Azure Hub and Spoke ARM Template Ready-to-Deploy Reusable Solution

$25.00


Overview

This ARM template deploys a **Hub-and-Spoke network topology in Microsoft Azure**, following enterprise-grade design principles used in production landing zones and scalable cloud architectures.

The deployment includes:
* One Hub Virtual Network (VNet)
* One Spoke Virtual Network (VNet)
* One subnet in each VNet
* Bidirectional VNet peering between Hub and Spoke

This design is the foundation for:
* Centralized networking
* Secure traffic inspection
* Hybrid connectivity (VPN / ExpressRoute)
* Multi-spoke expansion

Architecture Design
Hub VNet
The Hub acts as the central point for:
* Shared services (DNS, AD, Firewall)
* Connectivity (VPN Gateway, ExpressRoute)
* Traffic inspection and routing

Spoke VNet
The Spoke is designed for:
* Application workloads
* Isolation of environments
* Scalable expansion (multiple spokes)

VNet Peering
Two peerings are created:
* Hub → Spoke
* Spoke → Hub

This ensures:
* Full bidirectional communication
* Low latency (Microsoft backbone)
* No need for gateways for internal traffic

Resources Deployed
The template creates the following Azure Resources:
1. Microsoft.Network/virtualNetworks (Hub)
2. Microsoft.Network/virtualNetworks (Spoke)
3. Microsoft.Network/virtualNetworks/virtualNetworkPeerings (Hub → Spoke)
4. Microsoft.Network/virtualNetworks/virtualNetworkPeerings (Spoke → Hub)

Key Features
* Fully Parameterized Design
* Deterministic Deployment (No race conditions)
* Custom DNS Support
* Optional DDoS Protection
* Gateway Transit Ready (Future Expansion)
* Clean Dependency Structure
* Reusable for Dev / Test / Production Environments

Prerequisites
Before using this template, ensure:
* Azure Subscription is Active
* Resource Group exists (e.g., RG-ARM-TEMPLATES)
* Azure CLI or Cloud Shell is available
* Proper Permissions (Contributor or Higher)

Files Included
* template.json
  Contains the full infrastructure definition
* parameters.json
  Contains environment-specific values
* deploy.ps1
  PowerShell script for validation, simulation, and optional deployment

Deployment Process

Step 1 – Upload Files to Cloud Shell
Upload the following files:
* template.json
* parameters.json
* deploy.ps1

Step 2 – Validate Template
Run:
az deployment group validate --resource-group RG-ARM-TEMPLATES --template-file template.json --parameters parameters.json

Step 3 – Run WHAT-IF (Simulation Only)
Run:
az deployment group what-if --resource-group RG-ARM-TEMPLATES --template-file template.json --parameters parameters.json

Step 4 – Optional Deployment
Only if required:
az deployment group create --resource-group RG-ARM-TEMPLATES --template-file template.json --parameters parameters.json

Testing and Validation
Validation Completed
The following tests were successfully performed:
1. Template-only validation (no parameters)
2. Template with inline parameters
3. Template with parameters.json
4. Azure WHAT-IF simulation

WHAT-IF Results
Expected and confirmed output:
Resource changes: 4 to create

Resources Validated:
* Hub VNet
* Spoke VNet
* Hub → Spoke Peering
* Spoke → Hub Peering
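
The "4 to create" expectation can be enforced before Step 4 rather than checked by eye. The following is an added example, not part of the product's files: it gates a first deployment on a what-if result containing exactly two VNet creates and two peering creates and nothing destructive. The sample result is constructed, its resource names and subscription ID are placeholders, and the `changes` / `changeType` / `resourceId` field names are assumed to match the JSON printed by `az deployment group what-if --no-pretty-print`.

```python
from collections import Counter

# First-deployment expectation taken from the page: two VNets, two peerings.
EXPECTED_CREATES = {
    "microsoft.network/virtualnetworks": 2,
    "microsoft.network/virtualnetworks/virtualnetworkpeerings": 2,
}

# Constructed what-if result; subscription ID and resource names are placeholders.
_RG = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
       "RG-ARM-TEMPLATES/providers/Microsoft.Network/virtualNetworks/")
SAMPLE_WHAT_IF = {"status": "Succeeded", "changes": [
    {"changeType": "Create", "resourceId": _RG + "vnet-hub"},
    {"changeType": "Create", "resourceId": _RG + "vnet-spoke"},
    {"changeType": "Create",
     "resourceId": _RG + "vnet-hub/virtualNetworkPeerings/hub-to-spoke"},
    {"changeType": "Create",
     "resourceId": _RG + "vnet-spoke/virtualNetworkPeerings/spoke-to-hub"},
]}


def resource_type(resource_id):
    """Derive 'namespace/type[/subtype]' from an ARM resource ID."""
    tail = resource_id.split("/providers/", 1)[1].split("/")
    return "/".join([tail[0]] + tail[1::2]).lower()


def gate(what_if):
    """Return reasons to block deployment; an empty list means proceed."""
    reasons, created = [], Counter()
    for change in what_if.get("changes", []):
        kind = change["changeType"]
        if kind == "Create":
            created[resource_type(change["resourceId"])] += 1
        elif kind not in ("NoChange", "Ignore"):
            # Delete, Modify, Deploy or Unsupported: stop and review by hand.
            reasons.append(f"unexpected {kind}: {change['resourceId']}")
    if dict(created) != EXPECTED_CREATES:
        reasons.append(f"creates differ from expected: {dict(created)}")
    return reasons


if __name__ == "__main__":
    # In use, pass the parsed JSON of a saved what-if result instead.
    print(gate(SAMPLE_WHAT_IF) or "what-if matches the expected 4 creates")
```

A re-run against an already deployed resource group reports no creates and is flagged by design; the gate is meant for the initial deployment.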

Key Validation Outcomes
* No ARM syntax errors
* No dependency issues
* No race conditions
* No invalid configurations
* All parameters resolved successfully
* Azure control plane accepted configuration

Important Notes
* This process does NOT deploy resources unless explicitly executed
* WHAT-IF mode is safe and does not incur cost
* CIDR ranges must not overlap when modified
* Gateway transit parameters should only be enabled when a VPN gateway exists
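
The last two notes can be checked offline before the file reaches Azure. The following is an added example, not part of the product's files: it reads a parameters file in the standard ARM layout and reports overlapping address spaces, subnets that fall outside their VNet, and gateway transit flags set without a hub gateway. The parameter names and the `hub_has_gateway` argument are hypothetical; substitute the names used in the shipped parameters.json.

```python
import ipaddress
import json

# Constructed sample in ARM parameters-file layout. The parameter names are
# hypothetical; the values are deliberately wrong to exercise each check.
SAMPLE_PARAMETERS = json.loads("""
{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "hubAddressPrefix":    {"value": "10.0.0.0/16"},
    "hubSubnetPrefix":     {"value": "10.0.1.0/24"},
    "spokeAddressPrefix":  {"value": "10.0.128.0/17"},
    "spokeSubnetPrefix":   {"value": "10.1.1.0/24"},
    "allowGatewayTransit": {"value": true},
    "useRemoteGateways":   {"value": true}
  }
}
""")


def check_parameters(doc, hub_has_gateway=False):
    """Return a list of findings; an empty list means the file passed."""
    p = {name: entry["value"] for name, entry in doc["parameters"].items()}
    findings = []
    # ip_network() raises ValueError on a malformed prefix or set host bits.
    net = {k: ipaddress.ip_network(p[k])
           for k in ("hubAddressPrefix", "hubSubnetPrefix",
                     "spokeAddressPrefix", "spokeSubnetPrefix")}
    if net["hubAddressPrefix"].overlaps(net["spokeAddressPrefix"]):
        findings.append("hub and spoke address spaces overlap")
    for vnet, subnet in (("hubAddressPrefix", "hubSubnetPrefix"),
                         ("spokeAddressPrefix", "spokeSubnetPrefix")):
        if not net[subnet].subnet_of(net[vnet]):
            findings.append(f"{subnet} is outside {vnet}")
    transit = p.get("allowGatewayTransit", False)
    remote = p.get("useRemoteGateways", False)
    if (transit or remote) and not hub_has_gateway:
        findings.append("gateway transit enabled but hub has no gateway")
    return findings


if __name__ == "__main__":
    for finding in check_parameters(SAMPLE_PARAMETERS):
        print("FAIL:", finding)
```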

Best Practices
* Use separate Address Spaces for each VNet
* Keep Hub for shared services only
* Add additional Spokes for each Application or Environment
* Integrate Azure Firewall or NVA in Hub for Traffic Inspection
* Use Custom DNS for Enterprise Environments
* Expand using Modular Templates

Future Enhancements
This template can be extended to include:
* VPN Gateway (Site-to-Site / Point-to-Site)
* Azure Firewall in Hub
* Network Security Groups (NSGs)
* Route Tables (UDR)
* Multiple Spokes
* Private Endpoints
* ExpressRoute integration

Summary
This Hub-and-Spoke ARM template is:
* Fully validated
* Enterprise-ready
* Deterministic and reliable
* Safe to deploy
* Designed for scalability

It provides a solid networking foundation for any Azure environment and aligns with modern cloud architecture standards.

Support
For questions or custom template requests, please contact:

ITCloudAcademy Support Team
Email: support@ITCloudAcademy.net
Email: info@ITCloudAcademy.net
Website: http://www.itcloudacademy.net

Support Hours:
Monday to Friday
9:00 AM to 6:00 PM MST

Need a custom Azure ARM template? Visit our Azure Custom ARM Templates page for details and services.
