In this article, you'll learn how to create a hub and spoke network topology with Azure Virtual Network Manager. With this configuration, you select a virtual network to act as a hub and all spoke virtual networks will have bi-directional peering with only the hub by default. You also can enable direct connectivity between spoke virtual networks and enable the spoke virtual networks to use the virtual network gateway in the hub.
Prerequisites
- Read about Hub-and-spoke network topology.
- Create an Azure Virtual Network Manager instance.
- Identify the virtual networks you want to use in the hub-and-spoke configuration, or create new virtual networks.
- Version 5.3.0 of Az.Network is required to access the cmdlets for Azure Virtual Network Manager.
- If you're running PowerShell locally, you need to run Connect-AzAccount -Environment AzureChinaCloud to create a connection with Azure.
Create a virtual network group and add members
This section will help you create a network group containing the virtual networks you'll be using for the hub-and-spoke network topology.
Create a network group for virtual networks with New-AzNetworkManagerGroup.
$ng = @{
    Name = 'myNetworkGroup'
    ResourceGroupName = 'myAVNMResourceGroup'
    NetworkManagerName = 'myAVNM'
}
$networkgroup = New-AzNetworkManagerGroup @ng
Add the static member to the static membership group with New-AzNetworkManagerStaticMember:
$vnet = Get-AzVirtualNetwork -ResourceGroupName 'myAVNMResourceGroup' -Name 'VNetA'
$sm = @{
    NetworkGroupName = $networkgroup.Name
    ResourceGroupName = 'myAVNMResourceGroup'
    NetworkManagerName = 'myAVNM'
    Name = 'staticMember'
    ResourceId = $vnet.Id
}
$staticmember = New-AzNetworkManagerStaticMember @sm
Create a hub and spoke connectivity configuration
This section will guide you through how to create a hub-and-spoke configuration with the network group you created in the previous section.
Create a spokes connectivity group item to add a network group with New-AzNetworkManagerConnectivityGroupItem. You can enable direct connectivity between the spokes with the -GroupConnectivity flag, global mesh with the -IsGlobal flag, and use of the gateway in the hub virtual network with the -UseHubGateway flag:
$spokes = @{
    NetworkGroupId = $networkgroup.Id
}
$spokesGroup = New-AzNetworkManagerConnectivityGroupItem @spokes -UseHubGateway -GroupConnectivity 'DirectlyConnected' -IsGlobal
Create a spokes connectivity group and add the group item from the previous step.
[System.Collections.Generic.List[Microsoft.Azure.Commands.Network.Models.NetworkManager.PSNetworkManagerConnectivityGroupItem]]$configGroup = @()
$configGroup.Add($spokesGroup)
Create a hub connectivity group item and define the virtual network you'll use as the hub with New-AzNetworkManagerHub.
[System.Collections.Generic.List[Microsoft.Azure.Commands.Network.Models.NetworkManager.PSNetworkManagerHub]]$hubList = @()
$hub = @{
    ResourceId = '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myAVNMResourceGroup/providers/Microsoft.Network/virtualNetworks/VNetA'
    ResourceType = 'Microsoft.Network/virtualNetworks'
}
$hubvnet = New-AzNetworkManagerHub @hub
$hubList.Add($hubvnet)
Create the connectivity configuration with New-AzNetworkManagerConnectivityConfiguration.
$config = @{
    Name = 'connectivityconfig'
    ResourceGroupName = 'myAVNMResourceGroup'
    NetworkManagerName = 'myAVNM'
    ConnectivityTopology = 'HubAndSpoke'
    Hub = $hubList
    AppliesToGroup = $configGroup
}
$connectivityconfig = New-AzNetworkManagerConnectivityConfiguration @config -DeleteExistingPeering -IsGlobal
Note
If you're currently using virtual network peerings created outside of Azure Virtual Network Manager and want to manage your topology and connectivity with Azure Virtual Network Manager, you have a few options for deployment to eliminate or minimize downtime to your network:
- Deploy Azure Virtual Network Manager connectivity configurations on top of existing peerings. Connectivity configurations are fully compatible with preexisting manual peerings. When you deploy a connectivity configuration, by default Azure Virtual Network Manager reuses existing peerings that achieve the connectivity described in the configuration and establishes additional connectivity as needed. This means that you aren't required to delete any existing peerings between the hub and spoke virtual networks.
- Fully manage connectivity with Azure Virtual Network Manager. If you want to fully manage connectivity from a single control plane, you can opt to Delete existing peerings to remove all previously created peerings from the network groups' virtual networks targeted in this configuration upon deployment.
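Before committing a configuration created with -DeleteExistingPeering, it helps to know which peerings on the network group's member virtual networks were created manually and would therefore be removed. The following script is an added example, not part of the original article, that lists every peering on each static member of the network group and flags the ones that do not carry AVNM in their name. It assumes the resource group, network manager and network group names used earlier in this article and the Az.Network cmdlets Get-AzNetworkManagerStaticMember and Get-AzVirtualNetworkPeering.

```powershell
# Added example: inventory existing peerings on every static member of the
# network group before deploying with -DeleteExistingPeering.
# Assumed names (from this article); adjust them to your environment.
$rg      = 'myAVNMResourceGroup'
$manager = 'myAVNM'
$group   = 'myNetworkGroup'

$members = Get-AzNetworkManagerStaticMember -ResourceGroupName $rg `
    -NetworkManagerName $manager -NetworkGroupName $group

$existing = foreach ($m in $members) {
    # Resource IDs have the form
    # /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<name>
    # so after splitting on '/', index 4 is the resource group and the last part is the name.
    $parts    = $m.ResourceId -split '/'
    $vnetRg   = $parts[4]
    $vnetName = $parts[-1]

    foreach ($p in Get-AzVirtualNetworkPeering -ResourceGroupName $vnetRg -VirtualNetworkName $vnetName) {
        [pscustomobject]@{
            VirtualNetwork      = $vnetName
            Peering             = $p.Name
            RemoteVNet          = ($p.RemoteVirtualNetwork.Id -split '/')[-1]
            State               = $p.PeeringState
            # Peerings created by Virtual Network Manager carry AVNM in the name
            ManagedByAVNM       = ($p.Name -like '*AVNM*')
            AllowGatewayTransit = $p.AllowGatewayTransit
            UseRemoteGateways   = $p.UseRemoteGateways
        }
    }
}

$existing | Format-Table -AutoSize

# Peerings not created by Virtual Network Manager are the ones a
# -DeleteExistingPeering deployment would remove from these virtual networks.
$manual = @($existing | Where-Object { -not $_.ManagedByAVNM })
if ($manual.Count -gt 0) {
    Write-Warning "$($manual.Count) manually created peering(s) would be removed by a deployment that deletes existing peerings."
}
```

Run it against the same subscription you're signed in to with Connect-AzAccount; if the warning fires and you did not expect those peerings to go away, deploy the configuration without -DeleteExistingPeering instead, as described in the first option above.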
Deploy the hub-and-spoke configuration
Commit the configuration to the target regions with Deploy-AzNetworkManagerCommit.
[System.Collections.Generic.List[string]]$configIds = @()
$configIds.Add($connectivityconfig.Id)
[System.Collections.Generic.List[string]]$regions = @()
$regions.Add("chinanorth3")
$deployment = @{
Name = 'myAVNM'
ResourceGroupName = 'myAVNMResourceGroup'
ConfigurationId = $configIds
TargetLocation = $regions
CommitType = 'Connectivity'
}
Deploy-AzNetworkManagerCommit @deployment
Confirm configuration deployment
Go to one of the virtual networks in the Azure portal and select Peerings under Settings. You should see a new peering connection created between the hub and the spoke virtual networks with AVNM in the name.
To test direct connectivity between spokes, deploy a virtual machine into each spoke virtual network. Then start an ICMP request from one virtual machine to the other.
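The portal check above can also be scripted, which is useful when there are many spokes or when you want the verification to run after every commit. The script below is an added example, not part of the original article: for each spoke in the network group it confirms that exactly one AVNM-created peering points at the hub, that it is in the Connected state, and, because the configuration in this article was created with -UseHubGateway, that the spoke uses the hub's gateway and the hub side allows gateway transit. It assumes the hub VNetA and the resource names used earlier in this article, and it compares virtual networks by resource ID rather than by name.

```powershell
# Added example: verify the hub-and-spoke peerings created by Virtual Network Manager.
# Assumed names (from this article); adjust them to your environment.
$rg      = 'myAVNMResourceGroup'
$manager = 'myAVNM'
$group   = 'myNetworkGroup'
$hubName = 'VNetA'

$hubId = (Get-AzVirtualNetwork -ResourceGroupName $rg -Name $hubName).Id

# Peerings on the hub that Virtual Network Manager created (AVNM in the name)
$hubPeerings = Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName $hubName |
    Where-Object { $_.Name -like '*AVNM*' }

$problems = [System.Collections.Generic.List[string]]::new()

$members = Get-AzNetworkManagerStaticMember -ResourceGroupName $rg `
    -NetworkManagerName $manager -NetworkGroupName $group

foreach ($m in $members) {
    # In this article the hub is itself a member of the group; skip it here,
    # its peerings are checked from the spoke side below.
    if ($m.ResourceId -eq $hubId) { continue }

    $parts    = $m.ResourceId -split '/'
    $vnetRg   = $parts[4]
    $vnetName = $parts[-1]

    # Spoke -> hub: exactly one AVNM-created peering, connected, using the hub gateway
    $toHub = @(Get-AzVirtualNetworkPeering -ResourceGroupName $vnetRg -VirtualNetworkName $vnetName |
        Where-Object { $_.Name -like '*AVNM*' -and $_.RemoteVirtualNetwork.Id -eq $hubId })

    if ($toHub.Count -ne 1) {
        $problems.Add("$vnetName has $($toHub.Count) AVNM peering(s) to the hub, expected 1")
        continue
    }
    if ($toHub[0].PeeringState -ne 'Connected') {
        $problems.Add("$vnetName -> $hubName peering is $($toHub[0].PeeringState), expected Connected")
    }
    if (-not $toHub[0].UseRemoteGateways) {
        $problems.Add("$vnetName does not use the hub gateway although the configuration set -UseHubGateway")
    }

    # Hub -> spoke: the reverse peering must exist and allow gateway transit
    $fromHub = $hubPeerings | Where-Object { $_.RemoteVirtualNetwork.Id -eq $m.ResourceId }
    if (-not $fromHub) {
        $problems.Add("$hubName has no AVNM peering back to $vnetName")
    } elseif (-not $fromHub.AllowGatewayTransit) {
        $problems.Add("$hubName -> $vnetName peering does not allow gateway transit")
    }
}

if ($problems.Count -eq 0) {
    Write-Output 'Hub-and-spoke peerings are consistent with the deployed configuration.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Peerings can remain in the Initiated state for a short time right after Deploy-AzNetworkManagerCommit returns, so rerun the check if it reports a state other than Connected immediately after deployment. If you created the configuration without -UseHubGateway, drop the two gateway checks.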
Next steps
- Learn about Security admin rules
- Learn how to block network traffic with a SecurityAdmin configuration.