Design 5: The Hub and Spoke (Network Foundation)

Summary

This is the Foundation Design for the entire Azure Architecture series. It establishes the Hub VNet (Central Control Plane) and a Spoke VNet (Workload Zone).

Crucial Context: All subsequent designs (e.g., Multi-Tier App, AKS, SQL) should be deployed as Spokes peered to this Hub. This ensures they inherit security (Firewall), connectivity (VPN), and monitoring from the start.

1. Key Design Decisions (ADR)

ADR-01: Centralized Hub

  • Decision: Use a Hub VNet for shared services (VPN, Firewall, Bastion).
  • Problem: Managing VPN gateways in 50 different subscriptions is expensive and complex.
  • Rationale: Centralize the expensive gateway in one Hub. Peer all Spokes to it.
  • Conclusion: Cost efficient and easier to secure.

ADR-02: VNet Peering

  • Decision: Use VNet Peering with Gateway Transit.
  • Rationale: Allows Spoke VMs to use the Hub's VPN Gateway to talk to On-Premises.

2. High-Level Design (HLD)

+--------------+           +--------------+           +--------------+
|              |           |   HUB VNet   |           |  SPOKE VNet  |
|  On-Premises |<--------->|  (East US)   |<--------->|  (East US)   |
|   Office     |   VPN     | 10.0.0.0/16  |  Peering  | 10.1.0.0/16  |
|              |           |              |           |              |
+--------------+           +------+-------+           +------+-------+
                                  |                          |
                                  | (Global Peering)         | (ASR Rep)
                                  v                          v
                           +--------------+           +--------------+
                           |   DR HUB     |           |   DR SPOKE   |
                           |  (West US)   |<--------->|  (West US)   |
                           +--------------+           +--------------+

3. Low-Level Design (LLD)

                               PRIMARY REGION (East US)
+-----------------------------------------------------------------------+
|  HUB VNet (10.0.0.0/16)                                               |
|   +-----------------------+                                           |
|   | VPN Gateway           | <=======(VPN Tunnel)========[On-Prem]     |
|   | (vpngw-hub)           |                                           |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v (Peering: Allow Gateway Transit)                      |
+---------------|-------------------------------------------------------+
                |
+---------------|-------------------------------------------------------+
|  SPOKE VNet (10.1.0.0/16)                                             |
|   +-----------------------+                                           |
|   | VM: 10.1.1.4          |                                           |
|   | (No Public IP)        |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

                                      |
                                      | (Global VNet Peering / ASR)
                                      v

                               SECONDARY REGION (West US)
+-----------------------------------------------------------------------+
|  DR HUB VNet (10.2.0.0/16)                                            |
|   +-----------------------+                                           |
|   | VPN Gateway (Standby) |                                           |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v (Peering)                                             |
+---------------|-------------------------------------------------------+
                |
+---------------|-------------------------------------------------------+
|  DR SPOKE VNet (10.3.0.0/16)                                          |
|   +-----------------------+                                           |
|   | VM (ASR Replica)      |                                           |
|   | (Hydrated on Failover)|                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

4. Component Rationale

  • VPN Gateway: Connects Azure to the physical office.
  • Gateway Transit: The peering setting that lets the Spoke route through the Hub's VPN Gateway instead of deploying one of its own.

5. Strategy: High Availability (HA)

  • VPN Gateway: Active-Standby by default. If the active instance fails, the standby takes over in seconds.
  • Peering: Part of the Azure SDN backbone. Highly available by design.

6. Strategy: Disaster Recovery (DR)

  • Implementation: Global VNet Peering.
  • Process: In a true enterprise setup, you would replicate this entire topology to West US.

* Create vnet-hub-dr (10.2.0.0/16) in West US.

* Create vnet-spoke-dr (10.3.0.0/16) in West US.

* Enable ASR to replicate the VM from East Spoke to West Spoke.

7. Strategy: Backup

  • Config: Backup the VPN Gateway configuration scripts.
  • VMs: Backup Spoke VMs using Azure Backup.

8. Strategy: Security

  • Definition: Protecting data and resources from unauthorized access.
  • Implementation:

* Isolation: Spoke VNets are isolated from each other by default (unless peered).

* No Public IPs: Workloads in the Spoke do not need Public IPs; they are accessed securely via the VPN.

9. Well-Architected Framework Analysis

  • Reliability: High. VPN Gateway has active-standby instances. Peering is managed by Azure SDN.
  • Security: Excellent. Zero Trust. Workload VMs have NO Public IPs. All traffic is filtered through the Hub (future Firewall).
  • Cost Optimization: High. Shared VPN Gateway saves money compared to deploying one per VNet.
  • Operational Excellence: High. Separation of duties: Network team manages Hub; App teams manage Spokes.
  • Performance Efficiency: High. VNet Peering offers low latency and high bandwidth (same as being in the same VNet).

10. Detailed Traffic Flow

1. Admin Access: Admin in Office (192.168.1.5) initiates RDP to 10.1.1.4.

2. Tunnel: Traffic goes through VPN Tunnel to Hub Gateway.

3. Routing: The Hub Gateway's routes include the peered Spoke's prefix (10.1.0.0/16), so it forwards traffic for 10.1.1.4 toward the Spoke.

4. Peering: Traffic crosses the Peering link.

5. Arrival: Traffic hits VM. Return traffic follows the same path.

11. Runbook: Deployment Guide (Azure Portal)

Phase 1: Create Resource Group

1. Log in to the Azure Portal.

2. In the top search bar, type Resource groups and select it.

3. Click + Create.

4. Subscription: Select your subscription.

5. Resource group: Enter rg-hub-prod.

6. Region: Select (US) East US.

7. Click Review + create.

8. Click Create.

Phase 2: Create Hub VNet

1. Search for Virtual networks and click + Create.

2. Basics Tab:

* Resource group: Select rg-hub-prod.

* Name: Enter vnet-hub.

* Region: East US.

3. IP Addresses Tab:

* Delete any default IPv4 space.

* IPv4 address space: Enter 10.0.0.0/16.

* Add subnet:

* Subnet name: GatewaySubnet (Must be exact).

* Subnet address range: 10.0.0.0/24.

* Click Add.

4. Click Review + create, then Create.

Phase 3: Create VPN Gateway (The Hub Core)

1. Search for Virtual network gateways and click + Create.

2. Basics Tab:

* Name: vpngw-hub.

* Region: East US.

* Gateway type: VPN.

* VPN type: Route-based.

* SKU: VpnGw1 (or Basic for testing to save money).

* Virtual network: Select vnet-hub.

3. Public IP Address Tab:

* Public IP address: Select Create new.

* Name: pip-vpngw.

4. Click Review + create, then Create.

* Note: Deployment takes 30-45 minutes.

Phase 4: Create Spoke VNet (The Workload)

1. Create a new Resource Group: rg-spoke-workload.

2. Create a Virtual Network:

* Resource group: rg-spoke-workload.

* Name: vnet-spoke.

* Region: East US.

* IP Addresses: 10.1.0.0/16.

* Subnet: Name snet-workload, Range 10.1.1.0/24.

Phase 5: Configure Peering (Connecting them)

1. Go to Virtual networks -> Select vnet-hub.

2. On the left menu, under Settings, click Peerings.

3. Click + Add.

4. This Virtual Network (Hub):

* Peering link name: Hub-to-Spoke.

* Traffic to remote virtual network: Allow.

* Traffic forwarded from remote virtual network: Allow.

* Virtual network gateway or Route Server: Check Allow gateway transit.

5. Remote Virtual Network (Spoke):

* Peering link name: Spoke-to-Hub.

* Virtual network: Select vnet-spoke.

* Traffic to remote virtual network: Allow.

* Traffic forwarded from remote virtual network: Allow.

* Virtual network gateway or Route Server: Check Use the remote virtual network's gateway.

6. Click Add.

7. Wait for Peering Status to change to Connected.

Phase 6: Verification

1. Deploy a Windows VM in vnet-spoke / snet-workload, with Public IP set to None.

2. Once running, note its Private IP (e.g., 10.1.1.4).

3. If you have a P2S VPN or On-Prem connection to the Hub, try to RDP to 10.1.1.4.

4. Success! You are accessing a private spoke via the Hub.
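The same Phase 1-6 deployment as an Azure CLI script, added here as an example rather than taken from the page. Resource names, regions and prefixes follow the design above; the AZ variable is an assumption added so the script can be dry-run (AZ=echo prints each command instead of executing it), and the script only deploys when invoked with --run.

```shell
#!/bin/sh
# Azure CLI version of the Phase 1-6 portal runbook (added example, not from the page).
# AZ is an assumption added for dry runs: AZ=echo prints each command instead of running it.
set -eu
AZ="${AZ:-az}"; LOC=eastus
HUB_RG=rg-hub-prod; HUB_VNET=vnet-hub; SPOKE_RG=rg-spoke-workload; SPOKE_VNET=vnet-spoke

create_hub() {   # Phases 1-3
  "$AZ" group create --name "$HUB_RG" --location "$LOC"
  # The subnet must be named exactly GatewaySubnet or the gateway deployment is rejected.
  "$AZ" network vnet create --resource-group "$HUB_RG" --name "$HUB_VNET" \
    --address-prefix 10.0.0.0/16 --subnet-name GatewaySubnet --subnet-prefix 10.0.0.0/24
  "$AZ" network public-ip create --resource-group "$HUB_RG" --name pip-vpngw \
    --sku Standard --allocation-method Static
  # Blocks for the 30-45 minute gateway deployment; --use-remote-gateways on the spoke
  # side is only accepted once this gateway exists.
  "$AZ" network vnet-gateway create --resource-group "$HUB_RG" --name vpngw-hub \
    --vnet "$HUB_VNET" --public-ip-address pip-vpngw \
    --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1
}
create_spoke() { # Phase 4: workload VNet, no gateway and no public IPs of its own
  "$AZ" group create --name "$SPOKE_RG" --location "$LOC"
  "$AZ" network vnet create --resource-group "$SPOKE_RG" --name "$SPOKE_VNET" \
    --address-prefix 10.1.0.0/16 --subnet-name snet-workload --subnet-prefix 10.1.1.0/24
}
# Phase 5. The flags are asymmetric on purpose: --allow-gateway-transit is valid only on
# the VNet that owns the gateway (hub); --use-remote-gateways goes on the consumer (spoke).
peer_hub_to_spoke() { # $1 = spoke VNet resource id
  "$AZ" network vnet peering create --resource-group "$HUB_RG" --vnet-name "$HUB_VNET" \
    --name Hub-to-Spoke --remote-vnet "$1" \
    --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit
}
peer_spoke_to_hub() { # $1 = hub VNet resource id
  "$AZ" network vnet peering create --resource-group "$SPOKE_RG" --vnet-name "$SPOKE_VNET" \
    --name Spoke-to-Hub --remote-vnet "$1" \
    --allow-vnet-access --allow-forwarded-traffic --use-remote-gateways
}
peering_state() {   # Phase 5 step 7: prints Connected once both sides are linked
  "$AZ" network vnet peering show --resource-group "$SPOKE_RG" --vnet-name "$SPOKE_VNET" \
    --name Spoke-to-Hub --query peeringState --output tsv
}
main() {
  create_hub; create_spoke
  hub_id=$("$AZ" network vnet show -g "$HUB_RG" -n "$HUB_VNET" --query id -o tsv)
  spoke_id=$("$AZ" network vnet show -g "$SPOKE_RG" -n "$SPOKE_VNET" --query id -o tsv)
  peer_hub_to_spoke "$spoke_id"; peer_spoke_to_hub "$hub_id"; peering_state
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run `AZ=echo sh hubspoke.sh --run` first to review the exact commands, then `sh hubspoke.sh --run` against a logged-in CLI; the Spoke-to-Hub peering fails until vpngw-hub has finished provisioning.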