19_Azure Hub‐and‐Spoke Network with Application Gateway and NAT Gateway_HTTP_Traffic_Test - Nirvan-Pandey/Azure_DOC GitHub Wiki
This lab demonstrates how to deploy an Azure Application Gateway in a hub-and-spoke network topology, where the frontend is public-facing and the backend is hosted in a private subnet. We will use Azure Virtual Network peering to route HTTP traffic securely from the Application Gateway to a private virtual machine running a web server. It also includes a NAT Gateway to enable secure, controlled outbound internet access from the private subnet.
This lab simulates a secure enterprise deployment using Azure services:
- Application Gateway handles incoming public HTTP traffic.
- Web VM in Spoke VNet receives traffic through its private IP.
- Hub-and-Spoke architecture enables centralized control.
- NAT Gateway provides secure outbound access from private subnets.
The Application Gateway in the hub will serve as a layer 7 load balancer, routing external traffic to the private VM in the spoke.
Create two resource groups:
- Hub_RG → for shared services like the Application Gateway.
- Spoke_RG → for the application server and the NAT Gateway.
In this step, we will create the virtual networks that define the core of our network topology:
🔹 Hub VNet
- Address space: 10.0.0.0/24
- Subnets: AppGatewaySubnet with an address range such as 10.0.0.128/25, and Hub_Public_Subnet to host public VMs.
- Purpose: This virtual network will host shared services. The AppGatewaySubnet is a dedicated subnet required by Azure to deploy the Application Gateway. No other services should be deployed into this subnet.
🔹 Spoke VNet
- Address space: 10.1.0.0/24
- Subnet: Application_Subnet with an address range such as 10.1.1.0/24
- Purpose: This network will host the private virtual machine that runs the web server. It is isolated from public access and reachable only via the Application Gateway. Application_Subnet is configured as a private subnet.
This setup allows us to simulate real-world enterprise architectures, where traffic must flow securely through shared gateways and firewalls.
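Before creating the VNets and the peering, it is worth checking the address plan offline: Azure rejects a subnet that does not sit inside its VNet address space, and peering fails when the two address spaces overlap. The following Python check is an added example, not part of the lab; it uses the ranges listed above (the hub/spoke names and the `PLAN` layout are the example's own) and reports any subnet that falls outside its VNet, which with the ranges as written flags Application_Subnet against the spoke address space.

```python
# Added example (not from the original lab): validate a hub-and-spoke address
# plan before deploying. Address values are the ones listed in the lab text.
import ipaddress

# VNet address space -> its subnets (constructed from the lab's ranges)
PLAN = {
    "Hub_VNet": {
        "space": "10.0.0.0/24",
        "subnets": {"AppGatewaySubnet": "10.0.0.128/25"},
    },
    "Spoke_VNet": {
        "space": "10.1.0.0/24",
        "subnets": {"Application_Subnet": "10.1.1.0/24"},
    },
}


def check_plan(plan):
    """Return a list of findings; an empty list means the plan is deployable.

    Checks: every subnet lies inside its VNet address space, and no two VNet
    address spaces overlap (a requirement for VNet peering).
    """
    findings = []
    spaces = {}
    for vnet, cfg in plan.items():
        space = ipaddress.ip_network(cfg["space"], strict=True)
        spaces[vnet] = space
        for name, cidr in cfg["subnets"].items():
            subnet = ipaddress.ip_network(cidr, strict=True)
            if not subnet.subnet_of(space):
                findings.append(f"{vnet}/{name} {subnet} is outside VNet space {space}")
    names = list(spaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if spaces[a].overlaps(spaces[b]):
                findings.append(f"{a} {spaces[a]} overlaps {b} {spaces[b]} (peering will fail)")
    return findings


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["address plan OK"]:
        print(line)
```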
Create VNet Peering between Hub and Spoke to allow traffic flow.
Allow traffic in both directions.
Hub_VNet Side:
Spoke_VNet Side:
Deploy a VM in Hub_Public_Subnet to manage internal resources.
Create a Linux VM (Ubuntu) in Application_Subnet with no public IP, then connect to it from the hub VM over its private IP:
```bash
ssh Username@<Application_Private_IP>
```
Install an HTTP server (e.g., Apache or IIS). Since we are using Ubuntu Linux, the Apache HTTP server package is called apache2, not httpd (which is typical for CentOS/RHEL).
- Update your package list:
```bash
sudo apt update
```
- Install Apache:
```bash
sudo apt install -y apache2
```
- Verify Apache is running:
```bash
sudo systemctl status apache2
```
- Install the net-tools package. It provides legacy networking utilities like ifconfig, netstat, and route for managing and troubleshooting network configurations on Linux systems:
```bash
sudo apt install -y net-tools
```
- Check that Apache is listening on port 80:
```bash
netstat -plan | grep -i 80
```
- Navigate to /var/www/html/:
```bash
cd /var/www/html
```
- Create an index file:
```bash
vi index.html
```
- Paste the content below:
```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Welcome</title>
<style>
body {
background-color: #D8DBE2;
font-family: Ubuntu, Verdana, sans-serif;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
margin: 0;
color: #333;
font-size: 2em;
}
</style>
</head>
<body>
Welcome to Application Server
</body>
</html>
```
- Confirm the file was saved:
```bash
cat index.html
```
- Install firewalld:
```bash
sudo apt install -y firewalld
```
- After installation, start and enable firewalld, then open TCP port 80 in the public zone so the Application Gateway can reach Apache:
```bash
sudo systemctl enable firewalld
sudo systemctl start firewalld
sudo firewall-cmd --state
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --reload
sudo firewall-cmd --zone=public --list-ports
```
To allow outbound internet access from AppVM without a public IP:
- Step 1: Create a Public IP for the NAT Gateway
- Step 2: Create the NAT Gateway
- Step 3: Associate it with the subnet
In the Azure Portal, search for Public IP addresses.
- Choose the same Resource Group as your VNet.
- Enter a Name (e.g., AppGatewayPublicIP).
- SKU: Standard
- IP assignment: Static
- Leave other options default.
- Click Review + create, then Create.
- Select your Resource Group.
- Give your Application Gateway a Name (e.g., AppGateway).
- Region: Select the same region as your VNet.
- SKU tier: Standard V2 (make sure to select the Standard_v2 SKU).
- Instance count: Select based on your need (minimum 2 recommended).
- Enable autoscaling if desired.
Add the private IP of the VM.
Now we can see the backend pool is added.
Configure the HTTP listener and backend settings.
- Add a backend setting.
- Now that both the Listener and Backend Targets are added, click Add.
Review and Create.
Target: /index.html.
- Copy the Public IP of the Application Gateway.
- Open a browser and navigate to:
```
http://<Application-Gateway-Public-IP>
```
You should see the content of the web page hosted on the private VM.
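The Application Gateway only forwards traffic to a backend its health probe considers healthy: the probe requests the configured path (here /index.html) and accepts HTTP 200-399 as healthy; any other status or a timeout marks the VM unhealthy and clients get a 502 from the gateway. The following Python script is an added example, not part of the lab, that emulates that check offline: it serves the lab's index.html from a small stand-in backend on 127.0.0.1 (a constructed host and port) and runs the probe logic against it, so you can see what "healthy" versus "unhealthy" looks like before troubleshooting the real deployment.

```python
# Added example (not from the original lab): emulate the Application Gateway
# backend health probe against a local stand-in for the Apache web VM.
import http.server
import threading
import urllib.error
import urllib.request

# Constructed body: the essential content of the lab's index.html
INDEX_HTML = "<!DOCTYPE html><html><body>Welcome to Application Server</body></html>"


class BackendHandler(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for Apache on the private VM: serves /index.html only."""

    def do_GET(self):
        if self.path == "/index.html":
            body = INDEX_HTML.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_backend():
    """Start the stand-in backend on an ephemeral port; returns (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), BackendHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(host, port, path="/index.html", timeout=2.0):
    """Return (healthy, status, body); healthy uses App Gateway's default 200-399 range."""
    url = f"http://{host}:{port}{path}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return (200 <= resp.status <= 399, resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:  # non-2xx/3xx reply still has a status code
        return (200 <= e.code <= 399, e.code, "")
    except (urllib.error.URLError, OSError):  # refused, blocked by firewall, or timed out
        return (False, None, "")


if __name__ == "__main__":
    srv, port = start_backend()
    print(probe("127.0.0.1", port))
    srv.shutdown()
    srv.server_close()
```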
✅ Deployed hub-and-spoke Azure topology
✅ Application Gateway enabled secure access to private backend
✅ NAT Gateway provided secure outbound internet access
✅ Followed Azure best practices for enterprise architecture
This setup improves network security, scalability, and follows cloud best practices for hybrid and enterprise-grade architectures.