Network Topology & Connectivity
How to design hub-spoke networks, Virtual WAN, DNS, and hybrid connectivity for enterprise landing zones.
Network Topology Options
Decision Tree
Comparison
| Feature | Hub-Spoke | Virtual WAN |
|---|---|---|
| Branch connectivity | Manual VPN setup | Automated |
| Spoke-to-spoke | Via hub NVA/Firewall | Native |
| Global reach | Complex | Built-in |
| Max spokes | ~200 (practical) | 500+ |
| NVA support | Full control | Limited partners |
| Cost | Pay per resource | Per hub + connections |
| Complexity | Higher | Lower |
| Best for | Traditional enterprise | Global, branch-heavy |
Hub-Spoke Architecture
Reference Design
Hub Components
| Component | Purpose | Sizing |
|---|---|---|
| Azure Firewall | Traffic inspection, NAT | Premium for TLS inspection |
| ExpressRoute Gateway | Private connectivity | Ultra for > 10 Gbps |
| VPN Gateway | Branch/P2S connectivity | VpnGw2-5 based on throughput |
| Bastion | Secure VM access | Standard for session recording |
| DNS | Private DNS resolution | Azure DNS Private Resolver |
IP Address Planning
```text
Enterprise Network: 10.0.0.0/8 (reserved for Azure)
├── Hub: 10.0.0.0/16
│   ├── GatewaySubnet: 10.0.1.0/24 (ExpressRoute/VPN)
│   ├── AzureFirewallSubnet: 10.0.3.0/24
│   ├── AzureFirewallManagementSubnet: 10.0.4.0/24
│   ├── AzureBastionSubnet: 10.0.5.0/24
│   └── DNS: 10.0.6.0/24
│
├── Corp Spokes: 10.1.0.0/14 (10.1-4.x.x)
│   ├── Spoke 1: 10.1.0.0/16
│   ├── Spoke 2: 10.2.0.0/16
│   └── ...
│
├── Online Spokes: 10.16.0.0/14 (10.16-19.x.x)
│
├── Data Platform: 10.32.0.0/14
│
└── Sandbox: 10.64.0.0/14
```
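The check below is an added example, not part of the page: it loads the plan above as data and verifies prefix alignment, containment in the enterprise range, non-overlap between blocks, and the platform minimum sizes for the fixed-name hub subnets. Run as written it reports that 10.1.0.0/14 does not sit on a /14 boundary (the aligned block would be 10.0.0.0/14, which collides with the hub), an error that otherwise surfaces only when a peering or deployment fails.

```python
import ipaddress
from itertools import combinations
# Address plan from the tree above, captured here as data for this check (not page code)
ENTERPRISE = "10.0.0.0/8"
BLOCKS = {
    "hub": "10.0.0.0/16",
    "corp-spokes": "10.1.0.0/14",
    "online-spokes": "10.16.0.0/14",
    "data-platform": "10.32.0.0/14",
    "sandbox": "10.64.0.0/14",
}
HUB_SUBNETS = {
    "GatewaySubnet": "10.0.1.0/24",
    "AzureFirewallSubnet": "10.0.3.0/24",
    "AzureFirewallManagementSubnet": "10.0.4.0/24",
    "AzureBastionSubnet": "10.0.5.0/24",
    "snet-dns": "10.0.6.0/24",
}
# Largest prefix length (smallest subnet) Azure accepts for the platform-named hub subnets
MIN_PREFIX = {"GatewaySubnet": 27, "AzureFirewallSubnet": 26,
              "AzureFirewallManagementSubnet": 26, "AzureBastionSubnet": 26}

def _parse(named):
    """Parse CIDRs strictly: host bits set in a prefix (e.g. 10.1.0.0/14) is a plan error."""
    nets, problems = {}, []
    for name, cidr in named.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            problems.append(f"{name}: {cidr} is not on a prefix boundary")
    return nets, problems

def check_plan(enterprise, blocks, hub_subnets, hub="hub"):
    """Return a list of problems; an empty list means the plan is internally consistent."""
    root = ipaddress.ip_network(enterprise)
    nets, problems = _parse(blocks)
    subs, more = _parse(hub_subnets)
    problems += more
    problems += [f"{n}: {v} is outside {root}" for n, v in nets.items() if not v.subnet_of(root)]
    # Peered VNets (and anything routed through the hub) must not share address space
    problems += [f"{a} {nets[a]} overlaps {b} {nets[b]}" for a, b in combinations(nets, 2)
                 if nets[a].overlaps(nets[b])]
    for name, sub in subs.items():  # hub subnets: inside the hub and not too small
        if hub in nets and not sub.subnet_of(nets[hub]):
            problems.append(f"{name}: {sub} is outside hub {nets[hub]}")
        if sub.prefixlen > MIN_PREFIX.get(name, 32):
            problems.append(f"{name}: {sub} is smaller than the required /{MIN_PREFIX[name]}")
    problems += [f"{a} {subs[a]} overlaps {b} {subs[b]}" for a, b in combinations(subs, 2)
                 if subs[a].overlaps(subs[b])]
    return problems
```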
Bicep: Hub VNet
```bicep
param location string = 'eastus'
param hubAddressPrefix string = '10.0.0.0/16'

// Hub VNet. The gateway, firewall and Bastion subnets must use these fixed names;
// prefixes follow the IP plan above.
resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-hub-prod-${location}-001'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [hubAddressPrefix]
    }
    subnets: [
      {
        name: 'GatewaySubnet' // ExpressRoute/VPN gateways; /27 minimum
        properties: {
          addressPrefix: '10.0.1.0/24'
        }
      }
      {
        name: 'AzureFirewallSubnet' // /26 minimum
        properties: {
          addressPrefix: '10.0.3.0/24'
        }
      }
      {
        name: 'AzureFirewallManagementSubnet' // only used with forced tunneling or the Basic SKU
        properties: {
          addressPrefix: '10.0.4.0/24'
        }
      }
      {
        name: 'AzureBastionSubnet' // /26 minimum
        properties: {
          addressPrefix: '10.0.5.0/24'
        }
      }
      // DNS Private Resolver endpoint subnets (see "Bicep: DNS Private Resolver" below), carved
      // from the 10.0.6.0/24 DNS range; the resolver requires the delegation on both
      {
        name: 'snet-dns-inbound'
        properties: {
          addressPrefix: '10.0.6.0/28'
          delegations: [
            {
              name: 'dnsResolver'
              properties: {
                serviceName: 'Microsoft.Network/dnsResolvers'
              }
            }
          ]
        }
      }
      {
        name: 'snet-dns-outbound'
        properties: {
          addressPrefix: '10.0.6.16/28'
          delegations: [
            {
              name: 'dnsResolver'
              properties: {
                serviceName: 'Microsoft.Network/dnsResolvers'
              }
            }
          ]
        }
      }
    ]
  }
}

// Standard, static public IP attached to the firewall's IP configuration
resource firewallPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-afw-hub-prod-${location}-001'
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

// Declared in the "Firewall Rules Structure" listing further down
resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: 'afwp-hub-prod-001'
}

// Azure Firewall Premium in the hub; all rules, threat intel and IDPS settings live in the policy
resource firewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'afw-hub-prod-${location}-001'
  location: location
  properties: {
    sku: {
      name: 'AZFW_VNet'
      tier: 'Premium'
    }
    ipConfigurations: [
      {
        name: 'fw-ipconfig'
        properties: {
          subnet: {
            id: '${hubVnet.id}/subnets/AzureFirewallSubnet'
          }
          publicIPAddress: {
            id: firewallPip.id
          }
        }
      }
    ]
    firewallPolicy: {
      id: firewallPolicy.id
    }
  }
}
```
Virtual WAN Architecture
Reference Design
Virtual WAN SKUs
| Feature | Basic | Standard |
|---|---|---|
| VNet connections | ✅ | ✅ |
| S2S VPN | ✅ | ✅ |
| P2S VPN | ❌ | ✅ |
| ExpressRoute | ❌ | ✅ |
| Hub-to-hub | ❌ | ✅ |
| Azure Firewall | ❌ | ✅ |
| Use for | Simple scenarios | Enterprise |
Bicep: Virtual WAN
```bicep
param location string = 'eastus'

// Policy for the secured hub; declared in the "Firewall Rules Structure" listing below
resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: 'afwp-hub-prod-001'
}

// Standard type is required for hub-to-hub, ExpressRoute, P2S and Azure Firewall (see the SKU table)
resource virtualWan 'Microsoft.Network/virtualWans@2023-05-01' = {
  name: 'vwan-contoso-prod-001'
  location: location
  properties: {
    type: 'Standard'
    allowBranchToBranchTraffic: true
    allowVnetToVnetTraffic: true
  }
}

// Virtual hub (the managed alternative to the hub VNet above, not an addition to it).
// Microsoft recommends a /23 (minimum /24) because the gateways and firewall consume hub addresses.
resource hub 'Microsoft.Network/virtualHubs@2023-05-01' = {
  name: 'vhub-prod-eastus-001'
  location: 'eastus'
  properties: {
    virtualWan: {
      id: virtualWan.id
    }
    addressPrefix: '10.0.0.0/23'
    sku: 'Standard'
  }
}

// Azure Firewall deployed into the hub (AZFW_Hub SKU) makes it a secured virtual hub
resource hubFirewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'afw-vhub-eastus-001'
  location: 'eastus'
  properties: {
    sku: {
      name: 'AZFW_Hub'
      tier: 'Premium'
    }
    virtualHub: {
      id: hub.id
    }
    hubIPAddresses: {
      publicIPs: {
        count: 1
      }
    }
    firewallPolicy: {
      id: firewallPolicy.id
    }
  }
}
```
DNS Architecture
Azure Private DNS Design
Required Private DNS Zones
| Service | Zone |
|---|---|
| Storage Blob | privatelink.blob.core.windows.net |
| Storage File | privatelink.file.core.windows.net |
| Storage Queue | privatelink.queue.core.windows.net |
| Storage Table | privatelink.table.core.windows.net |
| SQL Database | privatelink.database.windows.net |
| Cosmos DB | privatelink.documents.azure.com |
| Key Vault | privatelink.vaultcore.azure.net |
| ACR | privatelink.azurecr.io |
| AKS | privatelink.{region}.azmk8s.io |
| Event Hub | privatelink.servicebus.windows.net |
| Service Bus | privatelink.servicebus.windows.net |
Bicep: DNS Private Resolver
```bicep
param location string = 'eastus'

// Hub VNet from the "Bicep: Hub VNet" listing. The two endpoint subnets must exist there,
// be /28 or larger, and be delegated to Microsoft.Network/dnsResolvers.
resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: 'vnet-hub-prod-${location}-001'
}

resource dnsResolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
  name: 'dnspr-hub-prod-001'
  location: location
  properties: {
    virtualNetwork: {
      id: hubVnet.id
    }
  }
}

// Inbound endpoint: the hub-side IP that on-premises DNS servers conditionally forward the
// privatelink.* zones to, so private endpoint names resolve from on-premises
resource inboundEndpoint 'Microsoft.Network/dnsResolvers/inboundEndpoints@2022-07-01' = {
  parent: dnsResolver
  name: 'inbound'
  location: location
  properties: {
    ipConfigurations: [
      {
        privateIpAllocationMethod: 'Dynamic' // 'Static' plus privateIpAddress gives forwarders a fixed target
        subnet: {
          id: '${hubVnet.id}/subnets/snet-dns-inbound'
        }
      }
    ]
  }
}

// Outbound endpoint: source of queries leaving Azure for corporate zones. It forwards nothing by
// itself; pair it with a Microsoft.Network/dnsForwardingRulesets resource that lists the
// on-premises zones and their DNS server targets.
resource outboundEndpoint 'Microsoft.Network/dnsResolvers/outboundEndpoints@2022-07-01' = {
  parent: dnsResolver
  name: 'outbound'
  location: location
  properties: {
    subnet: {
      id: '${hubVnet.id}/subnets/snet-dns-outbound'
    }
  }
}
```
Hybrid Connectivity
ExpressRoute Design
ExpressRoute SKUs
| SKU | Bandwidth | Global Reach | Connectivity scope | VNet links per circuit |
|---|---|---|---|---|
| Local | 1-10 Gbps | ❌ | Same metro | - |
| Standard | 50 Mbps - 10 Gbps | ❌ | Same geo | 10 VNets |
| Premium | 50 Mbps - 100 Gbps | ✅ | Global | Unlimited |
VPN Backup
Network Security
Azure Firewall Policy Hierarchy
Firewall Rules Structure
```bicep
param location string = 'eastus'

// Premium policy. Threat intelligence and IDPS in Deny mode block, rather than only alert on,
// traffic to known-malicious destinations and traffic matching IDPS signatures.
resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'afwp-hub-prod-001'
  location: location
  properties: {
    sku: {
      tier: 'Premium'
    }
    threatIntelMode: 'Deny'
    intrusionDetection: {
      mode: 'Deny' // Premium tier only
    }
  }
}

// The group priority (200) orders rule collection groups; the collection priority (100) orders
// collections inside the group. Lower numbers are evaluated first.
resource networkRuleCollection 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: firewallPolicy
  name: 'DefaultNetworkRuleCollectionGroup'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'AllowInfrastructure'
        priority: 100
        action: {
          type: 'Allow'
        }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'AllowDNS'
            sourceAddresses: ['10.0.0.0/8']
            // Narrow '*' to the DNS Private Resolver inbound IP once it exists, so port 53 to
            // arbitrary hosts is not left as an uninspected path out of the network
            destinationAddresses: ['*']
            destinationPorts: ['53']
            ipProtocols: ['UDP', 'TCP']
          }
          {
            ruleType: 'NetworkRule'
            name: 'AllowNTP'
            sourceAddresses: ['10.0.0.0/8']
            destinationAddresses: ['*']
            destinationPorts: ['123']
            ipProtocols: ['UDP']
          }
        ]
      }
    ]
  }
}
```
NSG Best Practices
```bicep
param location string = 'eastus'

resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-app-prod-001'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowHTTPS' // lowest priority number wins; custom rules run before Azure's defaults
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'VirtualNetwork'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
          sourcePortRange: '*'
        }
      }
      {
        // 4096 is the last custom priority. It runs before the default AllowVnetInBound (65000),
        // which would otherwise admit every port from the VirtualNetwork tag, but it also runs
        // before AllowAzureLoadBalancerInBound (65001): subnets behind a load balancer need an
        // explicit allow for the AzureLoadBalancer tag above this rule or health probes fail.
        name: 'DenyAllInbound'
        properties: {
          priority: 4096
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
          sourcePortRange: '*'
        }
      }
    ]
  }
}
```
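An added example (not from the page) that evaluates an inbound flow against the rules above the way IP Flow Verify does: custom rules first by ascending priority, then Azure's built-in defaults. The VirtualNetwork and AzureLoadBalancer tags are stood in for by fixed ranges, an assumption noted in the code; the evaluation shows why the explicit DenyAllInbound at 4096 matters and that the same rule also shadows the default load-balancer probe allow.

```python
import ipaddress

# Constructed stand-in for the service tags: the platform resolves VirtualNetwork to the VNet,
# peered and gateway-connected ranges; here it is the enterprise 10.0.0.0/8 from the IP plan
TAGS = {"VirtualNetwork": ["10.0.0.0/8"], "AzureLoadBalancer": ["168.63.129.16/32"]}

# Azure's built-in inbound rules: evaluated only after every custom rule has failed to match
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow", "protocol": "*",
     "source": "VirtualNetwork", "destination": "VirtualNetwork", "port": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "protocol": "*", "source": "AzureLoadBalancer", "destination": "*", "port": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny", "protocol": "*",
     "source": "*", "destination": "*", "port": "*"},
]
# The two custom rules of nsg-app-prod-001 from the listing above
PAGE_RULES = [
    {"name": "AllowHTTPS", "priority": 100, "access": "Allow", "protocol": "Tcp",
     "source": "VirtualNetwork", "destination": "*", "port": "443"},
    {"name": "DenyAllInbound", "priority": 4096, "access": "Deny", "protocol": "*",
     "source": "*", "destination": "*", "port": "*"},
]


def _addr_match(spec, ip):
    if spec == "*":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in TAGS.get(spec, [spec]))


def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")  # '443' or a range such as '8000-8080'
    return int(lo) <= port <= int(hi or lo)


def evaluate_inbound(custom_rules, src_ip, dst_ip, dst_port, protocol="Tcp"):
    """First matching rule by ascending priority wins; returns (access, rule name)."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if rule["protocol"] not in ("*", protocol):
            continue
        if (_addr_match(rule["source"], src_ip) and _addr_match(rule["destination"], dst_ip)
                and _port_match(rule["port"], dst_port)):
            return rule["access"], rule["name"]
    return "Deny", "implicit"
```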
Network Monitoring
Network Watcher Capabilities
| Tool | Purpose |
|---|---|
| Connection Monitor | End-to-end connectivity |
| NSG Flow Logs | Traffic analysis |
| Traffic Analytics | Visual insights |
| Packet Capture | Troubleshooting |
| IP Flow Verify | NSG rule testing |
| Next Hop | Routing verification |
Bicep: Flow Logs
```bicep
param location string = 'eastus'

// Resources the flow log attaches to; declared elsewhere in the deployment (names are placeholders)
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' existing = {
  name: 'nsg-app-prod-001'
}
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: 'stflowlogsprod001'
}
resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: 'log-hub-prod-001'
}

// Flow logs are child resources of the regional Network Watcher: the first name segment must match
// the existing watcher (NetworkWatcher_<region> in NetworkWatcherRG by default) and the deployment
// must target that resource group. Microsoft has announced the retirement of NSG flow logs in
// favour of virtual network flow logs; check the current status before new deployments.
resource flowLog 'Microsoft.Network/networkWatchers/flowLogs@2023-05-01' = {
  name: 'nw-${location}/fl-${nsg.name}'
  location: location
  properties: {
    targetResourceId: nsg.id
    storageId: storageAccount.id // storage account in the same region as the NSG
    enabled: true
    flowAnalyticsConfiguration: {
      networkWatcherFlowAnalyticsConfiguration: {
        enabled: true
        workspaceResourceId: logAnalytics.id
        trafficAnalyticsInterval: 10 // minutes; 10 or 60
      }
    }
    retentionPolicy: {
      days: 90
      enabled: true
    }
    format: {
      type: 'JSON'
      version: 2 // adds flow state and byte/packet counters to each tuple
    }
  }
}
```
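An added example, not the page's code, that parses a version 2 flow log record into tuples and summarizes inbound activity: denied flows per source, port and rule (the raw material Traffic Analytics builds its views from) and bytes carried by completed allowed flows. The record is constructed for the example; the tuple layout follows the documented v2 schema.

```python
import json
from collections import Counter
# Constructed NSG flow log v2 record: the layout follows the documented schema, the values are made up.
# Tuple fields: ts,src,dst,sport,dport,proto,dir,decision,state,pktS2D,bytesS2D,pktD2S,bytesD2S
SAMPLE_RECORD = json.dumps({
    "time": "2024-05-01T10:00:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/SUB-ID-PLACEHOLDER/RESOURCEGROUPS/RG-APP/PROVIDERS/"
                  "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-APP-PROD-001",
    "properties": {"Version": 2, "flows": [
        {"rule": "UserRule_AllowHTTPS", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1714557600,10.1.0.4,10.2.0.5,51234,443,T,I,A,B,,,,",
            "1714557602,10.1.0.4,10.2.0.5,51234,443,T,I,A,E,12,3400,10,9800"]}]},
        {"rule": "UserRule_DenyAllInbound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1714557605,10.64.0.12,10.2.0.5,40001,22,T,I,D,B,,,,",
            "1714557606,10.64.0.12,10.2.0.5,40002,3389,T,I,D,B,,,,",
            "1714557607,10.64.0.12,10.2.0.5,40003,22,T,I,D,B,,,,"]}]}]}})

FIELDS = ("ts", "src", "dst", "sport", "dport", "proto", "direction", "decision", "state",
          "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s")

def parse_tuples(record):
    """Yield one dict per flow tuple, tagged with the NSG rule that produced it."""
    for rule in record["properties"]["flows"]:
        for nic in rule["flows"]:
            for tup in nic["flowTuples"]:
                flow = dict(zip(FIELDS, tup.split(",")))
                flow["rule"] = rule["rule"]
                yield flow

def summarize_inbound(record_json):
    """Return (denied flows per (src, dport, rule), bytes carried by completed allowed flows)."""
    denied, allowed_bytes = Counter(), 0
    for f in parse_tuples(json.loads(record_json)):
        if f["direction"] != "I":
            continue
        if f["decision"] == "D":
            denied[(f["src"], f["dport"], f["rule"])] += 1
        elif f["state"] == "E":  # byte counters are only filled in on the end-of-flow record
            allowed_bytes += int(f["bytes_s2d"]) + int(f["bytes_d2s"])
    return denied, allowed_bytes

def noisy_sources(denied, threshold=3):
    """Sources with at least `threshold` denied inbound flows, e.g. a sandbox host probing a corp spoke."""
    per_src = Counter()
    for (src, _port, _rule), n in denied.items():
        per_src[src] += n
    return [src for src, n in per_src.most_common() if n >= threshold]
```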
Quick Reference Card
| Concept | Recommendation |
|---|---|
| Topology | Hub-spoke for most, Virtual WAN for 30+ branches |
| Hub sizing | /16 minimum for growth |
| Spoke sizing | /16 per spoke, /24 per subnet |
| DNS | Centralized Private DNS in hub |
| Firewall | Premium for TLS inspection |
| ExpressRoute | Premium for global reach |
| Backup connectivity | S2S VPN as ER backup |
Next Steps
Continue to Security Baseline to learn about Microsoft Defender, encryption, and compliance controls.