0PricingLogin
Azure Fundamentals · Lesson

Hub-and-Spoke Network Topology

Design a hub-and-spoke VNet topology with a shared hub for firewall, DNS, and VPN, and spoke VNets for individual workloads connected via VNet peering.

Introduction to Hub-and-Spoke

The hub-and-spoke network topology is the recommended Azure network architecture for enterprise environments. It consists of a central hub VNet that hosts shared networking services and multiple spoke VNets that host individual workloads. Spokes connect to the hub via VNet peering. This topology centralises security controls, reduces network complexity, and scales efficiently as new workloads are added.

The Hub VNet

The hub VNet is the central network that all spoke VNets connect to. It typically contains:

  • Azure Firewall — centralised outbound and east-west traffic inspection
  • VPN Gateway or ExpressRoute Gateway — on-premises connectivity
  • Azure Bastion — secure RDP/SSH access to VMs without public IPs
  • Azure DNS private zones — centralised private DNS resolution
  • Network monitoring resources — connection monitors and flow logs
# Create the hub VNet:
az network vnet create \
  --resource-group hubRG \
  --name hubVNet \
  --address-prefix 10.0.0.0/16 \
  --subnet-name AzureFirewallSubnet \
  --subnet-prefix 10.0.1.0/26

All lessons in this course

  1. Cloud Adoption Framework Overview
  2. Azure Landing Zones
  3. Hub-and-Spoke Network Topology
  4. Enterprise Identity and Access Design
← Back to Azure Fundamentals