
Network design

HybridOps.Studio uses a single-hub hybrid fabric with Google Network Connectivity Center (NCC) as the connectivity hub. On‑prem and Azure attach as routed spokes using route‑based IPsec + BGP. The design is implemented and verified through repeatable platform runs with evidence capture.

Topology summary

  • On‑prem: Proxmox SDN provides VLAN-backed tenant networks for platform services and workloads.
  • Edges: CSR1000v and VyOS provide routed connectivity to the hub (multi‑WAN is additive).
  • Hub: GCP HA VPN + Cloud Router terminate BGP peers and attach to NCC.
  • Azure: Azure VPN Gateway peers with GCP Cloud Router for transitive reachability and DR/burst placement.

Routing and address contract

Addressing, ASNs, tunnel link networks, and route filters are defined in the network routing contract.

Primary topology

```mermaid
flowchart TB
  subgraph OnPrem["On‑prem (Site‑A)"]
    direction TB
    EDGE1["CSR1000v (edge)"]
    EDGE2["VyOS (edge)"]
    SDN["Proxmox SDN (VLAN VNets)"]
  end

  subgraph GCP["GCP hub"]
    direction TB
    HAVPN["HA VPN"]
    CR["Cloud Router (BGP)"]
    HUBVPC["Hub VPC"]
    NCC["NCC (hub)"]
    HAVPN --> CR --> HUBVPC --> NCC
  end

  subgraph Azure["Azure spoke"]
    direction TB
    AZGW["VPN Gateway (BGP)"]
    VNET["VNet (AKS/AVD/workloads)"]
    AZGW --> VNET
  end

  EDGE1 -. IPsec+BGP .-> HAVPN
  EDGE2 -. IPsec+BGP .-> HAVPN
  AZGW -. IPsec+BGP .-> CR
```

Design intent

  • Routing is explicit and filtered. Only approved prefixes are exchanged.
  • Kubernetes pod/service CIDRs are not advertised by default; exposure uses ingress/LB patterns unless a routed use case requires otherwise.
  • DR and burst are controlled routing/policy events with evidence and rollback steps defined in runbooks.
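A small verification check in the spirit of "only approved prefixes are exchanged", added here as an illustration and not part of HybridOps.Studio's own tooling or contract: it compares the prefixes a spoke's BGP session is advertising against a per-spoke allowlist and a deny list of Kubernetes pod/service ranges, so a platform run can fail with evidence when a filter is too loose. All prefixes, spoke names and the `check_advertised` function are constructed placeholders.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample contract (placeholder values, not the project's real routing contract):
# the prefixes each spoke is approved to advertise into the hub.
APPROVED: Dict[str, List[str]] = {
    "onprem": ["10.10.0.0/16"],
    "azure": ["10.20.0.0/16"],
}
# Constructed deny list: pod/service CIDRs that must never be exchanged over BGP.
DENIED: List[str] = ["10.244.0.0/16", "10.96.0.0/12"]


def check_advertised(spoke: str, received: Iterable[str]) -> Dict[str, List[str]]:
    """Classify prefixes received from one spoke against the contract.

    A prefix is accepted only when it lies entirely inside one of the spoke's
    approved blocks and overlaps no denied range. Everything else is reported
    under 'denied' or 'not_in_contract' so the run can flag the misconfiguration.
    """
    allowed = [ipaddress.ip_network(p) for p in APPROVED.get(spoke, [])]
    denied = [ipaddress.ip_network(p) for p in DENIED]
    result: Dict[str, List[str]] = {"accepted": [], "denied": [], "not_in_contract": []}
    for prefix in received:
        # strict=True rejects host bits set in a network prefix (e.g. 10.10.1.5/24)
        net = ipaddress.ip_network(prefix, strict=True)
        if any(net.version == d.version and net.overlaps(d) for d in denied):
            result["denied"].append(str(net))
        elif any(net.version == a.version and net.subnet_of(a) for a in allowed):
            result["accepted"].append(str(net))
        else:
            result["not_in_contract"].append(str(net))
    return result


def contract_ok(spoke: str, received: Iterable[str]) -> bool:
    """True only if every received prefix is covered by the contract."""
    r = check_advertised(spoke, received)
    return not r["denied"] and not r["not_in_contract"]


if __name__ == "__main__":
    # Constructed sample of prefixes learned from the on-prem edge session.
    sample = ["10.10.5.0/24", "10.244.1.0/24", "10.20.1.0/24", "192.168.1.0/24"]
    report = check_advertised("onprem", sample)
    for bucket, prefixes in report.items():
        print(f"{bucket:16s} {prefixes}")
    print("contract ok:", contract_ok("onprem", sample))
```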

References