This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 25%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECJ%3C/text%3E%3C/svg%3E)
Hello
I am hoping to get a conformation about a best practice concearning the hub spoke architecture.
We have a hub spoke architecture. It has a expressroute connection between the onprem network and Azure. The er gateway is in the hub network, so is a Azure Firewall. We have (sofar) 1 spoke network. In it is a azure private link to Synapse Analytics. Public access to Synapse is disabled, so its only available through its private ip through the hub spoke model. Now we have a SaaS service in Azure that needs to communicate with Synapse Analytics. The best way, we think, is through the Azure Firewall using its public ip and then perform a dnat action. Since the SaaS service and Azure firewall are on Azure, their public ip communication stays on the ms network. I would like to know if the above setup is indeed the best practise.
Kicj
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
Hello @C.J. Vieleers , Thank you for reaching out and apologies for the delayed response here. Can you please let us know which SaaS service you are using? so that we can comment on the architecture.
It can be any SaaS services that able to connect to a backend database service. In our specific case its Sas Viya.