top of page
Writer's pictureBrett Borschel

Can a hub-spoke cloud architecture help increase security and reduce costs?

Updated: Dec 31, 2021


If your company is like most, your cloud probably looks like the picture above. This is to be expected unless you have mature change control procedures that are rigorously enforced to maintain a standardized network architecture.

The main problems with the full or partial cloud architecture are:

  1. Security rules are hard to maintain - The default NSG rule being "allow any peered virtual networks" will mean almost no restrictions without adding additional restriction.

  2. Application sprawl - Developers write code for widgets that rely on other resources, which call other databases... Who knows what the applications are actually doing when it comes time to push to the application to production? What if you are asked to move the entire workload to another cloud or back to on-prem?

  3. Duplicate resource costs - There can be a tendency to pay for multiple app gateways, firewalls, AD servers, and databases per each virtual network when a single resource leveraged to multiple upstream networks will work.


Alternatively, using the "hub-spoke" model shared resources in the hub can be leveraged to support multiple spoke network resources saving costs, increasing security and scalability.

Services that are used for multiple spoke resources should be built in the hub and protected by NSG rules. Resources like Domain Controllers, Express Route Gateways, App Gateways, Azure Firewalls, NAT Gateways, third party NVAs, and Bastion segments should all be located in the hub network to best economize Azure service costs.


The hub-spoke model also allows for securely connecting multiple spoke networks to a shared services spoke by routing the traffic through an Azure firewall in the hub.

In this example, multiple development environments are given access to a shared database subscription by using user defined routes to point network traffic to the hub Azure firewall and allowed by a firewall policy rule to connect through the security appliance.


To learn more about securing hub-spoke virtual networks see this document: https://docs.microsoft.com/en-us/azure/firewall-manager/secure-hybrid-network


1,756 views1 comment

Recent Posts

See All

1 Comment


Rafal Celt
Rafal Celt
Dec 21, 2021

Couldn't agree more. We know it fist hand how scattered subscriptions can get and how hard it is to get handle of everything developers were capable to cook up in shot time period. Hub and spoke is a great method to give network team some resemblance of WAN and a path to sustainable sanity in complex Cloud environment.

Like
Post: Blog2_Post
bottom of page