BRIDGE Design - Azure HUB SPOKE Topology
During the summer of 2020, Axess Digital redesigned our production environment and implemented a "HUB SPOKE Topology".
The rationale behind this design was to create a secure, scalable production environment and to give our customers a best-practice solution for availability, security and data protection.
All inbound and outbound traffic is routed through the hub's gateways and firewalls; by design, this is the only way into the spokes.
All maintenance and system access goes over an encrypted VPN connection that is fully controlled by Axess Digital's Professional Services.
HUB SPOKE topology, as defined by Microsoft
The architecture consists of the following components:
Hub virtual network: The hub virtual network is the central point of connectivity to your on-premises network. It's a place to host services that can be consumed by the different workloads hosted in the spoke virtual networks.
Spoke virtual networks: Spoke virtual networks are used to isolate workloads in their own virtual networks, managed separately from other spokes. Each workload might include multiple tiers, with multiple subnets connected through Azure load balancers.
Virtual network peering: Two virtual networks can be connected using a peering connection. Peering connections are non-transitive, low latency connections between virtual networks. Once peered, the virtual networks exchange traffic by using the Azure backbone without the need for a router.
Azure Firewall: Azure Firewall is a managed firewall as a service. The Firewall instance is placed in its own subnet.
VPN virtual network gateway or ExpressRoute gateway: The virtual network gateway enables the virtual network to connect to the VPN device, or ExpressRoute circuit, used for connectivity with your on-premises network.
VPN device: A device or service that provides external connectivity to the on-premises network. The VPN device may be a hardware device or a software solution such as the Routing and Remote Access Service (RRAS) in Windows Server 2012. For more information, see About VPN devices for Site-to-Site VPN Gateway connections.
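The components listed above, together with the "only way into the spokes" property described earlier, as an added Bicep example. This is not code from the original page or from the Axess Digital BRIDGE design; resource names, address spaces, subnet sizes and SKUs are assumptions chosen for illustration. It deploys a hub with Azure Firewall and a route-based VPN gateway, one spoke whose default route is forced through the firewall, and the two peering halves with gateway transit.

```bicep
// Added example (not code from the original page): a minimal Azure hub-spoke
// deployment with the components listed above. Names, address spaces and SKUs
// are assumptions chosen for illustration.
param location string = resourceGroup().location
param hubPrefix string = '10.0.0.0/16'
param spokePrefix string = '10.1.0.0/16'

// Hub VNet. The subnet names AzureFirewallSubnet (/26 or larger) and GatewaySubnet are mandatory.
resource hub 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ hubPrefix ] }
    subnets: [
      { name: 'AzureFirewallSubnet', properties: { addressPrefix: '10.0.1.0/26' } }
      { name: 'GatewaySubnet', properties: { addressPrefix: '10.0.2.0/27' } }
    ]
  }
}

// Standard-SKU static public IPs: index 0 for the firewall, index 1 for the VPN gateway.
resource pips 'Microsoft.Network/publicIPAddresses@2023-05-01' = [for pipName in ['pip-afw-hub', 'pip-vgw-hub']: {
  name: pipName
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}]

// Azure Firewall in its own hub subnet. No rule collections are defined here, so
// the firewall denies all traffic until explicit rules are added.
resource firewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'afw-hub'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    threatIntelMode: 'Deny'
    ipConfigurations: [
      { name: 'afw-ipconfig', properties: { subnet: { id: hub.properties.subnets[0].id }, publicIPAddress: { id: pips[0].id } } }
    ]
  }
}

// Route-based VPN gateway in GatewaySubnet; the on-premises VPN device connects here.
resource vpnGateway 'Microsoft.Network/virtualNetworkGateways@2023-05-01' = {
  name: 'vgw-hub'
  location: location
  properties: {
    gatewayType: 'Vpn'
    vpnType: 'RouteBased'
    sku: { name: 'VpnGw1', tier: 'VpnGw1' }
    ipConfigurations: [
      { name: 'vgw-ipconfig', properties: { subnet: { id: hub.properties.subnets[1].id }, publicIPAddress: { id: pips[1].id } } }
    ]
  }
}

// Spoke egress: the default route sends everything to the firewall's private IP. BGP propagation
// is disabled so on-premises prefixes learned via the hub gateway cannot bypass the firewall.
resource spokeRoutes 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke-prod'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      { name: 'default-via-firewall', properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewall.properties.ipConfigurations[0].properties.privateIPAddress } }
    ]
  }
}

resource spoke 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-spoke-prod'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ spokePrefix ] }
    subnets: [
      { name: 'snet-workload', properties: { addressPrefix: '10.1.1.0/24', routeTable: { id: spokeRoutes.id } } }
    ]
  }
}

// Peering is non-transitive: the spoke is peered with the hub only. Gateway transit
// lets the spoke reach on-premises through the hub's gateway without owning one.
resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: hub
  name: 'peer-hub-to-spoke-prod'
  properties: {
    remoteVirtualNetwork: { id: spoke.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    allowGatewayTransit: true
  }
  dependsOn: [ vpnGateway ]
}
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: spoke
  name: 'peer-spoke-prod-to-hub'
  properties: {
    remoteVirtualNetwork: { id: hub.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true // accept traffic the hub firewall forwards from other spokes
    useRemoteGateways: true
  }
  dependsOn: [ hubToSpoke ]
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file hub-spoke.bicep`; the VPN gateway alone typically takes 30 minutes or more to provision. Three caveats a reviewer of such a template should check: the firewall ships with no rule collections, so nothing flows until network or application rules are added; a second spoke is another VNet plus another pair of peerings, and because peering is non-transitive, spoke-to-spoke traffic only ever flows through the firewall (and only if a rule permits it); and inbound on-premises traffic still bypasses the firewall unless GatewaySubnet gets its own route table sending the spoke prefix to the firewall's private IP (a 0.0.0.0/0 route is not allowed there), which is omitted above to keep the template short.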
Source:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli
Created By
Fredrik Eriksson
Version Number
1
Created Date
19.06.2022
Revision date
19.06.2022