Hub-Spoke communication using vNet Peering and User Defined Routes


Keywords:

  • Hub VNet. The virtual network used to deploy the hub. The hub is the central point of connectivity for hosted services and Internet access; services deployed in the hub VNet can be consumed by the different workloads hosted in the spoke VNets.
  • Workload subnet. The subnets defined in the spoke VNets.
  • Spoke VNets. Spokes can be used to isolate workloads in their own VNets, managed separately from other spokes. Each workload might include multiple tiers, with multiple subnets connected through Azure load balancers.
  • VNet peering. Establishes communication between two VNets.
  • Azure Firewall. Azure Firewall is deployed in the hub and provides an additional layer of security.



Scenario : 

The SPOKE networks must communicate with each other, but direct peering between them was not allowed.

Problem : 


-- SPOKE 1 is peered with the HUB network 

-- HUB is peered with SPOKE 2

-- No communication between SPOKE 1 and SPOKE 2 


Solutions : 

1- A Network Virtual Appliance (NVA) from the Marketplace: a VM running a firewall/router, deployed in the HUB and configured to forward traffic to and from Spoke 1 and Spoke 2.


2- A Virtual Network Gateway attached to the HUB network, with user-defined routes that enable communication between the spokes.


We will walk through the second solution.


1- Create the Hub Vnet ( 


2- Create the spoke1 Vnet ( 



3- Create the spoke2 Vnet ( 



We now have three VNets:



3- Configure peering  


**** With the Azure Portal

Hub <> Spoke1







Hub <> Spoke2






Or you can do it **** With a PowerShell script


Example: create the peering Hub <> Spoke1




# Resource group and VNet names of the spoke and of the hub
$SpokeRG = "Networks"
$SpokeRM = "spoke1"
$HubRG = "Networks"
$HubRM = "centralHub"

# Get-AzVirtualNetwork takes -ResourceGroupName (the original used the abbreviated -ResourceGroup)
$spokermvnet = Get-AzVirtualNetwork -Name $SpokeRM -ResourceGroupName $SpokeRG
$hubrmvnet = Get-AzVirtualNetwork -Name $HubRM -ResourceGroupName $HubRG

# Peering must be created in both directions: spoke -> hub, then hub -> spoke
Add-AzVirtualNetworkPeering `
    -Name SpokeRMtoHubRM `
    -VirtualNetwork $spokermvnet `
    -RemoteVirtualNetworkId $hubrmvnet.Id

Add-AzVirtualNetworkPeering `
    -Name HubRMToSpokeRM `
    -VirtualNetwork $hubrmvnet `
    -RemoteVirtualNetworkId $spokermvnet.Id



4- Create a Virtual Network Gateway




It's created now ;) 




5- Now go back to the Peering section of each SPOKE network and enable the "Use remote gateways" option.


6- Create the route tables and define the user-defined routes needed for SPOKE-to-SPOKE communication.




Add a route:


-- The gateway subnet is a CIDR /29 ==> its first and last IP addresses are reserved for Azure services.

-- The internal IP address will be from the .4 ==>


****RT of Spoke01

Address prefix: must be the address space of the Spoke2 virtual network

Next hop type: Virtual appliance

Next hop address: internal address of the Virtual Network Gateway


****RT of Spoke02

Address prefix: must be the address space of the Spoke1 virtual network

Next hop type: Virtual appliance

Next hop address: internal address of the Virtual Network Gateway




7- Associate these route tables with our virtual networks


In the Route table field, select Spoke1RouteTable and click Save

***Vnet Spoke1


***Vnet Spoke2



===> The two SPOKE virtual networks are now able to communicate with each other via the HUB.
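The whole of steps 3 to 7 (peering, gateway options, route tables, subnet association) done with the Az PowerShell module, as an added example that is not part of the original post. The resource group and VNet names follow the post; the address prefixes, the workload subnet name, the peering names and the gateway's internal IP are assumptions for this example. It also sets "Allow gateway transit" on the hub side, which the spoke's "Use remote gateways" option requires, and "Allow forwarded traffic" on both sides so that packets relayed by the gateway from the other spoke are accepted.

```powershell
# Added example (not from the original post): spoke-to-spoke routing through the
# hub's Virtual Network Gateway, steps 3-7 of the post in PowerShell (Az module).
# Names from the post: resource group "Networks", VNets centralHub/spoke1/spoke2.
# Everything marked "assumed" is a placeholder for this example.
$RG             = "Networks"
$HubName        = "centralHub"
$Spoke1Name     = "spoke1"
$Spoke2Name     = "spoke2"
$Spoke1Prefix   = "10.1.0.0/16"   # assumed address space of spoke1
$Spoke2Prefix   = "10.2.0.0/16"   # assumed address space of spoke2
$WorkloadSubnet = "workload"      # assumed workload subnet name in each spoke
# Next hop = internal IP of the gateway. The post takes it from the /29
# GatewaySubnet (first and last addresses reserved, so the .4). Assumed value.
$GatewayNextHop = "10.0.255.4"

$hub    = Get-AzVirtualNetwork -Name $HubName    -ResourceGroupName $RG
$spoke1 = Get-AzVirtualNetwork -Name $Spoke1Name -ResourceGroupName $RG
$spoke2 = Get-AzVirtualNetwork -Name $Spoke2Name -ResourceGroupName $RG

# Step 3: one peering per direction; skipped when it already exists (idempotent).
function Add-PeeringIfMissing {
    param($Name, $Vnet, $RemoteVnet)
    $existing = Get-AzVirtualNetworkPeering -VirtualNetworkName $Vnet.Name `
        -ResourceGroupName $Vnet.ResourceGroupName -Name $Name -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-AzVirtualNetworkPeering -Name $Name -VirtualNetwork $Vnet `
            -RemoteVirtualNetworkId $RemoteVnet.Id | Out-Null
    }
}

foreach ($spoke in @($spoke1, $spoke2)) {
    $toHub   = "$($spoke.Name)ToHub"   # assumed peering names
    $fromHub = "HubTo$($spoke.Name)"
    Add-PeeringIfMissing -Name $toHub   -Vnet $spoke -RemoteVnet $hub
    Add-PeeringIfMissing -Name $fromHub -Vnet $hub   -RemoteVnet $spoke

    # Step 5, hub side first: gateway transit must be allowed before the spoke
    # can enable "Use remote gateways".
    $hubPeering = Get-AzVirtualNetworkPeering -VirtualNetworkName $hub.Name `
        -ResourceGroupName $RG -Name $fromHub
    $hubPeering.AllowGatewayTransit   = $true
    $hubPeering.AllowForwardedTraffic = $true
    Set-AzVirtualNetworkPeering -VirtualNetworkPeering $hubPeering | Out-Null

    # Step 5, spoke side: use the hub's gateway and accept traffic forwarded by it.
    $spokePeering = Get-AzVirtualNetworkPeering -VirtualNetworkName $spoke.Name `
        -ResourceGroupName $RG -Name $toHub
    $spokePeering.UseRemoteGateways     = $true
    $spokePeering.AllowForwardedTraffic = $true
    Set-AzVirtualNetworkPeering -VirtualNetworkPeering $spokePeering | Out-Null
}

# Step 6: one route table per spoke holding a single UDR for the *other* spoke's
# prefix, next hop type VirtualAppliance pointing at the gateway's internal IP.
# Keeping the prefix that narrow steers only spoke-to-spoke traffic through the
# hub; every other destination keeps Azure's system routes.
$routes = @{
    $Spoke1Name = @{ Vnet = $spoke1; Dest = $Spoke2Prefix }
    $Spoke2Name = @{ Vnet = $spoke2; Dest = $Spoke1Prefix }
}
foreach ($name in $routes.Keys) {
    $route = New-AzRouteConfig -Name "to-other-spoke" -AddressPrefix $routes[$name].Dest `
        -NextHopType VirtualAppliance -NextHopIpAddress $GatewayNextHop
    $rt = New-AzRouteTable -Name "${name}RouteTable" -ResourceGroupName $RG `
        -Location $hub.Location -Route $route -Force

    # Step 7: associate the route table with the spoke's workload subnet.
    $vnet   = $routes[$name].Vnet
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name $WorkloadSubnet -VirtualNetwork $vnet
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $WorkloadSubnet `
        -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
    Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null
}

# Check: the effective routes of a NIC in spoke1 (NIC name assumed) should list
# the spoke2 prefix with NextHopType VirtualAppliance and the gateway's IP.
Get-AzEffectiveRouteTable -NetworkInterfaceName "vm1-nic" -ResourceGroupName $RG |
    Where-Object { $_.AddressPrefix -contains $Spoke2Prefix } |
    Format-Table Source, State, AddressPrefix, NextHopType, NextHopIpAddress
```

Run it after the three VNets and the Virtual Network Gateway exist (steps 1 to 4). The final Get-AzEffectiveRouteTable call is the quickest way to confirm, before touching any VM, that the user-defined route actually overrides the system route for the other spoke's prefix.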


8- Testing

-- Create two Windows VMs ===> the first in the Spoke 1 network and the second in the Spoke 2 network

-- Allow ICMP (ping) in the Windows firewall of both VMs
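The firewall rule and the ping test for step 8, run inside each test VM, as an added example that is not part of the original post. Rather than opening ICMP to any source, the rule only allows echo requests from the other spoke's prefix; the prefix and the peer VM's private IP are assumed values.

```powershell
# Added example (not from the original post): run inside each Windows test VM.
$PeerSpokePrefix = "10.2.0.0/16"   # address space of the other spoke (assumed)
$PeerVmIp        = "10.2.0.4"      # private IP of the VM in the other spoke (assumed)

# Allow inbound ICMPv4 echo request (type 8) only from the peer spoke, instead
# of the broad "File and Printer Sharing (Echo Request)" rule for all sources.
New-NetFirewallRule -DisplayName "Allow ICMPv4 echo from peer spoke" `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $PeerSpokePrefix -Action Allow -Profile Any | Out-Null

# Test-Connection -Quiet returns $true when at least one reply arrives.
$reachable = Test-Connection -ComputerName $PeerVmIp -Count 4 -Quiet
"Ping to $PeerVmIp succeeded: $reachable"

# Trace the path so the hops can be compared with the next hop address
# configured in the spoke's route table.
Test-NetConnection -ComputerName $PeerVmIp -TraceRoute
```

Run the same block on the second VM with the first spoke's prefix and VM address swapped in, then ping in both directions as the post does.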




First VM in Spoke 1 network 



Second VM in Spoke 2 network 



====> The result of the test : 


Ping from VM1 To VM2 



Ping from VM2 to VM1



