Azure | Terraform | Mar 2026

Implementing Azure Hub-Spoke VNET with Terraform

1. Define Hub Network

Initialize your provider and create the central Hub Virtual Network.

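# The azurerm provider requires a features block, even when it is empty.
provider "azurerm" {
  features {}
}

# azurerm_resource_group.main must be declared elsewhere in the configuration.
resource "azurerm_virtual_network" "hub" {
  name                = "hub-vnet-prod"
  address_space       = ["10.0.0.0/16"]
  location            = "East US"
  resource_group_name = azurerm_resource_group.main.name
}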

2. Establish Bidirectional Peering

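Connect each spoke network to the hub. A peering resource is one-directional, so every spoke needs a matching spoke-to-hub peering alongside the hub-to-spoke resource shown here. Remember to allow forwarded traffic for NVA (network virtual appliance) routing.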

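# azurerm_virtual_network.spoke must be declared elsewhere in the configuration.
resource "azurerm_virtual_network_peering" "hub_to_spoke" {
  name                      = "peer-hub-to-spoke"
  resource_group_name       = azurerm_resource_group.main.name # required: resource group of the hub VNET
  virtual_network_name      = azurerm_virtual_network.hub.name
  remote_virtual_network_id = azurerm_virtual_network.spoke.id
  allow_forwarded_traffic   = true # accept traffic relayed by an NVA
}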
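
The return half of the peering and the route that makes spoke traffic actually reach the NVA, as an added example that is not part of the original page. It assumes the spoke VNET shares azurerm_resource_group.main; the variable hub_firewall_private_ip, the subnet azurerm_subnet.spoke_workload and the route table name are hypothetical.

```hcl
# Assumption: private IP of the firewall or NVA in the hub (not defined on the page).
variable "hub_firewall_private_ip" {
  type        = string
  description = "Next-hop address of the hub firewall or NVA"
}

# Return half of the peering. Until it exists, the hub-to-spoke peering
# stays in the "Initiated" state and carries no traffic.
resource "azurerm_virtual_network_peering" "spoke_to_hub" {
  name                      = "peer-spoke-to-hub"
  resource_group_name       = azurerm_resource_group.main.name # assumes the spoke shares this resource group
  virtual_network_name      = azurerm_virtual_network.spoke.name
  remote_virtual_network_id = azurerm_virtual_network.hub.id
  allow_forwarded_traffic   = true # accept traffic the hub firewall relays from other networks
}

# Default route that overrides Azure's system route to the internet and
# sends spoke egress to the hub firewall instead.
resource "azurerm_route_table" "spoke_egress" {
  name                = "rt-spoke-egress" # hypothetical name
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name

  route {
    name                   = "default-via-hub-firewall"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = var.hub_firewall_private_ip
  }
}

# The route table has no effect until it is associated with a subnet.
# azurerm_subnet.spoke_workload is a hypothetical spoke subnet.
resource "azurerm_subnet_route_table_association" "spoke_workload" {
  subnet_id      = azurerm_subnet.spoke_workload.id
  route_table_id = azurerm_route_table.spoke_egress.id
}
```

Associate the route table with every workload subnet in each spoke; a subnet left without the association keeps Azure's default internet route and its egress bypasses the hub.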

Security Architecture Note

"Always deploy a Firewall in the Hub VNET. All traffic from spokes should be routed through the Hub for inspection before reaching the internet."