Azure Virtual Network Manager is a management service that allows you to centrally manage virtual networks across different Azure subscriptions. ANM for Hub & Spoke and Security Configurations has recently gone into GA! I wanted to see how easy it would be to take an existing set of Virtual Networks and convert them into a (ANM) managed Hub & Spoke model.
What is Hub & Spoke?
Good question, and probably one worth answering if you want to understand the rest of this post, if you already know, skip right on to the next heading.
The hub-and-spoke network topology is a common architecture pattern used for organizing and managing network resources.
Hub: The hub is a central virtual network in Azure that acts as a focal point for connectivity to your on-premises network. It hosts shared Azure services and serves as the central point for cross-premises network connections. Think of it as the heart of your network setup.
Spokes: Spokes are additional virtual networks that peer with the hub. Each spoke can isolate and manage workloads separately. Workloads within spokes can include multiple tiers. Spokes can exist in different subscriptions and represent different environments (e.g., Production and Non-production).
Virtual Network Connectivity: The architecture connects virtual networks using peering connections or connected groups. These connections are non-transitive and low-latency, allowing peered or connected virtual networks to exchange traffic over the Azure backbone without needing a router.
Hub & Spoke is one of the most common network topologies used in Azure, however it's not one size fits all, some organisations may need isolation and more mature organisations may use an approach based on democratisation. The main alternative to Hub & Spoke is vWAN which is very similar to the Hub & Spoke topology but the Hub is fully managed - if you're interested in the differences you can find more here: Hub-spoke network topology with Azure Virtual WAN - Azure Architecture Center | Microsoft Learn.
Use-cases for ANM
I can see this been a great use case for organisations who don't currently have a defined network topology in place, it would be a large amount of work to do this manually, especially if the Virtual Networks have been deployed manually. Microsoft have provided a list of conceptual use-cases here: Common use cases for Azure Virtual Network Manager | Microsoft Learn
Assumptions
For this guide, I've already deployed my Hub and Spoke Virtual Networks, I've not deployed a VPN Gateway, so please note, there may be some additional steps to ensure the Hub acts as the Gateway vNet should you create a Hub & Spoke with hybrid connectivity. I've not configured any peering or connectivity.
Deploying Azure Virtual Network Manager
In the Portal, search for "Network managers" and head to the "Network managers" blade.
Fill in the basics tab, I'm going to select "Connectivity and Security admin" as my features so I can take advantage of all the features should I need to in the future.
On the next page, I'm setting my Subscription as my management scope as this is a demo, you will need to consider which subscriptions you'd like to enrol into AVNM and select a relevant management group which encompasses
Validate your configuration and review & create.
Configuring AVNM
To create our hub and spoke topology, I'm going to define a Network Group, create a configuration and then deploy it, which follows the same order as the list in the Network Manager blade under "Locks" under "Settings"
Network Group
Head to the "Network Groups" pane and select "Create" I'm going to call mine "ng-hub-spoke" the member type in this case is "Virtual network"
Next I need to add my members, these will be the Spoke Virtual Networks:
Configurations
This is where we will define our Topology and Virtual Networks. Head to the "Configuration" pane and select "Create -> Connectivity Configuration"
For the Topology, I'm going to select "Hub and Spoke" please note, if you're looking to test "Mesh" it's still in preview and as such, doesn't have any associated SLAs, it's recommended you do not test this with Production resources.
I've added my Network Group I created earlier, and I need to add my hub, to do that, select "Select a hub" and choose your hub from the list.
Once my Hub & Spokes have been defined, I can see the Topology mapped out on the next page:
Once completed, Create your configuration, I selected "Create" or you could start the deployment immediately as highlighted.
Deployment
To recap on where we are so far, we've created our Network Group containing all of our spokes, we've created our Hub & Spoke configuration where we've set out the Hub, and included the Spoke network group. We've reviewed the topology diagram and we're happy. All that's left to do is deploy the configuration profile.
Head to "Deployments" and select "Deploy Configurations" -> "Connectivity Configuration" Select your Configuration and Region, in this case, it's UK South.
Review the configuration and select "Deploy"
No more than a few minutes later, my Hub & Spoke was deployed, this was really quick I suspect may take longer based on the number of Virtual Networks.
Reviewing the Deployment
To review the deployment I'm going to check the Peerings on my hub, and they're all there, as expected.
All connected and in sync.
Conclusion
In this post, we've looked at what the Hub & Spoke topology is, what Azure Virtual Network Manager is, how to configure it, and how to deploy a Hub & Spoke which can be done at scale, despite the small example for the demo.