This chapter covers Azure network topology patterns, a core topic for AZ-305 Objective 4.2: Design networking solutions. Understanding how to architect virtual networks, connect them, and integrate with on-premises is critical; expect 15-20% of exam questions to touch network topology. We will dissect hub-and-spoke, mesh, and hybrid topologies, including Virtual WAN, VNet peering, and gateway configurations. Master these patterns to design scalable, secure, and cost-effective Azure networks.
Jump to a section
Imagine designing a city's transportation network. The city has multiple districts (virtual networks), each with its own local roads (subnets). To connect districts, you build highways (virtual network peering) with toll booths (Azure Firewall or network virtual appliances) at key junctions. Some districts need to connect to the outside world via a central airport (VPN/ExpressRoute gateway) that handles all inbound and outbound international flights (hybrid connectivity). The city also has a central train station (Azure Virtual WAN) that simplifies connections between districts and to the airport. If you want to control which vehicles can enter a district, you install checkpoint gates (network security groups) at district entrances. For high-security areas like government buildings (PaaS services with private endpoints), you build dedicated tunnels (private endpoints) so that no traffic ever touches public roads. The city planner must decide whether to use point-to-point highways (hub-and-spoke) or a fully meshed grid (mesh topology). Poor planning leads to traffic jams (latency), security breaches (inadequate segmentation), or costly over-engineering (unnecessary complexity). Azure's network topology patterns are the blueprints for this digital city.
1. Azure Network Topology Fundamentals
Azure network topology defines how virtual networks (VNets) are arranged and interconnected to support workloads, security, and connectivity requirements. The AZ-305 exam tests your ability to choose the right pattern based on business needs, cost, and operational complexity. The three primary patterns are hub-and-spoke, mesh (full or partial), and hybrid (connecting on-premises).
2. Hub-and-Spoke Topology
Hub-and-spoke is the most common pattern for enterprise workloads. The hub is a central VNet that hosts shared services such as Azure Firewall, VPN/ExpressRoute gateways, domain controllers, or jump boxes. Spoke VNets connect to the hub via VNet peering, and traffic flows through the hub for inspection or routing.
Mechanism: VNet peering establishes a low-latency, high-bandwidth connection between two VNets using the Microsoft backbone. Peering is non-transitive by default: if Spoke A is peered to Hub, and Spoke B is peered to Hub, Spoke A and B cannot communicate directly unless you explicitly enable gateway transit or add additional peerings. In hub-and-spoke, you enable 'Use remote gateways' on spoke peerings to allow spokes to use the hub's VPN/ExpressRoute gateway for hybrid connectivity. The hub typically uses a network virtual appliance (NVA) or Azure Firewall to inspect traffic between spokes.
Configuration:
Create hub VNet with subnets for gateways, firewalls, and management.
Create spoke VNets with workloads.
Peer each spoke to hub: two-way peering (hub->spoke and spoke->hub).
On spoke peering to hub, enable 'Allow gateway transit' (if hub has a gateway).
On hub peering to spoke, enable 'Use remote gateways' (if spoke needs to use hub's gateway).
Route tables: add user-defined routes (UDRs) in spoke subnets pointing default route (0.0.0.0/0) to the firewall's private IP in the hub.
Key Values:
Maximum VNet peerings per VNet: 500 (with limits on number of spokes per hub).
Peering latency: <2ms within region, cross-region ~10-20ms.
Gateway transit: only one gateway per hub can be shared.
3. Full Mesh Topology
In a full mesh, every VNet is directly peered to every other VNet. This pattern is suitable for scenarios requiring low latency between all pairs, but it does not scale due to peering limits and management overhead.
Mechanism: Each VNet must have a peering to every other VNet. Traffic flows directly without a central inspection point. To enforce security, you must apply NSGs or NVAs at each VNet boundary, which increases complexity.
Limitations:
Peering count: maximum 500 peerings per VNet, but each peering consumes two connections (one per direction). For n VNets, you need n*(n-1)/2 peerings. At 10 VNets, that's 45 peerings; at 32 VNets, you hit the 500 limit.
No central control: each VNet must be individually configured with routing and security.
Cost: each peering incurs egress charges (ingress is free), so cross-region mesh can be expensive.
4. Hybrid Network Topology (On-Premises Connectivity)
Hybrid topology extends Azure VNets to on-premises datacenters via VPN (site-to-site) or ExpressRoute. This is often combined with hub-and-spoke: the hub hosts the gateway, and spokes use gateway transit.
VPN Gateway:
Policy-based VPN: supports up to 10 tunnel endpoints, uses static routing.
Route-based VPN: supports up to 30 tunnels (VpnGw1-5), uses BGP for dynamic routing. Required for forced tunneling and coexistence with ExpressRoute.
Default: route-based (recommended for production).
SKU throughput: VpnGw1 (650 Mbps), VpnGw2 (1 Gbps), VpnGw3 (1.25 Gbps), etc.
Active-Active mode: deploy two instances for higher availability (requires two public IPs).
ExpressRoute:
Private connection from on-premises to Azure via MPLS provider.
Two SKUs: Local (single region, up to 10 Gbps), Standard (any region in same geopolitical area), Premium (global connectivity).
Redundancy: two circuits from different providers recommended.
Bandwidth: 50 Mbps to 100 Gbps.
FastPath: bypasses the gateway for high-performance workloads (requires ExpressRoute Gateway UltraPerformance).
Coexistence: VPN and ExpressRoute can coexist on the same gateway (using route-based VPN). Azure prefers ExpressRoute over VPN for the same routes. If both paths are available, traffic uses ExpressRoute.
5. Azure Virtual WAN
Azure Virtual WAN (vWAN) is a managed service that simplifies large-scale hub-and-spoke and hybrid topologies. It provides a central hub that automatically connects spokes, branch offices (via VPN/SD-WAN), and ExpressRoute circuits.
Components:
Virtual hub: a Microsoft-managed VNet that contains gateways (VPN, ExpressRoute, point-to-site) and routing infrastructure.
Virtual network connections: spokes connect to the hub without explicit peerings.
Branch connectivity: site-to-site VPN, Point-to-site VPN, ExpressRoute, or SD-WAN (via Network Virtual Appliance integration).
Routing: hub automatically propagates routes between spokes and branches. You can define custom route tables.
Benefits:
No peering limits: each virtual hub supports up to 1000 VNet connections.
Centralized management: all connectivity and routing in one place.
Built-in security: Azure Firewall Manager can be integrated.
Global mesh: multiple hubs can be connected via hub-to-hub peering (using ExpressRoute or VPN).
Limitations:
Higher cost per hub (gateway instances).
Less control: you cannot deploy custom NVAs in the hub (unless using NVA in a spoke with routing).
Regional: hubs are regional; cross-region traffic flows via Microsoft backbone.
6. Choosing the Right Topology
Exam scenarios typically present requirements like: - "Multiple workloads need to share a common firewall and VPN gateway" -> Hub-and-spoke. - "Low latency between all VNets with fewer than 10 VNets" -> Full mesh (but hub-and-spoke often still preferred for manageability). - "Global presence with many branch offices" -> Virtual WAN. - "Isolated workloads that must not communicate" -> Separate VNets with no peering (or use NSGs).
Decision Factors:
Number of VNets: >10? Hub-and-spoke or vWAN.
Need for central inspection? Hub-and-spoke with firewall.
Global connectivity? vWAN with multiple hubs.
Existing on-premises? Hybrid with ExpressRoute or VPN.
Cost sensitivity? Hub-and-spoke with single gateway vs. mesh (many peerings).
7. Security and Routing Considerations
Network Security Groups (NSGs): Applied at subnet or NIC level. In hub-and-spoke, apply NSGs on spoke subnets to filter traffic from hub and other spokes.
Azure Firewall: Stateful, managed firewall in hub. Supports FQDN filtering, threat intelligence, SNAT/DNAT. Deployed in a dedicated subnet (AzureFirewallSubnet).
User-Defined Routes (UDRs): Forced tunneling: route all internet-bound traffic through firewall or on-premises. In hub-and-spoke, create a route table in spoke subnets with 0.0.0.0/0 next hop to firewall IP.
BGP: Used with VPN and ExpressRoute gateways to propagate on-premises routes. In Virtual WAN, BGP is automatic between hub and spokes/branches.
8. Verification Commands
Although Azure is GUI-based, you can use Azure CLI or PowerShell for verification:
# List VNet peerings
az network vnet peering list --resource-group MyRG --vnet-name HubVNet --output table
# Check effective routes on a NIC
az network nic show-effective-route-table --resource-group MyRG --name MyVMNic
# Verify VPN connection status
az network vpn-connection show --resource-group MyRG --name MyVPNConn --query 'connectionStatus'
# List ExpressRoute circuit status
az network express-route list --resource-group MyRG --query '[].{Name:name, Status:serviceProviderProvisioningState}'9. Interaction with Other Azure Services
Azure DNS: Private DNS zones can be linked to VNets for name resolution across peered VNets. In hub-and-spoke, you can create a private DNS zone in the hub and link spokes.
