Tausif30/Hub-Spoke-Network

Azure Secure Hub-and-Spoke Network Project


1. Project Overview

This project implements a secure, scalable Hub-and-Spoke network topology in Azure. The design uses a central "Hub" Virtual Network (VNet) to consolidate shared services, while "Spoke" VNets host isolated workloads (Production and Non-Production), enhancing security and operational efficiency. The entire infrastructure is deployed using idempotent Bash scripts.

Project Highlights

  • Centralized Security: Azure Firewall (AZFW_VNet SKU) is deployed in the Hub, combined with User-Defined Routes (UDRs), to ensure all traffic between Spokes and the internet is inspected.
  • Zero Trust Data: Azure SQL Database is secured using Private Link and a Private DNS Zone, completely eliminating public internet exposure for the database.
  • Hybrid Readiness: Secure remote access is enabled via a VPN Gateway and Azure Bastion, providing a foundation for hybrid cloud integration.
  • Validated Segmentation: The routing configuration strictly enforces isolation, confirming zero unauthorized packet movement between the Prod and Non-Prod environments.

2. Network Topology & Components

The architecture is logically divided into a Hub VNet and two Spoke VNets, with communication managed by VNet Peering and controlled by the Azure Firewall.

[Figure 1 (image: Hub-Spoke-Tokyo): Azure Hub-and-Spoke Logical Diagram]

The Hub VNet (vnet-hub-secure - 10.0.0.0/16)

Hosts all shared network services:

  • Azure Firewall (fw-hub): The security choke point. All egress and inter-VNet traffic is routed through its Private IP (10.0.1.4).
  • VPN Gateway (vpn-gw-hub): Provides encrypted site-to-site or point-to-site connectivity from its dedicated Gateway Subnet (10.0.2.0/24). VNet Peering uses Gateway Transit so the Spokes can reach this connection through the Hub.
  • Azure Bastion (bastion-hub): A managed service for secure RDP/SSH access to VMs using HTTPS (port 443), eliminating the need for public IPs on the workload VMs.
  • SQL Private Endpoint (pe-sql-hub): A network interface placed in the dedicated Database Subnet (10.0.4.0/24) that links to the Azure SQL PaaS service.

The Spoke VNets

Isolated networks hosting the application environment:

  • Production Spoke (vnet-spoke-prod - 10.1.0.0/16)
  • Non-Production Spoke (vnet-spoke-nonprod - 10.2.0.0/16)
  • Connectivity: Spoke-to-Spoke communication is disabled by default. Traffic must transit the Hub over its peering and then be explicitly permitted by the Firewall's rules.

Network Controls

  • VNet Peering: Establishes the virtual connection that allows packets to travel between the Hub and Spokes using Azure's backbone network.
  • User Defined Routes (UDRs): Applied to Spoke subnets, these routes override Azure's default system routes by defining a 0.0.0.0/0 route (matching all internet-bound and inter-VNet traffic) whose next hop is the Firewall's Private IP (10.0.1.4).
  • Private DNS Zones: A critical security component that ensures the SQL Database name resolves to its Private Endpoint IP (10.0.4.x) across all three peered VNets, bypassing all public DNS resolution.
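The UDR and peering configuration described above, written out as an added idempotent Bash/Azure CLI example; this is not one of the repository's own deployment scripts. The firewall IP and VNet names come from the design above, while the resource group (rg-hubspoke), region, route table and subnet names are assumed placeholders. Setting DRY_RUN=1 prints the planned commands instead of calling az, so the plan can be reviewed before it touches a subscription.

```shell
#!/usr/bin/env bash
# Added example, not the repository's own deployment scripts.
# Assumed placeholders: resource group rg-hubspoke, region, route table and subnet names.
set -eu

RG="${RG:-rg-hubspoke}"
LOCATION="${LOCATION:-japaneast}"
FW_PRIVATE_IP="10.0.1.4"   # Azure Firewall private IP in the Hub (from the design)

# Run an az command, or only print it when DRY_RUN=1 so the plan can be reviewed offline.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Existence probe: "az ... show" succeeds only if the resource exists (always "missing" in dry run).
exists() { [ "${DRY_RUN:-0}" != "1" ] && az "$@" >/dev/null 2>&1; }

# Spoke route table. BGP route propagation is disabled so routes learned through the
# VPN Gateway (gateway transit) cannot quietly bypass the firewall's 0.0.0.0/0 route.
ensure_route_table() {   # $1 = route table name
  exists network route-table show -g "$RG" -n "$1" && return 0
  run az network route-table create -g "$RG" -n "$1" -l "$LOCATION" \
      --disable-bgp-route-propagation true
}

# Force 0.0.0.0/0 to the firewall; re-runs update the existing route instead of failing.
ensure_default_route() {   # $1 = route table name
  verb=create
  exists network route-table route show -g "$RG" --route-table-name "$1" -n default-to-fw && verb=update
  run az network route-table route "$verb" -g "$RG" --route-table-name "$1" -n default-to-fw \
      --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address "$FW_PRIVATE_IP"
}

# Attach the route table to a spoke subnet so the UDR overrides Azure's system routes.
attach_route_table() {   # $1 = route table, $2 = spoke vnet, $3 = subnet
  run az network vnet subnet update -g "$RG" --vnet-name "$2" -n "$3" --route-table "$1"
}

# Hub<->spoke peering with gateway transit. allow-forwarded-traffic is needed on both sides,
# otherwise packets the firewall forwards between spokes are dropped by the peering.
peer_spoke() {   # $1 = spoke vnet name
  exists network vnet peering show -g "$RG" --vnet-name vnet-hub-secure -n "hub-to-$1" && return 0
  run az network vnet peering create -g "$RG" -n "hub-to-$1" --vnet-name vnet-hub-secure \
      --remote-vnet "$1" --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit
  run az network vnet peering create -g "$RG" -n "$1-to-hub" --vnet-name "$1" \
      --remote-vnet vnet-hub-secure --allow-vnet-access --allow-forwarded-traffic --use-remote-gateways
}

deploy_spoke() {   # $1 = spoke vnet, $2 = workload subnet in that vnet
  rt="rt-$1"
  ensure_route_table "$rt"; ensure_default_route "$rt"; attach_route_table "$rt" "$1" "$2"; peer_spoke "$1"
}
```

Calling `deploy_spoke vnet-spoke-prod snet-workload` twice is safe: the second run only issues updates for resources that already exist.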

About

Creating and Testing a Hub-Spoke Network from the Azure Services

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages