Implementing Hub and Spoke network topology in Microsoft Azure

What is Hub and Spoke

A hub and spoke network topology is a widely used network topology for all types of networks. This topology is also known as star topology. In this topology the main access point is connected to the internet to with a wire; like spokes on a wheel, all user devices connect to the wireless router in the center. All network traffic must go through the hub to reach other spokes in the network or to connect to an outside network.

Hub :

A hub and spoke network can be small with a single access point, like in your local WiFi-enabled coffee shop or at home, or it can be large enough to connect to a corporate enterprise with multiple APs. Most cellular voice networks are hub and spoke, as well; the cellular tower for a certain region is the hub, and all the mobile devices roaming through that area are the spokes.

Spoke :

Hub and spoke networks are well understood by all network administrators, and their benefits are thoroughly documented. They offer a high degree of security because each device on the network is isolated from the others through the single connection to the wireless router. Other benefits include high performance, centralization, and simplicity. They’re relatively inexpensive and easy to wire and easy to fix if a component goes down.

The most important con to this network topology is the single point of failure at the center. If the wireless router dies, the entire network goes dark.

one physical site act as Hub (Example, Main Office), while other physical sites act as spokes. Spoke sites are connected to each other via Hub site. In Hub-and-spoke Wide Area Network (WAN) topology, the network communication between two spokes always travels through the hub.

Ref : https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/images/spoke-spoke-routing.png

Benefits of the hub and spoke topology

A hub and spoke network topology is a way to isolate workloads while sharing common services. These services include identity and security. The hub is a VNet that acts as a central connection point to an on-premises network. The spokes are VNets that peer with the hub. Shared services are deployed in the hub, while individual workloads are deployed inside spoke networks. Here are some benefits of the hub and spoke network topology:

• Cost savings by centralizing services in a single location that can be shared by multiple workloads. These workloads include network virtual appliances and DNS servers.
• Overcome subscriptions limits by peering VNets from different subscriptions to the central hub.
• Separation of concerns between central IT (SecOps, InfraOps) and workloads (DevOps).

Typical uses for the hub and spoke architecture

Some of the typical uses for a hub and spoke architecture include:

• Many customers have workloads that are deployed in different environments. These environments include development, testing, and production. Many times, these workloads need to share services such as DNS, IDS, NTP, or AD DS. These shared services can be placed in the hub VNet. That way, each environment is deployed to a spoke to maintain isolation.
• Workloads that don’t require connectivity to each other, but require access to shared services.
• Enterprises that require central control over security aspects.
• Enterprises that require segregated management for the workloads in each spoke.

Components used in Architecture

The demo architecture created and deployed consists of the following components:

• Hub VNet. Virtual network used to deploy the Hub, The hub is the central point of connectivity to host services and internet. Services deployed in Hub vnet can be consumed by the different workloads hosted in the spoke VNets.
• Workload subnet. The subnets defined in the Spoke Vnets..
• Spoke VNets. Spokes can be used to isolate workloads in their own VNets, managed separately from other spokes. Each workload might include multiple tiers, with multiple subnets connected through Azure load balancers.
• VNet peering. To establish communication between two VNets, Those vnets must be peered at each other. This is known as VNet peering.Peering connections are non-transitive, low latency connections between VNets. After peering VNets exchange traffic by using the Azure backbone.VNet peering is used to connect the hub to each spoke. You can peer VNets in the same region, or different regions.
• UDR
• Azure Firewall Azure Firewall is deployed in the hub, which provides an additional layer of security. Azure Firewall is cost effective, especially if it’s used as a shared solution consumed by multiple workloads.

Steps to Create HUB and Spoke Architecture in Azure :

1. Create a Azure Vnet(SpokeVnet1) with having IP range 12.0.0.0\16
2. Create a subnet in SpokeVnet1 and name it as Workload Subnet with 12.0.2.0\24
3. Create Second Azure Vnet(SpokeVnet1) with having IP range 13.0.0.0\16
4. Create a subnet in SpokeVnet2 and name it as Worksload Subnet with 13.0.2.0\24
5. Create a Azure Vnet(HubVnet1) with having IP range 11.0.0.0\16
6. Create a subnet in HubVnet1and name it as WoAzureFirewallSubnet with 11.0.1.0\24
7. Install the Azure Firewall in HubVnet1and