Version: 1.4

Azure Hub and Spoke

A common pattern within Azure networking is a hub and spoke topology, where a central backbone enables transitive routing, allowing for centrally managed access controls, egress, and so forth.

Note

Beyond VNet peering, Wayfinder also supports using the hub network as the gateway for all traffic, which lets users control their egress traffic via a virtual appliance, for example.

We have the following requirements:

  • We want to hook up our networks to a centrally managed hub network in a specific workspace.
  • We want all traffic, whether private or public, routed via the transit network in the workspace.
  • We want the management network to be isolated from the rest of the hub network and to connect only to private clusters.
  • We want to scope the connection to a single workspace.

Network Topology

The following depicts the network topology we are looking to achieve.

Topology

Peering Definition

In this example, you define two peering rules to:

  1. Connect the Wayfinder management network to all private clusters.
  2. For workspace wsk, connect the private cluster networks into the hub.

First, define the rule that connects the management network to all private clusters.

Note

The example below is to demonstrate the flexibility of the definition. A more likely situation would be to route all traffic via the hub network and forgo any direct peering between the management and workspace networks.

1 - Connect the Wayfinder management network to all private clusters

```yaml
---
apiVersion: networking.appvia.io/v1alpha1
kind: PeeringRule
metadata:
  name: management
spec:
  filters:
    allocation:
      type: all
    selectors:
      matchExpressions:
        - key: appvia.io/stage
          operator: Exists
        - key: networking.appvia.io/peering # only private clusters
          operator: In
          values: ["true"]
  connection:
    type: peering
    peering:
      enableAutoApproval: true
```

2 - Connect the private cluster networks into the hub for workspace wsk

```yaml
---
apiVersion: networking.appvia.io/v1alpha1
kind: PeeringRule
metadata:
  name: hub
spec:
  filters:
    allocation:
      type: workspace
      workspaces:
        - wsk
    selectors:
      matchExpressions:
        - key: appvia.io/stage
          operator: Exists

  # Cloud account which has the permissions to accept the peering
  cloudAccount:
    name: hub
    namespace: ws-admin

  connection:
    type: peering
    peering:
      enableAutoApproval: true
      network:
        # the virtual network identifier (resource group / VNet)
        identifier: <RESOURCE_GROUP/VNET_ID>
        # the location (region) of the network
        location: eu-west-2
```

Note

You can also define and manage peering rules in the UI: Wayfinder settings > Networking > Peering rules.
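The two rules above differ only in their filters, so it is worth checking which networks each one would actually select before relying on auto-approval. The following is an added example, not Wayfinder's own code: it evaluates the allocation and matchExpressions filters of both rules over a handful of constructed sample networks, assuming Kubernetes-style label-selector semantics for the operators (Exists, DoesNotExist, In, NotIn) and that allocation.type is either all or workspace. The network names and labels are invented for the demonstration.

```python
"""Which networks does a PeeringRule select?

Added example, not Wayfinder's own code. It assumes Kubernetes-style label
selector semantics for matchExpressions (Exists, DoesNotExist, In, NotIn)
and that allocation.type is "all" or "workspace". The two rules mirror the
ones on this page; the networks are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Network:
    """A cluster network as seen by the peering controller (constructed)."""
    name: str
    workspace: str
    labels: dict = field(default_factory=dict)


def match_expression(labels: dict, expr: dict) -> bool:
    """Evaluate one matchExpression against a label map (Kubernetes semantics)."""
    key, op = expr["key"], expr["operator"]
    values = set(expr.get("values", []))
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    if op == "In":
        return labels.get(key) in values          # absent key never matches
    if op == "NotIn":
        return labels.get(key) not in values      # absent key matches
    raise ValueError(f"unsupported operator {op!r}")


def allocation_allows(allocation: dict, workspace: str) -> bool:
    """Apply the allocation filter: every workspace, or only the listed ones."""
    kind = allocation.get("type", "all")
    if kind == "all":
        return True
    if kind == "workspace":
        return workspace in allocation.get("workspaces", [])
    raise ValueError(f"unsupported allocation type {kind!r}")


def select_networks(rule: dict, networks: list) -> list:
    """Return the names of the networks a rule's filters select, sorted."""
    filters = rule["spec"]["filters"]
    allocation = filters.get("allocation", {})
    exprs = filters.get("selectors", {}).get("matchExpressions", [])
    return sorted(
        n.name for n in networks
        if allocation_allows(allocation, n.workspace)
        and all(match_expression(n.labels, e) for e in exprs)
    )


def peerings_by_rule(rules: list, networks: list) -> dict:
    """Map each rule name to the networks it would peer."""
    return {r["metadata"]["name"]: select_networks(r, networks) for r in rules}


# The two rules from this page, as the controller would see them after parsing.
MANAGEMENT_RULE = {
    "metadata": {"name": "management"},
    "spec": {"filters": {
        "allocation": {"type": "all"},
        "selectors": {"matchExpressions": [
            {"key": "appvia.io/stage", "operator": "Exists"},
            {"key": "networking.appvia.io/peering", "operator": "In", "values": ["true"]},
        ]},
    }},
}

HUB_RULE = {
    "metadata": {"name": "hub"},
    "spec": {"filters": {
        "allocation": {"type": "workspace", "workspaces": ["wsk"]},
        "selectors": {"matchExpressions": [
            {"key": "appvia.io/stage", "operator": "Exists"},
        ]},
    }},
}

# Constructed sample networks (names, workspaces and labels are invented).
NETWORKS = [
    Network("wsk-private", "wsk", {"appvia.io/stage": "prod", "networking.appvia.io/peering": "true"}),
    Network("wsk-public", "wsk", {"appvia.io/stage": "prod", "networking.appvia.io/peering": "false"}),
    Network("wsb-private", "wsb", {"appvia.io/stage": "dev", "networking.appvia.io/peering": "true"}),
    Network("legacy", "wsk", {}),  # no stage label: not a Wayfinder-managed network
]

if __name__ == "__main__":
    for name, selected in peerings_by_rule([MANAGEMENT_RULE, HUB_RULE], NETWORKS).items():
        print(f"{name}: {selected}")
```

Running it shows the management rule peering only the two private clusters across all workspaces, and the hub rule peering every labelled network in wsk, public or private, while the unlabelled network is left alone by both. The same function is a cheap way to dry-run a new rule against an inventory of networks before you enable enableAutoApproval on it.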

Route all traffic via the Hub

Topology

Take another example, with the following requirements:

  • We want to hook up our networks to a centrally managed hub network.
  • We want all egress traffic routed via the hub network.
```yaml
---
apiVersion: networking.appvia.io/v1alpha1
kind: PeeringRule
metadata:
  name: hub
spec:
  filters:
    allocation:
      type: all
    selectors:
      matchExpressions:
        - key: appvia.io/stage
          operator: Exists

  # Cloud account which has the permissions to accept the peering
  cloudAccount:
    name: hub
    namespace: ws-admin

  connection:
    type: peering
    peering:
      enableAutoApproval: true
      network:
        # the Azure subscription that owns the hub virtual network
        account: 111111111
        # the virtual network resource identifier
        identifier: <AZURE_PEERING_DESTINATION_VNET_RESOURCE_ID>
      providerDetails:
        azure:
          # use the hub as the gateway for all egress traffic
          enableUseRemoteGateway: true
```
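Whether spoke egress really transits the hub depends on flags on both halves of the resulting Azure VNet peering, not just on the rule. The following added example (not Wayfinder's code) is a pre-flight check over the two peering objects in the shape returned by `az network vnet peering show` (peeringState, allowForwardedTraffic, allowGatewayTransit, useRemoteGateways, remoteVirtualNetwork.id). It assumes that the rule's enableUseRemoteGateway maps onto Azure's useRemoteGateways on the spoke side; the VNet IDs and the two peering objects are constructed samples, one with the weak settings and one corrected.

```python
"""Pre-flight check of an Azure hub-and-spoke peering that routes spoke egress via the hub.

Added example, not Wayfinder's own code. It inspects the two halves of a VNet
peering as returned by `az network vnet peering show` and assumes the rule's
enableUseRemoteGateway becomes useRemoteGateways on the spoke-side peering.
The VNet IDs and peering objects below are constructed samples.
"""

# Constructed resource IDs (subscription and names are invented).
HUB_VNET_ID = ("/subscriptions/111111111/resourceGroups/hub"
               "/providers/Microsoft.Network/virtualNetworks/hub-vnet")
SPOKE_VNET_ID = ("/subscriptions/222222222/resourceGroups/wsk"
                 "/providers/Microsoft.Network/virtualNetworks/wsk-private")


def check_hub_spoke_peering(spoke: dict, hub: dict, hub_vnet_id: str, spoke_vnet_id: str) -> list:
    """Return a list of findings; an empty list means the pair is set up for hub egress."""
    findings = []
    for side, peering in (("spoke", spoke), ("hub", hub)):
        if peering.get("peeringState") != "Connected":
            findings.append(f"{side}: peeringState is {peering.get('peeringState')!r}, not Connected")
    # Each half must point at the other VNet; resource IDs compare case-insensitively.
    if spoke.get("remoteVirtualNetwork", {}).get("id", "").lower() != hub_vnet_id.lower():
        findings.append("spoke: peering does not point at the hub VNet")
    if hub.get("remoteVirtualNetwork", {}).get("id", "").lower() != spoke_vnet_id.lower():
        findings.append("hub: peering does not point at the spoke VNet")
    # Gateway transit needs the spoke to use the remote gateway and the hub to offer it.
    if not spoke.get("useRemoteGateways"):
        findings.append("spoke: useRemoteGateways is false; the hub will not act as the spoke's gateway")
    if not hub.get("allowGatewayTransit"):
        findings.append("hub: allowGatewayTransit is false; the spoke cannot use the hub gateway")
    # Traffic that a hub virtual appliance forwards into the spoke is dropped without this flag.
    if not spoke.get("allowForwardedTraffic"):
        findings.append("spoke: allowForwardedTraffic is false; traffic forwarded by a hub virtual appliance is dropped")
    return findings


def peering(remote_id: str, state: str = "Connected", **flags) -> dict:
    """Build a minimal peering object in the shape of the CLI output (constructed sample)."""
    obj = {
        "peeringState": state,
        "remoteVirtualNetwork": {"id": remote_id},
        "allowVirtualNetworkAccess": True,
        "allowForwardedTraffic": False,
        "allowGatewayTransit": False,
        "useRemoteGateways": False,
    }
    obj.update(flags)
    return obj


# Weak: the peering is up, but the spoke neither uses the hub gateway nor accepts
# forwarded traffic, so spoke egress bypasses the hub's virtual appliance.
WEAK_SPOKE = peering(HUB_VNET_ID)
WEAK_HUB = peering(SPOKE_VNET_ID)

# Corrected: the spoke uses the hub gateway and accepts traffic the hub appliance
# forwards; the hub offers gateway transit.
GOOD_SPOKE = peering(HUB_VNET_ID, useRemoteGateways=True, allowForwardedTraffic=True)
GOOD_HUB = peering(SPOKE_VNET_ID, allowGatewayTransit=True, allowForwardedTraffic=True)

if __name__ == "__main__":
    for label, s, h in (("weak", WEAK_SPOKE, WEAK_HUB), ("good", GOOD_SPOKE, GOOD_HUB)):
        print(label, check_hub_spoke_peering(s, h, HUB_VNET_ID, SPOKE_VNET_ID) or "OK")
```

To run it against real peerings, fetch each half with `az network vnet peering show -g <resource-group> --vnet-name <vnet> -n <peering> -o json` and pass the parsed JSON in place of the constructed objects. The check covers only the peering flags: forcing internet-bound traffic through a hub appliance also needs a route table on the spoke subnets (0.0.0.0/0 with next hop VirtualAppliance), which should be verified separately.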