19_Azure Hub‐and‐Spoke Network with Application Gateway and NAT Gateway_HTTP_Traffic_Test - Nirvan-Pandey/Azure_DOC GitHub Wiki

19_1: Introduction

This lab demonstrates how to deploy an Azure Application Gateway in a hub-and-spoke network topology, where the frontend is public-facing and the backend is hosted in a private subnet. VNet peering carries HTTP traffic from the Application Gateway in the hub to a private virtual machine running a web server in the spoke; the VM never receives a public IP. A NAT Gateway gives the private subnet controlled outbound internet access (for package installation, for example) without exposing it to inbound connections. Note that the lab uses plain HTTP end to end; TLS termination on the gateway is out of scope here.

This lab simulates a secure enterprise deployment using Azure services:

  • Application Gateway handles incoming public HTTP traffic.

  • Web VM in Spoke VNet receives traffic through private IP.

  • Hub-and-Spoke architecture enables centralized control.

  • NAT Gateway provides secure outbound access from private subnets.

19_2: Architecture Overview

image

The Application Gateway in the hub will serve as a layer 7 load balancer, routing external traffic to the private VM in the spoke.

19_3: Create Resource Group

Create two resource groups:

  • Hub_RG → For shared services like Application Gateway.

  • Spoke_RG → For application server and NAT Gateway.

image

19_4: Create Virtual Networks (Hub & Spoke)

In this step, we will create the virtual networks that define the core of our network topology:

🔹 Hub VNet

  • Address space: 10.0.0.0/24
  • Subnets: AppGatewaySubnet (e.g., 10.0.0.128/25) and Hub_Public_Subnet, carved from the remaining address space, to host the jump server VM.
  • Purpose: This virtual network hosts shared services. AppGatewaySubnet is a dedicated subnet that Azure requires for Application Gateway; no other resource type may be deployed into it. Microsoft recommends a /24 for a Standard_v2 gateway so that autoscaled instances have room to grow; the /25 used here is sufficient for this lab.

image

🔹 Spoke VNet

  • Address space: 10.1.0.0/24
  • Subnet: Application_Subnet. Its range must lie inside the VNet address space: with a 10.1.0.0/24 VNet, 10.1.0.0/24 (or a part of it) is valid, whereas a range such as 10.1.1.0/24 would be rejected because it falls outside 10.1.0.0/24.
  • Purpose: This network hosts the private virtual machine that runs the web server. It has no public IP and is reached only from the Application Gateway (HTTP) and the jump server (SSH) over the peering. Application_Subnet is created as a private subnet, i.e. with default outbound access disabled, so the VM has no implicit path to the internet until the NAT Gateway from 19_9 is attached.

image

This setup simulates real-world enterprise architectures, where traffic must flow through shared gateways and firewalls in the hub rather than directly to the workload.
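Address-plan mistakes surface only when the portal rejects the subnet or the peering, so it is worth checking the plan first. The following Python script is an added example for this lab (it is not part of the wiki page or of Azure tooling). It encodes three rules: a subnet must lie inside its VNet's address space, peered VNets must not overlap, and the Application Gateway v2 subnet should be a /24 per Microsoft's sizing recommendation. The plan is constructed from the lab's values; Hub_Public_Subnet's range is assumed because the page does not give one, and Application_Subnet is deliberately set to 10.1.1.0/24 to show the containment failure.

```python
"""Validate the lab's hub-and-spoke address plan before creating the VNets.

Added example for this lab; not part of the wiki page or of Azure tooling.
Rules: a subnet must lie inside its VNet's address space (Azure rejects it
otherwise), peered VNets must not overlap (peering fails otherwise), and the
dedicated Application Gateway v2 subnet should be a /24 (Microsoft's sizing
recommendation).
"""
import copy
import ipaddress

# Constructed address plan mirroring the lab (Hub_Public_Subnet range assumed).
PLAN = {
    "Hub_VNet": {
        "space": "10.0.0.0/24",
        "subnets": {
            "AppGatewaySubnet": "10.0.0.128/25",
            "Hub_Public_Subnet": "10.0.0.0/25",
        },
    },
    "Spoke_VNet": {
        "space": "10.1.0.0/24",
        "subnets": {
            "Application_Subnet": "10.1.1.0/24",  # outside 10.1.0.0/24 on purpose
        },
    },
}

APPGW_SUBNET = "AppGatewaySubnet"
RECOMMENDED_APPGW_PREFIXLEN = 24  # Microsoft recommends /24 for Standard_v2


def validate_plan(plan):
    """Return {'errors': [...], 'warnings': [...]}; errors would be rejected by Azure."""
    errors, warnings = [], []
    spaces = {}
    for vnet, cfg in plan.items():
        space = ipaddress.ip_network(cfg["space"])
        spaces[vnet] = space
        seen = []
        for name, prefix in cfg["subnets"].items():
            net = ipaddress.ip_network(prefix)
            if not net.subnet_of(space):
                errors.append(f"{vnet}/{name}: {net} is not inside the VNet space {space}")
            for other_name, other in seen:
                if net.overlaps(other):
                    errors.append(f"{vnet}: {name} ({net}) overlaps {other_name} ({other})")
            seen.append((name, net))
            if name == APPGW_SUBNET and net.prefixlen > RECOMMENDED_APPGW_PREFIXLEN:
                warnings.append(
                    f"{vnet}/{name}: {net} is smaller than the recommended "
                    f"/{RECOMMENDED_APPGW_PREFIXLEN} for Application Gateway v2"
                )
    # Peering requires non-overlapping address spaces between the two VNets.
    names = list(spaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if spaces[a].overlaps(spaces[b]):
                errors.append(f"{a} ({spaces[a]}) overlaps {b} ({spaces[b]}): peering would fail")
    return {"errors": errors, "warnings": warnings}


def corrected_plan(plan):
    """Copy of the plan with Application_Subnet moved inside the spoke's /24."""
    fixed = copy.deepcopy(plan)
    fixed["Spoke_VNet"]["subnets"]["Application_Subnet"] = "10.1.0.0/24"
    return fixed


if __name__ == "__main__":
    for label, p in (("as written", PLAN), ("corrected", corrected_plan(PLAN))):
        result = validate_plan(p)
        print(f"{label}: {len(result['errors'])} error(s), {len(result['warnings'])} warning(s)")
        for line in result["errors"] + result["warnings"]:
            print("  -", line)
```

Run it as `python3 plan_check.py`: the plan as written produces one error (Application_Subnet outside 10.1.0.0/24) and one warning (the /25 gateway subnet); the corrected plan produces no errors and keeps the warning, which is advisory.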

19_5: Peer Hub and Spoke VNets

Create VNet peering between Hub_VNet and Spoke_VNet so traffic can flow between them. Peering must exist on both sides, with "Allow access to remote virtual network" enabled in each direction; the two address spaces must not overlap (10.0.0.0/24 and 10.1.0.0/24 do not).

Hub_VNet Side:

image

Spoke_VNet Side:

image

19_6: Deploy Jump Server VM in Hub

Deploy a VM in Hub_Public_Subnet with a public IP to manage internal resources. It is the only host reachable over SSH from the internet, so restrict the inbound SSH rule on its NSG to your own source address rather than Any.

image

19_7: Deploy Application Server VM in Spoke

Create a Linux VM (Ubuntu) in Application_Subnet with no public IP. Note its private IP: it is needed for the SSH hop from the jump server and for the Application Gateway backend pool.

image

19_8: Install and Configure Apache Web Server

19_8_1: SSH into the Jump VM (via its public IP) → then SSH into AppVM over its private IP:

ssh Username@<Application_Private_IP>

Using SSH ProxyJump (the -J option) from your workstation avoids copying your private key onto the jump server.

image

19_8_2: Install Apache

Install an HTTP server (Apache here). Since we are using Ubuntu Linux, the Apache HTTP server package is called apache2, not httpd (the name used on CentOS/RHEL).

  • Update your package list
sudo apt update

image

image

  • Install Apache:
sudo apt install -y apache2

image

image

  • Verify Apache Is Running
sudo systemctl status apache2

image

  • Install the net-tools package

The net-tools package installs legacy networking utilities such as ifconfig, netstat, and route for inspecting network configuration on Linux systems (ss from iproute2, already present on Ubuntu, provides the same information without installing anything).

sudo apt install -y net-tools

image

  • Check that Apache is listening on port 80
sudo netstat -plant | grep ':80 '

image

19_8_3: Create a simple index.html

  • Navigate to /var/www/html/
cd /var/www/html

image

  • Creating a index file
vi index.html
  • Paste the below content
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1" />
  <title>Welcome</title>
  <style>
    body {
      background-color: #D8DBE2;
      font-family: Ubuntu, Verdana, sans-serif;
      display: flex;
      justify-content: center;
      align-items: center;
      height: 100vh;
      margin: 0;
      color: #333;
      font-size: 2em;
    }
  </style>
</head>
<body>
  Welcome to Application Server
</body>
</html>
cat index.html

image

19_8_4: Allow port 80 through the host firewall

Ubuntu ships ufw, but this lab uses firewalld. Note that the host firewall is only one of two filters: the Azure NSG attached to Application_Subnet must also allow inbound TCP 80 from the AppGatewaySubnet range, and for a Standard_v2 gateway the NSG on AppGatewaySubnet must allow inbound TCP 65200-65535 from the GatewayManager service tag, or the backend will show as unhealthy.

  • Install firewalld
sudo apt install -y firewalld

image

  • After install, start and enable firewalld (its default public zone already permits SSH, so the session is not cut off)
sudo systemctl enable firewalld
sudo systemctl start firewalld

image

sudo firewall-cmd --state
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --reload
sudo firewall-cmd --zone=public --list-ports

image

19_9: Configure NAT Gateway (Spoke)

To allow outbound internet access from AppVM without giving it a public IP (the subnet was created as private, so it has no default outbound route), create a NAT Gateway in the spoke:

Step 1: Create a Public IP for NAT (Standard SKU, Static) in Spoke_RG.

Step 2: Create the NAT Gateway in Spoke_RG, in the same region as Spoke_VNet, and attach the public IP.

Step 3: Associate the NAT Gateway with Application_Subnet.

Once associated, every outbound flow from the subnet leaves via the NAT Gateway's public IP, which you can allow-list on external services; the NAT Gateway accepts no inbound connections.

image

image

image

image

image

image

image

19_10: Create a Public IP Address

In Azure Portal, search for Public IP addresses.

  • Choose the same Resource Group as your VNet.

  • Enter a Name (e.g., AppGatewayPublicIP).

  • SKU: Standard

  • IP assignment: Static

  • Leave other options default.

  • Click Review + create, then Create.

image

19_11: Deploy Application Gateway in Hub

19_11_1: Application Gateway

image

  • Select your Resource Group.

  • Give your Application Gateway a Name (e.g., AppGateway).

  • Region: Select the same region as your VNet.

  • SKU tier: Standard_v2.

  • Instance count: Select based on your need (minimum 2 recommended for availability).

  • Enable autoscaling if desired.

image

19_11_2: Frontend: Public IP

image

19_11_3: Backend Pool

Add the private IP of AppVM (the VM has no public IP, so its private address is the only target).

image

image

Now we can see the backend pool is Added.

image

19_11_4: Routing Rule

Configure an HTTP listener on port 80 on the public frontend IP and HTTP backend settings (port 80) that target the backend pool. On Standard_v2 the routing rule also requires a priority value.

image

image

19_11_5: Backend Targets:

image

  • Add Backend setting

image

  • Now we have added both the Listener and Backend Targets, Click on Add.

image

image

image

Review and Create

19_11_6: Health Probe:

Create a custom probe with protocol HTTP and path /index.html, keep the default acceptable status codes (200-399), and reference it from the backend settings. Without a custom probe the gateway requests / on each backend; a custom path lets you check the page you actually serve.

image

19_12: Test the Setup

  • Copy the Public IP of Application Gateway:

image

  • Open a browser and navigate to:
http://<Application-Gateway-Public-IP>

You should see the content of the web page hosted on the private VM. If instead the gateway's Backend health blade shows the VM as Unhealthy, check the NSG on Application_Subnet, firewalld on AppVM, and the probe path, in that order.

image
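The gateway only forwards to a backend its health probe considers healthy, so the browser test in 19_12 and the probe in 19_11_6 are really the same check. The following Python script is an added example for this lab (not from the wiki page, and it uses no Azure API). probe() implements Application Gateway's default match rule, a status in 200-399 before the timeout, plus an optional body-text requirement; check_gateway() runs it against a real gateway IP; demo() serves the lab's page from a local stand-in HTTP server (constructed for the example, not the real AppVM) so the logic can be exercised offline.

```python
"""Replay the Application Gateway health probe and the browser test from a shell.

Added example for this lab; not part of the wiki page and no Azure APIs used.
Application Gateway's default probe match marks a backend healthy when the
probe path returns an HTTP status in 200-399 before the timeout; probe()
implements that rule and can additionally require a body string.
"""
import http.server
import sys
import threading
import urllib.error
import urllib.request

EXPECTED_TEXT = "Welcome to Application Server"  # body text of the lab's index.html

# Bypass any http_proxy in the environment: the gateway probes the backend directly.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe(url, timeout=30, body_match=None, healthy=range(200, 400)):
    """Return (is_healthy, detail) using Application Gateway's probe semantics."""
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            status = resp.status
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:            # 4xx/5xx: a response, but unhealthy
        status, body = exc.code, ""
    except (urllib.error.URLError, OSError) as exc:  # refused, timed out, DNS failure
        return False, f"no response: {exc}"
    if status not in healthy:
        return False, f"HTTP {status} is outside 200-399"
    if body_match is not None and body_match not in body:
        return False, f"HTTP {status} but body does not contain {body_match!r}"
    return True, f"HTTP {status}"


def check_gateway(public_ip, path="/index.html"):
    """Step 19_12: fetch the page through the gateway's public IP and verify its text."""
    return probe(f"http://{public_ip}{path}", body_match=EXPECTED_TEXT)


class _AppVMStandIn(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for Apache on AppVM: serves index.html, 404 otherwise."""

    def do_GET(self):
        if self.path in ("/", "/index.html"):
            body = f"<html><body>{EXPECTED_TEXT}</body></html>".encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep demo output clean
        pass


def demo():
    """Exercise probe() against the local stand-in; returns the three probe results."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _AppVMStandIn)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {
            "index_ok": probe(f"{base}/index.html", body_match=EXPECTED_TEXT),
            "missing_page": probe(f"{base}/missing.html"),
            "wrong_text": probe(f"{base}/index.html", body_match="Hello"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python3 probe_check.py <Application-Gateway-Public-IP>
        print(check_gateway(sys.argv[1]))
    else:
        for name, result in demo().items():
            print(f"{name}: {result}")
```

Run without arguments to see the three offline cases (healthy, 404, wrong page text); pass the gateway's public IP to perform the real 19_12 test from the command line instead of a browser.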

19_13: Summary and Learnings

✅ Deployed a hub-and-spoke Azure topology with VNet peering

✅ Application Gateway exposed the private backend without giving the VM a public IP

✅ NAT Gateway provided outbound internet access with a fixed egress IP and no inbound exposure

✅ Followed the Azure hub-and-spoke pattern used in enterprise landing zones

This setup keeps the web server off the public internet, lets the gateway scale independently of the backend, and follows the hub-and-spoke pattern used in enterprise-grade architectures. Traffic in this lab is unencrypted HTTP; a production deployment would terminate TLS on the Application Gateway and tighten the NSGs on both subnets.
