Hub & Spoke Networks

As we continue with the network topologies, let’s talk about the Hub and Spoke Networks.

This reference architecture implements a hub-and-spoke network pattern with customer-managed hub infrastructure components.

[Diagram: hub-and-spoke reference architecture]

This reference architecture implements a hub-and-spoke network pattern in which the hub virtual network acts as a central point of connectivity to many spoke virtual networks. Spoke virtual networks connect to the hub and can be used to isolate workloads.

You can also enable cross-premises scenarios by using the hub to connect to local networks.

This architecture describes a network pattern with customer-managed hub infrastructure components. For a Microsoft managed hub infrastructure solution, see Hub-and-spoke topology with Azure Virtual WAN.

The advantages of using a hub-and-spoke configuration include the following:

  • Cost savings
  • Overcoming subscription limits
  • Isolation of workloads

Some of the typical uses for a hub-and-spoke architecture include workloads that:

  • Have multiple environments that require shared services. For example, a workload might have development, test, and production environments. Shared services can include DNS, Network Time Protocol (NTP), or Active Directory Domain Services (AD DS). Shared services are placed in the hub virtual network, while each environment is deployed in a different spoke to maintain isolation.
  • Do not require connectivity to each other, but do require access to shared services.
  • Require central control over security, such as a perimeter network (also known as a DMZ) firewall in the hub with segregated workload management in each spoke.
  • Require central control over connectivity, such as selective connectivity or isolation between spokes of certain environments or workloads.

This sample solution uses a single Azure resource group. You can also deploy the hub and each spoke to different resource groups and subscriptions.

When you pair virtual networks in different subscriptions, you can associate the subscriptions with the same or a different Azure Active Directory (Azure AD) tenant. This flexibility enables decentralized management of each workload, while keeping shared services at the center. See Create a virtual network peering: Resource Manager, different subscriptions, and Azure AD tenants.

As a general rule, it is best to have at least one hub per region. This configuration helps to avoid a single point of failure, for example, to prevent resources in Region A from being impacted at the network level by an outage in Region B.
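As an added example (not code from the article or from Microsoft's reference architecture), the Bicep below builds the topology described above: a hub with a firewall subnet, two spokes that peer only with the hub, and a default route in each spoke that sends traffic to the hub firewall. The spoke names, address ranges and firewall IP are assumed values chosen for illustration.

```bicep
// Added example, not from the article or Microsoft's reference architecture: a hub VNet
// with a firewall subnet, two spokes peered to the hub only, and a default route per spoke.
param location string = resourceGroup().location
// Assumption: the firewall's private IP (first usable address in AzureFirewallSubnet).
param firewallPrivateIp string = '10.0.1.4'
var spokes = [
  { name: 'vnet-spoke-dev', prefix: '10.1.0.0/16', subnet: '10.1.0.0/24' }
  { name: 'vnet-spoke-prod', prefix: '10.2.0.0/16', subnet: '10.2.0.0/24' }
]
// allowForwardedTraffic lets the hub firewall relay spoke-to-spoke traffic; gateway
// transit stays off unless a hub VPN/ExpressRoute gateway is shared with the spokes.
var peeringFlags = { allowVirtualNetworkAccess: true, allowForwardedTraffic: true, allowGatewayTransit: false, useRemoteGateways: false }

resource hub 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [ { name: 'AzureFirewallSubnet', properties: { addressPrefix: '10.0.1.0/26' } } ]
  }
}
// One route table per spoke: internet- and spoke-bound traffic is inspected in the hub.
resource rt 'Microsoft.Network/routeTables@2023-05-01' = [for s in spokes: {
  name: 'rt-${s.name}'
  location: location
  properties: {
    routes: [ { name: 'default-via-hub-firewall', properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp } } ]
  }
}]
resource spoke 'Microsoft.Network/virtualNetworks@2023-05-01' = [for (s, i) in spokes: {
  name: s.name
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ s.prefix ] }
    subnets: [ { name: 'snet-workload', properties: { addressPrefix: s.subnet, routeTable: { id: rt[i].id } } } ]
  }
}]
// Peerings exist only between hub and spoke; spokes are never peered to each other,
// so dev and prod stay isolated except for what the firewall explicitly allows.
resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = [for (s, i) in spokes: {
  parent: hub
  name: 'peer-to-${s.name}'
  properties: union(peeringFlags, { remoteVirtualNetwork: { id: spoke[i].id } })
}]
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = [for (s, i) in spokes: {
  parent: spoke[i]
  name: 'peer-to-hub'
  properties: union(peeringFlags, { remoteVirtualNetwork: { id: hub.id } })
}]
```

Deploy it with `az deployment group create --resource-group <rg> --template-file hubspoke.bicep`; because no spoke-to-spoke peering exists, traffic between dev and prod can only flow if the hub firewall's rules allow it.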

To centrally manage connectivity and security controls, use Virtual Network Manager to create new hub-and-spoke virtual network topologies or incorporate existing ones. Using Virtual Network Manager ensures hub-and-spoke network topologies are prepared for future large-scale growth across multiple subscriptions, management groups, and regions.

Example use case scenarios for Virtual Network Manager include the following:

  • Democratization of virtual network management to groups such as business units or application teams. Democratization can result in a large number of requirements for network security rules and connectivity between virtual networks.
  • Standardization of multiple replica architectures across multiple Azure regions to ensure a global footprint for applications.

To ensure consistent connectivity and network security rules, you can use network groups to group virtual networks from any subscription, management group, or region in the same Azure AD tenant. You can automatically or manually add virtual networks to network groups through dynamic or static membership assignments.

The discoverability of virtual networks that Virtual Network Manager manages is defined by scopes. This feature provides flexibility for a desired number of Network Manager instances, allowing for greater democratization of virtual network pool management.

To connect spoke virtual networks in the same network group to each other, use Virtual Network Manager to implement virtual network peering or direct connectivity. Use the global mesh option to extend direct mesh connectivity to virtual networks in different regions. The following diagram shows the global mesh connectivity between regions.


[Diagram: global mesh connectivity between regions]

For detailed documentation, see the following links:

Hub-spoke network topology in Azure

https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli

Hub-spoke network topology with Azure Virtual WAN

https://learn.microsoft.com/en-us/azure/architecture/networking/hub-spoke-vwan-architecture

We can also peer two virtual networks that are in different subscriptions, even when those subscriptions belong to different tenants. Peering two virtual networks allows resources in different virtual networks to communicate with each other with the same bandwidth and latency that the resources would have if they were in the same virtual network. Learn more about Virtual Network Peering.

Depending on whether the virtual networks are in the same subscription or different subscriptions, the steps to create a virtual network peering are different. The steps for peering networks built with the classic deployment model are different. For information about deployment models, see Azure deployment model.

You cannot create a virtual network peering between two virtual networks deployed using the classic deployment model. If you need to connect virtual networks that were created through the classic deployment model, you can use an Azure VPN Gateway to connect the virtual networks.

For detailed documentation, see the link:

Create a virtual network peering - Resource Manager, different subscriptions and Azure Active Directory tenants.

https://learn.microsoft.com/en-us/azure/virtual-network/create-peering-different-subscriptions?tabs=create-peering-portal#cli

We can also access PaaS services through private addresses, avoiding exposing those services to the internet. We can do that by defining private endpoints.

A private endpoint is a network interface that uses a virtual network's private IP address. This network interface connects you privately and securely to a service powered by Azure Private Link. By enabling a private endpoint, you add the service to the virtual network.

The service could be an Azure service like:

  • Azure Storage
  • Azure Cosmos DB
  • Azure SQL Database
  • Your own service through the Private Link service.

When using private endpoints, traffic is secured to a private link resource. The platform validates network connections and only allows those that reach the specified private link resource. To access additional child resources of the same Azure service, additional private endpoints are required. In the case of Azure Storage, for example, separate private endpoints are needed to access the file and blob child resources.

Private endpoints provide a private IP address for access to the Azure service, but don't necessarily restrict public network access to the service. Azure App Service and Azure Functions don't support public access when associated with a private endpoint, but all other Azure services require additional access controls. These controls provide an additional layer of network security for your resources and help prevent unwanted access to the Azure service associated with the private link resource.

Private endpoints support network policies. Network policies enable support for Network Security Groups (NSGs), User Defined Routes (UDRs), and Application Security Groups (ASGs). For more information about enabling network policies for a private endpoint, see Managing network policies for private endpoints. To use an application security group with a private endpoint, see Set up an application security group (ASG) with a private endpoint.

You can connect to a private link resource using the following connection approval methods:

  • Auto Approve – Use this method when you have permissions for the specific private link resource.
  • Manual Request – Use this method when you do not have the necessary permissions and want to request access. An approval workflow will start. The private endpoint and subsequent private endpoint connections will be created in a Pending state. The owner of the private link resource is responsible for approving the connection. Once approved, the private endpoint is enabled to send traffic normally, as shown in the following approval workflow diagram:

[Diagram: private endpoint approval workflow]

Through a private endpoint connection, the owner of a private link resource can:

  • Review all the details of the private endpoint connection.
  • Approve a private endpoint connection. The corresponding private endpoint will be enabled to send traffic to the private link resource.
  • Reject a private endpoint connection. The corresponding private endpoint will be updated to reflect the status.
  • Delete a private endpoint connection in any state. The corresponding private endpoint will be updated with a disconnected status to reflect the action. The private endpoint owner can only delete the resource at this time.
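As an added example (not from the article or from Microsoft's documentation), this Bicep wires up the private endpoint pattern described above for a storage account: an endpoint for the blob child resource only, an endpoint subnet with network policies enabled so NSGs and UDRs apply, the public endpoint disabled, and the private DNS zone that makes clients resolve the private IP. The VNet name, subnet prefix and storage account name are assumed values.

```bicep
// Added example, not from the article: a storage account reachable only through a private
// endpoint for its "blob" child resource, with NSG/UDR enforcement and private DNS in place.
param location string = resourceGroup().location
// Assumption: the spoke VNet already exists in this resource group.
param vnetName string = 'vnet-spoke-prod'
param storageName string = 'stpl${uniqueString(resourceGroup().id)}'
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: vnetName }
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'snet-privatelink'
  properties: {
    addressPrefix: '10.2.1.0/24'
    privateEndpointNetworkPolicies: 'Enabled' // NSG and UDR rules apply to the endpoint NIC
  }
}
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  // A private endpoint alone does not close the public endpoint; these two settings do.
  properties: { publicNetworkAccess: 'Disabled', networkAcls: { defaultAction: 'Deny', bypass: 'None' } }
}
// One endpoint per child resource: this one covers blob only; "file" would need its own.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${storageName}-blob'
  location: location
  properties: {
    subnet: { id: subnet.id }
    privateLinkServiceConnections: [ { name: 'blob', properties: { privateLinkServiceId: storage.id, groupIds: [ 'blob' ] } } ]
  }
}
// Without this zone the storage FQDN still resolves to the public IP from inside the VNet.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}
resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: 'link-${vnetName}'
  location: 'global'
  properties: { virtualNetwork: { id: vnet.id }, registrationEnabled: false }
}
// Registers the endpoint's private IP in the zone (auto-approved: deployer owns the account).
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: { privateDnsZoneConfigs: [ { name: 'blob', properties: { privateDnsZoneId: dnsZone.id } } ] }
}
```

Because the deploying identity owns the storage account, the connection is auto-approved; a consumer in another subscription would instead use `manualPrivateLinkServiceConnections` and wait in the Pending state until the owner approves.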

For detailed documentation of private endpoints, see:

What is a private endpoint?

https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview

For the complete list of resources and their limitations when moving between subscriptions, see:

Move operation support for resources

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources

Thanks for reading and I hope it is helpful for you.

Your comments are appreciated.

Mariano Carro Arrubarrena.

#cloudcapsules

