Tutorial: Create a secured hub and spoke network

In this tutorial, you'll create a hub and spoke network topology using Azure Virtual Network Manager. You'll then deploy a virtual network gateway in the hub virtual network to allow resources in the spoke virtual networks to communicate with remote networks using VPN. You'll also configure a security configuration to block outbound network traffic to the internet on ports 80 and 443. Lastly, you'll verify that configurations were applied correctly by looking at the virtual network and virtual machine settings.

Important

Azure Virtual Network Manager is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

In this tutorial, you learn how to:

  • Create multiple virtual networks.
  • Deploy a virtual network gateway.
  • Create a hub and spoke network topology.
  • Create a security configuration blocking traffic on ports 80 and 443.
  • Verify configurations were applied.

Prerequisite

Create virtual networks

This procedure walks you through creating three virtual networks. One will be in the West US region and the other two will be in the East US region.

  1. Sign in to the Azure portal.

  2. Select + Create a resource and search for Virtual network. Then select Create to begin configuring the virtual network.

    Screenshot of create a virtual network page.

  3. On the Basics tab, enter or select the following information:

    Screenshot of basics tab for hub and spoke virtual network.

    • Subscription: Select the subscription you want to deploy this virtual network into.
    • Resource group: Select or create a new resource group to store the virtual network. This tutorial uses a resource group named myAVNMResourceGroup.
    • Name: Enter VNet-A-WestUS for the virtual network name.
    • Region: Select the West US region.

  4. On the IP Addresses tab, configure the following network address space:

    Screenshot of IP addresses tab for hub and spoke virtual network.

    • IPv4 address space: Enter 10.3.0.0/16 as the address space.
    • Subnet name: Enter the name default for the subnet.
    • Subnet address space: Enter the subnet address space of 10.3.0.0/24.

  5. Select Review + create and then select Create to deploy the virtual network.

    Screenshot of validation page for hub and spoke virtual network.

  6. Repeat steps 2-5 to create two more virtual networks in the same resource group with the following information:

    Second virtual network:

    • Name: VNet-A-EastUS
    • Region: East US
    • IPv4 address space: 10.4.0.0/16
    • Subnet name: default
    • Subnet address space: 10.4.0.0/24

    Third virtual network:

    • Name: VNet-B-EastUS
    • Region: East US
    • IPv4 address space: 10.5.0.0/16
    • Subnet name: default
    • Subnet address space: 10.5.0.0/24

Deploy a virtual network gateway

Deploy a virtual network gateway into the hub virtual network. This virtual network gateway is required for the spokes to use the Use hub as a gateway setting.

  1. Select + Create a resource and search for Virtual network gateway. Then select Create to begin configuring the virtual network gateway.

    Screenshot of create a virtual network gateway page.

  2. On the Basics tab, enter or select the following settings:

    Screenshot of create the virtual network gateway basics tab.

  3. Select Review + create and then select Create after validation has passed. The deployment of a virtual network gateway can take about 30 minutes. You can move on to the next section while waiting for this deployment to complete.

    Screenshot of create a virtual network gateway validation page.

Create a network group

  1. Go to your Azure Virtual Network Manager instance. This tutorial assumes you've created one using the quickstart guide.

  2. Select Network groups under Settings, and then select + Add to create a new network group.

    Screenshot of add a network group button.

  3. On the Basics tab, enter the following information:

    Screenshot of the create a network group basics tab.

    • Name: Enter myNetworkGroupB for the network group name.
    • Description: Provide a description about this network group.

  4. Select the Conditional statements tab. For the Parameter, select Name from the drop-down. For the Operator, select Contains. For the Condition, enter VNet-. This conditional statement adds the three virtual networks you created earlier to this network group.

    Screenshot of create a network group conditional statements tab.

  5. Select Evaluate if you need to verify the virtual networks selected.

    Screenshot of effective virtual networks page.

  6. Select Review + create and then select Create once validation has passed.

    Screenshot of create network group validation page.

Create a hub and spoke connectivity configuration

  1. Select Configuration under Settings, then select + Add a configuration.

    Screenshot of add a configuration button for Network Manager.

  2. Select Connectivity from the drop-down menu.

    Screenshot of configuration drop-down menu.

  3. Enter and select the following information for the connectivity configuration:

    Screenshot of add a connectivity configuration page.

    • Name: Enter HubA for the name of the configuration.
    • Description: Provide a description about what this connectivity configuration will do.
    • Topology: Select Hub and spoke.

  4. When you select the Hub and spoke topology, more fields will appear. Select the following settings:

    Screenshot of selecting a hub for the connectivity configuration.

    • Hub: Select VNet-A-WestUS as the hub virtual network.
    • Existing peerings: Leave this option unchecked.
    • Spoke network groups: Select Add network groups and add myNetworkGroupB to the configuration.

  5. After you've added the network group, select the following options. Then select Add to create the connectivity configuration.

    Screenshot of settings for network group configuration.

    • Transitivity: Select the checkbox for Enable peering within network group. This setting allows spoke virtual networks in the network group that are in the same region to communicate with each other directly.
    • Global Mesh: Leave this option unchecked. Since both spokes are in the same region, this setting is not required.
    • Gateway: Select Use hub as a gateway.

Deploy the connectivity configuration

Make sure the virtual network gateway has been successfully deployed before deploying the connectivity configuration. If you deploy a hub and spoke configuration with Use hub as a gateway enabled and there's no gateway, the deployment will fail. For more information, see use hub as a gateway.

  1. Select Deployments under Settings, then select Deploy a configuration.

    Screenshot of deployments page in Network Manager.

  2. Select the configuration type of Connectivity and the HubA configuration you created in the last section. Then select West US and East US as the target regions and select Deploy.

    Screenshot of deploy a configuration page.

  3. Select OK to confirm you want to overwrite any existing configuration and deploy the connectivity configuration.

    Screenshot of deployment confirmation message.

  4. You should now see the deployment show up in the list for those regions. The deployment of the configuration can take about 15-20 minutes to complete.

    Screenshot of deployment in progress in deployment list.

Create security configuration

  1. Select Configuration under Settings again, then select + Add a configuration.

    Screenshot of adding another configuration for Network Manager.

  2. Select SecurityAdmin from the menu to begin creating a SecurityAdmin configuration.

    Screenshot of SecurityAdmin in drop-down menu.

  3. Enter the name mySecurityConfig for the configuration, then select + Add a rule collection.

    Screenshot of Security Admin configuration page.

  4. Enter the name myRuleCollection for the rule collection and select myNetworkGroupB for the target network group. Then select + Add a rule.

    Screenshot of add a rule collection page.

  5. Enter and select the following settings, then select Add:

    Screenshot of add a rule page.

  6. Select Save to add the rule collection to the configuration.

    Screenshot of save button for a rule collection.

  7. Select Add to create the security admin configuration.

    Screenshot of add button to create configuration.
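
A small evaluator, added here as an example and not part of the tutorial or of Virtual Network Manager, that applies security admin rules to sample flows in priority order and shows when evaluation falls through to the NSGs. The rule's priority and Internet destination, and the sample flows, are assumptions, since the page shows the rule settings only as a screenshot.

```python
import ipaddress
from dataclasses import dataclass

# Address spaces of the tutorial's three VNets. Assumption: a destination outside
# all of them counts as 'Internet' (a simplification of the Internet service tag).
VNET_PREFIXES = [ipaddress.ip_network(p) for p in ("10.3.0.0/16", "10.4.0.0/16", "10.5.0.0/16")]


@dataclass(frozen=True)
class AdminRule:
    name: str
    priority: int        # lower value is evaluated first
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Deny", "Allow" or "AlwaysAllow"
    protocol: str        # "Tcp", "Udp" or "Any"
    dest_ports: tuple    # destination port numbers
    destination: str     # "Internet" or a CIDR prefix


# Constructed rule for the tutorial's goal (block outbound 80/443 to the internet);
# priority and destination are assumptions, the page shows them only in a screenshot.
RULES = [AdminRule("DenyWebOutbound", 100, "Outbound", "Deny", "Tcp", (80, 443), "Internet")]


def dest_matches(rule, dst_ip):
    """True if dst_ip falls inside the rule's destination."""
    ip = ipaddress.ip_address(dst_ip)
    if rule.destination == "Internet":
        return not any(ip in prefix for prefix in VNET_PREFIXES)
    return ip in ipaddress.ip_network(rule.destination)


def evaluate(rules, direction, protocol, dst_ip, dst_port):
    """Apply the rules in priority order; the first match decides.
    Returns the rule's access, or "NSG" when nothing matched and evaluation falls
    through to the subnet/NIC network security groups. In Virtual Network Manager
    an "Allow" admin rule also hands the flow on to the NSGs; only "AlwaysAllow"
    and "Deny" are final."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol != "Any" and rule.protocol != protocol:
            continue
        if dst_port not in rule.dest_ports or not dest_matches(rule, dst_ip):
            continue
        return rule.access
    return "NSG"
```

Traffic on port 443 to the hub's 10.3.0.0/16 is not matched by the rule and is left to the NSGs, while the same port to a public address is denied.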

Deploy the security admin configuration

  1. Select Deployments under Settings, then select Deploy a configuration.

    Screenshot of security deployments page in Virtual Network Manager.

  2. Select the configuration type of SecurityAdmin and the mySecurityConfig configuration you created in the last section. Then select West US and East US as the target regions and select Deploy.

    Screenshot of deploying a security configuration.

  3. Select OK to confirm you want to overwrite any existing configuration and deploy the security admin configuration.

    Screenshot of confirmation message for deploying a security configuration.

  4. You should now see the deployment show up in the list for the selected regions. The deployment of the configuration can take about 15-20 minutes to complete.

    Screenshot of security deployment in progress in deployment list.

Verify deployment of configurations

Verify from a virtual network

  1. Go to the VNet-A-WestUS virtual network and select Network Manager under Settings. You'll see the HubA connectivity configuration applied.

    Screenshot of connectivity configuration applied to the virtual network.

  2. Select Peerings under Settings. You'll see virtual network peerings created by Virtual Network Manager with AVNM in the name.

    Screenshot of virtual network peerings created by Virtual Network Manager.

  3. Select the SecurityAdmin tab to see the security admin rules applied to this virtual network.

    Screenshot of security admin rules applied to the virtual network.

Verify from a VM

  1. Deploy a test Windows VM into VNet-A-EastUS.

  2. Go to the test VM created in VNet-A-EastUS and select Networking under Settings. Select Outbound port rules and you'll see the security admin rule applied.

    Screenshot of test VM's network security rules.

  3. Select the network interface name.

    Screenshot of test VM's network settings.

  4. Then select Effective routes under Support + troubleshooting to see the routes for the virtual network peerings. The 10.3.0.0/16 route with the next hop of VNetGlobalPeering is the route to the hub virtual network. The 10.5.0.0/16 route with the next hop of ConnectedGroup is the route to the other spoke virtual network. All spoke virtual networks will be in a ConnectedGroup when Transitivity is enabled.

    Screenshot of effective routes from test VM network interface.
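
To check the Effective routes page against what the topology should produce, the following planner, added here as an example and not part of the tutorial or of Virtual Network Manager, computes the expected next-hop type per spoke from the three VNets, the hub choice and the Transitivity and Global Mesh settings, and rejects overlapping address spaces. It goes slightly beyond the tutorial by handling a spoke in the hub's region and the Global Mesh case; the assumption that a hub matching the group condition is not treated as its own spoke is noted in the code.

```python
import ipaddress

# Constructed to match the tutorial's VNets: name -> (region, IPv4 address space)
VNETS = {
    "VNet-A-WestUS": ("westus", "10.3.0.0/16"),
    "VNet-A-EastUS": ("eastus", "10.4.0.0/16"),
    "VNet-B-EastUS": ("eastus", "10.5.0.0/16"),
}


def check_no_overlap(vnets):
    """Raise ValueError if two address spaces overlap; peering needs disjoint ranges."""
    nets = {name: ipaddress.ip_network(space) for name, (_, space) in vnets.items()}
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")


def network_group(vnets, contains="VNet-"):
    """Mirror myNetworkGroupB's conditional statement: Name contains 'VNet-'."""
    return sorted(name for name in vnets if contains in name)


def expected_routes(vnets, hub, group, transitivity=True, global_mesh=False):
    """Return {spoke: {prefix: next hop type}} as the VM's Effective routes page labels it.
    Hub prefix: VNetPeering when hub and spoke share a region, else VNetGlobalPeering.
    Other spoke's prefix: ConnectedGroup when transitivity is on and the spokes share a
    region (or Global Mesh is on). Assumption: a hub that also matches the group
    condition is not treated as its own spoke."""
    check_no_overlap(vnets)
    spokes = [name for name in group if name != hub]
    routes = {}
    for spoke in spokes:
        region, _ = vnets[spoke]
        hub_region, hub_prefix = vnets[hub]
        routes[spoke] = {hub_prefix: "VNetPeering" if region == hub_region else "VNetGlobalPeering"}
        for other in spokes:
            other_region, other_prefix = vnets[other]
            if other != spoke and transitivity and (global_mesh or region == other_region):
                routes[spoke][other_prefix] = "ConnectedGroup"
    return routes


if __name__ == "__main__":
    for spoke, table in expected_routes(VNETS, "VNet-A-WestUS", network_group(VNETS)).items():
        for prefix, hop in table.items():
            print(f"{spoke}: {prefix} -> {hop}")
```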

Clean up resources

If you no longer need the Azure Virtual Network Manager, you'll need to make sure all of the following are true before you can delete the resource:

  • There are no deployments of configurations to any region.
  • All configurations have been deleted.
  • All network groups have been deleted.

Use the remove components checklist to make sure no child resources are still available before deleting the resource group.

Next steps

Learn how to block network traffic with a Security admin configuration.