Azure Bastion: Deploy in hub to provide secure RDP/SSH access to VMs in all peered spokes (requires peering to hub).
Azure Private Link: Private endpoints for PaaS services (e.g., SQL Database, Storage) can be deployed in spoke VNets, accessible via peering.
Azure Load Balancer: Internal load balancers in hub can distribute traffic to spoke workloads (requires peering and routing).
10. Common Pitfalls
Non-transitive peering: assuming spoke-to-spoke traffic flows through hub without UDRs or NVAs. It does not; you must configure routing.
Gateway transit misconfiguration: enabling 'Allow gateway transit' on the wrong side (must be on spoke peering to hub).
Overlapping IP addresses: hub and spoke must not have overlapping address spaces if you plan to peer. Plan IP addressing carefully.
Forgetting to update route tables after adding new spokes: each spoke must have UDRs pointing to the firewall.
ExpressRoute and VPN coexistence: if both are active, ensure BGP routing is correctly configured to prefer ExpressRoute.
Design IP Address Plan
Define VNet address spaces (e.g., 10.0.0.0/16 for hub, 10.1.0.0/16 for spoke1, 10.2.0.0/16 for spoke2). Ensure no overlap. Reserve /24 for gateway subnet (GatewaySubnet), /26 for Azure Firewall (AzureFirewallSubnet), and /27 for Bastion (AzureBastionSubnet). Plan for future expansion by leaving gaps. This step determines whether peering is possible (overlapping IPs prevent peering).
Create Hub VNet with Gateway
Deploy the hub VNet with required subnets. Create a VPN or ExpressRoute gateway in the GatewaySubnet. This gateway allows spoke VNets to connect to on-premises via gateway transit. Choose the gateway SKU based on throughput needs. For production, enable Active-Active mode for VPN. The gateway creation can take 30-45 minutes.
Deploy Firewall in Hub
Create Azure Firewall in the AzureFirewallSubnet. Configure firewall policy with rules for inbound, outbound, and spoke-to-spoke traffic. Enable DNS proxy for FQDN filtering. Note the firewall's private IP address (e.g., 10.0.1.4) for use in UDRs. Deploying Azure Firewall also takes about 5-10 minutes.
Create Spoke VNets and Peer to Hub
For each spoke, create the VNet with non-overlapping address space. Create two peerings: hub->spoke (with 'Allow gateway transit' disabled, 'Use remote gateways' disabled) and spoke->hub (with 'Allow gateway transit' disabled, 'Use remote gateways' enabled). This allows spoke to use hub's gateway. Verify peering status shows 'Connected'.
Configure Route Tables and NSGs
In each spoke, create a route table for workload subnets. Add a route: 0.0.0.0/0 with next hop 'Virtual appliance' and the firewall's private IP. Associate the route table with workload subnets. Apply NSGs to subnets to allow only necessary traffic. For spoke-to-spoke traffic, ensure the firewall's rules allow it. Test connectivity from a test VM in one spoke to another.
Scenario 1: Multi-tier Application with Centralized Security
A financial services company runs a three-tier application (web, app, database) in separate spoke VNets. The hub contains Azure Firewall for inspection and a VPN gateway for branch office connectivity. The company requires that all internet-bound traffic goes through the firewall for logging. They also need to isolate the database tier from direct access from other spokes.
Configuration: Each spoke has UDRs pointing 0.0.0.0/0 to the firewall. NSGs on the database subnet only allow traffic from the app subnet (via private IPs). The hub firewall has rules to allow HTTP/HTTPS from internet to web tier, and SQL traffic from app to database. VPN gateway uses BGP to advertise on-premises routes.
Scale: 10 spokes, each with multiple subnets. The hub firewall handles ~5 Gbps throughput. Issues arise when developers add new spokes without updating UDRs, causing traffic to bypass the firewall. The solution is to use Azure Policy to enforce route table association.
Scenario 2: Global Enterprise with Virtual WAN
A multinational corporation with offices in 20 countries uses Azure Virtual WAN to connect all branches. Each region has a virtual hub with ExpressRoute circuits from local providers. Spoke VNets for regional workloads connect to the nearest hub. Hubs are interconnected via Microsoft backbone (hub-to-hub peering).
Benefits: Simplified management – no need to configure individual VPN tunnels for each branch. Centralized routing policies. The company uses Azure Firewall Manager to enforce security policies globally.
