Skip to main content
Nauman Munir
Back to Projects
Case StudyFinancial ServicesInfrastructure as Code

Centralizing Connectivity and Security with Azure VNet Peering in a Hub-and-Spoke Architecture

Implemented a hub-and-spoke Azure VNet peering architecture for a global financial services provider, centralizing connectivity and security while enabling scalable, compliant networking.

3 min read
12 weeks
Centralizing Connectivity and Security with Azure VNet Peering in a Hub-and-Spoke Architecture

Technologies

Azure Virtual Network (VNet) & VNet PeeringHub-and-Spoke TopologyAzure VPN GatewayAzure Route ServerNetwork Virtual Appliances (NVAs)Azure FirewallUser-Defined Routes (UDRs)Azure Network Security Groups (NSGs)Terraform for Automation

Challenges

Secure Inter-VNet ConnectivityCentralized ServicesHybrid ConnectivityConsistent Security PoliciesScalability

Solutions

Hub-and-Spoke ArchitectureCentralized SecurityHybrid IntegrationAutomated Onboarding

Key Results

Enforced uniform security via centralized NVA stack

centralized security

Simplified access to on-premises networks via hub VPN gateway

hybrid connectivity

Reduced costs by eliminating per-spoke gateways and firewalls

cost optimization

Enabled rapid spoke integration with automation

scalable onboarding

Ensured uniform security posture across environments

policy consistency

Centralizing Connectivity and Security with Azure VNet Peering in a Hub-and-Spoke Architecture

AMJ Cloud Technologies collaborated with a global financial services provider to migrate their data centers to Azure, implementing a hub-and-spoke architecture using VNet peering. This case study outlines how we centralized connectivity and security while ensuring scalability and compliance.

Situation

The client, operating across multiple continents, managed segmented workloads (customer portals, data analytics, backend processing, and security services) across separate Azure subscriptions. They required isolated yet interconnected environments to support compliance and autonomy.

Challenge

The client needed a network design that:

  • Enabled secure connectivity between VNets without public internet exposure.
  • Centralized critical services like VPN gateways and firewalls.
  • Supported routing to on-premises environments via a single gateway.
  • Enforced consistent security and traffic inspection across tiers.
  • Scaled across business units and subscriptions.
  • Minimized costs and avoided routing misconfigurations.

Solution: VNet Peering-Based Hub-and-Spoke Architecture

We designed a hub-and-spoke architecture using VNet peering, implemented over twelve weeks by a team of cloud architects and network engineers.

Action

Key components included:

  • Hub VNet Design:

    • Deployed a hub VNet per primary region with a VPN Gateway, Azure Route Server, Azure Firewall, NVAs, DNS forwarders, Bastion hosts, and Azure Monitor agents.

  • Spoke VNets:

    • Configured spoke VNets for business units (e.g., Retail Banking, Insurance) and environments (Dev, UAT, Prod), peered with the hub but not each other.

  • Peering Configuration:

    • Enabled “Use remote gateways” on hub-to-spoke peering and “Allow gateway transit” and “Traffic forwarding” on spoke-to-hub peering for centralized routing.

  • Routing & Service Chaining:

    • Used UDRs in spokes to route traffic through the hub’s NVA stack for inspection, preserving source IPs for compliance.

  • Security Controls:

    • Applied NSGs to restrict lateral movement and routed all traffic through the hub for centralized inspection.

  • Scalability Plan:

    • Defined non-overlapping CIDR blocks and automated peering with Terraform for rapid spoke onboarding.

  • Testing and Validation:

    • Validated secure connectivity, hybrid integration, and compliance through traffic and performance testing.

Results

The solution delivered significant outcomes:

  • Centralized Security Enforcement: All traffic was inspected via the hub’s NVA stack.
  • Simplified Hybrid Connectivity: The hub’s VPN gateway enabled seamless on-premises access.
  • Cost Optimization: Eliminated per-spoke gateways and firewalls, reducing costs.
  • Seamless Spoke Onboarding: Automated templates enabled rapid VNet integration.
  • Consistent Policy Management: Centralized rules ensured uniform security.

Challenges Addressed

  • Transitive Routing Limitations: Used NVAs for effective transitive routing.
  • Gateway Propagation Limits: Optimized routes with summarization to stay within limits.
  • Complex Route Management: Azure Route Server simplified dynamic route updates.

Technologies Used

  • Azure Virtual Network (VNet) & VNet Peering: Enabled secure connectivity.
  • Hub-and-Spoke Topology: Centralized services and routing.
  • Azure VPN Gateway: Supported hybrid connectivity.
  • Azure Route Server: Managed dynamic routing.
  • Network Virtual Appliances (NVAs): Facilitated traffic inspection.
  • Azure Firewall: Provided centralized security.
  • User-Defined Routes (UDRs): Controlled traffic flow.
  • Azure Network Security Groups (NSGs): Enforced granular security.
  • Terraform for Automation: Streamlined deployment.

Key Use Cases

This architecture is ideal for:

  • Organizations requiring centralized security and hybrid connectivity.
  • Multi-subscription environments needing scalable networking.
  • Businesses prioritizing cost efficiency and consistent policy enforcement.

Key Takeaways

The hub-and-spoke architecture with VNet peering provided a scalable, secure, and cost-effective network model. By centralizing connectivity and security, we enabled the client to support hybrid scenarios and future growth. AMJ Cloud Technologies delivers tailored cloud solutions for complex networking needs.

Architectural Diagram

Need a Similar Solution?

I can help you design and implement similar cloud infrastructure and DevOps solutions for your organization.

Let's Discuss Your ProjectView More Projects