Hub & Spoke Reference Architecture
Summary
This is a simple reference architecture for an Azure Hub and Spoke infrastructure.
CLI Script
# Variables
resourceGroup="HubAndSpokeResourceGroup"
location="uksouth"
hubVnetName="HubVNET"
hubSubnetName="HubSubnet"
hubAddressPrefix="10.0.0.0/16"
hubSubnetPrefix="10.0.1.0/24"
spokeAddressPrefixes=("10.1.0.0/16" "10.2.0.0/16" "10.3.0.0/16")
spokeSubnetPrefixes=("10.1.1.0/24" "10.2.1.0/24" "10.3.1.0/24")
webAppName="Spoke3WebApp"
# Login to Azure
az login
# Set Subscription
az account set --subscription <subscription-id>
# Create a Resource Group
az group create --name $resourceGroup --location $location
# Create Hub VNET and Subnet
az network vnet create --resource-group $resourceGroup --name $hubVnetName --address-prefix $hubAddressPrefix --subnet-name $hubSubnetName --subnet-prefix $hubSubnetPrefix
# Create Spoke VNETs and establish VNET Peering
for i in {1..3}
do
spokeVnetName="SpokeVNET$i"
spokeSubnetName="SpokeSubnet$i"
az network vnet create --resource-group $resourceGroup --name $spokeVnetName --address-prefix ${spokeAddressPrefixes[$i-1]} --subnet-name $spokeSubnetName --subnet-prefix ${spokeSubnetPrefixes[$i-1]}
az network vnet peering create --resource-group $resourceGroup --name "HubToSpoke$i" --vnet-name $hubVnetName --remote-vnet $spokeVnetName --allow-forwarded-traffic --allow-vnet-access
# Peering is configured per side; without --allow-vnet-access on the spoke side the hub cannot reach the spoke
az network vnet peering create --resource-group $resourceGroup --name "SpokeToHub$i" --vnet-name $spokeVnetName --remote-vnet $hubVnetName --allow-forwarded-traffic --allow-vnet-access
done
# Create a lightweight Web App in Spoke 3
az appservice plan create --name $webAppName --resource-group $resourceGroup --location $location --sku FREE
az webapp create --name $webAppName --resource-group $resourceGroup --plan $webAppName
# Restrict Web App Network Access to the Hub
az webapp config access-restriction add --resource-group $resourceGroup --name $webAppName --rule-name 'AllowHub' --action Allow --priority 100 --vnet-name $hubVnetName --subnet $hubSubnetName
echo "Deployment Complete"
Explanation
The script provided creates the Hub and Spoke VNETs, and it also establishes VNET peering between them. By default, the IP address space within these VNETs (Virtual Networks) is private and not directly accessible from the public internet.
However, some specifics to note:
- Inbound Communication: If a spoke VNET contains a resource with a public IP address (like a public load balancer or a VM with a public IP), that resource is reachable from the internet unless network security group (NSG) rules or other controls block such access.
- Outbound Communication: Resources within the spoke VNETs can initiate outbound communication to the internet by default, unless you attach an NSG or route egress through Azure Firewall in the hub.
- Restricting Web App: The Web App is a multi-tenant App Service. The script does not place it inside the Spoke 3 VNET (that would need a Private Endpoint or an App Service Environment), so "in Spoke 3" is a logical grouping only, and the app keeps a public URL (like https://spoke3webapp.azurewebsites.net). The access restriction the script adds allows the Hub subnet via the Microsoft.Web service endpoint; because App Service appends an implicit deny-all rule once any Allow rule exists, every other source receives HTTP 403, which makes the app effectively private with respect to VNET access. Any other public-facing resources in the spokes would need similar restrictions.
- Inter-Spoke Communication: VNET peering is not transitive, so the hub-to-spoke peerings alone do not let Spoke 1 reach Spoke 2. The --allow-forwarded-traffic flag only permits traffic that a network virtual appliance in the peered VNET forwards on; for spoke-to-spoke traffic to actually flow through the hub you also need an Azure Firewall or NVA in the hub and a route table on each spoke subnet that sends the other spokes' prefixes to it. As written, the spokes are isolated from each other, which is usually the right starting point.
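The route tables that make spoke-to-spoke traffic transit the hub, as an added example that is not part of the original script. It assumes an Azure Firewall (or other NVA) is already deployed in the hub, with a private IP taken from NVA_PRIVATE_IP (10.0.2.4 is a placeholder, as if the firewall sat in an assumed AzureFirewallSubnet of 10.0.2.0/26), and it reuses the spoke names and address spaces from the script above. The az calls only run when APPLY_ROUTES=1 is set.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): make spoke-to-spoke traffic transit the hub.
# VNet peering is non-transitive, so the peerings alone leave the spokes isolated from
# each other; a route table on each spoke subnet must point the other spokes' prefixes
# at an NVA in the hub, and --allow-forwarded-traffic on the peering lets that traffic in.
# Assumptions (constructed for this example): a firewall/NVA already runs in the hub and
# its private IP is nvaPrivateIp; spoke names and prefixes match the reference script.
set -eu

resourceGroup="HubAndSpokeResourceGroup"
location="uksouth"
nvaPrivateIp="${NVA_PRIVATE_IP:-10.0.2.4}"                    # placeholder hub firewall IP
spokeAddressPrefixes="10.1.0.0/16 10.2.0.0/16 10.3.0.0/16"   # spoke 1, 2, 3 in order

# Print "<spoke number> <prefix>" for every spoke other than $1: the routes spoke $1 needs.
spoke_transit_routes() {
  local me="$1" n=0 prefix
  for prefix in $spokeAddressPrefixes; do
    n=$((n + 1))
    [ "$n" -eq "$me" ] || printf '%d %s\n' "$n" "$prefix"
  done
}

# Create a route table for spoke $1 with one route per remote spoke (next hop = hub NVA)
# and attach it to the spoke subnet. Per-prefix routes send only east-west traffic through
# the firewall; add a 0.0.0.0/0 route as well if internet egress should be inspected too.
create_spoke_routes() {
  local me="$1" rt="SpokeRouteTable$1" target prefix
  az network route-table create --resource-group "$resourceGroup" --name "$rt" \
    --location "$location" --output none
  spoke_transit_routes "$me" | while read -r target prefix; do
    az network route-table route create --resource-group "$resourceGroup" \
      --route-table-name "$rt" --name "ToSpoke$target" \
      --address-prefix "$prefix" --next-hop-type VirtualAppliance \
      --next-hop-ip-address "$nvaPrivateIp" --output none
  done
  az network vnet subnet update --resource-group "$resourceGroup" \
    --vnet-name "SpokeVNET$me" --name "SpokeSubnet$me" --route-table "$rt" --output none
}

# Nothing is deployed unless APPLY_ROUTES=1, so the file can be sourced for review or tests.
if [ "${APPLY_ROUTES:-0}" = "1" ]; then
  for i in 1 2 3; do create_spoke_routes "$i"; done
fi
```

The routes only deliver packets to the firewall; it still needs network rules that permit the specific spoke-to-spoke flows, otherwise the isolation simply moves from "no route" to "dropped by policy", which is the auditable place for it.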
Restricting Web App
The statement above that the Web App is reachable only from the Hub VNET refers to this line of the script:
az webapp config access-restriction add --resource-group $resourceGroup --name $webAppName --rule-name 'AllowHub' --action Allow --priority 100 --vnet-name $hubVnetName --subnet $hubSubnetName
This uses the az webapp config access-restriction add command to add an access restriction rule to the Web App. Specifically:
- --rule-name 'AllowHub': Names the rule.
- --action Allow: Specifies that this rule allows traffic.
- --priority 100: Sets the rule's priority (lower numbers are evaluated first).
- --vnet-name $hubVnetName --subnet $hubSubnetName: Scopes the rule to the Hub VNET's subnet. The CLI enables the Microsoft.Web service endpoint on that subnet if it is missing, which is what lets App Service recognise traffic as coming from it.
As soon as one Allow rule exists, App Service appends an implicit "Deny all" rule, so every other source gets HTTP 403 and the Web App is accessible only from the Hub subnet. Once complete, the rule appears under Access Restrictions in the Networking blade of the Web App. Two caveats: the rule covers the main site only, and the Kudu/SCM site (Spoke3WebApp.scm.azurewebsites.net) keeps its own, unrestricted rule set unless the same command is repeated with --scm-site; and this is a filter in front of a public endpoint, not a private IP, so the hostname still resolves publicly and the restriction is the only thing keeping the internet out.
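A post-deployment check for that restriction, as an added example rather than part of the original page. It reads the rule sets back with az webapp config access-restriction show (assuming the show output carries the ipSecurityRestrictions and scmIpSecurityRestrictions lists with name, action, priority, ipAddress and vnetSubnetResourceId fields), verifies that the only Allow rules are scoped to the hub subnet, and probes both the main and the SCM hostname from wherever it runs. The live checks only execute with RUN_CHECKS=1; the names are the ones from the reference script.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): verify that the access restriction really
# closes the Web App to the internet, including the Kudu/SCM site. Assumes the names
# from the reference script and the property names used by the CLI's show command.
set -eu

resourceGroup="HubAndSpokeResourceGroup"
webAppName="Spoke3WebApp"
hubSubnetName="HubSubnet"

# Rules of the main site ($1=ipSecurityRestrictions) or the SCM site ($1=scmIpSecurityRestrictions),
# one per line as "name|action|priority|ipAddress|vnetSubnetResourceId". Tabs are swapped for '|'
# because the shell's read collapses consecutive tabs and would shift an empty ipAddress column.
list_rules() {
  az webapp config access-restriction show --resource-group "$resourceGroup" --name "$webAppName" \
    --query "$1[].[name,action,priority,ipAddress,vnetSubnetResourceId]" --output tsv | tr '\t' '|'
}

# Reads rule rows on stdin. Succeeds only when at least one Allow rule is scoped to the hub
# subnet and no Allow rule is open to the internet (ipAddress "Any" or 0.0.0.0/0). An empty
# rule set fails as well: with no rules App Service allows everything, which is the default
# state of the SCM site unless --scm-site was used.
rules_are_hub_only() {
  local name action priority ip subnet found=0
  while IFS='|' read -r name action priority ip subnet; do
    [ -n "$name" ] || continue
    [ "$action" = "Allow" ] || continue
    case "$ip" in
      Any|0.0.0.0/0) echo "FAIL rule '$name' allows the whole internet"; return 1 ;;
    esac
    case "$subnet" in
      */subnets/"$hubSubnetName") found=1 ;;
      *) echo "FAIL rule '$name' is not scoped to $hubSubnetName"; return 1 ;;
    esac
  done
  [ "$found" -eq 1 ] || { echo "FAIL no Allow rule for $hubSubnetName (site is open to all sources)"; return 1; }
}

# Black-box probe: from outside the hub both hostnames should answer 403 (App Service's
# implicit deny). A 200 from the SCM host means the deployment endpoint is still public.
probe_status() { curl -s -o /dev/null -w '%{http_code}' --max-time 15 "$1" || true; }

check_public_exposure() {
  local host code rc=0
  for host in "$webAppName.azurewebsites.net" "$webAppName.scm.azurewebsites.net"; do
    code="$(probe_status "https://$host/")"
    if [ "$code" = "403" ]; then echo "OK   $host -> $code"; else echo "FAIL $host -> $code"; rc=1; fi
  done
  return "$rc"
}

# Live checks only run with RUN_CHECKS=1, so the functions can be sourced or tested offline.
if [ "${RUN_CHECKS:-0}" = "1" ]; then
  list_rules ipSecurityRestrictions    | rules_are_hub_only
  list_rules scmIpSecurityRestrictions | rules_are_hub_only
  check_public_exposure
fi
```

Run it from a machine outside Azure for the probe to mean anything; from inside the hub subnet the main site correctly answers 200, which is the other half of the test.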
Public Access to the Web App via Application Gateway
To access the app publicly through the Hub, you set up a form of ingress into the Hub that then forwards traffic on to the Web App. For public ingress the usual choices are Azure Application Gateway (a layer-7 reverse proxy, optionally with WAF) or Azure Firewall with a DNAT rule; a VPN gives private access from your own network, not public access. Here's a basic outline using Azure Application Gateway:
1. Azure Application Gateway:
Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. It can also act as a reverse proxy.
Steps:
- Create Application Gateway:
- Navigate to the Azure Portal.
- Create a new Application Gateway (Standard_v2 or WAF_v2) in the Hub VNET, in a subnet that contains nothing else; Application Gateway requires a dedicated subnet.
- For the frontend configuration, define a public IP so it's accessible from the internet.
- For the backend configuration, add the Web App's hostname (Spoke3WebApp.azurewebsites.net) to the backend pool and enable "pick host name from backend address" on the backend settings; App Service routes on the Host header, so forwarding the gateway's own address instead returns the platform's "web site not found" 404.
- Configure Routing:
- Define a routing rule in the Application Gateway that accepts traffic on the public IP and routes it to the Web App.
- Access Restrictions:
- Ensure the Web App has an access restriction that allows traffic from the Hub VNET (or more specifically, the subnet where Application Gateway is located).
- DNS Configuration (optional):
- If you want to use a custom domain, you can map a domain name to the public IP of the Application Gateway.
2. Network Security Groups (NSGs):
Ensure that the NSG on the Application Gateway subnet is appropriately configured:
- Allow inbound traffic from the Internet on the listener ports (80/443) to the Application Gateway.
- For a v2 gateway, also allow inbound TCP 65200-65535 from the GatewayManager service tag and inbound traffic from AzureLoadBalancer; the gateway's control plane and health probing need these, and provisioning fails if they are blocked.
- Do not deny outbound traffic from the subnet: the gateway needs outbound access to Azure management endpoints, and its request to the Web App leaves through it as well.
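The NSG for the gateway subnet, as an added example that is not part of the original script: it creates the platform rules a v2 gateway needs, the client rules, and an explicit inbound deny, then attaches the NSG to the subnet the reference script deploys the gateway into. The NSG name is an assumption; the az calls only run with APPLY_NSG=1.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): the NSG an Application Gateway v2 subnet needs.
# Besides the client ports, the gateway control plane (GatewayManager, TCP 65200-65535) and
# the Azure load balancer probes must be allowed or provisioning fails. An explicit
# DenyAllInbound at the end makes the exposure of this subnet readable from the rule list.
# Names are the ones from the reference script; the NSG name is an assumption.
set -eu

resourceGroup="HubAndSpokeResourceGroup"
location="uksouth"
hubVnetName="HubVNET"
appGatewaySubnetName="HubSubnet"   # the reference script deploys the gateway into the hub subnet
nsgName="AppGatewaySubnetNsg"

# Inbound allow rules as "priority|name|source|protocol|ports". The platform rules come
# first so a later Deny can never shadow them; AzureLoadBalancer probes are not TCP-only.
appgw_inbound_rules() {
  printf '%s\n' \
    '100|AllowGatewayManager|GatewayManager|Tcp|65200-65535' \
    '110|AllowAzureLoadBalancer|AzureLoadBalancer|*|*' \
    '200|AllowClientHttp|Internet|Tcp|80' \
    '210|AllowClientHttps|Internet|Tcp|443'
}

create_appgw_nsg() {
  local priority name source protocol ports
  az network nsg create --resource-group "$resourceGroup" --name "$nsgName" \
    --location "$location" --output none
  appgw_inbound_rules | while IFS='|' read -r priority name source protocol ports; do
    az network nsg rule create --resource-group "$resourceGroup" --nsg-name "$nsgName" \
      --name "$name" --priority "$priority" --direction Inbound --access Allow \
      --protocol "$protocol" --source-address-prefixes "$source" --source-port-ranges '*' \
      --destination-address-prefixes '*' --destination-port-ranges "$ports" --output none
  done
  # Everything not listed above is dropped here rather than left to the default rules.
  az network nsg rule create --resource-group "$resourceGroup" --nsg-name "$nsgName" \
    --name DenyAllInbound --priority 4000 --direction Inbound --access Deny --protocol '*' \
    --source-address-prefixes '*' --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges '*' --output none
  # Outbound is deliberately left at the defaults: the gateway needs egress to Azure management.
  az network vnet subnet update --resource-group "$resourceGroup" --vnet-name "$hubVnetName" \
    --name "$appGatewaySubnetName" --network-security-group "$nsgName" --output none
}

# Nothing is changed unless APPLY_NSG=1, so the file can be sourced for review or tests.
if [ "${APPLY_NSG:-0}" = "1" ]; then create_appgw_nsg; fi
```

If the listener only serves HTTPS, drop the port 80 rule (or keep it only for an HTTP-to-HTTPS redirect rule on the gateway) so the NSG matches what the gateway actually exposes.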
3. Accessing the Web App:
Once everything is set up:
- You can access the Web App by navigating to the public IP of the Application Gateway (or the custom domain if you've set that up).
- The Application Gateway acts as a reverse proxy: it accepts the public request and forwards it to the Web App's public endpoint, which answers only because the request originates from the Hub subnet allowed by the access restriction. Anyone going straight to the azurewebsites.net hostname still receives HTTP 403.
Complete Azure CLI Script
Here is the complete Azure CLI script, including the Application Gateway.
# Variables
resourceGroup="HubAndSpokeResourceGroup"
location="uksouth"
hubVnetName="HubVNET"
hubSubnetName="HubSubnet"
hubAddressPrefix="10.0.0.0/16"
hubSubnetPrefix="10.0.1.0/24"
spokeAddressPrefixes=("10.1.0.0/16" "10.2.0.0/16" "10.3.0.0/16")
spokeSubnetPrefixes=("10.1.1.0/24" "10.2.1.0/24" "10.3.1.0/24")
webAppName="Spoke3WebApp"
appGatewayName="HubAppGateway"
publicIpName="AppGatewayPublicIP"
# Login to Azure
az login
# Set Subscription
az account set --subscription <subscription-id>
# Create a Resource Group
az group create --name $resourceGroup --location $location
# Create Hub VNET and Subnet
az network vnet create --resource-group $resourceGroup --name $hubVnetName --address-prefix $hubAddressPrefix --subnet-name $hubSubnetName --subnet-prefix $hubSubnetPrefix
# Create Spoke VNETs and establish VNET Peering
for i in {1..3}
do
spokeVnetName="SpokeVNET$i"
spokeSubnetName="SpokeSubnet$i"
az network vnet create --resource-group $resourceGroup --name $spokeVnetName --address-prefix ${spokeAddressPrefixes[$i-1]} --subnet-name $spokeSubnetName --subnet-prefix ${spokeSubnetPrefixes[$i-1]}
az network vnet peering create --resource-group $resourceGroup --name "HubToSpoke$i" --vnet-name $hubVnetName --remote-vnet $spokeVnetName --allow-forwarded-traffic --allow-vnet-access
# Peering is configured per side; without --allow-vnet-access on the spoke side the hub cannot reach the spoke
az network vnet peering create --resource-group $resourceGroup --name "SpokeToHub$i" --vnet-name $spokeVnetName --remote-vnet $hubVnetName --allow-forwarded-traffic --allow-vnet-access
done
# Create a lightweight Web App in Spoke 3
az appservice plan create --name $webAppName --resource-group $resourceGroup --location $location --sku FREE
az webapp create --name $webAppName --resource-group $resourceGroup --plan $webAppName
# Restrict Web App Network Access to the Hub
az webapp config access-restriction add --resource-group $resourceGroup --name $webAppName --rule-name 'AllowHub' --action Allow --priority 100 --vnet-name $hubVnetName --subnet $hubSubnetName
# Create a Public IP for the Application Gateway
az network public-ip create --resource-group $resourceGroup --name $publicIpName --allocation-method Static --sku Standard
# Create the Application Gateway in Hub.
# Application Gateway needs a subnet of its own; HubSubnet works here only because nothing
# else is deployed into it, and it is the subnet the access restriction above allows.
# --servers takes IPs or FQDNs, not URLs. `create` also provisions the default objects
# appGatewayHttpListener, appGatewayBackendPool, appGatewayBackendHttpSettings and rule1,
# so a separate rule create for rule1 would fail with a conflict.
az network application-gateway create \
--name $appGatewayName \
--location $location \
--resource-group $resourceGroup \
--capacity 2 \
--sku Standard_v2 \
--priority 100 \
--public-ip-address $publicIpName \
--vnet-name $hubVnetName \
--subnet $hubSubnetName \
--servers "$webAppName.azurewebsites.net"
# App Service routes on the Host header, so the backend settings must send the backend FQDN
# rather than the gateway's frontend address (the portal's "pick host name from backend address")
az network application-gateway http-settings update \
--resource-group $resourceGroup \
--gateway-name $appGatewayName \
--name appGatewayBackendHttpSettings \
--host-name-from-backend-pool true
echo "Deployment Complete"
Note:
This is a simplified overview. In a real-world setup, considerations around security, monitoring, and scalability should be taken into account. You might also integrate Azure Firewall, WAF (Web Application Firewall) features of Application Gateway, or other security measures to further secure and manage the traffic.
Please also note:
- Customization: This script uses certain hardcoded values and conventions carried over from the earlier sections. You might need to customize subnet addresses, SKUs, or other values to fit your environment.
- Security: This script provides a basic setup. For real-world deployments, consider integrating the Web Application Firewall (WAF) capabilities of the Application Gateway and other security best practices.
- Web App: The script applies the Hub-only access restriction before the gateway exists and then deploys the gateway into that same subnet, so the gateway's backend requests are allowed while direct public requests to the azurewebsites.net hostname are denied.
Remember to test and review the script in a non-production environment before using it in a production scenario.
To enhance privacy and security:
- You can use Network Security Groups (NSGs) to control inbound and outbound traffic to network interfaces (NIC), VMs, and subnets.
- Deploy Azure Firewall or a third-party Network Virtual Appliance (NVA) in the hub for advanced routing, filtering, and logging.
- Use Private Endpoints or Azure App Service Environment if you want truly private Azure PaaS services. A Private Endpoint gives the Web App an inbound address on a private IP inside a spoke subnet, which is what "in Spoke 3" would actually mean; the access restriction used here only filters a public endpoint.