Hub or Azure Virtual WAN & Spoke playground - LAB Builder

Table of contents

1. Table of contents
2. Deploy to Azure
3. Description
4. Scenario's
   1. Topology drawing - Hub & Spoke
   2. Topology drawing - Azure Virtual WAN
5. Deployment notes
   1. General
   2. Subnet Ip Address range usage
   3. Resource Names
6. Azure Monitor Agent, VM Insights and Dependency Agent
7. Spoke VNET peerings in a Fully Meshed topology (Whitout AVNM)
8. Azure Virtual Network Manager
9. Parameters overview
10. Updates
    1. Februari 2024 updates
    2. June 2023 updates
    3. May 2023 updates
    4. September 2022 updates
    5. July 2022 updates
    6. June 2022 updates
    7. May 2022 updates

Deploy to Azure

Description	Template
Deploy to Azure Subscription

:warning: Warning: This deployment is meant for Demo, Test, Learning, Training, Practice or Reproduction purposes ONLY!! Please don't deploy to production environments!!

Description

This Lab Builder is built for testing, training, learning, reproduce and demo purposes which allows for quickly repeatable deployments of a Azure Hub & Spoke topology. All components like: Azure Virtual Machines, Azure Firewalls, Azure Virtual Network Gateways, Azure Bastion Hosts and the number of Spokes are optional making this deployment suitable for every scenario!

Optionaly you can deploy:

• Azure Firewall (Standard or Premium) in the Hub (VNET or vWAN) incl. Route table
• Azure Virtual network manager (AVNM) with Hub & Spoke topology and optionally Directly Connected network group.
• Virtual Machines in Hub VNET and/or Spoke VNET's **
• Bastion Host in Hub VNET and/or Spoke VNET's ****
• Azure Monitor Agent and Dependency Agent on Virtual Machines
• Azure Firewall rule Collection group which enables spoke-to-spoke and internet traffic.
• Full meshed Spokes base on standard VNET peerings (Whitout AVNM)
• Simulated 'OnPremises' VNET with optional ***:
  • VPN Gateway
  • Site-2-Site VPN connection to Hub (VNET or vWAN)
  • Bastion Host
  • Virtual Machine

** On deployemnt you can specify the amount of Spoke VNET's to be deployed. VNET peerings will be deployed if both Hub and Spoke(s) are selected for deployement. When deploying together with AVNM the VNET peerings will be managed by AVNM.

*** To simulate OnPrem hybrid connectivity you can optionaly deploy a 'OnPrem' VNET. Optionaly deploy a Bastion Host, Virtual Machine and Virtual Network Gateway in the OnPrem VNET. When a Hub is also deployed with a VPN Gateway you can optionaly deploy a site-to-site VPN connection.

**** Azure Virtual Network Manager is onyl supported in 'VNET' Hub & Spoke topology.

Scenario's

With LAB Builder you can deploy 4 main scenario's.

1. Only deploy Spoke(s)
2. Only deploy VNET Hub or Azure Virtual Hub
3. Deploy Hub or vWAN Hub and Spoke(s)
4. Deploy Hub or vWAN Hub and Spoke(s) and OnPrem simulating Hybrid connectivity

Within these main scenario's there are multiple options (but not limited to this):

Topology drawing - Hub & Spoke

Topology drawing - Azure Virtual WAN

Deployment notes

General

• VNET Connections will be deployed when vWAN Hub and Spokes are selected
• VNET Peering will be deployed when Hub and Spoke are selected
• ICMPv4 Firewall rule will be enabled on Virtual Machines
• Windows VM image is Windows Server 2022 Datacenter Gen2
• Linux VM image is Ubuntu Server 22.04 LTS Gen2
• Route table incl. Default routes (Private and Public) will be deployed in vWAN Hub if Azure Firewall is selected.
• Route tables (UDR's) incl. Default route will be deployed if Azure Firewall is selected (0.0.0.0/0 -> Azure Firewall)
• Network Security group will be deplyed to 'default' subnets only
• At deployemt use a /16 subnet. every VNET (Hub and Spoke VNET's) will get a /24 subnet
• Hub VNET will always get the first available /24 subnet. eg. 172.16.0.0/24
• Spoke(s) VNET gets subsequent subnets. eg. 172.16.1.0/24, 172.16.2.0/24 etc.
• OnPrem VNET will always get the latest available /24 subnet. eg. 172.16.255.0/24
• see subnet details:

