Azure Hub-Spoke Network Architecture & Hybrid Connectivity

Engagement Overview

Cybernerds was engaged to design and implement an enterprise-grade network architecture in Azure for a multi-site organization beginning its cloud migration. The client had three office locations with no existing Azure networking and needed a secure, scalable foundation that would support current workloads (Azure VMs, Azure Files) and future services (AVD, PaaS) without redesign. The engagement followed the PDS framework to deliver a hub-spoke topology with centralized security, hybrid connectivity, and DNS resolution.

Initial State

The organization had recently provisioned an Azure subscription but had no networking infrastructure in place. Key conditions included:

• ✓Three office locations (headquarters + two branch offices) with independent internet connections
• ✓No site-to-site connectivity between offices or to Azure — each location operated independently
• ✓On-premises Active Directory at headquarters with no cloud extension
• ✓Flat network architecture at all locations — no segmentation between workloads or user groups
• ✓Remote access handled via individual VPN client connections to headquarters only
• ✓No centralized DNS resolution for cloud resources
• ✓No firewall or traffic inspection between network segments

Key Challenges

• ✓Multi-Site Connectivity: Three offices needed seamless access to Azure workloads without backhauling through a single location
• ✓Security: Required centralized traffic inspection and network segmentation between environments (production, development, shared services)
• ✓DNS: Cloud resources needed consistent name resolution from all offices and within Azure
• ✓Scalability: Architecture had to accommodate future workloads (AVD, PaaS, additional VMs) without redesign
• ✓Routing: Traffic between spokes needed to route through the hub firewall for inspection — no direct spoke-to-spoke communication
• ✓Management: IT team needed secure administrative access to Azure resources without exposing management ports
• ✓Cost: Enterprise-grade architecture needed to fit within a mid-market budget

Solution Design — PDS Framework

• ✓Hub VNet: Centralized hub containing Azure Firewall, VPN Gateway, Azure Bastion, and shared services subnet
• ✓Spoke VNets: Separate spokes for production workloads, development/test, and shared services — peered to hub
• ✓Azure Firewall: Centralized Layer 7 firewall with application rules, network rules, and threat intelligence filtering
• ✓VPN Gateway: Active-active VPN Gateway with site-to-site tunnels to all three office locations
• ✓Route Tables: User-defined routes (UDR) on all spoke subnets forcing traffic through Azure Firewall
• ✓DNS: Azure DNS Private Zones for internal name resolution — conditional forwarders from on-premises to Azure DNS
• ✓Network Security Groups: Subnet-level NSGs enforcing least-privilege as defense-in-depth alongside firewall rules
• ✓Azure Bastion: Hub-hosted Bastion instance for secure RDP/SSH to VMs across all spokes
• ✓Monitoring: Azure Monitor Network Insights, NSG flow logs, and Firewall diagnostic logs sent to Log Analytics

Implementation — PDS Execution

Implementation was phased: hub infrastructure first, then VPN connectivity, then spoke VNets, then firewall rules — with validation at each stage before proceeding.

• ✓Provisioned hub VNet with subnets for Azure Firewall, VPN Gateway, Bastion, and shared services
• ✓Deployed Azure Firewall with rule collections for application access, inter-spoke traffic, and internet egress
• ✓Configured VPN Gateway in active-active mode with site-to-site tunnels to all three offices
• ✓Created spoke VNets for production and development — peered to hub with gateway transit enabled
• ✓Applied UDR route tables to all spoke subnets routing 0.0.0.0/0 through Azure Firewall
• ✓Configured Azure DNS Private Zones for internal domains — linked to all VNets
• ✓Set up conditional DNS forwarding from on-premises DNS servers to Azure DNS resolver
• ✓Deployed NSGs on all subnets with baseline deny rules and workload-specific allow rules
• ✓Provisioned Azure Bastion in the hub for cross-spoke VM administration
• ✓Configured NSG flow logs and Azure Firewall diagnostics streaming to Log Analytics workspace
• ✓Validated routing from each office to each spoke — confirmed all traffic traversing firewall

Validation — PDS Validation Phase

• ✓Site-to-site VPN tunnels active from all three offices — failover tested with active-active configuration
• ✓Azure Firewall inspecting all inter-spoke and spoke-to-internet traffic — logs confirming rule hits
• ✓DNS resolution working end-to-end — on-premises clients resolving Azure Private DNS names, Azure VMs resolving on-premises names
• ✓UDR routing validated — no direct spoke-to-spoke traffic bypassing the firewall
• ✓NSG rules blocking unauthorized traffic — tested with port scans between subnets
• ✓Azure Bastion providing RDP/SSH to VMs in all spokes without public IP addresses
• ✓Network Insights dashboard showing topology, health, and traffic patterns
• ✓Firewall threat intelligence blocking known malicious IPs — confirmed in diagnostic logs
• ✓New spoke VNet added as test — peered to hub and operational within 15 minutes, validating scalability

Outcome

• ✓Enterprise hub-spoke network architecture deployed with centralized security and management
• ✓All three office locations connected to Azure via redundant site-to-site VPN
• ✓Centralized traffic inspection via Azure Firewall with Layer 7 application rules and threat intelligence
• ✓Network segmentation enforced — production, development, and shared services isolated
• ✓Consistent DNS resolution across on-premises and Azure environments
• ✓Secure administrative access via Azure Bastion — no RDP/SSH exposed to the internet
• ✓Architecture validated for scalability — new spokes can be added in minutes without redesign
• ✓Full network documentation including topology diagrams, IP addressing scheme, firewall rule matrix, and routing tables
• ✓IT team trained on spoke provisioning, firewall rule management, and VPN troubleshooting