A ready to deploy, well-documented network topology for testing, inventing, learning, and experimenting with Azure networking.
What's New • Features • Quick Start • Architecture • Scenarios • FAQ • Contributing
| Date | Update |
|---|---|
| Feb 2026 | New scenario: Deploy an Azure Container Apps Environment fully internal — deploy ACA in internal mode within a hub-and-spoke topology, with network injection and private endpoint integration. |
This repository provides a preconfigured Azure hub-and-spoke network topology aligned with the Azure Enterprise-Scale Landing Zone reference architecture. Deploy it with a single click and use it as a sandbox for testing, studying, and experimenting with network configurations.
📖 Read this blog post for more insights about this project.
- 🏗️ Enterprise-like topology — Aligned with Microsoft's Cloud Adoption Framework
- 🚀 One-click deployment — Deploy entire environments with a single button
- 🔒 Security built-in — Azure Firewall and Azure Bastion automatically deployed
- 🌐 Multi-region support — deploy the playground in the regions you prefer (defaults: West Europe and North Europe)
- 📚 20+ guided scenarios — Step-by-step tutorials for real-world configurations
- 🔄 Modular design — Deploy only what you need (gateway, firewall, bastion, VMs)
- 🎨 Open-source diagrams — All architecture diagrams include draw.io source files, ready to customize for your own projects
- An active Azure subscription
- Permissions to create resources in your subscription

1. Open Azure Cloud Shell (Bash).

2. Clone the repository:

   ```bash
   git clone https://github.com/nicolgit/hub-and-spoke-playground.git
   cd hub-and-spoke-playground
   ```

3. Set variables for the region and the resource group name, then create the target resource group:

   ```bash
   LOCATION="westeurope"
   RESOURCE_GROUP="hub-and-spoke-playground"
   az group create --name $RESOURCE_GROUP --location $LOCATION
   ```

4. Deploy the playground you need (run these from the repository root, where the `bicep/` template paths resolve):

   ```bash
   # HUB 01 — Hub network + spokes 01, 02, 03
   az deployment group create --resource-group $RESOURCE_GROUP \
     --template-file bicep/hub-01.bicep

   # ON PREMISES — Simulated on-prem (France Central)
   az deployment group create --resource-group $RESOURCE_GROUP \
     --template-file bicep/on-prem.bicep

   # ON PREMISES 2 — Simulated on-prem (Germany West Central)
   az deployment group create --resource-group $RESOURCE_GROUP \
     --template-file bicep/on-prem-2.bicep

   # ANY-TO-ANY — deploys hub-01 + routing + firewall rules
   az deployment group create --resource-group $RESOURCE_GROUP \
     --template-file bicep/hub-01.bicep --parameters anyToAnyRouting=true

   # HUB 02 — Second hub + spokes 04-10
   az deployment group create --resource-group $RESOURCE_GROUP \
     --template-file bicep/hub-02.bicep
   ```

💡 Tip: you can override any default parameter with `--parameters paramName=value`.
To destroy all resources and stop incurring costs, delete the resource group:

```bash
az group delete --name $RESOURCE_GROUP --yes --no-wait \
  --force-deletion-types Microsoft.Compute/virtualMachines
```

All VMs are deployed with:

- Username: `nicola`
- Password: `password.123`

⚠️ Security Note: this playground is intended to stay up for only a few hours, and none of its VMs has a public IP (access goes through Azure Bastion), so every VM is deployed with the same default username and password. Those credentials are public, since they are printed in this README: change them in the templates, or override them at deployment time, if your security standards require it.
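One way to keep the credential out of the repository altogether, shown here as an added example that is not one of the playground's own templates: declare the password as a `@secure()` parameter with no default, so it has to be supplied at deployment time and is neither stored in the template nor echoed in deployment output or history. The parameter names, the VM name `lab-vm-01`, its NIC name and the Ubuntu image are assumptions for the example.

```bicep
// Added example (not part of the playground): a VM whose admin password is
// never written into the template. Names below are assumptions.
@description('Administrator user name for the lab VM.')
param adminUsername string = 'nicola'

@secure()
@minLength(12)
@description('Administrator password. No default on purpose: supply it at deployment time.')
param adminPassword string

param location string = resourceGroup().location

// The NIC is assumed to exist already (for example, created by the network template).
resource nic 'Microsoft.Network/networkInterfaces@2023-09-01' existing = {
  name: 'lab-vm-01-nic'
}

resource labVm 'Microsoft.Compute/virtualMachines@2023-09-01' = {
  name: 'lab-vm-01'
  location: location
  properties: {
    hardwareProfile: {
      vmSize: 'Standard_D2_v5'
    }
    osProfile: {
      computerName: 'lab-vm-01'
      adminUsername: adminUsername
      adminPassword: adminPassword // secure parameter: redacted from deployment history and outputs
    }
    storageProfile: {
      imageReference: {
        publisher: 'Canonical'
        offer: '0001-com-ubuntu-server-jammy'
        sku: '22_04-lts-gen2'
        version: 'latest'
      }
      osDisk: {
        createOption: 'FromImage'
        managedDisk: {
          storageAccountType: 'Standard_LRS'
        }
      }
    }
    networkProfile: {
      networkInterfaces: [
        {
          id: nic.id
        }
      ]
    }
  }
}
```

Deploy it with `az deployment group create --resource-group $RESOURCE_GROUP --template-file lab-vm.bicep` and leave `adminPassword` off the command line: the Azure CLI prompts for a missing parameter, which also keeps the value out of your shell history. Passing it with `--parameters adminPassword=...` works too, but then it lands in the history of whatever shell you typed it in.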
The playground consists of two hub-and-spoke topologies and two simulated on-premises environments deployed across multiple Azure regions.
Download the draw.io source file
📦 HUB 01 Components

Deployed via bicep/hub-01.json:

| Resource | Description |
|---|---|
| `hub-lab-net` | Hub VNet (West Europe) with 4 subnets |
| `hub-vm-01` | VM deployed in the `hub-lab-net/default` subnet |
| `spoke-01` | Spoke VNet (West Europe) with `spoke-01-vm` |
| `spoke-02` | Spoke VNet (West Europe) with `spoke-02-vm` |
| `spoke-03` | Spoke VNet (North Europe) with `spoke-03-vm` |
| Azure Bastion | Secure RDP/SSH access without public IPs |
| Azure Firewall Premium | Traffic inspection and filtering |
| VPN Gateway | Hybrid connectivity to on-premises |
Download the draw.io source file
📦 ON PREMISES Components

Deployed via bicep/on-prem.json:

| Resource | Description |
|---|---|
| `on-prem-net` | VNet (France Central) simulating on-premises |
| `w10-onprem-vm` | Windows 11 client VM |
| Azure Bastion | Secure access |
| VPN Gateway | S2S connectivity to hub |
Download the draw.io source file
📦 ON PREMISES 2 Components

Deployed via bicep/on-prem-2.json:

| Resource | Description |
|---|---|
| `on-prem-2-net` | VNet (Germany West Central) simulating a second on-premises site |
| `lin-onprem` | 1st Linux client VM |
| `lin-onprem-2` | 2nd Linux client VM |
| Azure Bastion | Secure access |
| VPN Gateway | S2S connectivity to hub |
Download the draw.io source file
📦 HUB 02 Components

Deployed via bicep/hub-02.json:

| Resource | Description |
|---|---|
| `hub-lab-02-net` | Second hub VNet (North Europe) |
| `spoke-04` to `spoke-10` | Seven additional spoke VNets |
| Azure Firewall Standard | Traffic filtering |
| Azure Bastion | Secure access |
| VPN Gateway | Hybrid connectivity |
Download the draw.io source file
📦 ANY-TO-ANY Routing

Deployed via bicep/hub-01.json with parameter `anyToAnyRouting=true`:

- Route tables forwarding spoke traffic through the firewall
- IP Groups and Azure Firewall policies enabling:
  - ✅ Spoke-to-spoke communication
  - 🚫 Blocked web categories (nudity, child inappropriate, pornography)
  - ✅ Allowed HTTP(S) outbound traffic
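The three building blocks listed above, written out for the hub-01 spokes as an added example (this is not the playground's own `anyToAnyRouting` implementation): a route table that sends all traffic leaving a spoke to the firewall, an IP Group holding the spoke prefixes, and a firewall policy with a spoke-to-spoke network rule, a web-category deny and a general HTTP(S) allow. The spoke address spaces, the firewall private IP and every resource name are assumptions.

```bicep
// Added example, not one of the playground's templates. All values below are assumptions.
param location string = 'westeurope'

// Private IP of the hub Azure Firewall (assumed; read it from the firewall's ipConfiguration).
param firewallPrivateIp string = '10.0.1.4'

// Address spaces of the spokes allowed to talk to each other (assumed values).
param spokeAddressPrefixes array = [
  '10.1.0.0/16'
  '10.2.0.0/16'
  '10.3.0.0/16'
]

// 1. Route table: 0.0.0.0/0 via the firewall covers spoke-to-spoke, on-premises and Internet
//    in one route. BGP propagation is disabled so a gateway-learned on-premises route
//    cannot bypass the firewall; the firewall's own subnet keeps normal routing.
resource spokeRouteTable 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-spokes-via-firewall'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// 2. IP Group: one object referenced by every rule, so adding a spoke means
//    adding one prefix here instead of editing each rule.
resource spokesIpGroup 'Microsoft.Network/ipGroups@2023-09-01' = {
  name: 'ipg-spokes'
  location: location
  properties: {
    ipAddresses: spokeAddressPrefixes
  }
}

// 3. Firewall policy. Web categories need the Standard or Premium tier (hub-01 deploys Premium).
resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-09-01' = {
  name: 'afwp-hub-01'
  location: location
  properties: {
    sku: {
      tier: 'Premium'
    }
  }
}

// Network rules are always evaluated before application rules; within a type, the
// collection with the lower priority number wins, so the category Deny (1200)
// is checked before the general HTTP(S) Allow (1300).
resource anyToAnyRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-09-01' = {
  parent: firewallPolicy
  name: 'rcg-any-to-any'
  properties: {
    priority: 1000
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-spoke-to-spoke'
        priority: 1100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'spokes-any-protocol-any-port'
            ipProtocols: [ 'Any' ]
            sourceIpGroups: [ spokesIpGroup.id ]
            destinationIpGroups: [ spokesIpGroup.id ]
            destinationPorts: [ '*' ]
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'deny-web-categories'
        priority: 1200
        action: { type: 'Deny' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'blocked-categories'
            protocols: [ { protocolType: 'Http', port: 80 }, { protocolType: 'Https', port: 443 } ]
            sourceIpGroups: [ spokesIpGroup.id ]
            webCategories: [ 'Nudity', 'ChildInappropriate', 'Pornography' ]
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-web-outbound'
        priority: 1300
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'http-https-anywhere'
            protocols: [ { protocolType: 'Http', port: 80 }, { protocolType: 'Https', port: 443 } ]
            sourceIpGroups: [ spokesIpGroup.id ]
            targetFqdns: [ '*' ]
          }
        ]
      }
    ]
  }
}
```

The template does not touch the existing spokes or firewall; after deploying it, attach the route table to each spoke subnet (for example `az network vnet subnet update --resource-group $RESOURCE_GROUP --vnet-name spoke-01 --name default --route-table rt-spokes-via-firewall`) and associate the policy with the hub firewall. Two things worth checking once it is in place: spoke-to-spoke HTTP traffic matches the network rule and therefore never reaches the application rules, so the web-category deny only applies to traffic the network rules do not cover (in practice, Internet-bound web traffic); and because the default route points at the firewall, a spoke loses all connectivity, including to the Internet, if the firewall is stopped or deallocated.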
Each scenario includes prerequisites, step-by-step solution, and validation tests.
| # | Scenario | Solutions |
|---|---|---|
| 1.1 | Any-to-any spoke communication | implemented using Azure Firewall • implemented using VNet Gateway • implemented using AVNM |
| 1.2 | Connect on-premises via VNet-to-VNet | implemented using a VNet-to-VNet connection to on-premises • implemented using a VNet-to-VNet connection to on-premises-2 |
| 1.3 | Site-to-Site IPSec VPN | one connection without BGP • one connection with BGP • dual connection Active-Active with BGP • Dual Redundancy • Multiple Devices TO BE REVIEWED |
| 1.4 | Cross on-premises communication | implemented with a VNet-to-VNet connection via the hub and BGP |
| 1.5 | Routing cross hubs with BGP | via VNet Gateway |
| 1.6 | Routing cross hubs without BGP | via Azure Firewall |
| # | Scenario | Solutions |
|---|---|---|
| 2.1 | Expose VMs via Firewall DNAT | DNAT Rules |
| 2.2 | North/South traffic inspection | using Azure Firewall |
| 2.3 | Secure web workloads | using Azure Firewall + Application Gateway WAF |
| 2.4 | Manage outbound internet traffic | using Azure Firewall |
| # | Scenario | Solutions |
|---|---|---|
| 3.1 | Cloud DNS for FQDN resolution | Azure DNS |
| 3.2 | DNS resolution from on-premises | Azure Firewall • Private DNS Resolver |
| # | Scenario | Solutions |
|---|---|---|
| 4.1 | Web server | install a web server on a Linux virtual machine |
| 4.2 | Point-to-Site VPN | using Certificate Auth • using Always-On |
| 4.3 | Publish internal web apps | using Application Gateway • using Azure Front Door |
| 4.3 | Publish SFTP endpoint | using Azure Firewall |
| 4.4 | Azure OpenAI with private APIM | using APIM + AOAI |
| 4.5 | Azure Elastic SAN | deploy and connect to a Windows Server VM |
| 4.6 | Azure Container Apps | deploy a fully internal environment |
| # | Scenario | Solutions |
|---|---|---|
| 5.1 | Azure Firewall logs | Log Analytics |
| 5.2 | Network troubleshooting | Network Watcher |
💡 Missing a scenario? Open an issue and let us know!
How much does it cost to run this playground?
The cost depends on the components you deploy and how long you keep them running. The main cost drivers are:
- Azure Firewall Premium: ~$1.75/hour
- VPN Gateway (VpnGw1): ~$0.19/hour
- Virtual Machines: varies by SKU (Standard_D2_v5 ~$0.10/hour)
- Azure Bastion: ~$0.19/hour
💡 Tip: delete the resource group when the playground is not in use to avoid unexpected charges, and redeploy it when you need it again. This is the real value of this project!
Can I use this in production?
This playground is designed for learning and testing purposes. While it follows enterprise-scale landing zone patterns, you should review and adapt security settings, naming conventions, and SKUs before using it in a production environment.
Where can I find the source files for the network diagrams? What software do you use for the diagrams?
All diagrams are created with draw.io and the source files are available in the images/ folder with .drawio extension. You can download them and use them as a starting point for your own architecture diagrams — same style, same icons!
Contributions are welcome! Please read our Contributing Guide and Code of Conduct before submitting a PR.
This project is licensed under the MIT License — see the LICENSE file for details.
Made with ❤️ in Italy 🇮🇹 by nicolgit
Powered by contributors from around the world