environment.
| Type | CIDR | Available IPs | Example | Usable Range |
|---|---|---|---|---|
| Primary Hub: Virtual Network Address Space | /24 | 251 IPs | 10.0.0.0/24 | 10.0.0.0 - 10.0.0.255 |
| Secondary Hub: Virtual Network Address Space * | /24 | 251 IPs | 10.0.0.0/24 | 10.0.0.0 - 10.0.0.255 |
* Only applicable for customers who have purchased Disaster Recovery Protection. Note that Sitecore does not include vNet peering between the Primary and Secondary Hubs. Whilst it is not recommended, it is technically possible to re-use the same network address space for both the Primary and Secondary Hubs.
During the Hub provisioning process, the customer-provided /24 network address space will be carved up into the following network subnets. The process is repeated for both the Primary and Secondary Hub Environments.
| Type | CIDR | Available IPs | Example | Usable Range |
|---|---|---|---|---|
| Azure Bastion Subnet | /26 | 59 IPs | 10.0.0.0/26 | 10.0.0.0 - 10.0.0.63 |
| Gateway Subnet | /27 | 27 IPs | 10.0.0.0/27 | 10.0.0.64 - 10.0.0.95 |
| Azure Bastion VM Subnet | /28 | 11 IPs | 10.0.0.0/28 | 10.0.0.96 - 10.0.0.111 |
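To make the reservation rule, the /24 Hub carve-up and the no-overlap requirement for a site-to-site VPN concrete, here is an added Python example built on the standard library's ipaddress module; it is not Sitecore's provisioning tooling. It also computes the "Nth available IP" convention that the static private endpoint tables below rely on (1st available IP is .4 because the first four addresses are reserved). The on-premises range passed to overlapping_vnets is a constructed placeholder.

```python
import ipaddress

# Azure reserves the first four addresses and the last address of every subnet.
AZURE_RESERVED_PER_SUBNET = 5
# The RFC 1918 ranges Sitecore accepts for Hub and Spoke address spaces.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True when the whole address space lies inside one RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(private) for private in RFC1918)


def reserved_addresses(cidr):
    """The five addresses Azure keeps in a subnet: the first four and the last."""
    addrs = list(ipaddress.ip_network(cidr, strict=True))
    return [str(a) for a in addrs[:4] + addrs[-1:]]


def available_ips(cidr):
    """Usable count after Azure's reservation, e.g. /26 -> 59, /27 -> 27, /28 -> 11."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - AZURE_RESERVED_PER_SUBNET


def nth_available_ip(subnet_cidr, n):
    """Static private endpoint convention: 1st available IP is .4, 16th is .19."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    usable = available_ips(subnet_cidr)
    if not 1 <= n <= usable:
        raise ValueError(f"{n} exceeds the {usable} usable IPs in {subnet_cidr}")
    return str(net.network_address + 4 + (n - 1))  # skip the four reserved addresses


def carve_hub(address_space, prefixes=(26, 27, 28)):
    """Carve a customer /24 into consecutive Bastion (/26), Gateway (/27) and Bastion VM (/28) subnets."""
    space = ipaddress.ip_network(address_space, strict=True)
    if space.prefixlen != 24 or not is_rfc1918(address_space):
        raise ValueError("Hub address space must be an RFC 1918 /24")
    cursor, carved = space.network_address, []
    for prefix in prefixes:
        sub = ipaddress.ip_network(f"{cursor}/{prefix}", strict=True)  # strict: subnet must be aligned
        carved.append(str(sub))
        cursor = sub.broadcast_address + 1
    return carved


def overlapping_vnets(vnet_cidrs, onprem_cidr):
    """vNets that collide with an on-premises range; must be empty before a site-to-site VPN is deployed."""
    onprem = ipaddress.ip_network(onprem_cidr, strict=True)
    return [v for v in vnet_cidrs if ipaddress.ip_network(v, strict=True).overlaps(onprem)]
```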
When the Hub Provisioning Pipeline is executed, the Sitecore Cloud Operation team will require the customer to provide a valid network address space for each Spoke deployment. This subnet should be provided when logging the request in the ServiceNow portal.
The CIDR for the network address space must honor the minimum required CIDR as defined below.
Note: Sitecore requires a unique virtual network address space for each spoke environment.
XM Spoke Environment Types
| Type | CIDR | Available IPs | Example | Usable Range |
|---|---|---|---|---|
| XM Single: Virtual Network Address Space | /23 | 512 IPs | 10.0.0.0/23 | 10.0.0.0 - 10.0.1.255 |
| XM Scaled: Virtual Network Address Space | /22 | 1024 IPs | 10.0.0.0/22 | 10.0.0.0 - 10.0.3.254 |
XM Single Spoke – Subnet Allocation
When requesting the provisioning of an XM Single Spoke, the provisioning process will automatically designate the following Subnets.
| Type | CIDR | Available IPs | Example | Usable Range |
|---|---|---|---|---|
| XM Single: Virtual Network Address Space | /23 | 512 IPs | 10.0.0.0/23 | 10.0.0.0 - 10.0.1.255 |
| Application Gateway | /24 | 251 IPs | 10.0.0.0/24 | 10.0.0.0 - 10.0.0.255 |
| Private Endpoints | /26 | 59 IPs | 10.0.1.0/26 | 10.0.1.0 - 10.0.1.63 |
| Single (All Services) | /28 | 11 IPs | 10.0.1.64/28 | 10.0.1.64 - 10.0.1.79 |
XM Single Spoke – Static Private Endpoints
| Type | Allocation | Example |
|---|---|---|
| SQL Server | 1st Available IP | 10.0.1.4 |
| SI (Identity) | 2nd Available IP | 10.0.1.5 |
| Single (All) | 5th Available IP | 10.0.1.8 |
XM Scaled Spoke – Subnet Allocation
When requesting the provisioning of an XM Scaled Spoke, the provisioning process will automatically designate the following Subnets.
| Type | CIDR | Available IPs | Example | Usable Range |
|---|---|---|---|---|
| XM Scaled: Virtual Network Address Space | /22 | 1024 IPs | 10.0.0.0/22 | 10.0.0.0 - 10.0.3.254 |
| Application Gateway | /24 | 251 IPs | 10.0.0.0/24 | 10.0.0.0 - 10.0.0.255 |
| Private Endpoints | /26 | 59 IPs | 10.0.1.0/26 | 10.0.1.0 - 10.0.1.63 |
| SI (Identity) | /26 | 59 IPs | 10.0.1.64/26 | 10.0.1.64 - 10.0.1.127 |
| CM (Content Management) | /26 | 59 IPs | 10.0.1.128/26 | 10.0.1.128 - 10.0.1.191 |
| CD (Content Delivery) | /26 | 59 IPs | 10.0.1.192/26 | 10.0.1.192 - 10.0.1.255 |
XM Scaled Spoke – Static Private Endpoints
| Type | Allocation | Example |
|---|---|---|
| SQL Server | 1st Available IP | 10.0.1.4 |
| SI (Identity) | 2nd Available IP | 10.0.1.5 |
| CM (Content Management) | 3rd Available IP | 10.0.1.6 |
| CD (Content Delivery) | 4th Available IP | 10.0.1.7 |
| Redis Private Endpoint | 16th Available IP | 10.0.1.19 |
XP Spoke Environment Types
| Type | CIDR | Available IPs | Example | Usable Range |
|---|---|---|---|---|
| XP Single: Virtual Network Address Space | /23 | 512 IPs | 10.0.0.0/23 | 10.0.0.0 - 10.0.1.255 |
| XP Scaled: Virtual Network Address Space | /22 | 1024 IPs | 10.0.0.0/22 | 10.0.0.0 - 10.0.3.254 |
XP Single Spoke – Subnet Allocation
When requesting the provisioning of an XP Single Spoke, the provisioning process will automatically designate the following Subnets.
| Type | CIDR | Available IPs | Example | Usable Range |
|---|---|---|---|---|
| XP Single: Virtual Network Address Space | /23 | 512 IPs | 10.0.0.0/23 | 10.0.0.0 - 10.0.1.255 |
| Application Gateway | /24 | 251 IPs | 10.0.0.0/24 | 10.0.0.0 - 10.0.0.255 |
| Private Endpoints | /26 | 59 IPs | 10.0.1.0/26 | 10.0.1.0 - 10.0.1.63 |
| Single (All Services) | /28 | 11 IPs | 10.0.1.64/28 | 10.0.1.64 - 10.0.1.79 |
| XC-Single | /28 | 11 IPs | 10.0.1.80/28 | 10.0.1.80 - 10.0.1.95 |
Additionally, when requesting the provisioning of your Sitecore Environment, you have the option to select either Dynamic or Static IP addresses. The table below shows the Static IP allocation should you choose this deployment option.
XP Single Spoke – Static Private Endpoints
| Type | Allocation | Example |
|---|---|---|
| SQL Server | 1st Available IP | 10.0.1.4 |
| SI (Identity) | 2nd Available IP | 10.0.1.5 |
| Single (All) | 5th Available IP | 10.0.1.8 |
| XC-Single (XP Services) | 6th Available IP | 10.0.1.9 |
| Service Bus | 15th Available IP | 10.0.1.18 |
XP Scaled Spoke – Subnet Allocation
When requesting the provisioning of an XP Scaled Spoke, the provisioning process will automatically designate the following Subnets.
| Type | CIDR | Available IPs | Example | Usable Range |
|---|---|---|---|---|
| XP Scaled: Virtual Network Address Space | /22 | 1024 IPs | 10.0.0.0/22 | 10.0.0.0 - 10.0.3.254 |
| Application Gateway | /24 | 251 IPs | 10.0.0.0/24 | 10.0.0.0 - 10.0.0.255 |
| Private Endpoints | /26 | 59 IPs | 10.0.1.0/26 | 10.0.1.0 - 10.0.1.63 |
| SI (Identity) | /26 | 59 IPs | 10.0.1.64/26 | 10.0.1.64 - 10.0.1.127 |
| CM (Content Management) | /26 | 59 IPs | 10.0.1.128/26 | 10.0.1.128 - 10.0.1.191 |
| CD (Content Delivery) | /26 | 59 IPs | 10.0.1.192/26 | 10.0.1.192 - 10.0.1.255 |
| PRC (Processing Service) | /26 | 59 IPs | 10.0.2.0/26 | 10.0.2.0 - 10.0.2.63 |
| XC-Basic (Multi-Service: Basic) | /26 | 59 IPs | 10.0.2.64/26 | 10.0.2.64 - 10.0.2.127 |
| XC-ResourceIntensive (Multi-Service: Intensive) | /26 | 59 IPs | 10.0.2.128/26 | 10.0.2.128 - 10.0.2.191 |
| Headless – Optional | /26 | 59 IPs | 10.0.2.192/26 | 10.0.2.192 - 10.0.2.255 |
Additionally, when requesting the provisioning of your Sitecore Environment, you have the option to select either Dynamic or Static IP addresses. The table below shows the Static IP allocation should you choose this deployment option.
XP Scaled Spoke – Static Private Endpoints
| Type | Allocation | Example |
|---|---|---|
| SQL Server | 1st Available IP | 10.0.1.4 |
| SI (Identity) | 2nd Available IP | 10.0.1.5 |
| CM (Content Management) | 3rd Available IP | 10.0.1.6 |
| CD (Content Delivery) | 4th Available IP | 10.0.1.7 |
| cortex-processing | 7th Available IP | 10.0.1.10 |
| cortex-reporting | 8th Available IP | 10.0.1.11 |
| ma-ops | 9th Available IP | 10.0.1.12 |
| ma-rep | 10th Available IP | 10.0.1.13 |
| PRC (Processing Service) | 11th Available IP | 10.0.1.14 |
| xc-collect | 12th Available IP | 10.0.1.15 |
| xc-refdata | 13th Available IP | 10.0.1.16 |
| xc-search | 14th Available IP | 10.0.1.17 |
| Service Bus Private Endpoint | 15th Available IP | 10.0.1.18 |
| Redis Private Endpoint | 16th Available IP | 10.0.1.19 |