A network topology increasingly adopted by Microsoft Azure customers is the network topology defined Hub-Spoke. This article lists the main features of this network architecture, examines the most common use cases, and shows the main advantages that can are obtained thanks to this architecture.
The Hub-Spoke topology
In a Hub-Spoke network architecture, theHub is a virtual network on Azure that serves as the point of connectivity to the on-premises network. This connectivity can be done through VPN Site to site or through ExpressRoute. The Spoke are virtual networks running the peering with the Hub and can be used to isolate workloads.
The architecture basic scheme:
This architecture is also designed to position in the Hub network a network virtual appliance (NVA) to control the flow of network traffic in a centralized way.
In this regard it should be noted that Microsoft recently announced the availability of the’Azure Firewall, a new managed service and fully integrated into the Microsoft public cloud, that allows you to secure the resources present on the Virtual Networks of Azure. At the moment the service is in preview, but soon it will be possible to assess the adoption of Azure Firewall to control centrally, through policy enforcement, network communication streams, all cross subscriptions and cross virtual networks. This service, in the presence of Hub-Spoke network architectures , lends itself to be placed in the Hub network, in order to obtain complete control of network traffic.
For additional details on Azure Firewall you can see Introduction to Azure Firewall.
When you can use the Hub-Spoke topology
The network architecture Hub-Spoke is typically used in scenarios where these characteristics are required in terms of connectivity:
- In the presence of workloads deployed in different environments (development, testing and production) which require access to the shared services such as DNS, IDS, Active Directory Domain Services (AD DS). Shared services will be placed in the Hub virtual network, while the various environments (development, testing and production) will be deployed in Spoke networks to maintain a high level of insolation.
- When certain workloads must not communicate with all other workloads, but only with shared services.
- In the presence of reality that require a high level of control over aspects related to network security and needing to make a segregation of the network traffic.
The advantages of the Hub-Spoke topology
The advantages of this Azure network topology can be summarized as:
- Cost savings, because shared services can be centralized in one place and used by multiple workloads, such as the DNS server and any virtual appliances. It also reduces the VPN Gateways to provide connectivity to the on-premises environment, with a cost savings for Azure.
- Granular separation of tasks between IT (SecOps, InfraOps) and workloads (Devops).
- Greater flexibility in terms of management and security for the Azure environment.
Useful references for further reading
The following are the references to the Microsoft technical documentation useful to direct further investigation on this topic:
- Connect an on-premises network to Azure
- Implement a hub-spoke network topology with shared services in Azure
- DMZ between Azure and your on-premises datacenter
- Deploy highly available network virtual appliances
One of the first aspects to consider when you implement solutions in the cloud is the network architecture to be adopted. Establish from the beginning the most appropriate network topology allows you to have a winning strategy and avoid to be in the position of having to migrate workloads, to adopt different network architectures, with all the complications that ensue.
Each implementation requires a careful analysis in order to take into account all aspects and to make appropriate assessments. It is therefore not possible to assert that the Hub-Spoke network architecture is suitable for all scenarios, but certainly it introduces several benefits that make it effective for obtaining certain characteristics and have a high level of flexibility.