Comparing VNet peering vs hub-and-spoke topology for ERP workloads: scalability, security, and cost

We’re designing network architecture for a new ERP deployment across multiple Azure regions and debating between full mesh VNet peering versus hub-and-spoke topology. Our setup includes ERP application servers, database clusters, and integration services that need to communicate across 4 regions.

With VNet peering, we get direct connectivity and lower latency, but managing 12+ peering connections seems complex. Hub-and-spoke centralizes routing through Azure Firewall but adds an extra hop. We’re particularly concerned about database replication traffic between regions and how each topology affects scalability when we add more regions next year.

Has anyone implemented either approach for large-scale ERP deployments? What are the real-world tradeoffs for scalability and security isolation?

I’d push back on hub-and-spoke for database replication specifically. That extra hop and the firewall inspection can become a bottleneck when you’re replicating large transaction volumes. We use a hybrid approach: hub-and-spoke for application traffic, but direct VNet peering between database VNets to bypass the hub for replication. This gives you security centralization where it matters and performance where you need it.
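The hybrid design in the reply above (spokes default-routed through the hub firewall, database VNets peered directly to each other) relies on two routing properties that are easy to break when someone later adds a per-prefix UDR: every spoke-to-spoke flow except the intended DB bypass must traverse a firewall, and each flow's forward and return paths must cross the same firewalls, because Azure Firewall is stateful and drops a return packet for a connection it never saw. The following is an added example, not code from this thread or from any participant, that models the topology as Azure effective routes (longest prefix wins; a user-defined route beats a system route on an equal prefix) and audits both properties for any number of regions, not just four. The region names, the 10.<i>.0.0/16-per-region address plan, the firewall private IP at .0.4, and the simplification that the hub VNet's UDRs stand in for the AzureFirewallSubnet route table are constructed assumptions.

```python
"""Audit a hub-and-spoke topology with a database-to-database peering bypass.
Added example with constructed addressing; not from the original thread."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str      # "VnetLocal", "VNetPeering" or "VirtualAppliance" (Azure Firewall)
    next_hop: str = ""      # peered VNet name, or the firewall's private IP
    origin: str = "system"  # "user" for a UDR; a UDR beats a system route on an equal prefix


@dataclass
class Vnet:
    name: str
    region: str
    role: str               # "hub", "app" or "db"
    cidr: str
    udrs: list[Route] = field(default_factory=list)


class Topology:
    def __init__(self) -> None:
        self.vnets: dict[str, Vnet] = {}
        self.peerings: set[tuple[str, str]] = set()  # directed; Azure creates one resource per side
        self.firewalls: dict[str, str] = {}          # firewall private IP -> hub VNet name
        self.bypass: set[frozenset[str]] = set()     # spoke pairs intentionally peered around the hub

    def peer(self, a: str, b: str) -> None:
        self.peerings.update({(a, b), (b, a)})

    def effective_routes(self, name: str) -> list[Route]:
        v = self.vnets[name]
        routes = [Route(v.cidr, "VnetLocal")]
        routes += [Route(self.vnets[dst].cidr, "VNetPeering", dst)
                   for src, dst in self.peerings if src == name]
        return routes + v.udrs

    def next_hop(self, src: str, dst: str) -> Route:
        """Longest-prefix match over system and user routes, as Azure selects effective routes."""
        dst_net = ipaddress.ip_network(self.vnets[dst].cidr)
        best: tuple[tuple[int, bool], Route] | None = None
        for r in self.effective_routes(src):
            net = ipaddress.ip_network(r.prefix)
            if not dst_net.subnet_of(net):
                continue
            key = (net.prefixlen, r.origin == "user")
            if best is None or key > best[0]:
                best = (key, r)
        if best is None:
            raise LookupError(f"{src} has no route to {dst}")
        return best[1]

    def trace(self, src: str, dst: str) -> list[str]:
        """Hops from src to dst; a firewall hop is recorded as 'firewall@<hub>'."""
        path, cur = [src], src
        for _ in range(8):  # a loop here means a misconfigured UDR
            if cur == dst:
                return path
            r = self.next_hop(cur, dst)
            if r.next_hop_type == "VirtualAppliance":
                cur = self.firewalls[r.next_hop]  # inspected, then forwarded by the hub's routes
                path.append(f"firewall@{cur}")
            else:
                cur = r.next_hop
                path.append(cur)
        raise RuntimeError(f"routing loop between {src} and {dst}: {path}")

    def firewalls_on_path(self, src: str, dst: str) -> list[str]:
        return [h for h in self.trace(src, dst) if h.startswith("firewall@")]


def build(regions: list[str], bypass_db: bool = True, stray_return_route: bool = False) -> Topology:
    """Constructed topology: per region 10.<i>.0.0/16 with a hub (firewall at .0.4), an app spoke
    and a db spoke; hubs fully meshed; spokes default-route to the local firewall."""
    t = Topology()
    for i, region in enumerate(regions):
        hub, fw = f"hub-{region}", f"10.{i}.0.4"
        t.vnets[hub] = Vnet(hub, region, "hub", f"10.{i}.0.0/24")
        t.firewalls[fw] = hub
        for role, third in (("app", 1), ("db", 2)):
            name = f"{role}-{region}"
            t.vnets[name] = Vnet(name, region, role, f"10.{i}.{third}.0/24",
                                 udrs=[Route("0.0.0.0/0", "VirtualAppliance", fw, "user")])
            t.peer(hub, name)
    for i, r1 in enumerate(regions):
        for j, r2 in enumerate(regions):
            if i < j:
                t.peer(f"hub-{r1}", f"hub-{r2}")
                if bypass_db:  # the hybrid design: replication peered directly, hub not involved
                    t.peer(f"db-{r1}", f"db-{r2}")
                    t.bypass.add(frozenset({f"db-{r1}", f"db-{r2}"}))
            if i != j:  # hub forwards the remote region's supernet to that region's firewall
                t.vnets[f"hub-{r1}"].udrs.append(
                    Route(f"10.{j}.0.0/16", "VirtualAppliance", f"10.{j}.0.4", "user"))
    if stray_return_route and len(regions) > 1:
        # The classic mistake: a per-prefix UDR on one db spoke pushes traffic for the other
        # db spoke back through its firewall, so the bypass becomes one-way.
        a, b = f"db-{regions[0]}", f"db-{regions[1]}"
        t.vnets[b].udrs.append(Route(t.vnets[a].cidr, "VirtualAppliance", "10.1.0.4", "user"))
    return t


def audit(t: Topology) -> list[str]:
    """Report spoke pairs that violate the intended inspection or symmetry policy."""
    problems = []
    spokes = sorted(v.name for v in t.vnets.values() if v.role != "hub")
    for src in spokes:
        for dst in spokes:
            if src == dst:
                continue
            fwd = t.firewalls_on_path(src, dst)
            if frozenset({src, dst}) in t.bypass:
                if fwd:
                    problems.append(f"{src}->{dst}: intended bypass still traverses a firewall")
            elif not fwd:
                problems.append(f"{src}->{dst}: spoke-to-spoke flow skips the firewall")
            if src < dst and fwd != list(reversed(t.firewalls_on_path(dst, src))):
                problems.append(f"{src}<->{dst}: asymmetric path, a stateful firewall sees one direction")
    return problems


if __name__ == "__main__":
    regions = ["eastus", "westeurope", "southeastasia", "australiaeast"]
    good = build(regions)
    print(len(good.peerings), "directed peerings; violations:", audit(good))
    print(" -> ".join(good.trace("app-eastus", "db-westeurope")))
    print(" -> ".join(good.trace("db-eastus", "db-westeurope")))
    for p in audit(build(regions, stray_return_route=True)):
        print("stray route:", p)
```

Two things worth noticing when running it. The bypass works without any extra UDR on the database spokes: the peered VNet's /24 system route is more specific than the 0.0.0.0/0 route to the firewall, so replication goes direct while everything else still hits the hub. And the `stray_return_route` case shows why a change-control check like this belongs in the pipeline: one per-prefix route on a single spoke makes the path one-way, and a stateful firewall that only sees the return half of the flow drops it.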

We went with hub-and-spoke for our SAP deployment and haven’t regretted it. The centralized firewall in the hub VNet gives us consistent security policy enforcement across all regions. Yes, there’s an extra hop, but for ERP traffic it’s typically only 2-3ms additional latency. The real win is simplified management: we only maintain firewall rules in one place rather than across multiple peering connections.

Virtual WAN is worth considering but comes with tradeoffs. The managed routing is convenient but you lose some granular control over traffic paths. For ERP workloads where you need predictable routing for compliance, that can be problematic. Also, Virtual WAN’s pricing model can get expensive with high bandwidth usage - we calculated it would be 40% more expensive than self-managed hub-and-spoke for our cross-region replication traffic.