Azure Bastion - access VMs across peered networks? - azure

Is it possible to create an Azure Bastion service within one subscription (a hub subscription for example), and connect to VMs within a spoke subscription where the VNETs are peered together? The peered VNets all exist in the same region as the hub, and Bastion Service.

Currently, it's not possible.
You could vote up this feature request; MSFT is planning for it.


Is Azure Bastion compatible with Virtual WAN for VNet-to-VNet use via the virtual hub?

I have an architecture with Virtual WAN in Azure.
I would like to have a VNet with shared services (App GW, Az Bastion, etc.) connected to a hub. Around the virtual hub I have many VNets (projects) connected like the shared-services VNet. I observed that it's impossible to reach the project VMs with Azure Bastion. Do you know if there is a way to share my Az Bastion with all the VNets connected to the virtual hub in my vWAN?
In the past I used Az Bastion in a hub-and-spoke architecture with VNet peering and it worked very well.
Thanks for your replies!
Currently vWAN VNets don't support Bastion deployments. You can only deploy Firewall, as it is a managed VNet.
If you wish you may leave your feedback here. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

Using private endpoints across Azure Subscription

If the two VNets are peered, can a client in one VNet sitting in one Azure subscription use a Private Endpoint to reach a resource in another VNet sitting in a separate Azure subscription?
Essentially, I am asking if Private Endpoints can be used across Azure subscriptions.
Of course, yes. You can see the description here:
"The private endpoint can be reached from the same virtual network, regionally peered VNets, globally peered VNets and on premises using private VPN or ExpressRoute connections."
From this, it means the private endpoint can be reached from globally peered VNets. And here is also a description of global VNet peering:
"The ability to transfer data between virtual networks across Azure subscriptions, Azure Active Directory tenants, deployment models, and Azure regions."
So finally, the conclusion from the two descriptions is that the private endpoint can be accessed across different subscriptions.

How to add user route to Azure App Services

I have an Azure VM with a custom VPN inside it and a route to 172.254.254.0/24.
I am able to reach that VM from another Azure VM by adding a "user route" to a "route table" on that VM. It works perfectly.
Now I have an Azure App Services web application.
I need to add the route above to it too.
But I am stuck; I am not able to do it.
Integrate your app with an Azure Virtual Network
The VNet Integration feature has two variations.
Regional VNet Integration - When connecting to Resource Manager VNets in the same region, you must have a dedicated subnet in the VNet you are integrating with.
Gateway required VNet Integration - When connecting to VNets in other regions or to a Classic VNet in the same region you need a Virtual Network gateway provisioned in the target VNet.
Gateway required VNet Integration only provides access to resources in the target VNet or in networks connected to the target VNet with peering or VPNs. Gateway required VNet Integration doesn't enable access to resources available across ExpressRoute connections, nor does it work with service endpoints.
Refer: https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet#enable-vnet-integration

Azure Virtual Network Gateway - Access resources in other resource groups

Let's take the following scenario:
I have a resource group in the East Region with 1 VM
I have a resource group in the West Region with 1 VM
Both of these VMs are only accessible via Private IP addresses. RDP via Public IP address is not an option. One would assume that in order for me to RDP to these machines, I would have to VPN into Azure's gateway first. However, I don't want to create a virtual gateway in every single resource group.
Is it possible for me to vpn into one resource (in one resource group), and access all of the machines in all other resource groups?
Yes, it's possible to do this with VNet peering (connecting VNets within the same Azure region). You could follow this to implement a hub-spoke network topology in Azure. In this case, the hub VNet is a peered VNet with "allow gateway transit" enabled and the spoke VNet is a peered VNet with "use remote gateways" enabled.
Please note that you cannot use remote gateways or allow gateway transit with global peering (connecting VNets across Azure regions). Refer to the requirements and constraints for global peering:
"To use remote gateways or allow gateway transit, peered virtual networks must be in the same region."
So you have to move the peered VNets into the same region if the two VNets in each resource group are not in the same region.
Another option is to create a separate VPN gateway in the other resource group, but this is not what you want. Note that
"A Point-to-Site client can only connect to resources in the VNet in which the virtual network gateway resides."
Refer to the VPN gateway FAQ.
You can use VNet peering with the "Use remote gateways" checkbox enabled. You need to peer the VNets together and check "Use remote gateways" on the second VNet (the one without a gateway).
Reading:
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
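The hub-spoke peering the two answers above describe, written out as Azure CLI (an added example, not code from the thread or from Microsoft's docs; subscription IDs, resource groups and VNet names are placeholders). It checks the same-region constraint before creating the peerings, and the same `az network vnet peering create` command covers the plain same-region peering discussed in the VNet-to-VNet question further down:

```azurecli
# Placeholders: replace with your own subscription IDs, resource groups and VNet names.
HUB_SUB="<hub-subscription-id>"
SPOKE_SUB="<spoke-subscription-id>"
HUB_RG="rg-hub"
SPOKE_RG="rg-spoke"
HUB_VNET="vnet-hub"       # holds the VPN gateway (GatewaySubnet)
SPOKE_VNET="vnet-spoke"   # VMs reachable only by private IP

# Gateway transit is not supported over global peering, so refuse to
# continue if the two VNets are not in the same region.
HUB_REGION=$(az network vnet show --subscription "$HUB_SUB" -g "$HUB_RG" -n "$HUB_VNET" --query location -o tsv)
SPOKE_REGION=$(az network vnet show --subscription "$SPOKE_SUB" -g "$SPOKE_RG" -n "$SPOKE_VNET" --query location -o tsv)
if [ "$HUB_REGION" != "$SPOKE_REGION" ]; then
  echo "hub ($HUB_REGION) and spoke ($SPOKE_REGION) are in different regions; remote gateway transit will not work" >&2
  exit 1
fi

# Full resource IDs are needed because the VNets live in different subscriptions.
HUB_ID=$(az network vnet show --subscription "$HUB_SUB" -g "$HUB_RG" -n "$HUB_VNET" --query id -o tsv)
SPOKE_ID=$(az network vnet show --subscription "$SPOKE_SUB" -g "$SPOKE_RG" -n "$SPOKE_VNET" --query id -o tsv)

# Hub side first: allow the spoke to use the hub's gateway.
az network vnet peering create --subscription "$HUB_SUB" -g "$HUB_RG" \
  --vnet-name "$HUB_VNET" -n "hub-to-spoke" --remote-vnet "$SPOKE_ID" \
  --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit

# Spoke side: use the hub's gateway. The spoke must not have a gateway of its own,
# and only one peering on the spoke may set use-remote-gateways.
az network vnet peering create --subscription "$SPOKE_SUB" -g "$SPOKE_RG" \
  --vnet-name "$SPOKE_VNET" -n "spoke-to-hub" --remote-vnet "$HUB_ID" \
  --allow-vnet-access --allow-forwarded-traffic --use-remote-gateways

# Both peerings should report peeringState == Connected.
az network vnet peering list --subscription "$HUB_SUB" -g "$HUB_RG" --vnet-name "$HUB_VNET" \
  --query "[].{name:name,state:peeringState,transit:allowGatewayTransit}" -o table
az network vnet peering list --subscription "$SPOKE_SUB" -g "$SPOKE_RG" --vnet-name "$SPOKE_VNET" \
  --query "[].{name:name,state:peeringState,remoteGw:useRemoteGateways}" -o table
```

Point-to-Site clients that connected before the peering existed do not pick up the spoke's address space automatically; re-download the VPN client package from the gateway so the new routes are pushed.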

Azure, connecting two virtual machines without using a virtual network gateway?

How do I connect two virtual machines without using a virtual network gateway in Azure?
(The two VMs have been created in two different virtual networks.)
Well, these are the different VNet-to-VNet connectivity scenarios in Azure, after which you can connect your VMs to each other:
VNets are in the same location: Create a virtual network peering. It works across different deployment models and subscriptions, but not across different locations. Peering doesn't need a VNet gateway.
VNets are in different locations: Create a VPN gateway to connect the different VNets. This works for all VNets across different deployment models, subscriptions and locations. This requires creating a VPN gateway.
VNets are in different locations: You can use VPN software on your VMs to connect them to each other if your VMs are in different locations. This also doesn't need a VNet gateway.
VNets are in different locations: You can also add the IIS service on your VMs, and you can connect to the VMs over public traffic.
If your VNets are in the same location, creating a VNet peering is the best choice.
