Azure Virtual Network Gateway - Access resources in other resource groups - azure

Let's take the following scenario:
I have a resource group in the East Region with 1 VM
I have a resource group in the West Region with 1 VM
Both of these VMs are only accessible via Private IP addresses. RDP via Public IP address is not an option. One would assume that in order for me to RDP to these machines, I would have to VPN into Azure's gateway first. However, I don't want to create a virtual gateway in every single resource group.
Is it possible for me to vpn into one resource (in one resource group), and access all of the machines in all other resource groups?

Yes, It's possible to do this with VNet peering(connecting VNets within the same Azure region). You could follow this to implement a hub-spoke network topology in Azure. In this case, the hub VNet is a peering VNet with allow gateway transit enabled and the spoke VNet is a peering VNet with use remote gateways enabled.
please note that you cannot use remote gateways or allow gateway transit with global peering(connecting VNets across Azure regions). Refer to requirements and constraints about global peering.
To use remote gateways or allow gateway transit, peered virtual
networks in must be in the same region.
so you have to move the peering VNets in the same region if the two VNets in each resource group are not in the same region.
Another option will create a separate VPN gateway in another resource group but this is not your expectation. Note that
A Point-to-Site client can only connect to resources in the VNet in
which the virtual network gateway resides.
Refer to VPN gateway FAQ.

You can use vnet peering with Use remote gateways checkbox enabled. You need to peer the vnets together and check use remote gateways on the second vnet (one without gateway).
Reading:
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

Related

Azure AKS vnet to another vnet communication

We have managed AKS Cluster and it has a few applications PODS. In the same subscription, we have a few servers in the different Resource Group and different VNET. We have a requirement to happen a communication between these two VNET's. I have configured vnet peering between two VNET's but we can see that the communication is not happening.
When I add a rule like "Allow port 443 from all networks" on to the NSG of Virtual machines then everything works fine.
Troubleshooting steps are done.
VNET Peering
Got an API Server IP Address from the "kubeconfig" file and added in the NSG of VM's in a diff RG.
But did not resolve an issue. Could you please help me to fix the issue.
AKS Resources are behind the Internal Load Balancer, so peering did not help. I had to use the Public IP Address provisioned during the AKS Creation process in the NSG. After adding PIP(Available in MC_rg-*** resource group) everything started working.
I would suggest to try connecting the VNET's through VPN gateways .
From an Azure virtual network, connecting to another virtual network is essentially the same as connecting to an on premises network via site-to-site (S2S) VPN.
You will need to go through the below listed steps :
Create VNetA and VNetB and the Corresponding Local Networks.
Create the Dynamic Routing VPN Gateways for each virtual network.
Connect the VPN Gateways.
Please find the referred document for implementing the same solution I have mentioned above .
For more information on difference of vnet peering and vnet gateway you can refer this document.

Connecting App Service to Load Balanced cluster in different Resource Groups

I have 2 separate resource groups in Azure:
Contains some Services including a Linux App Service hosting Python Django
Contains an ElasticSearch cluster which I created using the ARM template from here
I want to connect from the App service in (1) to the ElasticSearch service load balancer in (2)
I tried to create a virtual network peering using
az network vnet peering create -g $webResourceGroup -n web2es --vnet-name vnet --remote-vnet $remote_vnet --allow-vnet-access
where $webResourceGroup => (1) and $remote_vnet => (2)
However, when I try to do an HTTP request to the ElasticSearch Service, it just does not work.
How do I fix or troubleshoot this?
There are some requirements and constraints for virtual network peering.
Resources in one virtual network cannot communicate with the front-end
IP address of a Basic internal load balancer in a globally peered
virtual network. Support for Basic Load Balancer only exists within
the same region. Support for Standard Load Balancer exists for both,
VNet Peering and Global VNet Peering. Services that use a Basic load
balancer which will not work over Global VNet Peering are documented
here.
So, if the peered VNets are in a different region, you cannot connect to resources that are behind a Basic Load Balancer through the Front End IP of the Load Balancer. This restriction does not exist for a Standard Load Balancer. From the parameters, you will see that loadBalancerInternalSku or loadBalancerExternalSku is by default basic, you should use a standard load balancer.
Also, you should have integrated your app with an Azure Virtual Network. Please note that you cannot reach resources across global peering connections(VNets are located in different regions) when you are using Regional VNet Integration which requires the app and the VNet must be in the same region. If so, you need to use Gateway required VNet Integration and VNet peering with gateway transit.
If possible, you could create all resources like VNet, app service, cluster in the same region. Then you do not need a VPN gateway for your VNet Integration. This may have fewer limitations and easier to deploy in your scenario.
Hope this could help you.

