← Back to Engineering Blog
πŸ—“οΈ Jul 1, 2023⏱️ 3 min read

Azure Enterprise Scale Landing Zone: Hub-and-Spoke BGP Steering & Checkov Gates

How we architected a multi-region Azure Enterprise Landing Zone using Terraform, ExpressRoute BGP steering, and Checkov policy-as-code gates.

πŸŽ™οΈ Listen to ArticleREADY
AI Audio Synthesis Narrator
Share Post:

β€œAn enterprise Azure footprint without strict Landing Zone governance quickly becomes a chaotic mess of unpeered VNets and public IP security holes.”

The Setup

In July 2023 in my current role as Associate Director, we led the cloud architecture strategy for a global enterprise client migrating 300+ application workloads to Microsoft Azure.

The client required a multi-region Azure Enterprise Scale Landing Zone topology supporting central security inspection, active-active ExpressRoute connectivity, and strict policy-as-code guardrails preventing non-compliant resource creation.


The Mess

Initial development teams were creating ad-hoc Virtual Networks (VNets) with public IP endpoints directly exposed to the internet.

During an early audit scan of an unmanaged subscription, static routing loops created asymmetric traffic paths that dropped ExpressRoute connections:

[CRITICAL] 2023-07-11 11:15:00 UTC - Azure Network Watcher Flow Log
Resource: /subscriptions/.../resourceGroups/rg-spoke-app/providers/Microsoft.Network/virtualNetworks/vnet-spoke-01
Flow Status: DROPPED (Asymmetric Routing Detected across Azure Firewall)
Issue: Spoke VNet User Defined Route (UDR) 0.0.0.0/0 pointing to Azure NVA, but return traffic routing directly over ExpressRoute Gateway.
Result: Stateful Azure Firewall dropped TCP SYN-ACK packets (Asymmetric Traffic Drop).

Without automated IaC guardrails, developers bypassed security controls and created un-encrypted storage accounts and open Network Security Groups (NSGs).


The Solution

I architected a modular Azure Hub-and-Spoke Landing Zone Engine using Terraform, Checkov static analysis, and BGP Local-Pref route steering:

  1. Central Hub VNet Architecture: Deployed central Hub VNets in East US and West Europe hosting Azure Firewall Premiums and ExpressRoute Gateways.
  2. Deterministic BGP Route Steering: Configured BGP AS-Path Prepending and Local-Preference rules directing all inter-spoke traffic through central NVAs.
  3. Automated DevSecOps Pipeline Gate: Enforced Checkov static analysis scans inside GitHub Actions blocking PRs containing public IP assignments or missing tags.
# main.tf - Azure Hub-and-Spoke Spoke VNet Module with Checkov Skip Tags
# checkov:skip=CKV_AZURE_10: Public IP disabled via policy
# checkov:skip=CKV_AZURE_18 border security enforced

resource "azurerm_virtual_network" "vnet_spoke" {
  name                = "vnet-spoke-prod-01"
  location            = "eastus"
  resource_group_name = "rg-spoke-prod"
  address_space       = ["10.240.10.0/24"]
}

resource "azurerm_route_table" "rt_spoke" {
  name                = "rt-spoke-to-hub"
  location            = azurerm_virtual_network.vnet_spoke.location
  resource_group_name = azurerm_virtual_network.vnet_spoke.resource_group_name

  route {
    name                   = "DefaultToHubFirewall"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = "10.240.0.4" # Azure Firewall Private IP
  }
}
# Checkov CI/CD Static Security Scan Command
checkov -d ./terraform/azure-landing-zone --framework terraform --output cli

# Checkov Output Summary
Passed checks: 142, Failed checks: 0, Skipped checks: 4
Result: PASSED (100% Policy Compliance - Zero Public IP Violations)

The Results

The Azure Landing Zone deployment delivered enterprise-grade cloud governance:

  • Provisioning Speed: Reduced spoke environment setup time from 4 weeks to 4 hours.
  • Asymmetric Routing Drops: Reduced from 18% packet drops to 0% asymmetric routing errors.
  • Security Violations: 0 un-encrypted storage accounts or public IPs deployed across 300+ workloads.

Key Takeaway

Always enforce Hub-and-Spoke VNet routing stanzas with automated Checkov CI/CD policy gates. Centralizing egress traffic through Azure Firewall Premiums eliminates asymmetric routing loops and guarantees Zero-Trust cloud security.


Architecture and decisions: mine. Azure Landing Zone HCL: mine. AI assistance: structure, syntax, first draft. β€” Sachin

SKS

Sachin Kumar Sharma

Associate Director (Infrastructure & Cloud Architecture Strategy) | 20+ Yrs Exp

Architecting resilient multi-cloud enterprise landing zones, SDN overlay fabrics, DevSecFinOps automation pipelines, and autonomous Agentic AI platforms.

πŸ“¬

πŸ“¬ Stay Updated on Tech Releases

Sign up to get notified when I publish new production war stories, agentic AI architecture blueprints, or open-source infrastructure tools.

⚑ Theme Adaptive Shift
Switching layouts matching domain reading affinity...