Tutorial: Create a secured hub and spoke network

Tutorial: Create a secured hub and spoke network

In this article

In this tutorial, you’ll create a hub and spoke network topology using Azure Virtual Network Manager. You’ll then deploy a virtual network gateway in the hub virtual network to allow resources in the spoke virtual networks to communicate with remote networks using VPN. You’ll also configure a security configuration to block outbound network traffic to the internet on ports 80 and 443. Lastly, you’ll verify that configurations were applied correctly by looking at the virtual network and virtual machine settings.

Important

Azure Virtual Network Manager is currently in public preview.
This preview version is provided without a service level agreement, and it’s not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

In this tutorial, you learn how to:

  • Create multiple virtual networks.
  • Deploy a virtual network gateway.
  • Create a hub and spoke network topology.
  • Create a security configuration blocking traffic on port 80 and 443.
  • Verify configurations were applied.

Prerequisite

  • An Azure account with an active subscription. Create an account for free.
  • Before you can complete steps in this tutorial, you must first create an Azure Virtual Network Manager instance.

Create virtual networks

This procedure walks you through creating three virtual networks. One will be in the West US region and the other two will be in the East US region.

  1. Sign in to the Azure portal.

  2. Select + Create a resource and search for Virtual network. Then select Create to begin configuring the virtual network.

  3. On the Basics tab, enter or select the following information:

    Screenshot of basics tab for hub and spoke virtual network.

    Setting
    Value

    Subscription
    Select the subscription you want to deploy this virtual network into.

    Resource group
    Select or create a new resource group to store the virtual network. This quickstart will use a resource group named myAVNMResourceGroup.

    Name
    Enter VNet-A-WestUS for the virtual network name.

    Region
    Select the West US region.

  4. Select Next: IP Addresses and configure the following network address space:

    Screenshot of IP addresses tab for hub and spoke virtual network.

    Setting
    Value

    IPv4 address space
    Enter 10.3.0.0/16 as the address space.

    Subnet name
    Enter the name default for the subnet.

    Subnet address space
    Enter the subnet address space of 10.3.0.0/24.

  5. Select Review + create and then select Create to deploy the virtual network.

  6. Repeat steps 2-5 to create two more virtual networks into the same resource group with the following information:

    Second virtual network:

    • Name: VNet-A-EastUS
    • Region: East US
    • IPv4 address space: 10.4.0.0/16
    • Subnet name: default
    • Subnet address space: 10.4.0.0/24

    Third virtual network:

    • Name: VNet-B-EastUS
    • Region: East US
    • IPv4 address space: 10.5.0.0/16
    • Subnet name: default
    • Subnet address space: 10.5.0.0/24

Deploy a virtual network gateway

Deploy a virtual network gateway into the hub virtual network. This virtual network gateway is necessary for the spokes to Use hub as a gateway setting.

  1. Select + Create a resource and search for Virtual network gateway. Then select Create to begin configuring the virtual network gateway.

  2. On the Basics tab, enter or select the following settings:

    Screenshot of create the virtual network gateway basics tab.

    Setting
    Value

    Subscription
    Select the subscription you want to deploy this virtual network into.

    Name
    Enter VNet-A-WestUS-GW for the virtual network gateway name.

    SKU
    Select VpnGW1 for the SKU.

    Generation
    Select Generation1 for the generation.

    Virtual network
    Select the VNet-A-WestUS for the VNet.

    Public IP address name
    Enter the name VNet-A-WestUS-GW-IP for the public IP.

  3. Select Review + create and then select Create after validation has passed. The deployment of a virtual network gateway can take about 30 minutes. You can move on to the next section while waiting for this deployment to complete.

Create a dynamic network group

  1. Go to your Azure Virtual Network Manager instance. This tutorial assumes you’ve created one using the quickstart guide.

  2. Select Network groups under Settings, and then select + Create to create a new network group.

    Screenshot of add a network group button.

  3. On the Create a network group screen, enter the following information:

    Screenshot of the Basics tab on Create a network group page.

    Setting
    Value

    Name
    Enter myNetworkGroupB for the network group name.

    Description
    Provide a description about this network group.

  4. Select Create to create the virtual network group.

  5. From the Network groups page, select the created network group from above to configure the network group.

    Screenshot of the network groups page.

  6. On the Overview page, select Create Azure Policy under Create policy to dynamically add members.

    Screenshot of the defined dynamic membership button.

  7. On the Create Azure Policy page, select or enter the following information:

    Screenshot of create a network group conditional statements tab.

    Setting
    Value

    Policy name
    Enter VNetAZPolicy in the text box.

    Scope
    Select Select Scopes and choose your current subscription.

    Criteria

    Parameter
    Select Name from the drop-down.

    Operator
    Select Contains from the drop-down.

    Condition
    Enter -EastUS to dynamically add the two East US virtual networks into this network group.

  8. Select Save to deploy the group membership.

  9. Under Settings, select Group Members to view the membership of the group based on the conditions defined in Azure Policy.

    Screenshot of dynamic group membership under Group Membership.

Create a hub and spoke connectivity configuration

  1. Select Configuration under Settings, then select + Add a configuration. Select Connectivity from the drop-down menu.

    Screenshot of configuration drop-down menu.

