I would like to create an extra-paranoid hub-and-spoke DMZ setup on Azure using IaaS VMs.

I have an public internet facing front end server (i.e. an IIS web server) that I’d like to severely lockdown. However, the front end requires access to some back end servers (i.e. a database, a domain controller, etc.). I want to ensure:

1. Only the front end server can talk to the back end servers, and only on agreed upon ports.
2. The back end servers cannot receive or send traffic from/to the public internet.
3. The back end servers cannot talk to each other.
4. These rules are enforced beyond the VM operating system layer to provide defense in depth.

This seems like a reasonable scenario, but I can’t seem to achieve it on Azure. The closest I’ve been able to do is:

• Create an IaaS VM front end and restrict its endpoints appropriately
• Create an Azure Virtual Network with a “FrontEnd” and “BackEnd” subnets placing each machine on the appropriate subnets.
• Prevent RDP access to the back end VMs. If I want to RDP to the backend machines, I must do it through the front end VM.
• Setup Windows Firewall rules on each of these machines to enforce these hub-and-spoke style of rules.

This works ok but it’s not as locked down as I’d like. I really want to have defense-in-depth so that I don’t have to rely on Windows/Linux firewall settings on each machine. For example, let’s say that a back end server must run an application with administrator credentials (assume there are no alternatives to this). I want an extra layer of protection such that a bug (or a malicious query) on the back end server could not:

• Reconfigure the back end’s firewall to be less restrictive.
• Talk to anyone else but the front end machine (this includes the public internet).

As far as I can tell, this isn’t possible on Azure using the Virtual Networking because:

• Azure Virtual Networks don’t seem to expose ACLs or any other advanced filtering support.
• Azure IaaS VMs only support a single NIC and thus the front end can’t be multihomed on both a front end and back end subnet.

Am I missing something? It seems like I might be able to hack something together using multiple virtual networks and VPN them together as a bunch of /30 subnets but that seems quite awful. If I can’t figure this out on Azure it seems my only reasonable alternative is to try to setup something like this on AWS using Virtual Private Cloud (VPC). Any help/guidance would be appreciated.