I would like to create an extra-paranoid hub-and-spoke DMZ setup on Azure using IaaS VMs.
I have an public internet facing front end server (i.e. an IIS web server) that I'd like to severely lockdown. However, the front end requires access to some back end servers (i.e. a database, a domain controller, etc.). I want to ensure:
This seems like a reasonable scenario, but I can't seem to achieve it on Azure. The closest I've been able to do is:
This works ok but it's not as locked down as I'd like. I really want to have defense-in-depth so that I don't have to rely on Windows/Linux firewall settings on each machine. For example, let's say that a back end server must run an application with administrator credentials (assume there are no alternatives to this). I want an extra layer of protection such that a bug (or a malicious query) on the back end server could not:
As far as I can tell, this isn't possible on Azure using the Virtual Networking because:
Am I missing something? It seems like I might be able to hack something together using multiple virtual networks and VPN them together as a bunch of /30 subnets but that seems quite awful. If I can't figure this out on Azure it seems my only reasonable alternative is to try to setup something like this on AWS using Virtual Private Cloud (VPC). Any help/guidance would be appreciated.
I received a private answer from the Azure team that effectively said that this is not currently possible. It's a requested feature but there is no set timeline for its implementation.