Secure Hub-and-Spoke Network.
A comprehensive Bicep implementation of a Secure Hub-and-Spoke network topology in Azure. This architecture provides centralized security, shared services, and hybrid connectivity.
📖 Executive Summary
This project implements a Secure Hub-and-Spoke network topology, a standard pattern for organizing workloads in Azure. It is ideally suited for enterprises that require shared services, centralized security, and effective connectivity.
The architecture features a central Hub VNet hosting shared resources like Azure Firewall and VPN Gateway, and multiple Spoke VNets for isolated workload environments. Traffic is governed by User Defined Routes (UDRs) and VNet Peering.
🏗️ Architecture
🛠️ Technology Stack
- Infrastructure as Code: Azure Bicep (modularized design)
- Network Security:
  - Azure Firewall (East-West & North-South inspection)
  - Network Security Groups (NSGs)
- Connectivity:
  - VNet Peering (Hub to Spoke)
  - VPN Gateway (Site-to-Site / Point-to-Site)
- Routing & DNS:
  - User Defined Routes (UDR)
  - Private DNS Zones
🚀 Key Features
1. Centralized Security Control
- Azure Firewall: Acts as the central traffic inspector. All traffic leaving the spokes is forced through the firewall.
- Policy Enforcement: Consistent security rules applied across all workloads.
2. Workload Isolation
- Spoke VNets: Each spoke is an isolated environment. Spokes cannot talk to each other directly unless allowed by the Firewall.
- NSGs: Granular access control at the subnet level within spokes.
>> Guide: Understanding Isolation
3. Hybrid Connectivity
- VPN Gateway: Provides a secure tunnel for on-premises networks to access Azure resources via the Hub.
- Gateway Transit: Spokes use the Hub's VPN gateway to communicate with on-premises, saving costs.
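As an added example (not the repository's own routetable.bicep or peering.bicep), the two mechanisms above expressed in Bicep: a spoke route table whose default route sends all egress to the Azure Firewall, and the spoke side of the peering configured for gateway transit. Parameter names, resource names and API versions are assumptions.

```bicep
// Added example, not the project's own module. Parameter names and API versions are assumptions.
@description('Private IP of the Azure Firewall in the hub (typically an output of the firewall module)')
param firewallPrivateIp string

@description('Name of the spoke VNet that owns the peering and the routed subnets')
param spokeVnetName string

@description('Resource ID of the hub VNet')
param hubVnetId string

param location string = resourceGroup().location

// Default route that sends everything leaving a spoke subnet to the firewall.
resource spokeRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-${spokeVnetName}'
  location: location
  properties: {
    // Routes learned by the hub VPN gateway must not be propagated into the spoke,
    // otherwise on-premises-bound traffic would follow them and skip inspection.
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// Spoke side of the peering. useRemoteGateways lets the spoke reach on-premises through
// the hub gateway (gateway transit); allowForwardedTraffic is required so packets forwarded
// by the firewall (spoke-to-spoke, on-premises-to-spoke) are accepted by the spoke.
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  name: '${spokeVnetName}/peer-to-hub'
  properties: {
    remoteVirtualNetwork: {
      id: hubVnetId
    }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    allowGatewayTransit: false
    useRemoteGateways: true // the hub side of this peering must set allowGatewayTransit: true
  }
}

output routeTableId string = spokeRouteTable.id
```

The route table only takes effect once its ID is associated with the spoke subnets (the `routeTable` property in the subnet definition), and the hub side of the peering must exist with `allowGatewayTransit: true` before `useRemoteGateways` will deploy.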
📂 Repository Structure
```text
/
├── main.bicep             # Orchestrator Deployment
├── modules/
│   ├── vnet.bicep         # VNet & Subnet Definitions
│   ├── firewall.bicep     # Azure Firewall & Policies
│   ├── vpngateway.bicep   # Virtual Network Gateway
│   ├── peering.bicep      # VNet Peering Logic
│   ├── routetable.bicep   # UDRs for Traffic Shaping
│   └── dns.bicep          # Private DNS Zones
└── README.md              # Documentation
```
💻 Getting Started
Prerequisites
- Azure Subscription
- Azure CLI (`az login`)
- Bicep CLI
Deployment Instructions
```bash
# Login to Azure
az login

# Create a Resource Group
az group create --name SecureHubSpokeRG --location eastus

# Deploy the Bicep Template
az deployment group create \
  --resource-group SecureHubSpokeRG \
  --template-file main.bicep
```
Verification
After deployment, use Network Watcher to verify the effective routes on a test VM in the Spoke VNet. Ensure the next hop for the default route is the Azure Firewall's private IP.