Azure is Microsoft's cloud platform — and its deepest strength is hybrid integration with on-premises Microsoft environments. Organizations already running Active Directory, Windows Server, and Microsoft 365 can extend those environments into Azure seamlessly, creating a unified identity, management, and security plane that spans both on-premises and cloud resources.
This guide covers building a production-ready Azure hybrid environment — from tenant setup and network design through hybrid identity, conditional access enforcement, and unified management with Azure Arc — giving you a complete, security-hardened hybrid cloud foundation.
1 Azure Tenant & Subscription Setup
The Azure tenant is your organization's dedicated instance of Microsoft Entra ID (formerly Azure Active Directory) — it is the root identity and trust boundary for everything in Azure. Getting the structure right from the start prevents costly restructuring later.
Management Group Hierarchy
Root Management Group (Tenant Root)
├── Platform
│ ├── Identity (domain controller VMs, DNS, Entra Connect servers)
│ ├── Management (Log Analytics, Monitor, Defender for Cloud)
│ └── Connectivity (Hub VNet, VPN Gateway, ExpressRoute)
└── Landing Zones
├── Production (Live workloads — strictest policies)
├── Non-Production (Dev, Test, Staging)
└── Sandbox (Experimental — auto-expiry policies)
✅ Pro Tip: Implement the Azure Landing Zone architecture from the start — even if you only have one subscription today. The Landing Zone pattern separates platform services (networking, identity, monitoring) from application workloads at the Management Group level, enabling you to apply Azure Policy consistently across all subscriptions without re-doing governance work as you scale.
Subscription Design Principles
- Separate Production from Non-Production: Production subscription gets strictest Azure Policies, separate billing, and tighter RBAC — mistakes in dev never reach prod billing
- Connectivity subscription: Hub VNet, VPN/ExpressRoute gateways, and Azure Firewall in a dedicated subscription — centrally managed by network team
- Identity subscription: Domain Controllers (Azure VMs), Entra Connect servers, and DNS in an isolated subscription. Treat it as Tier 0: anyone who can administer these VMs (Contributor, VM Contributor, or the ability to run extensions) can take over the forest, so scope RBAC here as tightly as Domain Admins
- Budget alerts per subscription: Set Azure Cost Management budgets on every subscription — prevents runaway spend going unnoticed
Global Admin Hardening
- Enable Privileged Identity Management (PIM) — Global Admin must be activated on-demand, time-bound, with approval and a justification, never permanently assigned
- Require MFA for all admin roles — enforce via Conditional Access policy targeting directory roles, preferably phishing-resistant MFA (FIDO2 or certificate-based) through an authentication strength
- Create break-glass accounts — 2 cloud-only Global Admin accounts, excluded from every Conditional Access policy and from PIM (they must still work when MFA or the policy engine is broken), secured with FIDO2 keys or long random passwords held offline in sealed envelopes, with an alert on any sign-in
- Enable Entra ID Identity Protection (requires Entra ID P2) — automated risk-based MFA and blocking for risky sign-ins
- Configure sign-in risk policies — block high-risk sign-ins, require MFA for medium risk and above
⚠️ Warning: Never use your Global Administrator account for day-to-day Azure management. Global Admin has unrestricted access to everything in the tenant — including the ability to reset all user passwords and access all mailboxes. Create a separate admin user with only the role needed (e.g., Contributor on specific subscriptions) and use Global Admin only for tenant-level operations that explicitly require it.
2 Virtual Network (VNet) Design
Azure Virtual Networks are the networking foundation — defining IP address spaces, subnets, peering relationships, and connectivity to on-premises. The hub-and-spoke topology is the recommended architecture for organizations with multiple workloads.
Hub-and-Spoke VNet Topology
# Hub VNet (Connectivity Subscription)
Hub VNet CIDR: 10.100.0.0/16
GatewaySubnet: 10.100.0.0/27 (VPN/ExpressRoute Gateway — must be named exactly GatewaySubnet, /27 or larger; no NSG on this subnet)
AzureFirewallSubnet: 10.100.1.0/26 (Azure Firewall — must be named exactly this, /26 or larger)
AzureBastionSubnet: 10.100.2.0/26 (Azure Bastion — must be named exactly this, /26 or larger)
ManagementSubnet: 10.100.10.0/24 (Jump servers, monitoring)
# Spoke VNet 1 — Production (Production Subscription)
Prod VNet CIDR: 10.10.0.0/16
WebTier: 10.10.1.0/24 (public-facing VMs; Application Gateway needs a dedicated subnet of its own, e.g. 10.10.2.0/24)
AppTier: 10.10.10.0/24 (Application servers)
DataTier: 10.10.20.0/24 (private endpoints for Azure SQL, Cosmos DB, Redis)
# Spoke VNet 2 — Dev/Test (Non-Prod Subscription)
Dev VNet CIDR: 10.20.0.0/16
DevSubnet: 10.20.1.0/24
TestSubnet: 10.20.2.0/24
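Before any of these VNets is deployed, the plan is worth checking mechanically: Azure refuses to peer VNets whose address spaces overlap, the gateway, firewall and Bastion subnets are only recognised by their exact names and minimum sizes, and an on-premises prefix that overlaps a spoke (the range later placed in the Local Network Gateway and in the firewall's phase 2 selectors) silently shadows that spoke. The following validator is an added example written for this guide, not Azure tooling. PLAN_AS_WRITTEN is the plan above; the two on-premises ranges are assumptions, since the plan does not state one.

```python
"""Check a hub-and-spoke address plan before deploying any VNet.

Added example for this guide, not Azure tooling. PLAN_AS_WRITTEN is the plan from
this section; the on-premises ranges are assumptions (the plan does not state one,
but the Local Network Gateway and the FortiGate phase 2 selectors will need it).
"""
import copy
import ipaddress

# Subnets Azure recognises by exact name, with the minimum size each service accepts.
SPECIAL_SUBNETS = {
    "GatewaySubnet": 27,        # /27 or larger recommended (needed for VPN + ExpressRoute coexistence)
    "AzureFirewallSubnet": 26,  # Azure Firewall requires /26 or larger
    "AzureBastionSubnet": 26,   # Azure Bastion requires /26 or larger
}
# A keyword in a subnet name that suggests which special subnet was intended.
INTENDED = {"gateway": "GatewaySubnet", "firewall": "AzureFirewallSubnet", "bastion": "AzureBastionSubnet"}


def validate_plan(vnets: dict, onprem_ranges: list) -> list:
    """Return human-readable findings; an empty list means the plan is deployable.

    vnets: {name: {"cidr": "10.100.0.0/16", "subnets": {subnet_name: cidr}}}
    onprem_ranges: CIDRs that will be routed over the S2S VPN or ExpressRoute.
    """
    findings = []
    ranges = [(f"on-prem {c}", ipaddress.ip_network(c)) for c in onprem_ranges]
    for vname, spec in vnets.items():
        vnet = ipaddress.ip_network(spec["cidr"])
        ranges.append((f"VNet {vname}", vnet))
        seen = []
        for sname, scidr in spec["subnets"].items():
            subnet = ipaddress.ip_network(scidr)
            if not subnet.subnet_of(vnet):
                findings.append(f"{vname}/{sname} {scidr} lies outside the VNet range {spec['cidr']}")
            for prev_name, prev in seen:
                if subnet.overlaps(prev):
                    findings.append(f"{vname}/{sname} {scidr} overlaps {prev_name} {prev}")
            seen.append((sname, subnet))
            # Special-purpose subnets: the name must be exact and the size large enough.
            intended = next((req for kw, req in INTENDED.items() if kw in sname.lower()), None)
            if intended and sname != intended:
                findings.append(f"{vname}/{sname} must be named exactly {intended} for Azure to use it")
            if intended and subnet.prefixlen > SPECIAL_SUBNETS[intended]:
                findings.append(f"{vname}/{sname} is /{subnet.prefixlen}; {intended} needs /{SPECIAL_SUBNETS[intended]} or larger")
    # Every VNet and on-premises range must be disjoint: peering rejects overlapping
    # address spaces, and an overlapping S2S prefix shadows part of a VNet.
    for i, (label_a, net_a) in enumerate(ranges):
        for label_b, net_b in ranges[i + 1:]:
            if net_a.overlaps(net_b):
                findings.append(f"{label_a} overlaps {label_b}")
    return findings


PLAN_AS_WRITTEN = {
    "vnet-hub": {"cidr": "10.100.0.0/16", "subnets": {
        "GatewaySubnet": "10.100.0.0/27",
        "AzureFirewallSubnet": "10.100.1.0/26",
        "BastionSubnet": "10.100.2.0/27",      # a common mistake: wrong name and too small
        "ManagementSubnet": "10.100.10.0/24",
    }},
    "vnet-prod": {"cidr": "10.10.0.0/16", "subnets": {
        "WebTier": "10.10.1.0/24", "AppTier": "10.10.10.0/24", "DataTier": "10.10.20.0/24"}},
    "vnet-dev": {"cidr": "10.20.0.0/16", "subnets": {
        "DevSubnet": "10.20.1.0/24", "TestSubnet": "10.20.2.0/24"}},
}
ONPREM_COLLIDING = ["10.10.0.0/16"]   # assumed on-prem range that collides with vnet-prod
ONPREM_DISJOINT = ["192.168.0.0/16"]  # assumed on-prem range that does not

PLAN_FIXED = copy.deepcopy(PLAN_AS_WRITTEN)
PLAN_FIXED["vnet-hub"]["subnets"].pop("BastionSubnet")
PLAN_FIXED["vnet-hub"]["subnets"]["AzureBastionSubnet"] = "10.100.2.0/26"

if __name__ == "__main__":
    for line in validate_plan(PLAN_AS_WRITTEN, ONPREM_COLLIDING):
        print("FINDING:", line)
    print("fixed plan findings:", validate_plan(PLAN_FIXED, ONPREM_DISJOINT))
```

Run it against the plan as written with the colliding on-premises range and it reports the Bastion naming and sizing problems plus the overlap with vnet-prod; the corrected plan with a disjoint on-premises range returns no findings. Extend INTENDED and SPECIAL_SUBNETS if you add other name-bound subnets such as an Application Gateway subnet.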
VNet Peering Configuration
# Azure CLI — Create Hub-to-Spoke Peering
# Prerequisites: the hub VPN/ExpressRoute gateway already exists (use-remote-gateways
# fails otherwise), the address spaces do not overlap, and the identity running these
# commands has Network Contributor on both subscriptions.
# Hub → Prod Spoke
az network vnet peering create \
--name hub-to-prod \
--resource-group rg-connectivity \
--vnet-name vnet-hub \
--remote-vnet /subscriptions/PROD-SUB-ID/resourceGroups/rg-prod/providers/Microsoft.Network/virtualNetworks/vnet-prod \
--allow-vnet-access true \
--allow-forwarded-traffic true \
--allow-gateway-transit true
# Prod Spoke → Hub
az network vnet peering create \
--name prod-to-hub \
--resource-group rg-prod \
--vnet-name vnet-prod \
--remote-vnet /subscriptions/CONN-SUB-ID/resourceGroups/rg-connectivity/providers/Microsoft.Network/virtualNetworks/vnet-hub \
--allow-vnet-access true \
--allow-forwarded-traffic true \
--use-remote-gateways true
# allow-forwarded-traffic on the spoke side is what lets traffic relayed by Azure Firewall
# (or any NVA) in the hub enter the spoke; without it, spoke-to-spoke and forced-tunnel
# designs through the hub fail. Repeat both commands for vnet-dev.
# Verify: peeringState should be Connected on both sides
az network vnet peering list --resource-group rg-connectivity --vnet-name vnet-hub --output table
✅ Pro Tip: Enable allow-gateway-transit on the Hub peering and use-remote-gateways on Spoke peerings — this allows all spokes to use the Hub's VPN/ExpressRoute gateway for on-premises connectivity without deploying separate gateways in each spoke VNet. A single VPN Gateway in the Hub serves all spoke VNets, saving $150–$300/month per gateway not deployed.
3 VPN Gateway — Site-to-Site
Azure VPN Gateway creates an IPSec/IKE tunnel between your Azure VNet and your on-premises network — extending your private network into Azure over the public internet with full encryption.
VPN Gateway Deployment
- Create GatewaySubnet in the Hub VNet — must be named exactly GatewaySubnet, /27 or larger; never attach an NSG to it
- Create Public IP for the VPN Gateway — Standard SKU, Zone-Redundant for HA
- Create Virtual Network Gateway — route-based; VpnGw1 is the floor for production, VpnGw2 or higher where you need around 1 Gbps (VpnGw1 max 650 Mbps, VpnGw2 max 1 Gbps)
- Create Local Network Gateway — represents your on-premises firewall (public IP plus every on-premises CIDR that must be reachable; these prefixes must not overlap any VNet)
- Create the Connection — IKEv2, a long random shared key (PSK) generated for this tunnel, a custom IPsec/IKE policy that matches the on-premises side, and BGP if dynamic routing is required
- Configure matching IPSec settings on the on-premises firewall — FortiGate, MikroTik, Cisco, pfSense all supported
FortiGate to Azure VPN Configuration
# FortiGate CLI — Azure Site-to-Site VPN (route-based, IKEv2)
# Lifetimes and proposals match the Azure VPN Gateway defaults (IKE SA 28800 s, IPsec SA 27000 s).
# remote-gw is a placeholder for your Azure VPN Gateway public IP; generate your own PSK.
config vpn ipsec phase1-interface
    edit "azure-vpn"
        set interface "wan1"
        set ike-version 2
        set keylife 28800
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set remote-gw 20.10.50.100
        set psksecret "YourSharedKeyHere"
    next
end
# src-subnet is the on-premises range (192.168.0.0/16 is a placeholder; do not reuse
# 10.10.0.0/16 here, that is the Production spoke VNet and would black-hole the spoke).
# dst-subnet covers the hub only. Spokes reached through gateway transit (10.10.0.0/16,
# 10.20.0.0/16) each need their own phase2 selector, or use 0.0.0.0/0 selectors on both
# sides and let static routes decide what enters the tunnel.
config vpn ipsec phase2-interface
    edit "azure-vpn-p2"
        set phase1name "azure-vpn"
        set proposal aes256-sha256
        set dhgrp 14
        set keylifeseconds 27000
        set src-subnet 192.168.0.0 255.255.0.0
        set dst-subnet 10.100.0.0 255.255.0.0
    next
end
# Also required, not shown: a static route for each Azure prefix via the "azure-vpn"
# interface, and firewall policies in both directions between the LAN and "azure-vpn".
Azure VPN Gateway SKU Comparison
| SKU | Max Throughput | S2S Tunnels | BGP | Monthly Cost (India, approx.) |
|---|---|---|---|---|
| VpnGw1 | 650 Mbps | 30 | ✅ Yes | ~$140 |
| VpnGw2 | 1 Gbps | 30 | ✅ Yes | ~$350 |
| VpnGw3 | 1.25 Gbps | 30 | ✅ Yes | ~$700 |
| VpnGw1AZ | 650 Mbps | 30 | ✅ Yes | ~$230 (Zone-Redundant) |
| Basic | 100 Mbps | 10 | ❌ No | ~$27 (Dev only) |
⚠️ Warning: Never use the Basic VPN Gateway SKU for production — it cannot be upgraded to a higher SKU without deleting and recreating the gateway (causing hours of downtime). Basic SKU also does not support BGP, zone redundancy, active-active configuration, or custom IPsec/IKE policies. Deploy VpnGw1 (VpnGw1AZ in regions with availability zones) as the minimum for any production workload, even if current bandwidth requirements seem low; move to VpnGw2 when you need the 1 Gbps ceiling mentioned above.
4 ExpressRoute for Private Connectivity
ExpressRoute provides a dedicated private connection between your on-premises infrastructure and Azure that does not traverse the public internet. It delivers consistent latency and guaranteed bandwidth for enterprise-grade hybrid connectivity. Note that "private" is not "encrypted": ExpressRoute traffic is not encrypted by default, so if the circuit carries data that needs confidentiality in transit, add MACsec on ExpressRoute Direct or run a site-to-site VPN tunnel over the ExpressRoute private peering.
ExpressRoute vs VPN Gateway
| Attribute | VPN Gateway | ExpressRoute |
|---|---|---|
| Path | Public internet (IPsec-encrypted) | Private dedicated circuit (not encrypted unless MACsec or IPsec is added) |
| Bandwidth | Up to 1.25 Gbps on the SKUs above; larger SKUs go higher | 50 Mbps to 100 Gbps |
| Latency | Variable (internet dependent) | Consistent, low — SLA-backed |
| SLA | 99.9% (Basic), 99.95% (VpnGw SKUs) | 99.95% |
| Cost | Low ($140–$700/month) | High ($500–$5000+/month) |
| Setup Time | Hours | Weeks (ISP provisioning) |
| Best For | Most organizations | Financial services, large data transfer, compliance |
ExpressRoute Connectivity Models (India)
- Co-location: Your equipment in a carrier-neutral data center (STT GDC, CtrlS, NTT India) — direct cross-connect to Microsoft Enterprise Edge (MSEE)
- Point-to-Point Ethernet: Dedicated fiber from your office to Microsoft — arranged through Tata Communications, Airtel, Reliance Jio, or BSNL as ExpressRoute partners
- Any-to-Any (IPVPN): Integrate Azure into your existing MPLS WAN — Azure appears as another branch site on your existing WAN
✅ Pro Tip: For most Indian organizations, ExpressRoute via Tata Communications or Airtel Business is the recommended path — both are certified Microsoft ExpressRoute partners with PoPs in Mumbai and Chennai (closest to the West India and South India regions). Request quotes from both and compare — pricing varies significantly by bandwidth tier and contract length.
5 Microsoft Entra ID & Hybrid Identity
Microsoft Entra ID (formerly Azure Active Directory) is the cloud identity platform that powers Microsoft 365, Azure, and thousands of third-party SaaS applications. Connecting it to on-premises Active Directory via Entra Connect creates a unified identity where users have a single credential that works everywhere.
Entra Connect Deployment
- Deploy a dedicated Windows Server 2022 VM — do not install on a Domain Controller, and treat the server as Tier 0: it holds credentials with directory replication rights over every password hash, so restrict logon to the same people who can log on to DCs
- Download Microsoft Entra Connect from Microsoft Download Center — run on the dedicated server
- Select Express Settings for single forest, single domain organizations — or Custom for multi-forest
- Choose synchronization method — Password Hash Sync is recommended (most resilient, no ADFS required)
- Let the wizard create the AD DS Connector account rather than supplying a domain admin — it needs Replicating Directory Changes (plus Replicating Directory Changes All for PHS) and write access only to the attributes you enable for writeback
- Run initial synchronization — verify users appear in Entra ID portal
- Enable Seamless Single Sign-On (SSO) — domain-joined machines get automatic SSO to cloud apps
- Deploy a second Entra Connect server in staging mode for high availability
Synchronization Method Comparison
| Method | How It Works | Dependencies | Recommendation |
|---|---|---|---|
| Password Hash Sync | Salted hash derived from the NT hash is synced to Entra ID — cloud auth | None beyond Entra Connect | ✅ Recommended for most; enable it as a backup even with PTA or federation (leaked-credential detection needs it) |
| Pass-Through Auth | Auth request forwarded to on-prem AD in real-time | PTA agents on-prem must be online | ⚠️ If cloud-only passwords prohibited |
| Federation (ADFS) | ADFS server issues SAML tokens | ADFS farm — complex, high maintenance | ❌ Avoid unless legally mandated |
⚠️ Warning: Password Hash Sync stores a salted, iterated hash derived from the user's NT hash in Entra ID — not the password and not the NT hash itself. Microsoft cannot reverse it, and it cannot be replayed against on-premises AD. Despite common misconceptions, PHS is the most resilient and recommended synchronization method — if on-premises AD or Entra Connect goes offline, cloud authentication continues working because the hash is already in Azure. Two caveats remain: a leaked synced value can still be guessed offline, so weak passwords stay weak (pair PHS with Entra Password Protection and banned-password lists), and the Entra Connect server holds the replication rights needed to read every hash, which makes it a Tier 0 asset.
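What "a hash of a hash" means in practice, as an added example written for this guide and not Entra Connect code: the model below follows the steps Microsoft documents for PHS (the 16-byte NT hash, a 10-byte per-user salt, PBKDF2-HMAC-SHA256 with 1,000 iterations, a 32-byte result) and shows why the stored value cannot be used for pass-the-hash against AD, why two users with the same password sync different values, and what an attacker holding a leaked value still has to do. The password, the salts and the fallback used when the platform's OpenSSL has MD4 disabled are constructed for the demo; the hex case used in the expansion step is an assumption of this model.

```python
"""Model of the Password Hash Sync derivation, to show why the synced value is
neither the password nor the NT hash. Added example for this guide, not Entra
Connect code; it follows the steps Microsoft documents for PHS. Inputs are constructed."""
import hashlib
from typing import Iterable, Optional

ITERATIONS = 1000   # documented PBKDF2 iteration count
SALT_LEN = 10       # documented per-user salt length (bytes)
OUT_LEN = 32        # documented length of the value stored in Entra ID


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE password). MD4 is a legacy algorithm that OpenSSL 3
    builds often disable; in that case use a constructed 16-byte stand-in so the
    rest of the model still runs (the stand-in is NOT a real NT hash)."""
    data = password.encode("utf-16-le")
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        return hashlib.sha256(b"constructed-stand-in:" + data).digest()[:16]


def phs_value(nt: bytes, salt: bytes) -> bytes:
    """Entra Connect expands the 16-byte NT hash to 64 bytes (its 32-character hex
    string re-encoded as UTF-16LE), then runs PBKDF2-HMAC-SHA256 over that with the
    per-user salt for 1,000 iterations. Lower-case hex is an assumption of this model."""
    assert len(nt) == 16 and len(salt) == SALT_LEN
    expanded = nt.hex().encode("utf-16-le")   # 32 hex chars -> 64 bytes
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, ITERATIONS, dklen=OUT_LEN)


def offline_guess(synced: bytes, salt: bytes, candidates: Iterable[str]) -> Optional[str]:
    """The only route from a leaked synced value back to a password: try candidates one
    at a time, paying the full PBKDF2 cost for each. Weak passwords still fall this way."""
    for cand in candidates:
        if phs_value(nt_hash(cand), salt) == synced:
            return cand
    return None


def demo() -> dict:
    """Two users with the same password get different synced values; the synced value
    contains neither the NT hash nor the password, and a guess attack still works."""
    nt = nt_hash("Winter2024!")                                     # constructed password
    salt_alice, salt_bob = bytes(range(10)), bytes(range(10, 20))  # constructed per-user salts
    alice, bob = phs_value(nt, salt_alice), phs_value(nt, salt_bob)
    return {
        "nt_hash_bytes": len(nt),
        "synced_bytes": len(alice),
        "synced_is_not_nt_hash": alice != nt and nt not in alice,
        "per_user_salt_makes_values_differ": alice != bob,
        "deterministic_given_salt": alice == phs_value(nt, salt_alice),
        "weak_password_still_guessable": offline_guess(alice, salt_alice, ["Summer2023!", "Winter2024!"]) == "Winter2024!",
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last line of the demo is the practical point: PHS protects the on-premises NT hash from anyone who reads the cloud store, but it does not turn a guessable password into a strong one, which is why the password policy and Entra Password Protection still matter.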
6 Conditional Access Policies
Conditional Access is Entra ID's policy engine — it evaluates every authentication attempt against conditions (user, location, device, risk) and enforces controls (require MFA, block access, require compliant device). It is the cornerstone of Zero Trust identity security in Azure.
Essential Conditional Access Policies
- Require MFA for All Users: All users (exclude only the break-glass accounts) → Any cloud app → Require MFA. The single most impactful control; Microsoft's figure is that MFA stops more than 99.9% of account-compromise attacks
- Block Legacy Authentication: All users → Any cloud app → Client apps: Exchange ActiveSync + Other clients → Block. Legacy auth bypasses MFA entirely
- Require Compliant Device for Sensitive Apps: All users → SharePoint, Teams, ERP → Require Microsoft Entra hybrid joined or Intune-compliant device
- Block High-Risk Sign-ins: All users → Any app → Sign-in risk: High → Block access (risk signals require Entra ID P2)
- Require MFA for Azure Portal: All users → Microsoft Azure Management → Require MFA (kept separate from the general MFA policy so it survives edits to that one); for directory roles, raise this to phishing-resistant MFA with an authentication strength
- Named Locations — Allowed Countries: Block sign-ins from countries where your organization has no users. IP geolocation is trivially evaded with a VPN, so treat this as noise reduction, not a security boundary
Conditional Access — Report-Only Mode
# Azure CLI — Create CA Policy in Report-Only mode first
# Requires an az login identity that holds Policy.ReadWrite.ConditionalAccess (for
# example Conditional Access Administrator); az rest obtains the Graph token itself.
# Replace BREAK-GLASS-OBJECT-ID-1/2 with the object IDs of the break-glass accounts.
az rest --method POST \
--url "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" \
--headers "Content-Type=application/json" \
--body '{
  "displayName": "Require MFA - All Users",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeUsers": ["BREAK-GLASS-OBJECT-ID-1", "BREAK-GLASS-OBJECT-ID-2"]
    },
    "applications": {"includeApplications": ["All"]},
    "clientAppTypes": ["all"]
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa"]
  }
}'
# After the report-only review, flip the same policy to enforced (POLICY-ID from the POST response):
az rest --method PATCH \
--url "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/POLICY-ID" \
--headers "Content-Type=application/json" \
--body '{"state": "enabled"}'
✅ Pro Tip: Always deploy new Conditional Access policies in Report-Only mode for 7–14 days before enabling enforcement. Report-Only logs what would have happened — you can review the impact in Entra Sign-in Logs → Conditional Access tab and identify users who would be blocked or require MFA for the first time. This prevents the most common CA deployment disaster: accidentally locking out all users on a Friday afternoon.
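To reason about the policy set above and the report-only review before touching the tenant, here is an offline model written as an added example for this guide (it is not Entra ID code and does not call Graph). It encodes the six essential policies, applies them the way Conditional Access does (break-glass exclusions first, any block control wins, every grant control must be satisfied), keeps one policy in report-only mode, and tallies which currently successful sign-ins that policy would change. The users, apps, the allowed-country named location and the break-glass account names are assumptions; the sign-in events are constructed.

```python
"""Offline model of the essential Conditional Access policies above, evaluated against
constructed sign-in events. Added example for this guide, not Entra ID code. It models
exclusions (break-glass first), block controls winning over grant controls, and
report-only tallying. Users, apps, countries and account names are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List

BREAK_GLASS = {"bg-admin-1@contoso.example", "bg-admin-2@contoso.example"}  # constructed
ALLOWED_COUNTRIES = {"IN", "SG"}                                             # constructed named location
SENSITIVE_APPS = {"SharePoint", "Teams", "ERP"}
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}
ENFORCED, REPORT_ONLY = "enabled", "enabledForReportingButNotEnforced"


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    client_app: str  # browser | mobileAppsAndDesktopClients | exchangeActiveSync | other
    country: str
    risk: str        # none | low | medium | high
    device: str      # compliant | hybridJoined | unmanaged
    mfa_done: bool   # True once the user completed an MFA prompt in this session


@dataclass(frozen=True)
class Policy:
    name: str
    state: str
    matches: Callable[[SignIn], bool]
    control: str     # block | mfa | compliantDevice


POLICIES = [
    Policy("Require MFA - All Users", ENFORCED, lambda s: True, "mfa"),
    Policy("Block Legacy Authentication", ENFORCED, lambda s: s.client_app in LEGACY_CLIENTS, "block"),
    Policy("Require Compliant Device - Sensitive Apps", ENFORCED, lambda s: s.app in SENSITIVE_APPS, "compliantDevice"),
    Policy("Block High-Risk Sign-ins", ENFORCED, lambda s: s.risk == "high", "block"),
    Policy("Require MFA - Azure Management", ENFORCED, lambda s: s.app == "Microsoft Azure Management", "mfa"),
    # Still in report-only: its 7-14 day impact review has not finished yet.
    Policy("Block Disallowed Countries", REPORT_ONLY, lambda s: s.country not in ALLOWED_COUNTRIES, "block"),
]


def control_satisfied(policy: Policy, s: SignIn) -> bool:
    """A block control can never be satisfied; grant controls check the session."""
    if policy.control == "block":
        return False
    if policy.control == "mfa":
        return s.mfa_done
    return s.device in {"compliant", "hybridJoined"}  # compliantDevice


def evaluate(s: SignIn, policies: List[Policy] = POLICIES) -> Dict:
    """Outcome for one sign-in, plus what report-only policies would have done."""
    result = {"user": s.user, "outcome": "allowed", "enforced_by": [], "report_only_would": [], "alerts": []}
    if s.user in BREAK_GLASS:
        # Excluded from every policy so a CA or MFA outage cannot lock the tenant out;
        # any use is an incident-grade event, so it is surfaced as an alert instead.
        result["alerts"].append(f"break-glass account {s.user} signed in from {s.country}")
        return result
    for p in policies:
        if not p.matches(s) or control_satisfied(p, s):
            continue
        verdict = "blocked" if p.control == "block" else f"needs {p.control}"
        if p.state == REPORT_ONLY:
            result["report_only_would"].append(f"{p.name}: {verdict}")
            continue
        result["enforced_by"].append(f"{p.name}: {verdict}")
        # A block from any policy wins; otherwise the first unmet grant control is the outcome.
        if p.control == "block" or result["outcome"] == "allowed":
            result["outcome"] = verdict
    return result


def report_only_impact(signins: List[SignIn], policies: List[Policy] = POLICIES) -> Dict[str, int]:
    """The pre-enforcement review: per report-only policy, how many sign-ins that
    succeed today would change outcome once it is enforced."""
    impact: Dict[str, int] = {}
    for s in signins:
        r = evaluate(s, policies)
        if r["outcome"] != "allowed":
            continue  # already failing for another reason; enforcing adds nothing new
        for line in r["report_only_would"]:
            name = line.split(": ")[0]
            impact[name] = impact.get(name, 0) + 1
    return impact


SAMPLE_SIGNINS = [  # constructed sign-in events
    SignIn("alice@contoso.example", "Teams", "browser", "IN", "none", "compliant", True),
    SignIn("bob@contoso.example", "Exchange Online", "exchangeActiveSync", "IN", "none", "unmanaged", False),
    SignIn("carol@contoso.example", "ERP", "browser", "IN", "low", "unmanaged", True),
    SignIn("dave@contoso.example", "Microsoft Azure Management", "browser", "RU", "high", "compliant", True),
    SignIn("erin@contoso.example", "SharePoint", "mobileAppsAndDesktopClients", "SG", "medium", "hybridJoined", False),
    SignIn("frank@contoso.example", "Outlook", "browser", "RU", "none", "compliant", True),
    SignIn("bg-admin-1@contoso.example", "Microsoft Azure Management", "browser", "RU", "high", "unmanaged", False),
]

if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        print(evaluate(s))
    print("report-only impact:", report_only_impact(SAMPLE_SIGNINS))
```

Two things the run makes visible that the bullet list does not: a high-risk sign-in from a disallowed country is already blocked by the enforced risk policy, so enforcing the country policy changes nothing for it and only frank's successful sign-in shows up in the impact count; and the break-glass account sails through a high-risk, unmanaged, no-MFA sign-in, which is exactly why its every use must page someone.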
7 Azure Arc — Hybrid Management
Azure Arc extends Azure management capabilities to resources outside of Azure — on-premises servers, servers in other clouds (AWS, GCP), Kubernetes clusters, and SQL Server instances. It brings a unified control plane to your entire infrastructure regardless of where it runs.
What Azure Arc Enables
- Azure Policy on on-prem servers: Apply and audit configuration policies on Windows and Linux servers running on-premises — same as cloud VMs
- Microsoft Defender for Cloud: Security posture management and threat detection for on-premises servers — unified with Azure security score
- Azure Monitor: Collect logs and metrics from on-premises servers into Log Analytics Workspace — single monitoring pane
- VM Extensions: Deploy Azure monitoring agents, configuration management tools, and security agents to on-prem servers from Azure portal
- Azure Update Manager: Manage OS patching for on-premises Windows and Linux servers from Azure — unified patch compliance view
- RBAC for on-prem servers: Control who can access and manage on-premises servers using Azure RBAC — same model as Azure VMs. Note the reverse implication: a role that can deploy extensions or run commands on an Arc resource gets code execution as SYSTEM or root on that on-premises server, so scope those roles as tightly as you would Domain Admins, especially if domain controllers are onboarded
Azure Arc Server Onboarding
# The Azure portal generates a ready-made onboarding script:
# Azure Arc → Add Infrastructure → Servers → Add a single server
# What that script does, step by step (Windows PowerShell as Administrator):
# 1. Download and install the Azure Connected Machine agent
Invoke-WebRequest -Uri "https://aka.ms/AzureConnectedMachineAgent" -OutFile "$env:TEMP\AzureConnectedMachineAgent.msi"
msiexec.exe /i "$env:TEMP\AzureConnectedMachineAgent.msi" /l*v "$env:TEMP\installationlog.txt" /qn
# 2. Connect the machine to Azure (interactive device-code sign-in; TENANT-ID and SUB-ID are placeholders)
& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect `
  --resource-group "rg-arc" `
  --tenant-id "TENANT-ID" `
  --location "centralindia" `
  --subscription-id "SUB-ID" `
  --cloud "AzureCloud"
# Unattended variant for bulk rollout: add the service principal credentials
#   --service-principal-id "APP-ID" --service-principal-secret "SECRET"
# 3. Verify onboarding from a workstation with Azure CLI (needs the connectedmachine extension):
az extension add --name connectedmachine
az connectedmachine list --resource-group rg-arc --output table
✅ Pro Tip: For onboarding 50+ on-premises servers to Azure Arc, use the Service Principal onboarding method with a deployment script distributed via Group Policy or SCCM — it runs silently without requiring interactive authentication on each server. Create a dedicated Service Principal with only the Azure Connected Machine Onboarding role (minimum permissions, not Contributor). Because its client secret is embedded in a script that lands on every server, give the secret a short expiry, keep the principal restricted to that one role, and delete or rotate the secret as soon as the rollout is finished.
8 Azure Monitor & Cost Management
Azure Monitor is the unified observability platform — collecting metrics, logs, and traces from Azure resources, on-premises servers (via Arc), and applications. Combined with Cost Management, it gives complete visibility into both operational health and spending.
Log Analytics Workspace Setup
- Create a central Log Analytics Workspace in the Management subscription
- Set retention to at least 90 days (default 30) for interactive queries; many frameworks require longer (PCI DSS wants 12 months of audit history with 3 months immediately available), so add long-term or archive retention for the security tables
- Enable Diagnostic Settings on all Azure resources — route logs to the central workspace
- Connect Microsoft Defender for Cloud to the workspace — security alerts and recommendations in one place
- Install Azure Monitor Agent on all VMs (Azure and Arc-connected) — replaces legacy MMA and OMS agents
- Create Data Collection Rules — define which event logs and performance counters to collect per server type
Azure Cost Management Best Practices
- Cost allocation tags: Tag every resource with Environment (prod/dev/test), Project, and CostCenter — enables accurate cost attribution per team
- Budget alerts: Create budgets at subscription level — alert at 80% and 100% of monthly forecast
- Azure Advisor: Check weekly — identifies idle VMs, underutilized ExpressRoute circuits, and right-sizing recommendations
- Reserved Instances: Commit 1-year for predictable production workloads — 30–40% savings vs pay-as-you-go
- Azure Hybrid Benefit: Apply existing Windows Server and SQL Server licenses to Azure VMs — up to 40% additional cost reduction
- Dev/Test subscriptions: Use Azure Dev/Test pricing for non-production subscriptions — discounted VM rates available with Visual Studio subscriptions
⚠️ Warning: An ExpressRoute circuit bills from the moment you create it, whether or not the provider has finished provisioning it and whether or not any traffic flows. This is unlike a deallocated VM, which stops compute billing while it exists. If the ISP provisioning is delayed or you decide not to proceed, delete the circuit (disconnecting it is not enough) to stop the charge. A circuit still in "Not Provisioned" state incurs the port fee of $50–$500/month depending on bandwidth tier.
Need Help with Azure Hybrid Setup?
EnterWeb IT Firm architects and deploys Azure hybrid environments — from initial tenant setup and VNet design through ExpressRoute provisioning, Entra ID Connect, and Azure Arc onboarding. Microsoft-certified engineers with hands-on India region deployment experience.