Not able to associate more than 1 subnet to Kubernetes cluster via AKS

When I create kubernetes cluster from kubernetes service of azure in the networking tab , I have the option to create my own virtual network.
Let's say I created a virtual network with 3 subnets , still in the networking tab options , I can only associate 1 of these subnet to my cluster.
Is it a restriction in AKS?
If so, why it allows to create more than 1 subnet in virtual network?
Not sure but you only can specific one subnet when you create an AKS cluster on the Azure portal. It seems a restriction in AKS. Read the prerequisites. At least, you need one subnet, one AKS cluster. Also, AKS supports a single pool for now.
Don't create more than one AKS cluster in the same subnet.
With advanced networking in AKS, you can deploy a AKS cluster in a existing virtual network and define these subnet names and IP address ranges. IP addresses for the pods and the cluster's nodes are assigned from the specified subnet within the virtual network. So you need to plan IP addressing for your cluster. You should consider doing upgrade and scaling operations when you determine the number of IP addresses.
The reason it allows to create more than 1 subnet in virtual network is that essentially you could create many subnets with valid CIDR block in a VNet. You can create VMs in other subnets or create a dedicated Gatewaysubnet used for VPN gateway in the existing VNet. With advanced networking, this existing virtual network often provides connectivity to an on-premises network using Azure ExpressRoute or Site-to-Site VPN.
Also, it's welcome to give feedback on Azure AKS to improve this feature. Hope this helps.

Can't Access Azure Application Gateway through peered VNET

I have two peered VNETs in Azure and I also have an Application Gateway in one of them. I have a couple VMs inside both VNETs and I want to access the Application Gateway from the VMs by its private IP (which is set up). This works from the VNET that the gateway resides in but I can't access it from the other peered network. I can access all the VMs between the networks by their private IPs no problem. What can I be missing? (I am not really that familiar with networking, so it can be something basic...).
Thank you for any suggestion!
You can check if the two peered virtual networks are located in a different region.
If you are using a Global Vnet peering(Vnet to Vnet region is different), there are some limitations that you can not use Global Vnet peering to communicate with VIPs of load balancers in another region. Application Gateway is actually a layer-7 load balancer.
Resources in one virtual network cannot communicate with the IP
address of an Azure internal load balancer in the peered virtual
network. The load balancer and the resources that communicate with it
must be in the same virtual network.
References: How to setup Global VNet peering in Azure
APIM is a service based on Azure Load balancer. For Stv1 APIM Azure uses Basic Load balancer which does not allow traffic via global peering.
[Refer this][1]
In order to facilitate traffic via global peering need to use stv2 APIM.[Refer this][2]
[1]: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering?tabs=peering-portal#requirements-and-constraints
[2]: https://learn.microsoft.com/en-us/azure/api-management/virtual-network-concepts?tabs=stv1#network-resource-requirements

Azure , connecting two virtual machines without using virtual network gateway?

How to connect two virtual machines without using virtual network gateway in azure??
(The two vm's have been created in two different virtual networks)
Well, This are different Connectivity scenarios for Vnet to Vnet in Azure, and then you can connect your VMs from each other:
VNets are in a same location: Create a virtual network peering. It can work on different deployment models and subscriptions, but except different locations. Peering doesn't need Vnet gateway.
VNets are in different locations:Create a VPN Gateway to connect different VNets. This work on all different Vnets from different deployment models , subscriptions, locations.This need to create VPN gateway.
VNets are in different locations:You can use VPN software on your VM to connect each other if your VMs are in different location. This also doesn't need Vnet gateway.
VNets are in different locations:You can also add IIS service on your VMs, and you can connect VMs from public traffic.
If your Vnets are in same location , creating Vnet peering is best choice.

Resources