This blog post is written as a guide for peering Lab Services with an on-premise network. Every network architecture is different and so this post is not intended as a detailed step-by-step instructional document. Rather, the intention of this document is to give guidance for the general steps and mention any possible issues that may arise with common network architectures.
The document discusses connecting to an on-premise network. It is assumed that on-premise network has a network gateway to which a VPN tunnel (site-to-site or ExpressRoute) may be connected. Details regarding how to setup an on-premise network will not be covered in this document. It is important to know the following information before proceeding.
The diagram below shows the architecture of the solution that will be used. There is an on-premise network with a VPN gateway. Since virtual networks created for a classroom lab cannot be connected directly to an on-premise network, we will create a virtual network (the hub vnet) in the same subscription as the lab account. This virtual network will be connected via a VPN tunnel to the on-premise network. It will also be peered to the virtual network created in the Azure Lab Services subscription for your classroom lab. The virtual network in the same subscription as the lab account is the glue that makes the scenario work.
A couple of notes before we get started:
Follow the instructions at how to manage lab accounts to create your lab account. