Hub-spoke is the standard network architecture for enterprise cloud. It provides centralised traffic inspection, consistent security boundaries and scalable governance. This guide covers implementation across Azure, AWS and GCP.
A central hub VNet/VPC contains shared services and security controls. All workload VNets/VPCs (spokes) connect to the hub but not to each other, so all inter-spoke traffic passes through the hub for inspection. The hub contains: cloud firewall, network gateway, Bastion/Session Manager, DNS, centralised logging.
Mesh: VPCs peered directly to each other. Works for 2-3 VPCs, but full mesh needs n(n-1)/2 peerings. With 10 VPCs: 45 peering connections. With 20: 190 connections. Hub-spoke: each spoke has exactly one connection (to the hub). Any-to-any connectivity through hub routing. Security policy enforced centrally. New spokes connect to the hub only.
Hub VNet: Azure Firewall (or NVA), Azure Bastion, ExpressRoute Gateway, VPN Gateway, Azure DNS Private Resolver. Spoke VNets peered to hub with Use Remote Gateways enabled. UDRs force spoke traffic through Azure Firewall. Azure Virtual WAN for very large deployments (50+ spokes).
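A topology audit for the Azure design above, added here as example code (not part of the original guide). It runs over a constructed inventory whose field names (`peer`, `use_remote_gateways`, `prefix`, `next_hop_type`, `next_hop_ip`) are this example's own simplification of what the Azure CLI returns, not the Azure API schema; the firewall IP and VNet names are also constructed.

```python
"""Check that spokes peer only with the hub, use the hub's gateways, and
force 0.0.0.0/0 through the Azure Firewall. Example code with a constructed
inventory; field names are a simplification, not the Azure API schema."""

FIREWALL_IP = "10.0.1.4"  # constructed: private IP of Azure Firewall in the hub

# Constructed inventory. spoke-b and spoke-c are deliberately misconfigured:
# they peer with each other, and spoke-c neither uses remote gateways nor
# routes its default traffic to the firewall.
VNETS = {
    "hub": {"peerings": [{"peer": s, "use_remote_gateways": False}
                         for s in ("spoke-a", "spoke-b", "spoke-c")],
            "routes": []},
    "spoke-a": {"peerings": [{"peer": "hub", "use_remote_gateways": True}],
                "routes": [{"prefix": "0.0.0.0/0", "next_hop_type": "VirtualAppliance",
                            "next_hop_ip": FIREWALL_IP}]},
    "spoke-b": {"peerings": [{"peer": "hub", "use_remote_gateways": True},
                             {"peer": "spoke-c", "use_remote_gateways": False}],
                "routes": [{"prefix": "0.0.0.0/0", "next_hop_type": "VirtualAppliance",
                            "next_hop_ip": FIREWALL_IP}]},
    "spoke-c": {"peerings": [{"peer": "hub", "use_remote_gateways": False},
                             {"peer": "spoke-b", "use_remote_gateways": False}],
                "routes": [{"prefix": "0.0.0.0/0", "next_hop_type": "Internet",
                            "next_hop_ip": None}]},
}


def mesh_peerings(n):
    """Peering connections a full mesh of n VNets needs: n(n-1)/2."""
    return n * (n - 1) // 2


def audit_hub_spoke(vnets, hub="hub", firewall_ip=FIREWALL_IP):
    """Return (vnet, finding) tuples; an empty list means the spokes comply."""
    findings = []
    hub_peers = {p["peer"] for p in vnets[hub]["peerings"]}
    for name, vnet in vnets.items():
        if name == hub:
            continue
        peers = {p["peer"] for p in vnet["peerings"]}
        for extra in sorted(peers - {hub}):  # any non-hub peering bypasses inspection
            findings.append((name, f"peered directly to {extra}: bypasses hub firewall"))
        if hub not in peers or name not in hub_peers:
            findings.append((name, "hub peering missing or one-sided"))
        elif not any(p["peer"] == hub and p["use_remote_gateways"] for p in vnet["peerings"]):
            findings.append((name, "Use Remote Gateways disabled on hub peering"))
        default = [r for r in vnet["routes"] if r["prefix"] == "0.0.0.0/0"]
        if not default:
            findings.append((name, "no 0.0.0.0/0 UDR: egress skips the firewall"))
        elif (default[0]["next_hop_type"], default[0]["next_hop_ip"]) != ("VirtualAppliance", firewall_ip):
            findings.append((name, f"default route next hop is {default[0]['next_hop_type']}, not firewall"))
    return findings
```

Run against a real subscription by replacing `VNETS` with data from `az network vnet peering list` and `az network route-table show`, mapping their fields onto the names used here.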
AWS Transit Gateway (TGW) is a cloud router connecting VPCs and on-prem. A central inspection VPC with AWS Network Firewall is attached to the TGW. Workload VPCs are attached to the TGW as spokes. On-prem connects to the TGW via Direct Connect or VPN. TGW route tables control traffic flow.
Shared VPC: the host project owns the VPC and subnets. Service projects use host project subnets without owning them. Centralised network management with project isolation. Cloud NAT in the host project for all service project egress. Cloud Armor WAF policies applied centrally. Hierarchical firewall policies at org/folder level.