Infrastructure as Code with Bicep: Deploying a Hub-and-Spoke Network Topology

Hub-and-spoke is the recommended network topology for most Azure enterprise deployments. The hub virtual network acts as a central point of connectivity, hosting shared services like firewalls, VPN gateways, and DNS. Spoke networks connect to the hub via peering and contain workload-specific resources.

Architecture Overview

In a hub-and-spoke architecture:

• The hub VNET contains Azure Firewall, VPN Gateway, and shared services
• Spoke VNETs contain workload resources (VMs, App Services, databases)
• VNET peering connects each spoke to the hub
• User Defined Routes (UDR) force spoke traffic through the hub firewall

The Hub Module

Here is a Bicep module for the hub virtual network with Azure Firewall and gateway subnets:

The Spoke Module

Each spoke VNET peers back to the hub and routes traffic through the firewall:

Deploying the Architecture

Deploy the hub first, then each spoke:

Best Practices

When organizing a multi-file Bicep project, use this structure:

• main.bicep orchestrates the hub and spoke deployments
• modules/hub.bicep defines the hub VNET, firewall, and gateway
• modules/spoke.bicep is a reusable spoke template
• parameters/dev.bicepparam holds environment-specific parameters

This modular approach lets you add new spokes by calling the spoke module with different parameters. For a complete reference, see the Bicep documentation and the Entra ID Bicep templates announcement for identity resource management with Bicep.