Subnet Ip Address range usage

Spoke VNET's subnets:

Hub VNET subnets:

Azure virtual WAN Hub subnet:

OnPrem VNET subnets:

Resource Names

Azure Monitor Agent, VM Insights and Dependency Agent

• Azure Monitor Agent will be deployed on all VM's (Windows and Linux)
• Data collection rule (DCR) will be deployed in Hub Resource group and associated with all VM's
• Data collection rule includes all configuration for VMInsights including Service Map (Dependency agent)
• Dependency Agent will be installed on Windows VM's only.

Spoke VNET peerings in a Fully Meshed topology (Whitout AVNM)

• With this option all Spoke VNET's will be directly connected using standard VNET peerings.

• 

• When you directly connect spoke virtual networks to each other in a fully meshed topology, you need to consider the potentially high number of virtual network peerings required

• 

• ref to MS docs: Patterns and topologies for inter-spoke communication

Azure Virtual Network Manager

When deploying a Hub you can also deploy a Azure Virtual Network Manager (AVNM). AVNM will be deployed in the HUB resource group and will add the Spoke VNET's as 'static' members of the Network Group. Connectivity configuration is added to support HUB&Spoke topology. Configuration will be deployed using a Deployment Script and User Assigned Identity.

:warning: Warning: You will need to have 'Owner' rights on the HUB resource group to deploy AVNM. The deployment script will create a User Assigned Identity and assign the 'Network Contributor' role to the HUB resource group. This is required to run the Deployment Script which deploys the AVNM configuration.

Parameters overview

Updates

Februari 2024 updates

• Enable Azure vWAN Routing Intent Policy with Azure Firewall
• Update Bicep code to use function CIDRSubet and CIDRHost

June 2023 updates

• Deploy Azure Virtual Network Manager (AVNM) to manage VNET Peerings

May 2023 updates

• Deploy Azure Monitor Agent on Windows and Linux VM's
• Deploy Dependency Agent (Service Map) on Windows VM's
• Deploy Data Collections Rule (DCR) with VMInsights (Performance and Map) enabled
• Select an existing Log Analytics Workspace to be used with AMA/DA and DCR
• Deploy VNET peerings between Spoke VNET's in a fully Meshed topology

September 2022 updates

• Enable Azure Firewall DNS proxy and set VNET DNS to Firewall IP address
• Enable Diagnostic settings to log to existing LogAnalytics workspace
• Deploy Microsoft Monitoring agent if existing LogAnalytics is selected

July 2022 updates

• Multi Subscription deployment. You can now specify different Subscriptions for HUB, Spokes and Onprem deployments
• Virtual machine Sizes. You can now specify different VM Sizes for HUB, Spokes and OnPrem deployments
• Vitual machine Os Types. You can now specify Windows or Linux for HUB, Spokes and OnPrem deployments
• Bastion Host SKU Types. You van noew specify Bastion SKU Basic or Standard for HUB, Spokes and OnPrem deployments
• Updated this ReadMe file

June 2022 updates

• BGP support for VPN site-to-site (VNET and vWAN)
• Azure Virtual WAN support. Choose between Azure vWAN or VNET for Hub deployments

May 2022 updates

• Add default Firewall Network & Application rules
• Deploy separate VNET (simulate OnPrem) and deploy VPN gateways including Site-to-Site tunnel
• remove static Resource Group names
• use CIDR notation as Address Space (Instead of first two octets
• Virtual machine OS Type. Windows and Linux support
• Virtual Machine SKU size selection
• Virtual machine boot diagnostics (Managed storage account)
• Virtual machine delete option of Disk and Nic
• Tags support for resources deployed