What are the network deployment requirements?

Abstract

When designing the network layout for your production environment, you should consider separating your Content Delivery (CD) and Content Management (CM) environments by having them in separate subnets, and using a firewall to control port and machine access.

When designing the network layout for your production environment, you should consider separating your CD and CM environments by having them in separate subnets, and using a firewall to control port and machine access. Separating the environments creates a more secure deployment, but it increases the complexity of the deployment, including the need to recreate some of the roles in both environments. In Azure, you can achieve this by using a Cloud Only Virtual Network and Windows Firewall. Azure does not offer the equivalent of a firewall appliance, but Barracuda Networks offers a Virtual Machine equivalent.

Another thing to consider when designing the network layout is load balancing. When choosing your hardware and algorithm, be aware that CM servers must use sticky sessions. Within Azure you have the choice of Traffic Manager or Load Balancer. Traffic Manager uses DNS redirection, and can redirect based on failover, round robin, or geographic location. Azure Load Balancer has internal and external offerings. The external offering targets only Virtual Machines, and the internal offering targets cloud services or virtual networks. The Azure Load Balancer redirects randomly, with no configuration options.

For a list of required ports, please see Firewall ports.
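One way to check a planned firewall rule set against the CD/CM separation described above is shown below. This is an added example, not part of the product documentation; the subnets, rule names and port numbers are constructed placeholders, and the real allowed ports come from the Firewall ports list.

```python
import ipaddress

# Constructed sample layout (assumptions, not values from the page).
CM_SUBNET = ipaddress.ip_network("10.0.1.0/24")   # Content Management
CD_SUBNET = ipaddress.ip_network("10.0.2.0/24")   # Content Delivery
ALLOWED_CD_TO_CM_PORTS = {8443}                   # placeholder port

# Constructed inbound allow rules, as they might be exported for review.
RULES = [
    {"name": "admin-https-to-cm", "src": "10.0.9.0/24", "dst": "10.0.1.0/24", "port": 443},
    {"name": "cd-service-to-cm", "src": "10.0.2.0/24", "dst": "10.0.1.10/32", "port": 8443},
    {"name": "any-https-to-cm", "src": "0.0.0.0/0", "dst": "10.0.1.0/24", "port": 443},
]


def audit(rules, cm=CM_SUBNET, cd=CD_SUBNET, allowed=frozenset(ALLOWED_CD_TO_CM_PORTS)):
    """Return findings where the rule set weakens CD/CM separation."""
    findings = []
    # The two environments must sit in distinct, non-overlapping subnets.
    if cm.overlaps(cd):
        findings.append("CM and CD subnets overlap")
    for rule in rules:
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        # A rule is a problem when any CD address can reach any CM address
        # on a port outside the approved list. Broad sources such as
        # 0.0.0.0/0 overlap the CD subnet and are caught here too.
        if src.overlaps(cd) and dst.overlaps(cm) and rule["port"] not in allowed:
            findings.append(f"{rule['name']}: CD can reach CM on port {rule['port']}")
    return findings


if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```

The broad `any-https-to-cm` rule is flagged because its source range includes the CD subnet, which is the kind of over-permissive rule that defeats the subnet split.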