Create a hub and spoke topology with Azure Virtual Network Manager (Preview)
In this article, you’ll learn how to create a hub and spoke network topology with Azure Virtual Network Manager. With this configuration, you select a virtual network to act as a hub, and all spoke virtual networks will have bi-directional peering with only the hub by default. You can also enable direct connectivity between spoke virtual networks and enable the spoke virtual networks to use the virtual network gateway in the hub.
Important
Azure Virtual Network Manager is currently in public preview.
This preview version is provided without a service level agreement, and it’s not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
For more information, see Supplemental Terms of Use for Microsoft Azure Previews.
Prerequisites
- Read about Hub-and-spoke network topology.
- Create an Azure Virtual Network Manager instance.
- Identify virtual networks you want to use in the hub-and-spokes configuration or create new virtual networks.
Create a network group
This section will help you create a network group containing the virtual networks you’ll be using for the hub-and-spoke network topology.
- Go to your Azure Virtual Network Manager instance. This how-to guide assumes you’ve created one using the quickstart guide.
- Select Network Groups under Settings, then select + Create.
- On the Create a network group page, enter a Name for the network group. This example will use the name myNetworkGroup. Select Add to create the network group.
- You’ll see the new network group added to the Network Groups page.
- Once your network group is created, you’ll add virtual networks as members. Choose one of the options: Manually add membership or Create policy to dynamically add members.
Define network group members
Azure Virtual Network Manager gives you two methods for adding members to a network group. You can manually add virtual networks or use Azure Policy to dynamically add virtual networks based on conditions. Choose the option below for your mesh membership configuration:
Manually adding members
To manually add the desired virtual networks for your Mesh configuration to your Network Group, follow the steps below:
- From the list of network groups, select your network group and select Add virtual networks under Manually add members on the network group page.
- On the Manually add members page, select all the virtual networks and select Add.
- To review the network group membership manually added, select Group Members on the Network Group page under Settings.
Dynamic membership with Azure Policy
To dynamically add members using Azure Policy, follow the steps below:
- From the list of network groups, select your network group and select Create Azure Policy under Create policy to dynamically add members.
- On the Create Azure Policy page, create a conditional statement to populate your network group. You can choose different conditional parameters including Name and Tags.
- To review the network group membership based on the conditions defined in Azure Policy, select Group Members on the Network Group page under Settings.
Create a hub and spoke connectivity configuration
This section will guide you through how to create a hub-and-spoke configuration with the network group you created in the previous section.
- Select Configuration under Settings, then select + Add a configuration.
- Select Connectivity configuration from the drop-down menu to begin creating a connectivity configuration.
- On the Add a connectivity configuration page, enter or select the following information:

  | Setting | Value |
  | --- | --- |
  | Name | Enter a name for this configuration. |
  | Description | Optional. Enter a description about what this configuration will do. |
  | Topology | Select the Hub and spoke topology. |
  | Hub | Select a virtual network that will act as the hub virtual network. |
  | Existing peerings | Select this checkbox if you want to remove all previously created VNet peering between virtual networks in the network group defined in this configuration. |

- Then select + Add network groups.
- On the Add network groups page, select the network groups you want to add to this configuration. Then select Add to save.
- You’ll see the following three options appear next to the network group name under Spoke network groups:
  - Direct connectivity: Select Enable peering within network group if you want to establish VNet peering between virtual networks in the network group of the same region.
  - Global Mesh: Select Enable mesh connectivity across regions if you want to establish VNet peering for all virtual networks in the network group across regions.
  - Gateway: Select Use hub as a gateway if you have a virtual network gateway in the hub virtual network that you want this network group to use to pass traffic to on-premises.

  Select the settings you want to enable for each network group.
- Finally, select Add to create the hub-and-spoke connectivity configuration.
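The spoke network group options above decide which virtual networks end up peered with each other. The following is an added example, not part of the original article or of any Azure SDK: a small Python model of those options that lists the spoke-to-spoke peerings a configuration would create, so you can compare them with your intended segmentation before deploying. The VNet names and regions are constructed, and the peering rules are an assumption taken from the option descriptions above.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class VNet:
    name: str
    region: str

@dataclass
class SpokeGroup:
    name: str
    members: tuple
    direct_connectivity: bool = False   # "Enable peering within network group"
    global_mesh: bool = False           # "Enable mesh connectivity across regions"
    use_hub_gateway: bool = False       # "Use hub as a gateway"

def effective_peerings(hub, groups):
    """Model (assumption) of the peerings a hub-and-spoke configuration creates."""
    pairs = set()
    for g in groups:
        spokes = [v for v in g.members if v != hub]
        # Default behaviour: every spoke peers with the hub only.
        pairs.update(frozenset((hub.name, s.name)) for s in spokes)
        for a, b in combinations(spokes, 2):
            # Direct connectivity is limited to one region; global mesh is not.
            if g.global_mesh or (g.direct_connectivity and a.region == b.region):
                pairs.add(frozenset((a.name, b.name)))
    return pairs

def spoke_to_spoke(hub, groups):
    """Peerings that do not include the hub, sorted for stable review output."""
    return sorted(tuple(sorted(p)) for p in effective_peerings(hub, groups)
                  if hub.name not in p)

def gateway_groups(groups):
    """Names of groups whose spokes would use the hub's virtual network gateway."""
    return [g.name for g in groups if g.use_hub_gateway]

# Constructed sample inventory; VNet names and regions are made up.
HUB = VNet("hub-vnet", "eastus")
SPOKES = (VNet("spoke-a", "eastus"), VNet("spoke-b", "eastus"), VNet("spoke-c", "westus"))

if __name__ == "__main__":
    for label, opts in [("default", {}),
                        ("direct connectivity", {"direct_connectivity": True}),
                        ("global mesh", {"global_mesh": True, "use_hub_gateway": True})]:
        group = SpokeGroup("myNetworkGroup", SPOKES, **opts)
        print(f"{label}: spoke-to-spoke={spoke_to_spoke(HUB, [group])} "
              f"gateway={gateway_groups([group])}")
```

An empty spoke-to-spoke list means the spokes are peered only with the hub, which is the default described at the top of this article.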
Deploy the hub and spoke configuration
To have this configuration take effect in your environment, you’ll need to deploy the configuration to the regions where your selected virtual networks are created.
- Select Deployments under Settings, then select Deploy a configuration.
- On the Deploy a configuration page, select the following settings:

  | Setting | Value |
  | --- | --- |
  | Configuration type | Select Connectivity. |
  | Configurations | Select the name of the configuration you created in the previous section. |
  | Target regions | Select all the regions that apply to virtual networks you select for the configuration. |

- Select Deploy and then select OK to commit the configuration to the selected regions.
- The deployment of the configuration can take up to 15-20 minutes. Select the Refresh button to check on the status of the deployment.
Confirm deployment
- See view applied configuration.
- To test direct connectivity between spokes, deploy a virtual machine into each spoke virtual network. Then initiate an ICMP request from one virtual machine to the other.
Next steps
- Learn about Security admin rules
- Learn how to block network traffic with a SecurityAdmin configuration.