Azure Best Practice - Hub&Spoke topology

Welcome to my first blog-post in the Azure best practices series!

Azure networking can be confusing, in this post I'll demonstrate the key configurations of Hub and Spoke topology.

Note: To keep this article short, it will highlight the most-important configurations in the process.

Hub and Spoke topology allows routing traffic from your chosen Vnets (Spokes) through a centralized Vnet (Hub) to make a secure, convenient and cost effective networking environment in Azure. The main services that deployed into the Hub Vnet will be accessible via the Spoke Vnets. Thus, makes perfect sense for cost-effectiveness. In addition, It allows keeping the network secured by applying security best practices on the Hub that affects the Spoke Vnets.

To make the magic works, you need to pre-configure the followings:

• Three Vnets and subnets (2 Spokes and a Hub).

Vnet1 represents one Spoke, Vnet2 represents the Hub, Vnet3 represents the second Spoke.

• Two VM's with associated NIC's deployed into the Spoke subnets (VM1 and VM3)

Our Goal: Make a connection between VM1 and VM3 whithout peering between Vnet1 and Vnet3.

First Step, deploy a VPN Gateway into the Hub Vnet.

Next, lets configure some peering!

In each peering configuration we must set the following:

• In the Hub peerings select - Use this virtual network's gateway or Route Server.
• In the Spokes peerings select - Use the remote virtual network's gateway or Route Server.

Note - In Hub and Spoke topology implemented with a vpn gateway, the vnet peering configuration: "Traffic forwarded from remote virtual network" is redundant.

Configure the following peerings:

• Peering between each Spoke Vnet to the Hub.
• Peering between the Hub Vnet to all Spokes.

Have you finished with the peering work? Awsome!

Eventhough the peerings are configured properly, resources within the Spokes can communicate with resources within the Hub, but not between the Spoke Vnets.

To complete the Hub and Spoke topology and achieve our goal, we need to configure one last resource: a Route-Table.

Note: In the route-table, configure routes for each Spoke subnet.

Configure the Route-Table with the following routes configurations:

• In the Address prefix configuration, enter the Spoke subnet's IP adresses.
• In "next hop type" configurations: select "virtual appliance" and enter the VPN Gateway private ip address or alternatively, select "virtual network gateway".

Note: The last octate of the VPN gateway private IP address is 4.

Finally, associate the route-table to the Spoke subnets (Route-Table settings > subnets) and ping between the VM's in the Spokes. You can also use the "connection troubleshoot" tool in the network diagnostic tools of the "NetworkWatcher" to check the connection.

I hope you will find this article useful, and I would happy to assist in any way, just drop me a line :)

Explore the Microsoft documentation: https://docs.microsoft.com/en-us/azure/developer/terraform/hub-spoke-introduction