  2. On the Basics tab, enter and select the following information for the connectivity configuration:

    Screenshot of add a connectivity configuration page.

    Setting
    Value

    Name
    Enter HubA for the name of the configuration

    Description
    Provide a description about what this connectivity configuration will do.

  3. Select Next: Topology >. Select Hub and Spoke under the Topology setting. This will reveal other settings.

    Screenshot of selecting a hub for the connectivity configuration.

  4. Select Select a hub under Hub setting. Then, select VNet-A-WestUS to serve as your network hub and select Select.

    Screenshot of Select a hub configuration.

  5. Under Spoke network groups, select + add. Then, select myNetworkGroupB for the network group and select Select.

    Screenshot of Add network groups page.

  6. After you’ve added the network group, select the following options. Then select add to create the connectivity configuration.

    Screenshot of settings for network group configuration.

    Setting
    Value

    Direct Connectivity
    Select the checkbox for Enable connectivity within network group. This setting will allow spoke virtual networks in the network group in the same region to communicate with each other directly.

    Hub as gateway
    Select the checkbox for Use hub as a gateway.

    Global Mesh
    Leave Enable mesh connectivity across regions option unchecked. This setting isn’t required as both spokes are in the same region

  7. Select Next: Review + create > and then create the connectivity configuration.

Deploy the connectivity configuration

Make sure the virtual network gateway has been successfully deployed before deploying the connectivity configuration. If you deploy a hub and spoke configuration with Use the hub as a gateway enabled and there’s no gateway, the deployment will fail. For more information, see use hub as a gateway.

  1. Select Deployments under Settings, then select Deploy configuration.

    Screenshot of deployments page in Network Manager.

  2. Select Include connectivity configurations in your goal state and HubA as the Connectivity configurations setting. Then select West US and East US as the target regions and select Next.

    Screenshot of deploy a configuration page.

  3. Select Deploy. You should now see the deployment show up in the list for those regions. The deployment of the configuration can take several minutes to complete.

    Screenshot of deployment in progress in deployment list.

Create security configuration

  1. Select Configuration under Settings again, then select + Create, and select SecurityAdmin from the menu to begin creating a SecurityAdmin configuration.

  2. Enter the name mySecurityConfig for the configuration, then select Next: Rule collections.

    Screenshot of Security Admin configuration page.

  3. Enter the name myRuleCollection for the rule collection and select myNetworkGroupB for the target network group. Then select + Add.

    Screenshot of add a rule collection page.

  4. Enter and select the following settings, then select Add:

    Screenshot of add a rule page and rule settings.

    Setting
    Value

    Name
    Enter DENY_INTERNET

    Description
    Enter This rule blocks traffic to the internet on HTTP and HTTPS

    Priority
    Enter 1

    Action
    Select Deny

    Direction
    Select Outbound

    Protocol
    Select TCP

    Destination port
    Enter 80, 443

  5. Select Add to add the rule collection to the configuration.

    Screenshot of save button for a rule collection.

  6. Select Review + create and Create to create the security admin configuration.

Deploy the security admin configuration

  1. Select Deployments under Settings, then select Deploy configurations.

  2. Under Configurations, Select Include security admin in your goal state and the mySecurityConfig configuration you created in the last section. Then select West US and East US as the target regions and select Next.

    Screenshot of deploying a security configuration.

  3. Select Next and then Deploy. You should now see the deployment show up in the list for the selected region. The deployment of the configuration can take about 15-20 minutes to complete.

Verify deployment of configurations

Verify from a virtual network

  1. Go to VNet-A-EastUS virtual network and select Network Manager under Settings. You’ll see the HubA connectivity configuration applied.

    Screenshot of connectivity configuration applied to the virtual network.

  2. Select Peerings under Settings. You’ll see virtual network peerings created by Virtual Network Manager with AVNM in the name.

    Screenshot of virtual network peerings created by Virtual Network Manager.

  3. Select the SecurityAdmin tab to see the security admin rules applied to this virtual network.

    Screenshot of security admin rules applied to the virtual network.

Verify from a VM

  1. Deploy a test Windows VM into VNet-A-EastUS.

  2. Go to the test VM created in VNet-A-EastUS and select Networking under Settings. Select Outbound port rules and you’ll see the security admin rule applied.

    Screenshot of test VM's network security rules.

  3. Select the network interface name.

    Screenshot of test VM's network settings.

  4. Then select Effective routes under Help to see the routes for the virtual network peerings. The 10.3.0.0/16 route with the next hop of VNetGlobalPeering is the route to the hub virtual network. The 10.5.0.0/16 route with the next hop of ConnectedGroup is route to the other spoke virtual network. All spokes virtual network will be in a ConnectedGroup when Transitivity is enabled.

    Screenshot of effective routes from test VM network interface.

Clean up resources

If you no longer need the Azure Virtual Network Manager, you’ll need to make sure all of following is true before you can delete the resource:

  • There are no deployments of configurations to any region.
  • All configurations have been deleted.
  • All network groups have been deleted.

Use the remove components checklist to make sure no child resources are still available before deleting the resource group.

Next steps

Learn how to block network traffic with a Security admin configuration.