Virtual WAN Hub-Spoke Architecture

Introduction

This document provides a comprehensive guide to implementing a hub-spoke network topology using Azure Virtual WAN. This architecture is a best practice for connecting and managing your Azure and on-premises network resources efficiently.

What is Hub-Spoke?

The hub-spoke topology is a network design pattern where a central hub network is connected to multiple spoke networks. This model simplifies network management, enhances security, and improves connectivity across distributed environments.

• Hub: Typically contains shared services like firewalls, DNS servers, and internet egress points. It acts as a central point of connectivity.
• Spokes: Represent individual networks (e.g., VNet for a specific application, VNet for a department) that connect to the hub. Spokes do not directly communicate with each other; all traffic between spokes must traverse the hub.

Azure Virtual WAN

Azure Virtual WAN is a networking service that brings together networking, security, and routing functionalities into a single operational interface. It offers a highly scalable and resilient global transit network.

Virtual WAN simplifies the management of large-scale, distributed network environments. It provides:

• Branch connectivity (Site-to-Site VPN, ExpressRoute)
• Remote user connectivity (Point-to-Site VPN)
• VNet connectivity
• Global transit network architecture
• Integrated security features

Benefits of Hub-Spoke with Virtual WAN

Combining the hub-spoke model with Azure Virtual WAN offers significant advantages:

• Simplified Management: Centralized control plane for all your network resources.
• Enhanced Security: Route traffic through a central security hub (e.g., Azure Firewall) for consistent policy enforcement.
• Scalability: Virtual WAN supports a large number of spokes and global connectivity.
• Cost-Effectiveness: Reduces complex peering configurations and data egress costs.
• Global Reach: Leverages Azure's global backbone for efficient transit.
• Improved Connectivity: Seamlessly connect on-premises sites, remote users, and Azure VNets.

Key Components

An Azure Virtual WAN hub-spoke architecture typically involves the following Azure resources:

Diagram illustrating the hub-spoke model with Azure Virtual WAN.

• Virtual WAN Hub: The central networking component deployed in Azure. It hosts the transit routing and connectivity services.
• Virtual Hub Router: An abstraction within the Virtual WAN hub that handles routing between spokes, sites, and users.
• Spoke VNets: Azure Virtual Networks that host your workloads and are connected to the Virtual WAN hub.
• Virtual Network Connection: The resource that links a spoke VNet to the Virtual WAN hub.
• VPN Sites: On-premises network locations connected to the Virtual WAN hub via Site-to-Site VPN.
• ExpressRoute Circuits: Dedicated private connections from on-premises to the Virtual WAN hub.
• Azure Firewall (Optional but Recommended): Deployed in the hub VNet or as a managed service in the hub for advanced security.
• Network Virtual Appliances (NVAs) (Optional): Can be deployed in spoke VNets or a dedicated hub VNet for specialized routing or security.

Implementation Steps

Follow these general steps to set up a hub-spoke network with Azure Virtual WAN:

1. Create a Virtual WAN Resource

   Navigate to the Azure portal and create a new Virtual WAN resource. Choose the desired region and subscription.

2. Create a Virtual Hub

   Within your Virtual WAN resource, create a Virtual Hub. This hub will serve as the central transit point. You can choose to deploy it in a new VNet or use an existing one.

   Consider deploying Azure Firewall or other NVAs in this hub VNet for security.

3. Connect Spoke VNets

   For each VNet you want to include as a spoke:

   • Navigate to the Virtual WAN resource.
   • Under "Connectivity", select "Virtual network connections".
   • Click "Create virtual network connection".
   • Select the Spoke VNet, the Virtual Hub, and configure the routing settings. Ensure "Propagate to none" is unchecked if you want automatic route propagation.

4. Connect On-premises Sites (Optional)

   To connect your on-premises networks:

   • Under "Connectivity", select "Site-to-site VPN" or "ExpressRoute".
   • Create VPN Sites or configure ExpressRoute connections, specifying their connection to your Virtual Hub.

5. Configure Routing

   Virtual WAN automatically handles routing between spokes, sites, and users connected to the hub. You can configure custom routes if needed, especially for routing traffic through an Azure Firewall.

   For example, to route traffic through Azure Firewall in the hub, you would typically:

   
   // Example Azure CLI snippet (conceptual)
   az network vhub route-table create \
       --resource-group <hub-rg> \
       --vhub-name <hub-name> \
       --name <route-table-name> \
       --labels "default"
   
   az network vhub route-table route add \
       --resource-group <hub-rg> \
       --vhub-name <hub-name> \
       --route-table-name <route-table-name> \
       --name "route-to-firewall" \
       --destination-prefixes "0.0.0.0/0" \
       --next-hop <firewall-private-ip-address>
                           

6. Verify Connectivity

   Test connectivity between different spokes, spokes and on-premises, and from the internet (if configured) to ensure the architecture is functioning as expected.

Design Considerations

• Hub Location: Deploy the hub in a region that provides optimal connectivity to your most critical resources and users.
• Hub Sizing: Virtual WAN hubs are managed by Azure and scale automatically. However, consider the throughput requirements for your connections.
• Security: Implement Azure Firewall or NVAs in the hub for centralized security inspection of inter-spoke and internet-bound traffic.
• IP Addressing: Plan your IP address spaces for VNets carefully to avoid overlap and ensure proper routing.
• Route Propagation: Understand how routes are propagated. By default, spokes learn routes from the hub, and the hub learns routes from connected spokes and sites.
• Cost: Review the pricing for Virtual WAN, VPN Gateways, ExpressRoute, and any deployed NVAs.
• DNS Resolution: Ensure proper DNS resolution is configured for resources across your hub-spoke network. You might need to deploy DNS forwarding to the hub.