Create a hub-and-spoke topology in Azure - Portal

In this article, you learn how to create a hub-and-spoke topology with Azure Virtual Network Manager. With this configuration, you select a virtual network to act as a hub, and all spoke virtual networks have bi-directional peering with only the hub by default. You can also enable direct connectivity between spoke virtual networks in the same spoke network group and enable the spoke virtual networks to use the gateway in the hub virtual network.

Prerequisites

Create a network group

This section helps you create a network group containing the virtual networks you're using as the spokes for the hub-and-spoke topology.

Note

This how-to guide assumes you created an Azure Virtual Network Manager instance using the quickstart guide.

  1. Browse to your resource group, and select your Virtual Network Manager resource.

  2. Under Settings, select Network groups. Then select + Create.

  3. On the Create a network group pane, enter or select the following information, and then select Create:

    | Setting | Value |
    | --- | --- |
    | Name | Enter a name for your network group. |
    | Description | (Optional) Provide a description of this network group. |
    | Member type | Select Virtual network from the dropdown menu. |

  4. Confirm that the new network group is now listed on the Network groups pane.

Define network group members

Azure Virtual Network Manager provides you with two methods for adding membership to a network group. You can manually add virtual networks or use Azure Policy to conditionally add virtual networks to the network group. This how-to manually adds membership. For information on defining group membership with Azure Policy, see Define network group membership with Azure Policy.

Manually adding virtual networks

To manually add the desired virtual networks to your network group for use in your connectivity configuration, follow these steps:

  1. From the list of network groups, select your network group and select Add virtual networks under Manually add members on the network group page.

  2. On the Manually add members pane, select all desired virtual networks and select Add.

  3. To review the network group membership that you manually added, select Group Members on the Network Group page under Settings.

Create a hub-and-spoke connectivity configuration

This section guides you through creating a hub-and-spoke configuration with the network group you created in the previous section.

  1. Select Configurations under Settings, then select + Create.

  2. Select Connectivity configuration from the drop-down menu to begin creating a connectivity configuration.

  3. On the Basics page, enter the following information, and select Next: Topology >.

    | Setting | Value |
    | --- | --- |
    | Name | Enter a name for this configuration. |
    | Description | (Optional) Enter a description about what this configuration does. |

  4. On the Topology tab, select the Hub and spoke topology under Topology.

  5. Select the Delete existing peerings checkbox if you want to remove all previously created virtual network peerings between virtual networks in the network groups included in this configuration. Then select Select a hub.

  6. On the Select a hub pane, select the virtual network intended as the hub virtual network and select Select.

  7. Select + Add network groups.

  8. On the Add network groups page, select the network groups you want to add to this configuration as spokes. Then select Add to save.

  9. Select the settings you want to enable for each spoke network group. The following three options appear next to each network group name under Spoke network groups:

    • Direct connectivity: Select Enable peering within network group if you want to establish connectivity between virtual networks in the network group. By default, this connectivity will only be established between virtual networks in this network group that belong to the same region.
    • Global Mesh: This option is only selectable if direct connectivity is enabled. Select Enable mesh connectivity across regions if you want to establish connectivity across regions for all virtual networks in this network group.
    • Gateway: Select Use hub as a gateway if you have a virtual network gateway in the hub virtual network that you want the virtual networks of this spoke network group to use to pass traffic to on-premises.
  10. Select Review + Create > Create to create the hub-and-spoke connectivity configuration.

Deploy the hub-and-spoke configuration

To have this configuration take effect in your environment, you need to deploy the configuration to the regions in which your selected virtual networks reside.

  1. Select Deployments under Settings, then select Deploy a configuration.

  2. On the Deploy a configuration page, select the following settings:

    | Setting | Value |
    | --- | --- |
    | Configurations | Select Include connectivity configurations in your goal state. |
    | Connectivity configurations | Select the name of the configuration you created in the previous section. |
    | Target regions | Select all the regions that apply to virtual networks you select for the configuration. You might choose to select a subset of regions at a time if you want to gradually roll out this configuration. |

  3. Select Next and then select Deploy to complete the deployment.

  4. The deployment displays in the list for the selected region. The deployment of the configuration can take a few minutes to complete. Select the Refresh button to check on the status of the deployment.

Note

If you're currently using virtual network peerings created outside of Azure Virtual Network Manager and want to manage your topology and connectivity with Azure Virtual Network Manager, you have a few options for deployment to eliminate or minimize downtime to your network:

  1. Deploy Azure Virtual Network Manager connectivity configurations on top of existing peerings. Connectivity configurations are fully compatible with preexisting manual peerings. When you deploy a connectivity configuration, by default Azure Virtual Network Manager reuses existing peerings that achieve the connectivity described in the configuration and establishes additional connectivity as needed. This means that you aren't required to delete any existing peerings between the hub and spoke virtual networks.
  2. Fully manage connectivity with Azure Virtual Network Manager. If you want to fully manage connectivity from a single control plane, you can opt to Delete existing peerings to remove all previously created peerings from the network groups' virtual networks targeted in this configuration upon deployment.

Confirm configuration deployment

  1. To confirm that the configuration was applied, see View applied configurations.

  2. To test direct connectivity between spoke virtual networks, deploy a virtual machine into each spoke virtual network. Then initiate an ICMP request from one virtual machine to the other.
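The connectivity test in step 2 can be turned into a segmentation check. The following is an added example, not code from Azure or from this article: it derives the virtual network pairs that the hub-and-spoke settings described earlier should connect (hub only by default, same-region pairs with direct connectivity, all pairs with global mesh) and compares them with the pairs your tests found directly reachable. The function names, virtual network names, regions, and observed results are constructed sample data.

```python
from itertools import combinations

def expected_pairs(hub, groups):
    """Return the VNet pairs the connectivity configuration should connect.

    groups: list of dicts with keys
      vnets: {vnet_name: region}, direct: bool, global_mesh: bool
    """
    pairs = set()
    for g in groups:
        for name in g["vnets"]:
            pairs.add(frozenset((hub, name)))      # every spoke connects to the hub
        if not g["direct"]:
            continue                               # default: hub-only connectivity
        for a, b in combinations(sorted(g["vnets"]), 2):
            same_region = g["vnets"][a] == g["vnets"][b]
            # Global mesh only applies when direct connectivity is enabled.
            if same_region or g["global_mesh"]:
                pairs.add(frozenset((a, b)))
    return pairs

def audit(hub, groups, observed):
    """Compare observed direct reachability (for example, ICMP results) with intent."""
    want = expected_pairs(hub, groups)
    seen = {frozenset(p) for p in observed}
    return {
        "unexpected": sorted(tuple(sorted(p)) for p in seen - want),
        "missing": sorted(tuple(sorted(p)) for p in want - seen),
    }

# Constructed sample data: two spoke network groups and test results.
HUB = "vnet-hub"
GROUPS = [
    {"vnets": {"spoke-a1": "eastus", "spoke-a2": "eastus", "spoke-a3": "westus"},
     "direct": True, "global_mesh": False},
    {"vnets": {"spoke-b1": "eastus", "spoke-b2": "eastus"},
     "direct": False, "global_mesh": False},
]
OBSERVED = [
    ("vnet-hub", "spoke-a1"), ("vnet-hub", "spoke-a2"), ("vnet-hub", "spoke-a3"),
    ("vnet-hub", "spoke-b1"),
    ("spoke-a1", "spoke-a2"),
    ("spoke-b1", "spoke-b2"),  # spoke-to-spoke path the configuration does not describe
]

if __name__ == "__main__":
    print(audit(HUB, GROUPS, OBSERVED))
```

An entry under "unexpected" is a path between spokes that the configuration doesn't describe and is worth tracing to its source. An entry under "missing" points to a deployment that hasn't reached that virtual network's region yet.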

Use a Virtual WAN hub as the hub

Important

Using an Azure Virtual WAN hub in Azure Virtual Network Manager hub-and-spoke connectivity configurations is currently in preview. While in preview, functionality, availability, and other aspects of this feature might change in response to feedback.

This preview version is provided without a service level agreement, and isn't recommended for production workloads. Certain features might not be supported or can have constrained capabilities. It is only available in the following Azure regions:

  • West Central US
  • Australia Central
  • Australia Southeast
  • Brazil South
  • Canada Central
  • North Europe
  • France South
  • Germany Northeast
  • Germany West Central
  • Central India
  • West India
  • Japan East
  • Korea Central
  • Malaysia South
  • Malaysia West
  • Mexico Central
  • Norway West
  • Qatar Central
  • South Africa North
  • Sweden Central
  • Switzerland West
  • Taiwan North
  • UAE Central
  • East US
  • West US
  • West US 2

For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

This section shows how to create an Azure Virtual Network Manager hub-and-spoke connectivity configuration where the hub is a Virtual WAN hub.

Prerequisites

  • Read about Hub-and-spoke topology behavior with hub virtual networks and Virtual WAN hubs.
  • Have an existing Azure Virtual Network Manager instance and at least one network group.
  • Have an existing Virtual WAN and virtual hub.
  • Have permission to create or update connectivity configurations in Azure Virtual Network Manager and create or select connection policies in Virtual WAN.

Create the connectivity configuration

  1. In the Azure portal, go to your Network manager instance.

  2. Select Configurations under Settings, then select + Create.

  3. Select Connectivity configuration.

  4. On the Basics tab, enter a name and optional description, then select Next: Topology >.

Select the Virtual WAN hub and connection policy

  1. On the Topology tab, select Hub and spoke, then select Select a hub.

  2. In the Select a hub pane, select your Virtual WAN hub, then select Select.

  3. Select Select connection policy.

  4. Select an existing connection policy, or select Create new to create a policy that is applied to Virtual WAN virtual network connections created or updated by this connectivity configuration.

  5. A connection policy defines routing behavior for the virtual network connections, including route table association and propagation, route maps, and internet security behavior. For more information, see Connection policy.

Add spoke network groups

  1. Select + Add network groups.

  2. On the Add network groups page, select one or more network groups to use as spokes, then select Add.

When this connectivity configuration is deployed:

  • For virtual networks that aren't already connected to the selected Virtual WAN hub, Azure Virtual Network Manager creates Virtual WAN virtual network connections and applies the selected connection policy.
  • For virtual networks that are already connected to the selected Virtual WAN hub, Azure Virtual Network Manager updates the existing connections to apply the selected connection policy.

Create, deploy, and validate

  1. Select Review + Create > Create to create the connectivity configuration.

  2. Open Deployments under Settings, then select Deploy a configuration.

  3. On the deployment page, select Include connectivity configurations in your goal state, select your new connectivity configuration, select the target regions, and then select Deploy.

  4. In your Virtual WAN resource, go to Virtual network connections and verify that the expected spoke virtual network connections are in a connected state.

  5. In the virtual hub, review effective routes to confirm route behavior reflects the selected connection policy.
