Azure Network Segmentation Terraform

Introduction

Azure network segmentation Terraform is a key pattern used to define boundaries and control traffic in hub-and-spoke architectures.

In previous articles, we explored how to connect VNets, control routing, and enforce outbound traffic using forced tunneling.

At this point, the architecture may look complete:

VNets are connected
Traffic is routed through the hub
Outbound traffic is controlled

But there is still a critical question:

Where does control actually happen?

Connectivity and routing define paths.
But they do not define boundaries.

Azure Network Segmentation — Connectivity Is Not Isolation

In many Azure architectures, once VNets are connected and routing is configured, the system is considered “designed”.

However:

All traffic can still flow through the same logical paths
There is no separation between internal and external zones
Control is applied implicitly, not structurally

A connected system is not necessarily a controlled system.

To move from connectivity to architecture, we need to introduce segmentation.

Why Segmentation Matters

Segmentation defines trust boundaries within a network.

Instead of treating the network as a flat space, we explicitly separate:

Internal traffic
External traffic
Controlled entry and exit points

This allows us to:

Apply different security policies
Inspect traffic at specific boundaries
Reduce unintended communication paths

Without segmentation:

Routing may be correct — but control is still weak.

The Limitation of a Single NIC Design

A common approach when introducing a Virtual Appliance (NVA) is to deploy it with a single network interface.

At first glance, this seems sufficient:

Traffic flows through the appliance
Routing is enforced
Connectivity is maintained

But in practice, this creates a problem:

Internal and external traffic share the same interface
There is no clear separation of zones
Policy enforcement becomes ambiguous

A Virtual Appliance with a single NIC is just a router.

It forwards traffic — but does not define boundaries.

Introducing Dual NIC Segmentation

To introduce real control, we separate the appliance into two logical zones:

Inside interface — connected to internal (trusted) network
Outside interface — connected to external or transit network

Figure 1. Azure NVA with Dual NIC segmentation (inside/outside model)

This design creates a clear boundary:

Traffic enters through one interface
Is processed by the appliance
Leaves through another interface

The system now has direction, structure, and control.

Inside vs Outside — A Structural Boundary

The dual NIC model introduces a simple but powerful concept:

Not all traffic is equal.

Instead of a flat network:

Internal systems communicate through the inside interface
External or outbound traffic is handled via the outside interface

This separation enables:

Explicit traffic inspection
Policy enforcement per direction
Clear routing intent

The network is no longer just connected — it is structured.

Traffic Flow in a Segmented Architecture

When combined with routing and forced tunneling:

Spoke traffic is routed to the hub
Default routes direct traffic to the appliance
The appliance processes traffic between inside and outside zones

The flow becomes:

Spoke VM → Hub (inside interface)
Inside → processing
Outside interface → Internet

The key difference is not connectivity — but the ability to control how traffic crosses boundaries.

Implementing Dual NIC NVA with Terraform

In Terraform, the design translates into:

A VM with two network interfaces
Each NIC placed in a different subnet
Separate NSG and routing logic applied per subnet

Example:

  network_interfaces = {
    outside = {
      subnet_id                     = module.vnet_hub.subnet_ids["fk-subnet-hub-outside"]
      private_ip_address_allocation = "Static"
      private_ip_address            = var.router_outside_private_ip
      enable_ip_forwarding          = true
      attach_nsg_to_nic             = true
      nsg_id                        = module.nsg_router_outside.id
      primary                       = true
    }
    inside = {
      subnet_id                     = module.vnet_hub.subnet_ids["fk-subnet-hub-inside"]
      private_ip_address_allocation = "Static"
      private_ip_address            = var.router_inside_private_ip
      enable_ip_forwarding          = true
      attach_nsg_to_nic             = true
      nsg_id                        = module.nsg_router_inside.id
      primary                       = false
    }
  }

Each interface represents a distinct role in the architecture.

👉 Full working example: https://github.com/foggykitchen/terraform-az-fk-routing/tree/main/examples/04_nva_dual_nic

Why This Pattern Matters

This design is widely used in real-world environments:

Enterprise hub-and-spoke architectures
Security-focused network segmentation
Controlled ingress and egress patterns

It enables:

Separation of trust zones
Centralized inspection
Predictable traffic behavior

This is where networking becomes architecture.

Trade-offs of Dual NIC Segmentation

Segmentation introduces clarity — but also complexity.

Key trade-offs include:

More complex network design
Additional configuration (NICs, subnets, NSGs)
Dependency on the appliance as a control point
Operational overhead

This pattern should not be applied blindly.

It should be used where boundaries and control are required — not just connectivity.

Key Takeaways

Connectivity and routing do not define boundaries
A single NIC appliance does not provide real segmentation
Dual NIC design introduces inside/outside separation
Segmentation enables control, inspection, and policy enforcement

A Virtual Appliance without segmentation is just a router.
With segmentation — it becomes a control boundary.

🚀 Continue Your Journey

Azure Fundamentals gives you the baseline: VNets, subnets, NSGs, compute, storage, and private connectivity.

This article moves one level deeper.

It shows why network design is not only about connecting resources, but about defining boundaries, routing paths, and control points.

👉 Azure Fundamentals with Terraform/OpenTofu gives you the foundation.
👉 Azure Advanced Networking with Terraform/OpenTofu takes you into real multi-VNet architecture, segmentation, routing, private connectivity, and centralized control.

In the full Azure Advanced Networking course, we build hub-and-spoke topology, VNet peering, User Defined Routes, Private Endpoints, Private DNS, RBAC, and Azure Firewall step by step.

Design Azure Networks with Real Boundaries and Control

You’ve seen why flat connectivity is not enough. Now build the full Azure Advanced Networking lab with Terraform and OpenTofu: hub-and-spoke topology, VNet peering, User Defined Routes, Private Endpoints, Private DNS, RBAC, and Azure Firewall. This course shows how Azure networking becomes architecture — not just connected VNets.

🧱 Segmentation · 🧭 UDRs · 🔁 Hub-and-Spoke · 🔥 Azure Firewall