Azure Hub and Spoke Topology - Where to locate VMs with Public IP

Nathanael Santschi 136 Reputation points
2022-11-18T09:02:29.947+00:00

In an Azure Hub and Spoke Network Topology, is the idea that every VM which needs to be accessed from external via Public IP (directly assigned, via Loadbalancer...) is located in the Hub Network?
Or is the Hub only for all Services which are shared for the Spoke Vnets?

So if I have a VM with a certain Service which is only used in one Spoke Vnet and from public, but not in the other spoke vnets, should I place the VM in the Hub Network or in this certain Spoke Network? For this example I would use a LoadBalancer with a NAT for a certain Port to the VM.


Accepted answer
Roderick Bant 2,056 Reputation points
2022-11-18T09:16:19.333+00:00

    Hi @Nathanael Santschi

    In a hub-spoke topology the idea is to place a central Azure Firewall in its own subnet in the hub network. Any public IPs are attached to this central firewall to enable all management of access to the network in a central, easy to audit place. All the spokes should route traffic through this firewall to enable control of traffic between the spokes. Again in one central place.

    This diagram on Microsoft Learn gives a good overview of the setup, and the document contains a clear explanation of the various components that make a hub-spoke topology.

    Services are typically placed in the spokes with exceptions for some infrastructure services like central DNS for your network.


1 additional answer

Nathanael Santschi 136 Reputation points
2022-11-18T10:17:58.653+00:00

    @Roderick Bant
    Well sure that makes sense.

    In the scenario I'm wondering about, there isn't an Azure Firewall in place right now, but other components like a VPN Gateway are in the Hub. So it is probably still legitimate to use the Hub and Spoke topology. Azure Firewall can be added later on if needed.

    But only to make a small Service publicly available I don't think Azure Firewall is needed.
    Using a Load Balancer with a Public IP and a NAT configured + NSGs and Subnet segmentation should be good enough as well, right?

    So placing the VM in the Spoke network with a Loadbalancer + NAT setup would make sense as well? And later on, if this environment grows, we could still add an Azure Firewall and assign the Public IPs there.
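As an added example (not code from either participant), here is a Bicep fragment for the layout described in the reply above: the spoke subnet that will hold the VM published through a load balancer inbound NAT rule, with an NSG that admits only the published port, the platform health probes and management from the hub, and denies everything else ahead of the default VNet rule. Resource names, address ranges and the port are assumptions.

```bicep
param location string = resourceGroup().location
param servicePort int = 8443                 // assumed: the one port exposed via the LB NAT rule
param hubMgmtPrefix string = '10.0.1.0/24'   // assumed: hub subnet reached through the VPN gateway
param spokePrefix string = '10.1.0.0/16'     // assumed: spoke VNet address space
param appSubnetPrefix string = '10.1.0.0/24' // assumed: subnet that holds the published VM

// Inbound rule table: [name, priority, access, protocol, source prefix/service tag, dest port]
var inboundRules = [
  ['allow-published-port', 100, 'Allow', 'Tcp', 'Internet', string(servicePort)]
  ['allow-lb-health-probes', 110, 'Allow', '*', 'AzureLoadBalancer', '*']
  ['allow-ssh-from-hub', 120, 'Allow', 'Tcp', hubMgmtPrefix, '22']
  // Priority 4000 is evaluated before the default AllowVnetInBound (65000), so traffic from
  // the peered hub or other spokes is dropped unless a rule above permits it explicitly.
  ['deny-all-other-inbound', 4000, 'Deny', '*', '*', '*']
]

resource nsg 'Microsoft.Network/networkSecurityGroups@2022-07-01' = {
  name: 'nsg-spoke-app'
  location: location
  properties: {
    securityRules: [for r in inboundRules: {
      name: r[0]
      properties: {
        priority: r[1]
        direction: 'Inbound'
        access: r[2]
        protocol: r[3]
        sourceAddressPrefix: r[4]
        sourcePortRange: '*'
        destinationAddressPrefix: '*'
        destinationPortRange: r[5]
      }
    }]
  }
}

// The VM's NIC is placed in this subnet, so the NSG applies to it and to any later VM here.
resource spokeVnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
  name: 'vnet-spoke-app'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [spokePrefix] }
    subnets: [
      {
        name: 'snet-app'
        properties: {
          addressPrefix: appSubnetPrefix
          networkSecurityGroup: { id: nsg.id }
        }
      }
    ]
  }
}
```

If a 0.0.0.0/0 route to a hub firewall is later attached to this subnet (the accepted answer's layout), the return half of flows arriving through the public load balancer will travel via the firewall, so that path has to be planned for, typically by publishing the service through the firewall's DNAT instead of a load balancer in the spoke.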
