Azure VNet Peering Gateway Transit Hub and Spoke

If you read the documentation on the Azure docs page it is not clear that if you have VNets configured in a Hub and Spoke design, it is possible for each spoke to be able to communicate with each other without requiring Network Virtual Appliance (NVA).

This is possible using Gateway Transit and User Defined Routes without a Virtual Network Appliance. When configuring your Peering relationships, the Hub is configured for Gateway Transit, and each of the Spokes is configured to use the Remote Gateway on the Hub network.

Each of the Hubs then need to have UDR configured that uses the Next Hop Type “Virtual Appliance”, however, the next hop address does not have to be an appliance in the hub network. You can specify the internal IP of the VNet Gateway in the Hub network and all appears to work fine.

In the example below the hub network is configured for Gateway Transit on its side of the peering relationship, and the Gateway Subnet is 192.168.0/29. You should be able to ping the VNet Gateway on the fourth IP in that subnet, in this case, to confirm that the spoke networks can reach the gateway.

Next just make sure that you correctly define the UDR in the spoke networks and check that there are no Network Security Groups (NSGs) blocking connectivity and you should be able to communicate between the spoke networks.