VPN Deployment Architectures
When deploying a VPN across multiple sites, you must choose an architecture that matches your organization's connectivity, performance, and security needs. The architecture determines not only which sites can talk to each other but also where traffic can be inspected and policy enforced. The three most common VPN architectures are hub-and-spoke, full mesh, and hybrid models.
Hub-and-spoke architecture connects all remote sites (spokes) to a central location (the hub). Each spoke has a single tunnel to the hub and no direct tunnel to any other spoke, so a deployment with n sites needs only n-1 tunnels. This design simplifies management and is cost-effective for organizations with many branch offices that mainly access central resources, and it gives the security team one choke point where inter-site traffic can be logged, filtered, and inspected. However, if spokes need to communicate with each other, their traffic must hairpin through the hub, which adds latency, makes the hub a bandwidth bottleneck that must be sized for the sum of all spoke traffic, and creates a single point of failure.
Full mesh architecture establishes a direct VPN tunnel between every pair of sites. All sites can communicate directly, improving performance and redundancy: losing any one site leaves the others fully connected. This model is ideal for organizations where sites need to share data frequently. However, the number of tunnels grows as n(n-1)/2 (10 sites need 45 tunnels, 50 sites need 1,225), making key management, monitoring, and change control complex and less scalable. There is also no central inspection point: access policy must be enforced consistently at every site, and a compromised site has a direct path to every other site.
Hybrid architecture combines elements of both models. Some sites connect directly to each other (mesh), while others use the hub-and-spoke model. This approach allows you to optimize for both performance and manageability, tailoring connectivity to each site's needs, at the cost of a topology that must be planned and documented deliberately rather than derived from a single rule.
Each architecture comes with trade-offs:
- Hub-and-spoke:
  - Easy to manage;
  - Tunnel count grows linearly (one per spoke), but the hub must carry all inter-site traffic;
  - Centralized control, logging, and inspection;
  - Single point of failure at the hub.
- Full mesh:
  - Direct site-to-site communication;
  - High redundancy, no single point of failure;
  - Tunnel count grows quadratically (n(n-1)/2), so management and consistent policy enforcement become hard as sites increase.
- Hybrid:
  - Flexible and customizable;
  - Balances performance and complexity;
  - Requires careful planning, because regional hubs become single points of failure for their own branches.
Choosing the right architecture depends on your organization’s size, traffic patterns, and redundancy requirements.
Imagine a multinational company with headquarters in New York, regional offices in London and Singapore, and dozens of smaller branch offices worldwide. If most communication is between branches and headquarters, a hub-and-spoke model is efficient and simple to manage. However, if regional offices need to exchange large amounts of data directly, a hybrid or full mesh model may be more suitable. For example, you might set up a full mesh between major offices for speed and resilience, while smaller branches connect via hub-and-spoke to their nearest regional hub.
# Example routing table for a hub-and-spoke VPN deployment
# This table is for a spoke router connecting to the hub
Destination    Gateway          Interface
10.0.0.0/24    192.168.100.1    vpn0       # Headquarters subnet via VPN hub
10.1.0.0/24    192.168.100.1    vpn0       # London office subnet via VPN hub
10.2.0.0/24    192.168.100.1    vpn0       # Singapore office subnet via VPN hub
0.0.0.0/0      192.168.100.1    vpn0       # Default route: all other traffic through VPN hub
This routing table from a spoke site in a hub-and-spoke VPN deployment shows that all traffic destined for other corporate sites, such as the headquarters, London, and Singapore offices, is sent through the VPN hub (192.168.100.1 is the hub's address inside the tunnel). Even internet-bound traffic (the default route) is directed to the hub, which can then apply security policies, inspect the traffic, and provide internet access; the alternative, split tunneling, sends internet traffic straight out of the branch and removes that central control. This setup ensures centralized management and monitoring, but it also means that if the hub goes down, spokes lose connectivity to each other and to external networks. Two entries are omitted from the table but must exist on a real spoke: the directly connected route for the spoke's own LAN, and a more specific route to the hub's public VPN endpoint via the physical uplink. Without the latter, the default route would apply to the tunnel's own encapsulated packets and send them back into the tunnel, and the tunnel would never come up.
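The following script, an added example that is not part of the original page, builds the spoke routing table shown above with the two missing entries and performs the longest-prefix lookup a router would, so the routing-loop caveat can be checked rather than assumed. The hub's public endpoint (203.0.113.10), the uplink gateway (198.51.100.1) and the spoke's own LAN (10.50.0.0/24) are assumed values taken from documentation address ranges; the corporate prefixes and the hub's tunnel address come from the table on the page.

```python
"""Build a spoke routing table for a hub-and-spoke VPN and check that the
tunnel's outer endpoint is never routed into the tunnel itself.

Added example, not from the original page. HUB_PUBLIC_IP, UPLINK_GW and
SPOKE_LAN are assumed values; the other addresses come from the page.
"""
from ipaddress import ip_address, ip_network

HUB_TUNNEL_IP = "192.168.100.1"   # hub's address inside the tunnel (from the page)
HUB_PUBLIC_IP = "203.0.113.10"    # assumed: hub's internet-facing VPN endpoint
UPLINK_GW = "198.51.100.1"        # assumed: spoke's ISP next hop on eth0
SPOKE_LAN = "10.50.0.0/24"        # assumed: this spoke's local subnet
CORPORATE_PREFIXES = {            # remote sites reachable only via the hub (from the page)
    "10.0.0.0/24": "Headquarters",
    "10.1.0.0/24": "London office",
    "10.2.0.0/24": "Singapore office",
}


def spoke_routes():
    """Return (prefix, gateway, interface, note) tuples for the spoke."""
    routes = [(ip_network(SPOKE_LAN), None, "eth0", "directly connected LAN")]
    # Pin the hub's public endpoint to the physical uplink. Without this,
    # 0.0.0.0/0 via vpn0 would also match the tunnel's own outer packets.
    routes.append((ip_network(HUB_PUBLIC_IP + "/32"), ip_address(UPLINK_GW),
                   "eth0", "hub VPN endpoint via ISP (prevents routing loop)"))
    for prefix, name in CORPORATE_PREFIXES.items():
        routes.append((ip_network(prefix), ip_address(HUB_TUNNEL_IP), "vpn0",
                       f"{name} subnet via VPN hub"))
    routes.append((ip_network("0.0.0.0/0"), ip_address(HUB_TUNNEL_IP), "vpn0",
                   "default: all other traffic through VPN hub"))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as a router does; returns the winning route."""
    addr = ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)


def check_no_tunnel_loop(routes):
    """True if the hub's outer endpoint exits via the uplink, not via vpn0."""
    return lookup(routes, HUB_PUBLIC_IP)[2] != "vpn0"


def render(routes):
    """Render the table in the same column layout as the page."""
    lines = [f"{'Destination':<18}{'Gateway':<18}{'Interface':<10}Note"]
    for net, gw, ifc, note in routes:
        lines.append(f"{str(net):<18}{str(gw or '*'):<18}{ifc:<10}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    table = spoke_routes()
    print(render(table))
    print("loop-free:", check_no_tunnel_loop(table))
```

Dropping the /32 host route makes `check_no_tunnel_loop` return False: the lookup for 203.0.113.10 then falls through to the default route and selects vpn0, which is the misconfiguration the caveat above describes. Corporate destinations such as 10.1.0.7 and internet destinations such as 8.8.8.8 both resolve to vpn0, while the spoke's own LAN stays on eth0.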