Azure Network Architecture

This page describes the network infrastructure that Fractal Cloud deploys when you initialize an Azure environment. The architecture follows the Azure Cloud Adoption Framework and Azure Landing Zone recommendations for enterprise deployments.


Overview

Fractal Cloud deploys a hub-and-spoke topology using Azure Virtual Networks (VNets) with Service Endpoints and VNet Integration for secure, private connectivity between the hub and platform services. All network address ranges are allocated dynamically by the built-in IPAM system.

┌──────────────────────────────────────────────────────┐
│                       Hub VNet                       │
│             Central network infrastructure           │
└──────────────────────────┬───────────────────────────┘
                           │
                      VNet Peering
                           │
            ┌──────────────┼──────────────┐
            │              │              │
            ▼              ▼              ▼
        Platform        Spoke A        Spoke B
          VNet            VNet           VNet
        (Agents)      (Ops Env A)    (Ops Env B)

Hub VNet

The Hub VNet serves as the central network anchor for the landing zone. It provides the peering point for all spoke VNets and hosts shared network infrastructure such as firewalls, VPN gateways, and centralized services.


Platform VNet

The Platform VNet hosts the Cloud Agents and all shared platform services. It connects to Azure PaaS services through Service Endpoints for private, secure access.

What Runs Here

  • Fractal Cloud Agent — Azure App Service with VNet Integration for private outbound access
  • Custom Workload Agent — Azure App Service for application-level deployments
  • Azure Database for PostgreSQL — agent state and configuration
  • Azure Key Vault — secrets management, accessed via Service Endpoint
  • Azure Container Registry — agent container images

Private Connectivity

  • Service Endpoints extend the VNet identity to Azure PaaS services, enabling secure access over the Azure backbone
  • VNet Integration routes all App Service outbound traffic through the VNet for private database and Key Vault connectivity
  • Managed Identities provide credential-free authentication between Azure resources

Operational Environment Spoke VNets

When an Operational Environment is created:

  1. A new Azure Subscription is created under the Management Environment's Management Group
  2. IPAM allocates a CIDR block from the management environment's address space
  3. A spoke VNet is created with private subnets
  4. VNet Peering connects the spoke VNet back to the Hub VNet
  5. Role assignments allow the Cloud Agent's managed identity to provision resources

Live Systems using Molecule-level Blueprints deploy into the spoke VNet automatically. Live Systems with explicit VNet components are created as standalone infrastructure outside the hub-and-spoke topology.
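The IPAM step above (step 2) is where most hub-and-spoke deployments go wrong in practice: Azure refuses to peer two VNets whose address spaces overlap, and a spoke that collides with the hub or with an earlier spoke only fails at peering time. The following is an added illustration, not Fractal Cloud's own IPAM code; it allocates non-overlapping spoke blocks from a constructed management address space, carves each spoke into private subnets, and checks the spoke against the hub before anything would be created. The address ranges, environment names and the `Ipam` / `plan_spoke` helpers are assumptions for the example.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample values (not real Fractal Cloud data): the management
# environment's address space and the hub VNet already carved out of it.
MANAGEMENT_ADDRESS_SPACE = "10.100.0.0/16"
HUB_VNET = "10.100.0.0/22"

# Azure reserves the first four and the last address of every subnet.
AZURE_RESERVED_PER_SUBNET = 5


class Ipam:
    """Minimal first-fit CIDR allocator (illustrative stand-in for the built-in IPAM)."""

    def __init__(self, address_space: str, reserved: Iterable[str] = ()) -> None:
        self.space = ipaddress.ip_network(address_space)
        self.allocated: Dict[str, ipaddress.IPv4Network] = {}
        for i, cidr in enumerate(reserved):
            self.allocated[f"reserved-{i}"] = ipaddress.ip_network(cidr)
        self._validate()

    def _validate(self) -> None:
        # Every known block must sit inside the address space and none may overlap.
        nets: List[ipaddress.IPv4Network] = list(self.allocated.values())
        for net in nets:
            if not net.subnet_of(self.space):
                raise ValueError(f"{net} lies outside {self.space}")
        for i, a in enumerate(nets):
            for b in nets[i + 1:]:
                if a.overlaps(b):
                    raise ValueError(f"{a} overlaps {b}")

    def allocate(self, name: str, prefixlen: int) -> ipaddress.IPv4Network:
        """Hand out the first /prefixlen block that overlaps nothing already allocated."""
        if name in self.allocated:
            raise ValueError(f"{name} already holds {self.allocated[name]}")
        for candidate in self.space.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(n) for n in self.allocated.values()):
                self.allocated[name] = candidate
                return candidate
        raise RuntimeError(f"no free /{prefixlen} left in {self.space}")


def plan_spoke(ipam: Ipam, env_name: str, hub_cidr: str,
               spoke_prefix: int = 22, subnet_prefix: int = 24) -> dict:
    """Plan one operational-environment spoke: VNet block plus private subnets."""
    hub = ipaddress.ip_network(hub_cidr)
    spoke = ipam.allocate(env_name, spoke_prefix)
    # VNet peering fails on overlapping address spaces; guard here so the
    # check runs before any subscription or VNet would be created (the hub
    # might live in a different address space than the one IPAM manages).
    if spoke.overlaps(hub):
        raise ValueError(f"spoke {spoke} overlaps hub {hub}; peering would fail")
    subnets = list(spoke.subnets(new_prefix=subnet_prefix))
    return {
        "environment": env_name,
        "vnet": str(spoke),
        "subnets": [str(s) for s in subnets],
        "usable_per_subnet": subnets[0].num_addresses - AZURE_RESERVED_PER_SUBNET,
    }


if __name__ == "__main__":
    pool = Ipam(MANAGEMENT_ADDRESS_SPACE, reserved=[HUB_VNET])
    for env in ("ops-env-a", "ops-env-b"):
        print(plan_spoke(pool, env, HUB_VNET))
```

With the constructed values, the first spoke lands on 10.100.4.0/22 (10.100.0.0/22 is skipped because the hub holds it) and the second on 10.100.8.0/22; each is split into four /24 private subnets of 251 usable addresses. Running out of space raises rather than silently reusing a block, which is the behaviour you want from an allocator that feeds peering.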


Management Group Hierarchy

Fractal Cloud uses Azure Management Groups to organize subscriptions with cascading governance policies:

Tenant Root Group
└── Platform Management Group
    └── Fractal Cloud Management Group
        └── Landing Zones Management Group
            └── Environment Management Group
                ├── Management Subscription
                ├── Operational Subscription A
                └── Operational Subscription B

Security

  • No inbound access required — agents initiate all communication outbound over HTTPS
  • Private-first connectivity — all PaaS services accessed via Service Endpoints or Private Endpoints
  • Managed Identities — no secrets stored for service-to-service communication
  • Subscription isolation — each operational environment runs in its own Azure subscription