Hub-spoke virtual networks in Azure - Bastiaan Wassenaar - NDC Oslo 2024

Service Endpoints allow secure direct connections to Azure services over Microsoft’s backbone network instead of public internet, with no additional cost

Private Endpoints create secure private IP connections to Azure services within your VNet, but come with costs for the endpoint itself and traffic

Private DNS zones are crucial for name resolution when using Private Endpoints - they need to be linked to VNets where resolution is needed

Hub-spoke network topology requires careful planning around:

• DNS configuration and resolution
• Non-overlapping IP ranges
• Proper peering setup (one-way vs two-way)
• Cost implications of peering traffic

When implementing hub-spoke:

• Hub typically contains shared services and networking appliances like Azure Firewall
• Spokes need route tables to forward traffic through the hub
• Custom DNS configuration often needed when using Azure Firewall

Network changes involving DNS typically require VM reboots to take effect

Virtual Network Manager helps manage complex networking scenarios across subscriptions and regions

Identity and zero trust approaches should be considered alongside network security

Planning is critical as networking decisions impact:

• Cost
• Performance
• Scalability
• Security
• Operational complexity

Team coordination between security, networking and development teams is essential for successful implementation