Create a hub-and-spoke topology in Azure - Portal

In this article, you learn how to create a hub-and-spoke topology with Azure Virtual Network Manager. With this configuration, you select a virtual network to act as a hub and all spoke virtual networks have bi-directional peering with only the hub by default. You also can enable direct connectivity between spoke virtual networks in the same spoke network group and enable the spoke virtual networks to use the gateway in the hub virtual network.

• Read about the Hub-and-spoke network topology.
• Create an Azure Virtual Network Manager instance.
• Identify the virtual networks you want to use in the hub-and-spoke configuration or create new virtual networks.

This section helps you create a network group containing the virtual networks you're using as the spokes for the hub-and-spoke topology.

1. Browse to your resource group, and select the network-manager resource.

2. Under Settings, select Network groups. Then select + Create.

3. On the Create a network group pane, then select Create:

   Expand table

   Setting	Value
   Name	Enter network-group.
   Description	(Optional) Provide a description about this network group.
   Member type	Select Virtual network from the dropdown menu.

4. Confirm that the new network group is now listed on the Network groups pane.

Azure Virtual Network Manager provides you with two methods for adding membership to a network group. You can manually add virtual networks or use Azure Policy to conditionally add virtual networks to the network group. This how-to manually adds membership. For information on defining group membership with Azure Policy, see Define network group membership with Azure Policy.

To manually add the desired virtual networks to your network group for use in your connectivity configuration, follow these steps:

1. From the list of network groups, select your network group and select Add virtual networks under Manually add members on the network group page.

2. On the Manually add members pane, select all desired virtual networks and select Add.

3. To review the network group membership that you manually added, select Group Members on the Network Group page under Settings.

This section guides you through creating a hub-and-spoke configuration with the network group you created in the previous section.

1. Select Configurations under Settings, then select + Create.

2. Select Connectivity configuration from the drop-down menu to begin creating a connectivity configuration.

3. On the Basics page, enter the following information, and select Next: Topology >.

   Expand table

   Setting	Value
   Name	Enter a name for this configuration.
   Description	(Optional) Enter a description about what this configuration does.

4. On the Topology tab, select the Hub and spoke topology under Topology.

5. Select the Delete existing peerings checkbox if you want to remove all previously created virtual network peerings between virtual networks in the network groups included in this configuration. Then select Select a hub.

6. On the Select a hub pane, select the virtual network intended as the hub virtual network and select Select.

7. Select + Add network groups.

8. On the Add network groups page, select the network groups you want to add to this configuration as spokes. Then select Add to save.

9. Select the settings you want to enable for each spoke network group. The following three options appear next to each network group name under Spoke network groups:

   • Direct connectivity: Select Enable peering within network group if you want to establish connectivity between virtual networks in the network group. By default, this connectivity will only be established between virtual networks in this network group that belong to the same region.
   • Global Mesh: This option is only selectable if direct connectivity is enabled. Select Enable mesh connectivity across regions if you want to establish connectivity across regions for all virtual networks in this network group.
   • Gateway: Select Use hub as a gateway if you have a virtual network gateway in the hub virtual network that you want the virtual networks of this spoke network group to use to pass traffic to on-premises.

10. Select Review + Create > Create to create the hub-and-spoke connectivity configuration.

To have this configuration take effect in your environment, you need to deploy the configuration to the regions in which your selected virtual networks reside.

1. Select Deployments under Settings, then select Deploy a configuration.

2. On the Deploy a configuration page, select the following settings:

   Expand table

   Setting	Value
   Configurations	Select Include connectivity configurations in your goal state .
   Connectivity configurations	Select the name of the configuration you created in the previous section.
   Target regions	Select all the regions that apply to virtual networks you select for the configuration. You might choose to select a subset of regions at a time if you want to gradually roll out this configuration.

3. Select Next and then select Deploy to complete the deployment.

4. The deployment displays in the list for the selected region. The deployment of the configuration can take a few minutes to complete. Select the Refresh button to check on the status of the deployment.

   

1. See view applied configurations.

2. To test direct connectivity between spoke virtual networks, deploy a virtual machine into each spoke virtual network. Then initiate an ICMP request from one virtual machine to the other.

• Create a secured hub-and-spoke topology in this tutorial.
• Learn how to deploy a hub-and-spoke topology with Azure Firewall.
• Learn how to create a mesh connectivity configuration.
• Learn about Security admin rules
• Learn how to block network traffic with a Security admin configuration.