Share via

Azure vNet Hub Spoke vs One VNet with multiple subnets and 3rd Party Firewall

rr-4098 2,311 Reputation points
2026-06-18T16:02:27.4066667+00:00

Here is my question...

If we deployed a single vNet with multiple subnet's but used a 3rd party enterprise firewall that included UDR's to route all traffic between subnets to the firewall, wouldn't this have the same effect as using a hub-spoke setup with less complexity?

Azure Virtual Network
Azure Virtual Network

An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.

0 comments

Answer accepted by question author

Marcin Policht 93,965 Reputation points MVP Volunteer Moderator
2026-06-19T20:51:50.74+00:00

For a small company, a single VNet with multiple subnets and centralized inspection through a third-party firewall might be sufficient. Scalability is more limited - but that likely becomes less relevant in your scenario. You still have the ability to control internal traffic without introducing the additional architectural layers, peering relationships, and operational overhead associated with a hub-and-spoke deployment. If all workloads belong to the same organization, are managed by the same IT team, and have similar security requirements, separate VNets may not provide measurable benefits.

From a security perspective, forcing all east-west traffic through a firewall using UDRs can still provide segmentation, IDS/IPS inspection, logging, application filtering, and centralized policy enforcement. The security outcome is driven more by the quality of firewall policy design and monitoring than by whether the workloads are separated into different VNets.

In addition, you should consider cost . Traditional hub-and-spoke architectures introduce additional Azure resources such as VNet peering, centralized gateways, Azure Firewall instances, Bastion hosts, route servers, or multiple NVAs. Even when the individual costs are not extremely high, they accumulate over time and increase both cloud spend and administrative effort.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Was this answer helpful?

1 person found this answer helpful.
0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Venkatesan S 9,565 Reputation points Microsoft External Staff Moderator
    2026-06-19T19:11:20.8566667+00:00

    Hi @rr-4098 ,

    Thanks for reaching out in Microsoft Q&A forum,

    Using a single VNet with multiple subnets and a third-party firewall, combined with User Defined Routes (UDRs) to direct inter-subnet traffic through the firewall, can provide similar traffic inspection and security policy enforcement to a hub-and-spoke design. For smaller environments, this approach can also reduce architectural complexity.

    However, there are some important differences to consider:

    Isolation: In a hub-and-spoke architecture, each spoke is a separate VNet, providing stronger workload and administrative isolation.

    Scalability: Separate spoke VNets can be managed and scaled independently, each with its own address space and lifecycle.

    Governance and RBAC: Hub-and-spoke makes it easier to delegate ownership and apply separate access controls across teams, applications, or subscriptions.

    Shared Services: Centralized services such as Azure Firewall, VPN Gateway, ExpressRoute, Azure Bastion, and DNS can be hosted in the hub and shared across multiple spokes.

    Operational Management: As the number of subnets grows, maintaining routing and segmentation policies within a single VNet may become more complex compared to a centralized hub-and-spoke model.

    While a single-VNet design with firewall-enforced routing can achieve similar traffic inspection outcomes, it does not provide the same level of isolation, governance, and scalability that a hub-and-spoke architecture offers. The appropriate design choice depends on the organization's requirements, environment size, operational model, and long-term growth plans.

    For additional guidance, please refer to the following Microsoft documentation:

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please do not forget to 210246-screenshot-2021-12-10-121802.pngand “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.