Best Practices for Designing a Hub-and-Spoke Architecture in Azure

Hi MercedesCustodio24

All the VNet prefixes in my hub-and-spoke architectures are derived from a single prefix: 

• Hub and spoke = /16.
• This /16 is then divided into multiple virtual networks.
• For the hub, I typically create a /20 VNet with /24 subnets.

I avoid making my hub too small, as rebuilding it would be a nightmare.

Components

Hub

• Subscriptions – Typically, one for the hub and multiple for the spokes.
• Hub vNet
• Virtual Networks (vNets)
• Subnets
• Network Security Groups (NSGs) per subnet
• User Defined Routes (UDRs) per subnet
• Peering with spoke networks
• Virtual Network Gateway (VPN or ExpressRoute)
• Network Virtual Appliances (NVAs) such as Azure Firewall or third-party solutions
• Azure Bastion or VM jump hosts
• Application Gateway with Web Application Firewall (WAF)
• If VMs are used, core infrastructure resources are typically placed in the hub rather than relying on on-premises traffic, including:
  • Domain controllers (DCs) and DNS
  • Upstream update servers for third-party endpoint protection or other on-premises core infra dependencies

Spoke

• Spoke vNet
• Virtual Networks (vNets)
• Subnets
• Network Security Groups (NSGs) per subnet
• User Defined Routes (UDRs) per subnet
• Peering with the hub
• Requirements for private links and service endpoints

Key Challenges Encountered
Complex Routing with network segmentation

• Segmentation & NVAs – When strict segmentation is required, all traffic between subnets must pass through an NVA, even within the same vNet.
• On-Premises Connectivity – Ensuring seamless traffic flow to on-premises networks via BGP, making all known network ranges accessible.
• Internet Traffic Management – Deciding whether Azure should handle inbound/outbound internet traffic or route it through on-premises.

ExpressRoute Deployment
If ExpressRoute is required, the process of ordering, physical installation by the ISP, and configuration can be time-consuming.

IP Addressing Strategy

• Carefully plan the IP addressing scheme based on expected workloads:
  • Some PaaS services with service endpoints cannot share subnets with other resources.
  • AKS requires a large subnet range for scalability, which must be accounted for upfront.

Role-Based Access Control (RBAC) & Resource Management

• Clearly define who will manage what early on to:
  • Properly plan resource placement
  • Ensure RBAC roles are set up efficiently

Detection and monitoring

• Ensure that log collection is set up, but be mindful that if not managed efficiently, it can become a costly component. Implement proper log retention policies and optimization to avoid unnecessary costs.