This document explains the connection method to use when an on-premise network must reach a spoke that sits behind more than one hub.
In a single-hub scenario, every spoke peered to the hub and every VPN-connected on-premise network can reach the others through the hub network. You address the target network by creating User Defined Routes (UDRs). For these routes to work, enable the "Use the remote virtual network's gateway" option on the spoke side of the peering (and "Allow gateway transit" on the hub side); the spoke then uses the hub's VPN gateway, and the UDRs carry traffic to its destination.
In a multiple-hub scenario, you may need to give a remote network (another spoke or the on-premise network) access to a spoke located behind a second hub. Reaching a target network through additional hubs requires extra steps, because VNet peering is not transitive: a spoke peered to one hub gets no route to the networks peered to another hub.
The key point in the multiple-hub scenario is choosing the correct connection type between the hubs. To connect the remote networks located behind the hubs, use a Site-to-Site VPN connection between the hubs.
When you create the Site-to-Site VPN, create and configure the local network gateway manually for each hub. The local network gateway defines the remote side's IP address spaces, so it must list not only the other hub's address space but also every spoke (and on-premise network) behind that hub; a prefix that is missing here gets no route into the tunnel, and a prefix missing on the far side breaks the return path.
You can see a sample diagram of this connection type below.
To set up this connection, follow the steps below.
1- Create peering between each spoke network and its hub network.
   Choose the "Use the remote virtual network's gateway" option on the spoke side (and allow gateway transit on the hub side).
2- Create a Site-to-Site VPN connection between the hubs.
   Create a local network gateway on each side that lists the remote hub's address space together with the address spaces of the spokes and on-premise network behind it.
3- **ON-PREMISE** Create a Site-to-Site VPN connection between the on-premise network and the hub located in the nearest region.
   Create an address object for each remote network IP address space (every hub and every spoke).
   Create a route for each remote network with the VPN interface as the next hop.
   Create access rules for each remote network from LAN to VPN, and in the reverse direction (VPN to LAN) as well.
4- Create a UDR in each network (spoke and hub) for every target network, with the firewall IP in the peered hub as the next hop. Without this route, a spoke that uses the hub's gateway learns the tunnel routes directly and sends its traffic past the firewall.
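The four steps interact: a packet from on-premise to a spoke behind the second hub crosses two tunnels and two firewalls, and one missing prefix or route breaks it silently. The following is an added worked example (written for this page, not Azure tooling or the original author's code) that models those rules in plain Python so a planned configuration can be checked before deployment. All network names, address spaces, firewall IPs (assumed to be 10.x.1.4), tunnel prefix lists and access rules are constructed for illustration; the model applies UDRs first, then one hop of peering (never transitive), then a tunnel whose local network gateway lists the destination and whose far side lists the source for the return path.

```python
"""Added example: path resolver for the multi-hub design (not Azure code)."""
from ipaddress import ip_address, ip_network

NETS = {  # constructed address spaces for the example
    "onprem": ["192.168.0.0/16"],
    "hub-a": ["10.1.0.0/16"], "spoke-a": ["10.11.0.0/16"],
    "hub-b": ["10.2.0.0/16"], "spoke-b": ["10.22.0.0/16"],
}
AZURE = ["10.1.0.0/16", "10.11.0.0/16", "10.2.0.0/16", "10.22.0.0/16"]


def make_config():
    """Configuration equivalent to steps 1-4 (assumed firewall IPs 10.x.1.4)."""
    return {
        # step 1: spoke<->hub peerings; value = "use remote network's gateway" on the spoke
        "peerings": {("spoke-a", "hub-a"): True, ("spoke-b", "hub-b"): True},
        # steps 2-3: tunnels[local][remote] = prefixes the local side's local network
        # gateway (for on-prem: the firewall's routes to the VPN interface) sends into the tunnel
        "tunnels": {
            "hub-a": {"hub-b": ["10.2.0.0/16", "10.22.0.0/16"], "onprem": ["192.168.0.0/16"]},
            "hub-b": {"hub-a": ["10.1.0.0/16", "10.11.0.0/16", "192.168.0.0/16"]},
            "onprem": {"hub-a": list(AZURE)},
        },
        # step 3: on-prem access rules, LAN->VPN by destination, VPN->LAN by source
        "rules": {"lan_to_vpn": list(AZURE), "vpn_to_lan": list(AZURE)},
        # step 4: UDRs, network -> {prefix: firewall IP in the peered hub (a hub: its own)}
        "udr": {
            "spoke-a": {p: "10.1.1.4" for p in ["10.2.0.0/16", "10.22.0.0/16", "192.168.0.0/16"]},
            "hub-a": {p: "10.1.1.4" for p in ["10.11.0.0/16", "10.2.0.0/16", "10.22.0.0/16", "192.168.0.0/16"]},
            "spoke-b": {p: "10.2.1.4" for p in ["10.1.0.0/16", "10.11.0.0/16", "192.168.0.0/16"]},
            "hub-b": {p: "10.2.1.4" for p in ["10.22.0.0/16", "10.1.0.0/16", "10.11.0.0/16", "192.168.0.0/16"]},
        },
    }


def _contains(prefixes, ip):
    return any(ip in ip_network(p) for p in prefixes)


def _covers(prefixes, net):  # is the whole address space `net` inside one of `prefixes`?
    return any(ip_network(net).subnet_of(ip_network(p)) for p in prefixes)


def _peered(cfg, a, b):
    return (a, b) in cfg["peerings"] or (b, a) in cfg["peerings"]


def _locate(ip):
    return next((n for n, p in NETS.items() if _contains(p, ip)), None)


def _udr_next_hop(cfg, net, dst):  # longest-prefix match over the network's UDRs
    hits = [(ip_network(p), nh) for p, nh in cfg["udr"].get(net, {}).items() if dst in ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def _via_tunnel(cfg, here, src, dst):
    # a network may use its own gateway, or a peered hub's if "use remote gateway" is set
    owners = [here] + [h for (s, h), transit in cfg["peerings"].items() if s == here and transit]
    for owner in owners:
        for remote, prefixes in cfg["tunnels"].get(owner, {}).items():
            if not _contains(prefixes, dst):
                continue
            back = cfg["tunnels"].get(remote, {}).get(owner, [])
            if not all(_covers(back, p) for p in NETS[src]):
                return None, f"return route: {remote}'s tunnel to {owner} lacks {src}'s address space"
            if here == "onprem" and not _contains(cfg["rules"]["lan_to_vpn"], dst):
                return None, f"on-prem firewall: no LAN->VPN rule for {dst}"
            if remote == "onprem" and not all(_covers(cfg["rules"]["vpn_to_lan"], p) for p in NETS[src]):
                return None, f"on-prem firewall: no VPN->LAN rule for {src}"
            return remote, "ok"
    return None, f"no route from {here} to {dst}"


def resolve(cfg, src, dst_ip, max_hops=8):
    """Return (reachable, path, reason) for a packet from network `src` to dst_ip."""
    dst, here, at_fw, path = ip_address(dst_ip), src, False, [src]
    for _ in range(max_hops):
        if _contains(NETS[here], dst):
            return True, path, "delivered"
        # 1. a UDR wins over system routes; the firewall itself forwards by system routes
        nh = None if at_fw else _udr_next_hop(cfg, here, dst)
        if nh is not None:
            hub = _locate(ip_address(nh))
            if hub != here and not _peered(cfg, here, hub):
                return False, path, f"UDR next hop {nh} is not in {here} or a directly peered network"
            here, at_fw = hub, True
            path.append(f"{hub}:fw")
            continue
        # 2. peering system route, one hop only (peering is not transitive)
        nxt = next((n for n in NETS if n != here and _peered(cfg, here, n) and _contains(NETS[n], dst)), None)
        if nxt is not None:
            label = nxt
        else:  # 3. site-to-site tunnel
            nxt, why = _via_tunnel(cfg, here, src, dst)
            if nxt is None:
                return False, path, why
            label = f"{nxt} via vpn"
        here, at_fw = nxt, False
        path.append(label)
    return False, path, "hop limit exceeded (routing loop?)"


if __name__ == "__main__":
    for s, d in (("onprem", "10.22.0.5"), ("spoke-b", "192.168.1.10")):
        ok, hops, why = resolve(make_config(), s, d)
        print(f"{s} -> {d}: {' > '.join(hops)} ({why})")
```

Running it shows the on-premise to spoke-b path as onprem > hub-a via vpn > hub-a:fw > hub-b via vpn > hub-b:fw > spoke-b. Deleting spoke-b's prefix from Hub-A's local network gateway returns "no route from hub-a", deleting the on-premise prefix from Hub-B's local network gateway fails on the return route, and deleting spoke-b's UDR still reaches on-premise but with no hub-b:fw hop in the path, which is exactly the firewall bypass step 4 prevents.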