Problems: Cost – each hub incurs gateway costs. Latency for inter-region traffic is slightly higher than ExpressRoute Global Reach, but acceptable. Misconfiguration of custom route tables can cause blackholing; they rely on default routing.
Scenario 3: Hybrid Migration with Hub-and-Spoke
A healthcare provider migrates on-premises workloads to Azure. They set up a hub with ExpressRoute (1 Gbps) and a VPN gateway as backup. Spokes host different departments (HR, Finance, Clinical). Each spoke has its own private DNS zones. The hub hosts a jump box and management tools.
Challenge: Coexistence of VPN and ExpressRoute – BGP routes from both paths must be managed to prefer ExpressRoute. They use route-based VPN and set local preference BGP attribute on ExpressRoute connections. The migration takes 6 months, during which they maintain overlapping IPs by using site-to-site VPN with network address translation (NAT) on premises.
Failure case: During a test, a misconfigured UDR in a spoke sent traffic to a non-existent firewall IP, causing an outage. Recovery required deleting the route and re-associating the correct route table. They learned to use Azure Monitor alerts for route table changes.
What AZ-305 Tests on Network Topology (Objective 4.2)
Identify the appropriate topology based on requirements: hub-and-spoke for centralized security and shared services; mesh for low latency with few VNets; Virtual WAN for global branch connectivity.
Understand VNet peering limitations: non-transitive, maximum 500 peerings per VNet, gateway transit only one direction.
Gateway transit: know that spokes can use hub's gateway only if 'Use remote gateways' is enabled on spoke-to-hub peering and 'Allow gateway transit' is enabled on hub-to-spoke peering.
ExpressRoute vs VPN: ExpressRoute is private, consistent latency, higher bandwidth; VPN is over internet, lower cost, slower. Coexistence possible with route-based VPN.
Virtual WAN: know its components (virtual hub, connections, routing) and that it supports up to 1000 VNet connections per hub.
Common Wrong Answers and Why Candidates Choose Them
"Full mesh is best for any number of VNets" – Candidates think direct peering is always faster. Reality: mesh does not scale beyond ~30 VNets due to peering limits and management complexity. Hub-and-spoke is preferred for more than 10 VNets.
"Gateway transit allows spokes to communicate directly" – They assume transit implies spoke-to-spoke traffic goes through the gateway. Actually, gateway transit only provides hybrid connectivity; spoke-to-spoke traffic requires a firewall or NVA with UDRs.
Mistake: Assuming VNet Peering works transitively – Correct rule: Peering is NOT transitive. You must create a direct peering between each pair of VNets, or route through a hub VNet with a network virtual appliance.
"Virtual WAN is cheaper than hub-and-spoke for small deployments" – Candidates overlook gateway costs per hub. For a single region with few spokes, hub-and-spoke is cheaper.
Specific Numbers and Terms on the Exam
Maximum VNet peerings per VNet: 500.
Virtual WAN hub supports up to 1000 VNet connections.
VPN gateway SKU throughputs: VpnGw1 (650 Mbps), VpnGw2 (1 Gbps), VpnGw3 (1.25 Gbps).
ExpressRoute bandwidths: 50 Mbps to 100 Gbps.
Coexistence requires route-based VPN.
FastPath requires ExpressRoute Gateway UltraPerformance.
Edge Cases
Forced tunneling: if you set 0.0.0.0/0 UDR to firewall, ensure firewall can route internet traffic; otherwise, VMs lose internet access.
Private endpoints: they use a private IP in the VNet; if you peer that VNet to another, the private endpoint is accessible only if the other VNet has DNS resolution configured.
Global VNet peering: supported across regions but incurs egress costs; not supported for China regions (use VPN or ExpressRoute).
How to Eliminate Wrong Answers
If a question asks for "lowest cost" and "few VNets", eliminate Virtual WAN (higher cost) and ExpressRoute (monthly fee). Consider VPN gateway with hub-and-spoke.
If "centralized security" is required, eliminate mesh (no central inspection).
If "global branch connectivity" is needed, eliminate hub-and-spoke with a single hub (spokes far away have high latency). Choose Virtual WAN with multiple hubs.
If "high availability for hybrid connectivity" is needed, look for Active-Active VPN or dual ExpressRoute circuits.
Hub-and-spoke is the recommended topology for most enterprise scenarios with >2 VNets.
VNet peering is non-transitive; you must explicitly route traffic between spokes.
Gateway transit allows spokes to use the hub's VPN/ExpressRoute gateway, not for spoke-to-spoke traffic.
