Azure Network Topology Solution for our Case

APTOS 221 Reputation points
2022-02-17T09:13:11.59+00:00

Hello ,

We created many subscriptions in our Azure tenant, one per country (France, India, USA, Canada).
We have only one subscription connected to an on-premises office (the Canada subscription, connected to the Canada on-premises network with a site-to-site VPN).
What is the best solution to connect the other subscriptions (France, India, USA) with their own on-premises networks while keeping the VNets of these countries connected to the Canada VNet and on-premises network, since it is the head office? Should we create a site-to-site VPN link for each country to its VNet in Azure? I need an optimized solution, please.

Regards,
Ali

Tags: Azure VPN Gateway, Azure Network Watcher, Azure App Service

Accepted answer
  1. Andriy Bilous 10,901 Reputation points MVP
    2022-02-17T16:04:24.59+00:00

    Hello @APTOS

    Azure recommends using a hub-spoke topology to achieve your goal: connect the regional VNets (France, India, USA) with their on-premises networks and keep the VNets of these countries connected to the Canada region VNet.

    The hub virtual network acts as a central point of connectivity to many spoke virtual networks. The hub can also be used as the connectivity point to your on-premises networks. The spoke virtual networks peer with the hub and can be used to isolate workloads.
    The benefits of using a hub and spoke configuration include cost savings, overcoming subscription limits, and workload isolation.

    175449-image.png

    https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli

    Your case can expand the hub-spoke architecture with an alternate solution, building on the hub-spoke network topology in Azure and the implementation of a secure hybrid network.
    The hub is a virtual network in Azure that acts as a central point of connectivity to your on-premises network. The spokes are virtual networks that peer with the hub and can be used to isolate workloads. Traffic flows between the on-premises offices and the hub through an ExpressRoute or VPN gateway connection. The main differentiator of this approach is the use of Azure Virtual WAN (VWAN) to replace hubs as a managed service.

    175502-image.png

    https://learn.microsoft.com/en-us/azure/architecture/networking/hub-spoke-vwan-architecture

    Azure Virtual WAN is a networking service that brings many networking, security, and routing functionalities together to provide a single operational interface. These functionalities include branch connectivity (via connectivity automation from Virtual WAN Partner devices such as SD-WAN or VPN CPE), Site-to-site VPN connectivity, remote user VPN (Point-to-site) connectivity, private (ExpressRoute) connectivity, intra-cloud connectivity (transitive connectivity for virtual networks), VPN ExpressRoute inter-connectivity, routing, Azure Firewall, and encryption for private connectivity.

    175474-image.png


3 additional answers

  1. Andreas Baumgarten 96,361 Reputation points MVP
    2022-02-17T09:47:08.39+00:00

    Hi @APTOS ,

    Are the Azure resources (VMs, VNets, ...) deployed in different Azure regions in the different Azure subscriptions?
    If so, an individual site-to-site VPN per region might make sense.
    But this requires a "clean" IP address concept without overlapping IP address ranges between the on-premises networks and the Azure VNets/subnets.


    Regards
    Andreas Baumgarten

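A worked check for the two points made above: the hub-spoke peering the accepted answer recommends, and the non-overlapping address plan Andreas Baumgarten calls for. This is an added example, not code from the original thread or from Microsoft; the VNet names, prefixes and the `VNet` helper are constructed assumptions. It derives the gateway-transit flags each side of a peering needs, rejects address spaces that collide with each other or with an on-premises range, and flags the one case plain peering cannot cover: a spoke that hosts its own VPN gateway to its country's office cannot also use the hub's gateway (Azure allows only one of the two per VNet), which is where the Virtual WAN variant in the accepted answer comes in.

```python
"""Hub-and-spoke plan checker (constructed example, not from the original thread).

Models a head-office hub VNet that hosts the site-to-site VPN gateway and the
regional spoke VNets that peer with it, then:
  1. rejects overlapping address spaces (VNet vs VNet, VNet vs on-premises);
  2. derives the gateway-transit flags for the two one-directional peerings per spoke;
  3. warns where plain VNet peering cannot give the connectivity the question asks for.
All names and prefixes below are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from itertools import combinations


@dataclass
class VNet:
    """An Azure VNet plus the on-premises ranges reachable through its own gateway."""
    name: str
    cidr: str
    has_gateway: bool = False                 # hosts a VPN/ExpressRoute gateway of its own
    on_prem: list = field(default_factory=list)


def address_ranges(vnets):
    """Flatten every VNet address space and on-premises range into (label, network)."""
    ranges = []
    for v in vnets:
        ranges.append((v.name, ip_network(v.cidr)))
        for prefix in v.on_prem:
            ranges.append((f"{v.name}:on-prem", ip_network(prefix)))
    return ranges


def find_overlaps(vnets):
    """Return (label_a, cidr_a, label_b, cidr_b) for every pair of ranges that overlap.

    Peering and site-to-site routing both fail silently on colliding prefixes, so
    this is the first check to run before creating any gateway or peering.
    """
    return [
        (la, str(a), lb, str(b))
        for (la, a), (lb, b) in combinations(address_ranges(vnets), 2)
        if a.overlaps(b)
    ]


def peering_plan(hub, spokes):
    """Derive the two one-directional peerings per spoke and their gateway-transit flags.

    The flag names match `az network vnet peering create --allow-gateway-transit`
    and `--use-remote-gateways`.
    """
    links = []
    for s in spokes:
        links.append({
            "name": f"{hub.name}-to-{s.name}",
            "allow_gateway_transit": hub.has_gateway,   # hub lends its gateway to the spoke
            "use_remote_gateways": False,
        })
        links.append({
            "name": f"{s.name}-to-{hub.name}",
            "allow_gateway_transit": False,
            # a VNet that already hosts a gateway cannot also use a remote one
            "use_remote_gateways": hub.has_gateway and not s.has_gateway,
        })
    return links


def check_plan(hub, spokes):
    """Return human-readable warnings about what plain hub-spoke peering cannot do."""
    problems = [
        f"overlap: {la} {a} collides with {lb} {b}"
        for la, a, lb, b in find_overlaps([hub, *spokes])
    ]
    for s in spokes:
        if s.has_gateway:
            problems.append(
                f"{s.name} hosts its own gateway, so it cannot use {hub.name}'s gateway; "
                f"{s.name} and its on-premises ranges {s.on_prem} do not reach "
                f"{hub.name}'s on-premises ranges {hub.on_prem} over the peering "
                f"(consider Virtual WAN hubs or a gateway-to-gateway VPN instead)"
            )
    if len(spokes) > 1:
        problems.append(
            "VNet peering is not transitive: spoke-to-spoke traffic needs an NVA or "
            "Azure Firewall in the hub plus user-defined routes, or Virtual WAN"
        )
    return problems


# Constructed sample plan: the Canada head office hosts the site-to-site gateway,
# the other countries are spokes, and the USA spoke has its own gateway to its office.
CANADA_HUB = VNet("canada-hub", "10.0.0.0/16", has_gateway=True, on_prem=["192.168.0.0/16"])
SPOKES = [
    VNet("france", "10.1.0.0/16"),
    VNet("india", "10.2.0.0/16"),
    VNet("usa", "10.3.0.0/16", has_gateway=True, on_prem=["172.16.0.0/12"]),
]

if __name__ == "__main__":
    for link in peering_plan(CANADA_HUB, SPOKES):
        print(link)
    for warning in check_plan(CANADA_HUB, SPOKES):
        print("warning:", warning)
```

Run the module directly to print the six peering definitions and the warnings for the sample plan; swap in your real prefixes and `find_overlaps` will tell you whether a country's office range collides with an Azure VNet before you order the VPN.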

  2. APTOS 221 Reputation points
    2022-02-17T10:01:17.283+00:00

    Thanks for your reply. Which kind of peering should we deploy between the region VNets and the head office VNet, please? We need all VNets to connect to the head office on-premises network too.


  3. Boyan Biandov 1 Reputation point
    2022-02-21T19:11:12.947+00:00

    @Andriy Bilous If I may ask a follow-up question to your best-practices recommendation around Azure's suggested hub-spoke architecture: in a VPN environment, complexity is the only true roadblock to a complete any-to-any mesh, which would then remove a possible single point of failure, the hub site. In a perfect mesh no single site going offline could affect the rest of the sites. Is there another reason, besides the complexity of setting up and maintaining a perfect mesh, that Azure suggests hub-spoke? Thank you
