Hub-spoke virtual networks in Azure - Bastiaan Wassenaar - NDC Oslo 2024

Learn how to design and implement Azure hub-spoke networks, covering Private Endpoints, DNS configuration, network security, and best practices for enterprise deployments.

Key takeaways
  • Service Endpoints allow secure direct connections to Azure services over Microsoft’s backbone network instead of public internet, with no additional cost

  • Private Endpoints create secure private IP connections to Azure services within your VNet, but come with costs for the endpoint itself and traffic

  • Private DNS zones are crucial for name resolution when using Private Endpoints - they need to be linked to VNets where resolution is needed

  • Hub-spoke network topology requires careful planning around:

    • DNS configuration and resolution
    • Non-overlapping IP ranges
    • Proper peering setup (one-way vs two-way)
    • Cost implications of peering traffic
  • When implementing hub-spoke:

    • Hub typically contains shared services and networking appliances like Azure Firewall
    • Spokes need route tables to forward traffic through the hub
    • Custom DNS configuration often needed when using Azure Firewall
  • Network changes involving DNS typically require VM reboots to take effect

  • Virtual Network Manager helps manage complex networking scenarios across subscriptions and regions

  • Identity and zero trust approaches should be considered alongside network security

  • Planning is critical as networking decisions impact:

    • Cost
    • Performance
    • Scalability
    • Security
    • Operational complexity
  • Team coordination between security, networking and development teams is essential for successful implementation