Azure: Hub-Spoke #1

Azure, Networking 3 Minutes

Hi there

In this article I’ll demonstrate the following hub-spoke topology

Where the goal it’s to connect VM001 from Azure Subscription (A) to a physical printer located On-premises (C) passing through the VNET-to-VNET peering to (B) having this way a hub and spoke connection on Azure

TIPS!

  1. run an assessment on all Resource Groups on each Azure subscription and export them all as a backup
  2. make notes of all VNETs (virtual networks) and its address space an subnets to make sure you don’t have an virual network or subnets that will overlap source or target VNETs on different Azure subscriptions / Resource Groups during the VNET-to-VNET setup “peering”
  3. have one account on each Azure subscription with RBAC role as “network contributor” , send the proper invitation to these accounts, accept the invitation and log on https://portal.azure.com to make sure you can access target VNET properly
  4. have access to On-premises firewall as admin to add Azure subscription (A) VNET address space (IP address) to the site-to-site vpn networks (in our scenario we have a Sonicwall NSA)
  5. deploy a temporary vm (vm001) to Azure subscription (A) so you can perform the tests from (A) to (B) VNET-to-VNET as well to (C) on-premises network. (I’m using an Ubuntu 18.04.5 LTS from Azure marketplace)
  6. Configure the peering connection in the hub (subscription B) to allow gateway transit.
  7. Configure the peering connection in each spoke (subscrition A) to use remote gateways.
  8. Configure all peering connections (subscription A and B) to allow forwarded traffic.

If you have all previous items ready to go you can go the Setup phase

on Azure subscription (A)

  • Log on Azure portal
  • Go to the Azure Resource Group
  • Go to the VNET (virtual network) \ Properties
  • copy the Resource ID from this VNET (we’ll need that to setup the VNET-to-VNET peering from B to A)

on Azure subscription (B)

  • Go to the VNET (virtual network) \ properties
  • copy the Resource ID from this VNET (we’ll need that to setup the VNET-to-VNET peering from A to B)
  • Go to the VNET (virtual network) \ peeringsĀ 
  • click + add
    • at Name of the peering from SuperHub-vnet to remote virtual network:
    • at Virtual network deployment model check “I know my resource ID” and paste the VNET resource id from Azure subscripton (A)
    • at Directory: select the target azure subscription and click authenticate (you should be prompted to authenticate with the user who has access to target resource vnet on subscription (A)
    • select “enabled” for Allow virtual network access from SuperHub-vnet to remote virtual network and
      Allow forwarded traffic from remote virtual network to SuperHub-vnet
      Ā 
      Ā 
    • check “allow gatweay transit” on this peering (the one connected to the on-premises through an Azure Gateway / site-to-site vpn).
    • click OK to create the peering

on Azure subscription (A)

  • Go to the VNET (virtual network) \ properties
  • copy the Resource ID from this VNET (we’ll need that to setup the VNET-to-VNET peering from B to A)
  • Go to the VNET (virtual network) \ peeringsĀ 
  • click + add
    • at Name of the peering from SuperHub-vnet to remote virtual network:
    • at Virtual network deployment model check “I know my resource ID” and paste the VNET resource id from Azure subscripton (B)
    • at Directory: select the target azure subscription and click authenticate (you should be prompted to authenticate with the user who has access to target resource vnet on subscription (B)
    • select “enabled” for Allow virtual network access from SuperHub-vnet to remote virtual network and
      Allow forwarded traffic from remote virtual network to SuperHub-vnet
    • check “use remote gateways” on this peering (the one connected to B).
    • click OK to create the peering

check on both subscriptions the peering status asĀ Connected

 

Go to Subscription (A)

  • log on the VM: vm001 (ubuntu linux)
  • run the apt-get update
  • run the apt-get upgrade
  • run apt-get install apache2
  • run “systemctl status apache2” to start the apache web service on this vm
  • ping a vm IP address on Azure Resource group (subscription B)
  • ping 10.0.4.4
  • ping the printer IP address located on-premises
  • ping 10.10.1.75

 

Troubleshooting

  1. check on-premises firewall
    1. vpn settings and allowed networks through site-to-site vpn (on-premises to subscription B resource group)
    2. from an on-premises vm
    3. execute a ping 10.0.4.4 vm on subscription B
    4. execute a ping 10.100.1.7 vm on subscription A (our vm001 , apache)
    5. try http://10.100.1.7 and check the result



  2. check Azure vm001 (azure subscription A)
    1. open its virtual machine
    2. go to networking
    3. click on network interface
    4. click on effective routes and wait to load
    5. check if you can see on-premises IP address block 10.10.1.0/24
    6. check if you can see the other VNET-to-VNET network 10.0.4.0/24 (next hop type: VNet peering)



  3. check any VM available on azure subscription B
    1. open its virtual machine
    2. go to networking
    3. click on network interface
    4. click on effective routes and wait to load
    5. check if you can see on-premises IP address block 10.10.1.0/24 (next hop type: Virtual network gateway)
    6. check if you can see the other VNET-to-VNET network 10.100.0.0/16 (next hop type: VNet peering)



I hope that helps.

References
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke

Check my Github repository

Thanks,

Thiago Beier
TwitterLinkedInFacebookRSS

Published by Thiago Beier

IT Solutions Architect

Published