Capstone Project 2

Secure Enterprise Hub-and-Spoke Network

Combine Azure Policy, RBAC, VNet Peering, and Custom Routing (UDRs) to build a centralized, secure networking backbone for an entire organization.

The Scenario: Your organization has multiple departments (HR and Finance) that need isolated cloud environments ("Spokes"). However, the security team mandates that all inbound/outbound internet traffic must pass through a central, highly governed "Hub" network for deep packet inspection. You must build this architecture from scratch.

Phase 1: Governance & Identity

Before deploying any infrastructure, we need to enforce compliance rules and delegate administrative access properly.

  1. Sign in to the Azure Portal and navigate to Microsoft Entra ID. Create a new Security Group named NetworkAdmins-Group.
  2. Navigate to Management Groups and create a new group named Contoso-Corp-MG. Move your Azure Subscription into this Management Group.
  3. Inside the Management Group, go to Access control (IAM). Add a Role Assignment granting the Network Contributor role to your NetworkAdmins-Group.
  4. Navigate to Policy > Assignments. Assign the built-in policy Require a tag on resources at the Management Group scope. Set the required tag name to Department.

Phase 2: Hub & Spoke Virtual Networks

We will now build the core network foundation. We need one Hub and two Spokes. Because of our Policy in Phase 1, you MUST apply the Department tag to these resources or deployment will fail!

  1. Create a Resource Group named AZ104-HubSpoke-RG with the tag Department: IT.
  2. Create the Hub Virtual Network named Hub-VNet with address space 10.0.0.0/16. Create a subnet named GatewaySubnet (10.0.1.0/24). (Note: It must be named exactly GatewaySubnet for Azure Firewalls/VPNs).
  3. Create the first Spoke Virtual Network named HR-Spoke with address space 10.1.0.0/16. Subnet: Workloads (10.1.1.0/24).
  4. Create the second Spoke Virtual Network named Finance-Spoke with address space 10.2.0.0/16. Subnet: Workloads (10.2.1.0/24).
  5. Establish VNet Peering. Peer the Hub to HR, and the Hub to Finance. Do not peer HR directly to Finance. Note that each az command creates the peering object on one VNet only; a link is shown as Connected only once the matching object exists on the remote VNet too, so each Hub-to-Spoke link needs two commands (the reverse peerings below are named HRToHub and FinanceToHub). You can automate this step using Cloud Shell:
az network vnet peering create -g AZ104-HubSpoke-RG -n HubToHR --vnet-name Hub-VNet --remote-vnet HR-Spoke --allow-vnet-access
az network vnet peering create -g AZ104-HubSpoke-RG -n HRToHub --vnet-name HR-Spoke --remote-vnet Hub-VNet --allow-vnet-access
az network vnet peering create -g AZ104-HubSpoke-RG -n HubToFinance --vnet-name Hub-VNet --remote-vnet Finance-Spoke --allow-vnet-access
az network vnet peering create -g AZ104-HubSpoke-RG -n FinanceToHub --vnet-name Finance-Spoke --remote-vnet Hub-VNet --allow-vnet-access

Phase 3: Centralized Security & Routing

Currently, the spokes can talk to the hub, but their internet traffic still goes directly out to the web. We will deploy a central firewall in the Hub and force the spokes to use it.

  1. Deploy an Azure Firewall into the Hub-VNet (inside the GatewaySubnet). Assign it a Public IP. Once deployed, note its private IP address (e.g., 10.0.1.4).
  2. Search for Route tables and create a new one named Spoke-UDR (User Defined Route).
  3. Open the Route Table and go to Routes > + Add.
  4. Configure the route to hijack internet traffic:
    • Route name: Force-Internet-To-Hub
    • Destination type: IP Addresses
    • Destination IP addresses/CIDR ranges: 0.0.0.0/0 (This represents all internet traffic)
    • Next hop type: Virtual appliance
    • Next hop address: [Enter the Private IP of your Azure Firewall from step 1]
  5. Go to the Subnets tab on the Route Table and click + Associate. Associate this Route Table with the Workloads subnets in both HR-Spoke and Finance-Spoke.
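The following is an added example, not part of the original lab, that lets you check the resulting routing behaviour offline before touching a subscription. It encodes the Phase 2 address spaces and peerings and the Phase 3 Spoke-UDR, then applies Azure's documented route-selection rules (longest prefix match first; when two routes share a prefix, a user-defined route beats a system route). The "None" system routes for the private address ranges are Azure's documented defaults; the firewall private IP 10.0.1.4 is the example value from Phase 3 step 1; 203.0.113.10 is a constructed internet destination from the TEST-NET-3 documentation range. Everything else (function names, the VNet model) is this example's own.

```python
"""Offline model of how Azure picks a next hop for the lab's hub-and-spoke design.

Added example, not part of the original lab. Route selection follows Azure's
documented rules: longest prefix match, and on a tie a user-defined route (UDR)
outranks a system route. Lab values: Hub-VNet 10.0.0.0/16, HR-Spoke 10.1.0.0/16,
Finance-Spoke 10.2.0.0/16, firewall private IP 10.0.1.4 (example value from the lab).
"""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop_type: str            # VirtualNetwork | VNetPeering | Internet | None | VirtualAppliance
    next_hop_ip: Optional[str] = None
    origin: str = "System"        # "System" or "User" (UDR)


# Azure's default system routes. Traffic matching a "None" route is dropped.
DEFAULT_SYSTEM_ROUTES = [
    Route(ip_network("0.0.0.0/0"), "Internet"),
    Route(ip_network("10.0.0.0/8"), "None"),
    Route(ip_network("172.16.0.0/12"), "None"),
    Route(ip_network("192.168.0.0/16"), "None"),
    Route(ip_network("100.64.0.0/10"), "None"),
]


@dataclass
class VNet:
    name: str
    address_space: IPv4Network
    # Remote VNets for which this VNet holds a peering object (one object per direction).
    peerings: set[str] = field(default_factory=set)


def connected_peers(vnet: VNet, vnets: dict[str, VNet]) -> list[str]:
    """A peering only reaches the Connected state when both sides hold a peering object."""
    return sorted(r for r in vnet.peerings if vnet.name in vnets[r].peerings)


def effective_routes(vnet: VNet, vnets: dict[str, VNet], udrs: list[Route]) -> list[Route]:
    """System routes + the VNet's own prefix + connected peers' prefixes + the subnet's UDRs."""
    routes = list(DEFAULT_SYSTEM_ROUTES)
    routes.append(Route(vnet.address_space, "VirtualNetwork"))
    for peer in connected_peers(vnet, vnets):
        routes.append(Route(vnets[peer].address_space, "VNetPeering"))
    return routes + list(udrs)


def select_route(dest: str, routes: list[Route]) -> Route:
    """Longest prefix match; on an equal prefix length a User route outranks a System route."""
    addr = ip_address(dest)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: (r.prefix.prefixlen, r.origin == "User"))


def build_lab(peer_both_directions: bool = True) -> dict[str, VNet]:
    """The Phase 2 topology. peer_both_directions=False models only the hub-side peerings."""
    vnets = {
        "Hub-VNet": VNet("Hub-VNet", ip_network("10.0.0.0/16")),
        "HR-Spoke": VNet("HR-Spoke", ip_network("10.1.0.0/16")),
        "Finance-Spoke": VNet("Finance-Spoke", ip_network("10.2.0.0/16")),
    }
    # Phase 2 step 5: peerings created from the hub side (HubToHR, HubToFinance).
    vnets["Hub-VNet"].peerings |= {"HR-Spoke", "Finance-Spoke"}
    if peer_both_directions:          # the matching spoke-side peering objects
        vnets["HR-Spoke"].peerings.add("Hub-VNet")
        vnets["Finance-Spoke"].peerings.add("Hub-VNet")
    return vnets


FIREWALL_PRIVATE_IP = "10.0.1.4"   # example value from Phase 3 step 1
# Phase 3 step 4: Force-Internet-To-Hub, 0.0.0.0/0 -> Virtual appliance.
SPOKE_UDR = [Route(ip_network("0.0.0.0/0"), "VirtualAppliance", FIREWALL_PRIVATE_IP, origin="User")]


def next_hop(src_vnet: str, dest: str, vnets: dict[str, VNet], udrs: list[Route]) -> tuple[str, Optional[str], str]:
    """(next hop type, next hop IP, matched prefix) for a packet leaving src_vnet towards dest."""
    r = select_route(dest, effective_routes(vnets[src_vnet], vnets, udrs))
    return r.next_hop_type, r.next_hop_ip, str(r.prefix)


if __name__ == "__main__":
    lab = build_lab()
    cases = [("HR-Spoke", "203.0.113.10", SPOKE_UDR),   # internet, with the UDR: firewall
             ("HR-Spoke", "203.0.113.10", []),          # internet, without the UDR: straight out
             ("HR-Spoke", "10.0.1.4", SPOKE_UDR),       # hub: peering route is more specific
             ("HR-Spoke", "10.2.1.4", SPOKE_UDR),       # other spoke: dropped by 10.0.0.0/8 None
             ("Hub-VNet", "10.2.1.4", [])]              # hub to spoke: peering
    for src, dst, udr in cases:
        print(f"{src:14} -> {dst:14} via {next_hop(src, dst, lab, udr)}")
```

Three things the model makes visible that the walkthrough leaves implicit. First, the 0.0.0.0/0 UDR only wins against the system Internet route at the same prefix length; traffic to the hub still takes the more specific peering route, so the UDR does not break hub reachability. Second, HR-to-Finance traffic matches Azure's 10.0.0.0/8 None system route, which is more specific than 0.0.0.0/0 and therefore drops the packet: the spokes stay isolated as the lab intends, and if the design ever needed spoke-to-spoke inspection through the firewall it would require a more specific UDR (such as the other spoke's /16) pointing at the firewall. Third, with only the hub-side peering objects (peer_both_directions=False) the hub prefix never appears in a spoke's effective routes, which is what a peering stuck in the Initiated state looks like from the spoke. One platform caveat when reproducing this for real: Azure Firewall requires a dedicated subnet named exactly AzureFirewallSubnet (minimum /26), separate from the GatewaySubnet used by VPN and ExpressRoute gateways.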

Project Complete!

You have successfully implemented a secure Hub-and-Spoke architecture. If a Virtual Machine in the HR department tries to download a file from the internet, the Route Table hijacks the request (0.0.0.0/0) and forwards it to the Azure Firewall in the Hub. The security team now has a single, central chokepoint to audit, block, or allow all enterprise traffic!