Azure Virtual WAN is best for global branch connectivity with many spokes and locations.
Full mesh is only suitable for small deployments (<10 VNets) requiring direct low-latency paths.
ExpressRoute provides private, consistent, high-bandwidth connectivity; VPN is internet-based and lower cost.
Coexistence of VPN and ExpressRoute requires a route-based VPN gateway and BGP.
Always plan IP address spaces to avoid overlap between VNets you intend to peer.
Use Azure Policy to enforce route table associations and NSG rules for consistency.
For forced tunneling, ensure the firewall or NVA can route internet traffic, or VMs lose internet access.
These come up on the exam all the time. Here's how to tell them apart.
Hub-and-Spoke
Centralized security and shared services (firewall, gateway).
Scales to many spokes (up to 500 peerings per hub, but practical limit ~100).
Non-transitive peering requires explicit routing for spoke-to-spoke.
Lower management overhead for large numbers of VNets.
Cost-effective: single gateway, fewer peerings.
Full Mesh
Direct connectivity between all VNets (lowest latency).
Does not scale: n*(n-1)/2 peerings required; limit of 500 peerings per VNet.
No central inspection point; each VNet must manage its own security.
High management overhead for >10 VNets.
Higher cost: many peerings (especially cross-region) and no shared gateway.
Mistake
VNet peering is transitive, so if VNet A is peered to B and B to C, A can reach C.
Correct
VNet peering is non-transitive. A can only reach B directly, not C. To enable A-to-C communication, you must either peer A directly to C or route through a hub.
Mistake
Gateway transit allows spokes to communicate with each other through the hub's gateway.
Correct
Gateway transit only allows spokes to use the hub's VPN/ExpressRoute gateway for hybrid connectivity. Spoke-to-spoke traffic does not automatically go through the gateway; you need a firewall or NVA with UDRs to route inter-spoke traffic.
Mistake
Azure Virtual WAN is always more cost-effective than hub-and-spoke.
Correct
Virtual WAN incurs higher costs due to managed hub infrastructure (gateways, routing). For small deployments (1-2 regions, few spokes), hub-and-spoke is cheaper.
Mistake
You can use any gateway SKU for ExpressRoute coexistence with VPN.
Correct
Coexistence requires a route-based VPN gateway. Policy-based VPN gateways do not support BGP and cannot coexist with ExpressRoute.
Mistake
Full mesh topology is always the best choice for low latency.
Correct
While full mesh provides direct paths, it does not scale beyond ~30 VNets due to peering limits and management complexity. Hub-and-spoke often achieves similar latency with better manageability.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The maximum is 500 peerings per VNet. This includes both local and global peerings. However, practical limits are lower due to routing complexity. For hub-and-spoke, you can have up to 500 spokes if each spoke is peered only to the hub, but you may hit other limits like route table entries.
Yes, you can use both simultaneously with a route-based VPN gateway. This is called coexistence. Azure prefers ExpressRoute routes over VPN routes for the same prefix. BGP is used to exchange routes. You must configure both connections on the same gateway and ensure the VPN is route-based.
Spoke-to-spoke traffic does not flow automatically. You need to deploy a network virtual appliance (NVA) or Azure Firewall in the hub and create user-defined routes (UDRs) in each spoke's subnets pointing the spoke's address space to the NVA/firewall's private IP. The NVA/firewall must then route traffic between spokes.
Azure Firewall is a managed, stateful firewall with built-in high availability and auto-scaling. It supports FQDN filtering, threat intelligence, and SNAT/DNAT. Third-party NVAs (e.g., from Palo Alto, Fortinet) offer more advanced features like SSL inspection, IPS/IDS, and custom routing. The choice depends on security requirements and existing investments.
Use Virtual WAN when you have many branch offices (site-to-site VPN or SD-WAN), multiple regions, or need to connect many VNets (up to 1000 per hub). It simplifies management by providing a central hub with automatic routing and integrated security. For a single region with few spokes, hub-and-spoke is simpler and cheaper.
Yes, global VNet peering allows peering across any Azure region (except China regions, which require VPN or ExpressRoute). Global peering uses the Microsoft backbone and incurs egress costs for traffic crossing regions. Performance is still good, but latency is higher than local peering.
VNet peering fails if the address spaces overlap. You must ensure no overlap before peering. If you need to connect VNets with overlapping IPs, you must use a VPN gateway with NAT or redesign the IP plan.
You've just covered Azure Network Topology Patterns — now see how well it sticks with free AZ-305 practice questions. Full explanations included, no account needed.
Done with this chapter?