Hub & Spoke Architecture on Azure
The standardization and reuse of architectural models is a common practice in software development, and cloud network topologies can draw on the same idea. The Hub-and-Spoke model is a network topology increasingly adopted by customers on Azure.
In this article we discuss the characteristics of this architecture, the advantages that can be drawn from it and the most common use cases.
The Hub-and-Spoke Topology
The basic Hub-and-Spoke architecture consists of several VNets that we will call the Hub and the Spokes. The Hub is a virtual network that serves as the entry point to our Azure infrastructure and which, in our case, is connected to our On-Premise infrastructure. The connection between our local infrastructure and the Hub is made through a VPN or an ExpressRoute circuit.
The Hub hosts the common, centralized services, for example a bastion VM, monitoring, a firewall or a VPN Gateway. It is the central point of connectivity to our various On-Premise sites or to other cloud providers.
Spokes are virtual networks on which we generally place our PaaS applications, VMs and VNet-integrated services. Network communication between the Hub and the Spokes requires a VNet peering between each Spoke and the Hub.
How many spokes and for which use case? We can imagine a spoke for the production environment and a spoke for pre-production or 1 spoke per application.
We will find several use cases of this architecture, namely:
- Architecture with a hub zone firewall for filtering,
- Centralization of the entry point with a VPN Gateway,
- Centralization of common services such as supervision, FW, Bastion at the Hub level,
- Segregation of environments and resources.
Hub-and-Spoke with Firewall
To centralize control of the incoming and outgoing flows to our applications, we can position a firewall network virtual appliance (NVA) in the Hub. The NVA filters the flows to each Spoke according to the rules defined by the CISO. Defining static routes on our subnets is essential to be sure that traffic always passes through our NVA; User Defined Routes (UDRs) on Azure are the tool for this need.
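The following is an added example, not code from the article: a small Python helper that builds the UDRs a Spoke subnet needs so that its outbound flows go through the NVA, and emulates Azure's route selection (longest prefix wins, UDR beats a system route on a tie) to show which destinations would bypass the NVA if a route were missing. All address ranges and the NVA private IP are constructed values, and the set of system routes is a simplified model of what Azure installs for a Spoke that uses the Hub's gateway.

```python
"""Route-table helper for a Spoke subnet in an Azure Hub-and-Spoke design with an NVA in the Hub.

Added example: the address plan and NVA IP below are constructed, and the "system routes"
modelled in effective_next_hop() are a simplified version of the routes Azure installs.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed address plan (hypothetical values)
HUB_CIDR = "10.0.0.0/16"
SPOKE_CIDRS = {"spoke-sales": "10.1.0.0/16", "spoke-inventory": "10.2.0.0/16"}
ONPREM_CIDRS = {"onprem-dc1": "192.168.0.0/16"}
NVA_PRIVATE_IP = "10.0.1.4"  # private IP of the firewall NVA in the Hub (assumed)

# A UDR is (name, address prefix, next hop type, next hop IP or None)
Route = Tuple[str, str, str, Optional[str]]


def spoke_udrs(onprem: Dict[str, str], nva_ip: str) -> List[Route]:
    """UDRs for a Spoke subnet that force traffic through the NVA.

    A default route covers internet and spoke-to-spoke traffic: Spokes are not peered to
    each other, so no system route is more specific than 0.0.0.0/0 for another Spoke.
    On-premises prefixes need explicit entries: when the Spoke uses the Hub's VPN/ExpressRoute
    gateway, Azure installs system routes for those prefixes, and being more specific than
    the default route they would send the traffic straight to the gateway, bypassing the NVA.
    """
    routes: List[Route] = [("default-via-nva", "0.0.0.0/0", "VirtualAppliance", nva_ip)]
    for name, cidr in onprem.items():
        routes.append((f"{name}-via-nva", cidr, "VirtualAppliance", nva_ip))
    return routes


def effective_next_hop(dst_ip: str, spoke_cidr: str, hub_cidr: str,
                       onprem: Dict[str, str], udrs: List[Route]) -> str:
    """Simplified emulation of Azure route selection for one destination.

    Longest prefix wins; on a tie a UDR (precedence 1) beats a system route (precedence 0).
    Returns the next hop type that would be chosen for dst_ip.
    """
    dst = ip_address(dst_ip)
    # (prefix, next hop type, precedence) for the system routes of a Spoke using the Hub gateway
    candidates = [
        (ip_network(spoke_cidr), "VnetLocal", 0),
        (ip_network(hub_cidr), "VNetPeering", 0),
        (ip_network("0.0.0.0/0"), "Internet", 0),
    ]
    candidates += [(ip_network(c), "VirtualNetworkGateway", 0) for c in onprem.values()]
    candidates += [(ip_network(prefix), hop_type, 1) for _, prefix, hop_type, _ in udrs]
    matches = [c for c in candidates if dst in c[0]]
    best = max(matches, key=lambda c: (c[0].prefixlen, c[2]))
    return best[1]


def nva_bypasses(spoke_cidr: str, hub_cidr: str, onprem: Dict[str, str],
                 udrs: List[Route], sample_destinations: List[str]) -> Dict[str, str]:
    """Destinations (outside the Spoke and the Hub) whose next hop is not the NVA."""
    result = {}
    for dst in sample_destinations:
        hop = effective_next_hop(dst, spoke_cidr, hub_cidr, onprem, udrs)
        if hop not in ("VirtualAppliance", "VnetLocal", "VNetPeering"):
            result[dst] = hop
    return result


if __name__ == "__main__":
    full = spoke_udrs(ONPREM_CIDRS, NVA_PRIVATE_IP)
    default_only = full[:1]
    samples = ["10.2.0.10", "192.168.10.5", "10.0.1.4", "8.8.8.8"]
    for label, udrs in (("default route only", default_only), ("default + on-prem routes", full)):
        print(label)
        for dst in samples:
            hop = effective_next_hop(dst, SPOKE_CIDRS["spoke-sales"], HUB_CIDR, ONPREM_CIDRS, udrs)
            print(f"  {dst:>14} -> {hop}")
        print("  bypassing the NVA:",
              nva_bypasses(SPOKE_CIDRS["spoke-sales"], HUB_CIDR, ONPREM_CIDRS, udrs, samples))
```

Running the script shows the point of the explicit on-premises entries: with only the default route, a packet from the Spoke to 192.168.10.5 is handed to the Hub gateway without ever crossing the NVA, while the other Spoke and the internet are already forced through it.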
Advantages and disadvantages
In terms of benefits:
- Our architecture allows a better separation of our environments with a central entry point (Hub) connected to several Spokes. This will allow our security teams to apply fine granularity to each environment or application,
- The application of Tags at the level of each spoke will facilitate internal invoicing and the organization of our resources,
- The hybridization of our services is also easier, because the network connection to them is easier to set up from the Hub,
- A financial advantage: a reduction in connection costs to our On-Premise environment. A single connection for all applications instead of setting up 1 VPN per application/environment,
- Simplification in terms of architecture and resource management.
In terms of disadvantages:
- Delicate management of IP address spaces to avoid overlap between the Hub, Spoke and our other On-Premise environments,
- The definition of all IP addressing must be done from the start to avoid surprises,
- A high availability architecture for all Hub services is recommended to avoid any interruption in the event of an incident.
Hub-and-Spoke best practices
The organization of the Spoke VNets must follow the application or the internal entity, so that it reflects a functional or business logic.
Example: an online sales company
- Hub : central services – resource group hub
- Spoke 1 : online sales application (mobile and PC) – resource group 1
- Spoke 2: inventory management application – resource group 2
- Spoke 3: delivery management application – resource group 3
- Spoke 4: supplier management application – resource group 4
IP management can be done with an IPAM tool or a simple Excel file. Resource group tags are your best friend: spoke, hub, prod, pprd, stockbdd, etc.
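As an added example (not part of the article), here is the kind of check that makes a plain spreadsheet or IPAM export usable as the single source of truth for addressing, addressing both the overlap risk listed under the disadvantages and the "define everything from the start" advice: a Python script that reads a plan saved as CSV (name,role,cidr), rejects malformed CIDRs and reports every overlapping pair across Hub, Spokes and On-Premise ranges. The plan embedded below is constructed, with two deliberate mistakes.

```python
"""Address-plan checker for a Hub-and-Spoke design.

Added example: reads a plan in the form one would keep in an IPAM export or a spreadsheet
saved as CSV (name,role,cidr) and reports invalid CIDRs and overlaps between the Hub,
the Spokes and the On-Premise ranges. The plan below is constructed.
"""
import csv
from io import StringIO
from ipaddress import ip_network
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed plan: "spoke-legacy" deliberately overlaps "spoke-sales",
# and "spoke-bad" has host bits set in its prefix (a typical copy-paste typo).
PLAN_CSV = """name,role,cidr
hub,hub,10.0.0.0/16
spoke-sales,spoke,10.1.0.0/16
spoke-inventory,spoke,10.2.0.0/16
spoke-delivery,spoke,10.3.0.0/16
spoke-legacy,spoke,10.1.128.0/17
spoke-bad,spoke,10.4.5.0/16
onprem-dc1,onprem,192.168.0.0/16
"""


def parse_plan(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return {name: cidr} for the valid rows and an error message per rejected row."""
    spaces: Dict[str, str] = {}
    errors: List[str] = []
    for row in csv.DictReader(StringIO(text)):
        name, cidr = row["name"].strip(), row["cidr"].strip()
        if name in spaces:
            errors.append(f"{name}: duplicate entry")
            continue
        try:
            ip_network(cidr, strict=True)  # strict=True rejects host bits, e.g. 10.4.5.0/16
        except ValueError as exc:
            errors.append(f"{name}: invalid CIDR {cidr!r} ({exc})")
            continue
        spaces[name] = cidr
    return spaces, errors


def find_overlaps(spaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Every pair of address spaces that overlap, as sorted name pairs."""
    nets = {name: ip_network(cidr) for name, cidr in spaces.items()}
    return sorted(
        tuple(sorted((a, b)))
        for (a, na), (b, nb) in combinations(nets.items(), 2)
        if na.overlaps(nb)
    )


def check_plan(text: str) -> List[str]:
    """All problems found in a CSV plan; an empty list means the plan is clean."""
    spaces, errors = parse_plan(text)
    errors += [f"{a} overlaps {b}" for a, b in find_overlaps(spaces)]
    return errors


if __name__ == "__main__":
    problems = check_plan(PLAN_CSV)
    if not problems:
        print("address plan OK")
    for problem in problems:
        print("PROBLEM:", problem)
```

Run it before creating any VNet: a Spoke that overlaps the Hub or an On-Premise range cannot be peered or routed to later without re-addressing it, which is exactly the surprise the plan is meant to avoid.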
The Hub-and-Spoke architecture remains the most popular for customers who wish to hybridize their On-Premise environments based on a pattern validated and standardized by Microsoft.