A company has multiple Azure virtual networks (VNets) in different regions and an on-premises data center connected via ExpressRoute. They need to implement a hub-and-spoke topology where a hub VNet hosts shared network virtual appliances (NVAs) for traffic inspection. All traffic between spokes and between spokes and on-premises must be routed through the hub. The company wants to minimize the administrative overhead of configuring and maintaining routing. Which Azure solution should they implement?
Trap 1: Use VNet peering with user-defined routes (UDRs) in each spoke and…
While this is possible, it requires manual configuration and maintenance of UDRs in each spoke and managing BGP with Route Server, increasing administrative overhead.
Trap 2: Create a single large VNet and use network security groups (NSGs)…
A single VNet does not scale well for cross-region connectivity and does not provide the necessary routing through NVAs without complex configuration.
Trap 3: Use Azure Firewall in the hub VNet and configure forced tunneling…
Forced tunneling requires manual route configuration and does not automatically handle transitive routing between spoke VNets; it also requires careful management of routes.
- A
Use Azure Virtual WAN with a secured virtual hub.
Azure Virtual WAN provides a managed hub-and-spoke architecture with automatic routing. A secured virtual hub can integrate NVAs or Azure Firewall, and it handles transitive routing between spokes and on-premises without manual route tables or UDRs.
- B
Use VNet peering with user-defined routes (UDRs) in each spoke and Azure Route Server.
Why wrong: While this is possible, it requires manual configuration and maintenance of UDRs in each spoke and managing BGP with Route Server, increasing administrative overhead.
- C
Create a single large VNet and use network security groups (NSGs) to isolate traffic.
Why wrong: A single VNet does not scale well for cross-region connectivity and does not provide the necessary routing through NVAs without complex configuration.
- D
Use Azure Firewall in the hub VNet and configure forced tunneling via custom routes.
Why wrong: Forced tunneling requires manual route configuration and does not automatically handle transitive routing between spoke VNets; it also requires careful management of routes.