Unlocking direct spoke communication inside a Managed Hub Architecture
Azure continues to expand its networking capabilities, with Azure Virtual Network Manager and Azure Virtual WAN (vWAN) standing out as two of the most transformative services. When deployed together, they offer the best of both worlds: the operational simplicity of a managed hub architecture combined with the ability for spoke VNets to communicate directly, avoiding additional hub hops and minimizing latency
Revisiting the classic hub-and-spoke pattern
|
Element |
Traditional Hub-and-Spoke Role |
|
Hub VNet |
Centralized network that hosts shared services including firewalls (e.g., Azure Firewall, NVAs), VPN/ExpressRoute gateways, DNS servers, domain controllers, and central route tables for traffic management. Acts as the connectivity and security anchor for all spoke networks. |
|
Spoke VNets |
Host individual application workloads and peer directly to the hub VNet. Traffic flows through the hub for north-south connectivity (to/from on-premises or internet) and cross-spoke communication (east-west traffic between spokes). |
|
Benefits |
• Single enforcement point for security policies and network controls |
However, this architecture comes with a trade-off: every spoke-to-spoke packet must route through the hub, introducing additional network hops, increased latency, and potential throughput constraints.
How Virtual WAN modernizes that design
Virtual WAN replaces a do-it-yourself hub VNet with a fully managed hub service:
- Managed hubs – Azure owns and operates the hub infrastructure.
- Automatic route propagation – routes learned once are usable everywhere.
- Integrated add-ons – Firewalls, VPN, and ExpressRoute ports are first-class citizens.
By default, Virtual WAN enables any-to-any routing between spokes. Traffic transits the hub fabric automatically—no configuration required.
Why direct spoke mesh?
Certain patterns require single-hop connectivity
- Micro-service meshes that sit in different spokes and exchange chatty RPC calls.
- Database replication / backups where throughput counts, and hub bandwidth is precious.
- Dev / Test / Prod spokes that need to sync artifacts quickly yet stay isolated from hub services.
- Segmentation mandates where a workload must bypass hub inspection for compliance yet still talk to a partner VNet.
Benefits
- Lower latency – the hub detour disappears.
- Better bandwidth – no hub congestion or firewall throughput cap.
- Higher resilience – spoke pairs can keep talking even if the hub is under maintenance.
The peering explosion problem
With pure VNet peering, the math escalates fast:
For n spokes you need n × (n-1)/2 links. Ten spokes? 45 peerings. Add four more? Now 91.
Each extra peering forces you to:
- Touch multiple route tables.
- Update NSG rules to cover the new paths.
- Repeat every time you add or retire a spoke.
- Troubleshoot an ever-growing spider web.
Where Azure Virtual Network Manager Steps In?
Azure Virtual Network Manager introduces Network Groups plus a Mesh connectivity policy:
|
AVNM Concept |
What It Gives You |
|
Network Group |
A logical container that groups multiple VNets together, allowing you to apply configurations and policies to all members simultaneously |
|
Mesh Connectivity |
Automated peering between all VNets in the group, ensuring every member can communicate directly with every other member without manual configuration |
|
Declarative config |
Intent-based approach where you define the desired network state, and AVNM handles the implementation and ongoing maintenance |
|
Dynamic updates |
Automatic topology management—when VNets are added to or removed from a group, AVNM reconfigures all necessary connections without manual intervention |
Operational complexity collapses from O(n²) to O(1)—you manage a group, not 100+ individual peerings.
A complementary model: Azure Virtual Network Manager mesh inside vWAN
Since Azure Virtual Network Manager works on any Azure VNet—including the VNets you already attach to a vWAN hub—you can apply mesh policies on top of your existing managed hub architecture:
- Spoke VNets join a vWAN hub for branch connectivity, centralized firewalling, or multi-region reach.
- The same spokes are added to an Azure Virtual Network Manager Network Group with a mesh policy.
- Azure Virtual Network Manager builds direct peering links between the spokes, while vWAN continues to advertise and learn routes.
Result:
- All VNets still benefit from vWAN’s global routing and on-premises integration.
- Latency-critical east-west flows now travel the shortest path—one hop—as if the VNets were traditionally peered.
- Rather than choosing one over the other, organizations can leverage both vWAN and Azure Virtual Network Manager together, as the combination enhances the strengths of each service.
Performance illustration
Spoke-to-Spoke Communication with Virtual WAN without Azure Virtual Network Manager mesh:
Spoke-to-Spoke Communication with Virtual WAN with Azure Virtual Network Manager mesh:
Observability & protection
- NSG flow logs – granular packet logs on every peered VNet.
- Azure Virtual Network Manager admin rules – org-wide guardrails that trump local NSGs.
- Azure Monitor + SIEM – route flow logs to Log Analytics, Sentinel, or third-party SIEM for threat detection.
- Layered design – hub firewalls inspect north-south traffic; NSGs plus admin rules secure east-west flows.
Putting it all together
- Virtual WAN offers fully managed global connectivity, simplifying the integration of branch offices and on-premises infrastructure into your Azure environment.
- Azure Virtual Network Manager mesh establishes direct communication paths between spoke VNets, making it ideal for workloads requiring high throughput or minimal latency in east-west traffic patterns.
- When combined, these services provide architects with granular control over traffic routing. Each flow can be directed through hub services when needed or routed directly between spokes for optimal performance—all without re-architecting your network or creating additional management complexity.
By pairing Azure Virtual Network Manager’s group-based mesh with VWAN’s managed hubs, you get the best of both worlds: worldwide reach, centralized security, and single-hop performance where it counts.
Microsoft