Tutorial: Create a secured hub and spoke network
In this tutorial, you'll create a hub and spoke network topology using Azure Virtual Network Manager. You'll then deploy a virtual network gateway in the hub virtual network so that resources in the spoke virtual networks can reach remote networks over VPN through the hub. You'll also create a security admin configuration that denies outbound TCP traffic on ports 80 and 443 from the spoke virtual networks. Lastly, you'll verify that the configurations were applied correctly by inspecting the virtual network and virtual machine settings.
Important
Azure Virtual Network Manager is currently in public preview.
This preview version is provided without a service level agreement, and it’s not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
For more information, see Supplemental Terms of Use for Microsoft Azure Previews.
In this tutorial, you learn how to:
- Create multiple virtual networks.
- Deploy a virtual network gateway.
- Create a hub and spoke network topology.
- Create a security configuration blocking traffic on port 80 and 443.
- Verify configurations were applied.
Prerequisites
- An Azure account with an active subscription. Create an account for free.
- Before you can complete steps in this tutorial, you must first create an Azure Virtual Network Manager instance.
Create virtual networks
This procedure walks you through creating three virtual networks. One is in the West US region and the other two are in the East US region.

1. Sign in to the Azure portal.

2. Select + Create a resource and search for Virtual network. Then select Create to begin configuring the virtual network.

3. On the Basics tab, enter or select the following information:

   | Setting | Value |
   | --- | --- |
   | Subscription | Select the subscription you want to deploy this virtual network into. |
   | Resource group | Select or create a new resource group to store the virtual network. This tutorial uses a resource group named myAVNMResourceGroup. |
   | Name | Enter VNet-A-WestUS for the virtual network name. |
   | Region | Select the West US region. |

4. Select Next: IP Addresses and configure the following network address space:

   | Setting | Value |
   | --- | --- |
   | IPv4 address space | Enter 10.3.0.0/16 as the address space. |
   | Subnet name | Enter the name default for the subnet. |
   | Subnet address space | Enter the subnet address space of 10.3.0.0/24. |

5. Select Review + create and then select Create to deploy the virtual network.

6. Repeat steps 2-5 to create two more virtual networks in the same resource group with the following information:

   Second virtual network:
   - Name: VNet-A-EastUS
   - Region: East US
   - IPv4 address space: 10.4.0.0/16
   - Subnet name: default
   - Subnet address space: 10.4.0.0/24

   Third virtual network:
   - Name: VNet-B-EastUS
   - Region: East US
   - IPv4 address space: 10.5.0.0/16
   - Subnet name: default
   - Subnet address space: 10.5.0.0/24
Deploy a virtual network gateway
Deploy a virtual network gateway into the hub virtual network. This virtual network gateway is required for the Use hub as a gateway setting that the spokes rely on later in this tutorial.

1. Select + Create a resource and search for Virtual network gateway. Then select Create to begin configuring the virtual network gateway.

2. On the Basics tab, enter or select the following settings:

   | Setting | Value |
   | --- | --- |
   | Subscription | Select the subscription you want to deploy this virtual network gateway into. |
   | Name | Enter VNet-A-WestUS-GW for the virtual network gateway name. |
   | SKU | Select VpnGw1 for the SKU. |
   | Generation | Select Generation1 for the generation. |
   | Virtual network | Select VNet-A-WestUS for the VNet. |
   | Public IP address name | Enter the name VNet-A-WestUS-GW-IP for the public IP. |

3. Select Review + create and then select Create after validation has passed. The deployment of a virtual network gateway can take about 30 minutes. You can move on to the next section while waiting for this deployment to complete.
Create a dynamic network group
1. Go to your Azure Virtual Network Manager instance. This tutorial assumes you've created one using the quickstart guide.

2. Select Network groups under Settings, and then select + Create to create a new network group.

3. On the Create a network group screen, enter the following information:

   | Setting | Value |
   | --- | --- |
   | Name | Enter myNetworkGroupB for the network group name. |
   | Description | Provide a description about this network group. |

4. Select Create to create the network group.

5. From the Network groups page, select the network group you created above to configure it.

6. On the Overview page, select Create Azure Policy under Create policy to dynamically add members.

7. On the Create Azure Policy page, select or enter the following information:

   | Setting | Value |
   | --- | --- |
   | Policy name | Enter VNetAZPolicy in the text box. |
   | Scope | Select Select Scopes and choose your current subscription. |
   | Criteria: Parameter | Select Name from the drop-down. |
   | Criteria: Operator | Select Contains from the drop-down. |
   | Criteria: Condition | Enter -EastUS to dynamically add the two East US virtual networks into this network group. |

8. Select Save to deploy the group membership.

9. Under Settings, select Group Members to view the membership of the group based on the conditions defined in Azure Policy.
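The portal wizard above creates an Azure Policy definition behind the scenes. The definition below is an added example of what that policy looks like, written here for this tutorial rather than copied from the original page or from Microsoft's own policy output; the subscription ID and the network manager name are placeholders you must replace. It uses the `Microsoft.Network.Data` policy mode and the `addToNetworkGroup` effect, and the condition mirrors the wizard: any virtual network in scope whose name contains `-EastUS`.

```json
{
  "mode": "Microsoft.Network.Data",
  "displayName": "VNetAZPolicy",
  "description": "Add every virtual network whose name contains -EastUS to myNetworkGroupB",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/virtualNetworks"
        },
        {
          "field": "name",
          "contains": "-EastUS"
        }
      ]
    },
    "then": {
      "effect": "addToNetworkGroup",
      "details": {
        "networkGroupId": "/subscriptions/<subscription-id>/resourceGroups/myAVNMResourceGroup/providers/Microsoft.Network/networkManagers/<network-manager-name>/networkGroups/myNetworkGroupB"
      }
    }
  }
}
```

Note that membership is decided by a name match, not by who created the resource. Any virtual network later created in the assigned scope with `-EastUS` in its name automatically receives the hub peering and the security admin rules that this tutorial attaches to myNetworkGroupB, so treat the policy scope and the naming condition as part of your security boundary, and prefer a tighter condition (for example a resource group or tag) in a real environment.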
Create a hub and spoke connectivity configuration
1. Select Configuration under Settings, then select + Add a configuration. Select Connectivity from the drop-down menu.

2. On the Basics tab, enter and select the following information for the connectivity configuration:

   | Setting | Value |
   | --- | --- |
   | Name | Enter HubA for the name of the configuration. |
   | Description | Provide a description about what this connectivity configuration will do. |

3. Select Next: Topology >. Select Hub and Spoke under the Topology setting. This reveals other settings.

4. Select Select a hub under the Hub setting. Then, select VNet-A-WestUS to serve as your network hub and select Select.

5. Under Spoke network groups, select + add. Then, select myNetworkGroupB for the network group and select Select.

6. After you've added the network group, select the following options. Then select Add to create the connectivity configuration.

   | Setting | Value |
   | --- | --- |
   | Direct Connectivity | Select the checkbox for Enable connectivity within network group. This setting allows spoke virtual networks in the network group that are in the same region to communicate with each other directly. |
   | Hub as gateway | Select the checkbox for Use hub as a gateway. |
   | Global Mesh | Leave the Enable mesh connectivity across regions option unchecked. This setting isn't required because both spokes are in the same region. |

7. Select Next: Review + create > and then create the connectivity configuration.
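The same connectivity configuration expressed as an ARM template resource, added here as an illustration (it is not taken from the original page or from a Microsoft template). The `apiVersion`, the subscription ID and the network manager name are assumptions to adjust for your environment. The three checkboxes from the table map onto the `appliesToGroups` entry: `groupConnectivity: DirectlyConnected` is "Enable connectivity within network group", `useHubGateway` is "Use hub as a gateway", and `isGlobal: False` is the unchecked "Enable mesh connectivity across regions".

```json
{
  "type": "Microsoft.Network/networkManagers/connectivityConfigurations",
  "apiVersion": "2022-07-01",
  "name": "<network-manager-name>/HubA",
  "properties": {
    "description": "Hub and spoke: VNet-A-WestUS is the hub, myNetworkGroupB holds the East US spokes",
    "connectivityTopology": "HubAndSpoke",
    "hubs": [
      {
        "resourceId": "/subscriptions/<subscription-id>/resourceGroups/myAVNMResourceGroup/providers/Microsoft.Network/virtualNetworks/VNet-A-WestUS",
        "resourceType": "Microsoft.Network/virtualNetworks"
      }
    ],
    "appliesToGroups": [
      {
        "networkGroupId": "/subscriptions/<subscription-id>/resourceGroups/myAVNMResourceGroup/providers/Microsoft.Network/networkManagers/<network-manager-name>/networkGroups/myNetworkGroupB",
        "groupConnectivity": "DirectlyConnected",
        "useHubGateway": "True",
        "isGlobal": "False"
      }
    ],
    "deleteExistingPeering": "False"
  }
}
```

`deleteExistingPeering` is left at `False` so that any peerings you created by hand on the spokes survive the deployment; set it to `True` only when you intend Virtual Network Manager to own all peerings on the member virtual networks.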
Deploy the connectivity configuration
Make sure the virtual network gateway has been successfully deployed before deploying the connectivity configuration. If you deploy a hub and spoke configuration with Use hub as a gateway enabled and there's no gateway in the hub, the deployment fails. For more information, see use hub as a gateway.

1. Select Deployments under Settings, then select Deploy configuration.

2. Select Include connectivity configurations in your goal state and HubA as the Connectivity configurations setting. Then select West US and East US as the target regions and select Next.

3. Select Deploy. You should now see the deployment show up in the list for those regions. The deployment of the configuration can take several minutes to complete.
Create security configuration
1. Select Configuration under Settings again, then select + Create, and select SecurityAdmin from the menu to begin creating a security admin configuration.

2. Enter the name mySecurityConfig for the configuration, then select Next: Rule collections.

3. Enter the name myRuleCollection for the rule collection and select myNetworkGroupB for the target network group. Then select + Add.

4. Enter and select the following settings, then select Add:

   | Setting | Value |
   | --- | --- |
   | Name | Enter DENY_INTERNET |
   | Description | Enter This rule blocks traffic to the internet on HTTP and HTTPS |
   | Priority | Enter 1 |
   | Action | Select Deny |
   | Direction | Select Outbound |
   | Protocol | Select TCP |
   | Destination port | Enter 80, 443 |

5. Select Add to add the rule collection to the configuration.

6. Select Review + create and Create to create the security admin configuration.
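The security admin configuration, rule collection and rule from the steps above, expressed as an ARM template that you could deploy into the network manager's resource group. This is an added example for this tutorial, not code from the original page or from Microsoft; the `apiVersion` is an assumption, and the network manager name and network group ID are template parameters you supply. One deliberate difference from the portal table: the rule's destination is the `Internet` service tag rather than any address, so the rule blocks only what its name says (HTTP and HTTPS to the internet) and leaves TCP 80/443 between the spokes, to the hub, and over the VPN untouched. Leaving the destination at "*", as the portal does by default, also blocks 80/443 to the hub and to Azure services reached by public IP.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "networkManagerName": { "type": "string" },
    "networkGroupId": {
      "type": "string",
      "metadata": { "description": "Resource ID of myNetworkGroupB" }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Network/networkManagers/securityAdminConfigurations",
      "apiVersion": "2022-07-01",
      "name": "[format('{0}/mySecurityConfig', parameters('networkManagerName'))]",
      "properties": {
        "description": "Deny outbound HTTP and HTTPS to the internet from the East US spokes"
      }
    },
    {
      "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections",
      "apiVersion": "2022-07-01",
      "name": "[format('{0}/mySecurityConfig/myRuleCollection', parameters('networkManagerName'))]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', parameters('networkManagerName'), 'mySecurityConfig')]"
      ],
      "properties": {
        "appliesToGroups": [
          { "networkGroupId": "[parameters('networkGroupId')]" }
        ]
      }
    },
    {
      "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules",
      "apiVersion": "2022-07-01",
      "name": "[format('{0}/mySecurityConfig/myRuleCollection/DENY_INTERNET', parameters('networkManagerName'))]",
      "kind": "Custom",
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', parameters('networkManagerName'), 'mySecurityConfig', 'myRuleCollection')]"
      ],
      "properties": {
        "description": "This rule blocks traffic to the internet on HTTP and HTTPS",
        "priority": 1,
        "access": "Deny",
        "direction": "Outbound",
        "protocol": "Tcp",
        "sources": [
          { "addressPrefixType": "IPPrefix", "addressPrefix": "*" }
        ],
        "sourcePortRanges": [ "0-65535" ],
        "destinations": [
          { "addressPrefixType": "ServiceTag", "addressPrefix": "Internet" }
        ],
        "destinationPortRanges": [ "80", "443" ]
      }
    }
  ]
}
```

Security admin rules are evaluated before the network security groups on the member virtual networks, and a Deny cannot be overridden by an NSG Allow, which is what makes this configuration a guardrail rather than a default. Check that the spokes' own workloads (for example Windows Update or monitoring agents that reach Azure endpoints over 443) are not caught by the rule before you deploy it to production subscriptions.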
Deploy the security admin configuration
1. Select Deployments under Settings, then select Deploy configuration.

2. Under Configurations, select Include security admin in your goal state and the mySecurityConfig configuration you created in the last section. Then select West US and East US as the target regions and select Next.

3. Select Deploy. You should now see the deployment show up in the list for the selected regions. The deployment of the configuration can take about 15-20 minutes to complete.
Verify deployment of configurations
Verify from a virtual network
1. Go to the VNet-A-EastUS virtual network and select Network Manager under Settings. You'll see the HubA connectivity configuration applied.

2. Select Peerings under Settings. You'll see the virtual network peerings created by Virtual Network Manager, with AVNM in their names.

3. Select the SecurityAdmin tab to see the security admin rules applied to this virtual network.

Verify from a VM

1. Deploy a test Windows VM into VNet-A-EastUS.

2. Go to the test VM created in VNet-A-EastUS and select Networking under Settings. Select Outbound port rules and you'll see the security admin rule applied. An outbound TCP connection from the VM to port 80 or 443 should now be denied, while traffic on other ports is unaffected by this rule.

3. Select the network interface name.

4. Then select Effective routes under Help to see the routes created for the virtual network peerings. The 10.3.0.0/16 route with the next hop type VNetGlobalPeering is the route to the hub virtual network (a global peering, because the hub is in West US and the spoke in East US). The 10.5.0.0/16 route with the next hop type ConnectedGroup is the route to the other spoke virtual network. All spoke virtual networks in the network group are placed in a connected group when Enable connectivity within network group is selected.
Clean up resources
If you no longer need the Azure Virtual Network Manager instance, you'll need to make sure all of the following are true before you can delete the resource:
- There are no deployments of configurations to any region.
- All configurations have been deleted.
- All network groups have been deleted.
Use the remove components checklist to make sure no child resources are still available before deleting the resource group.
Next steps
Learn how to block network traffic with a Security admin configuration.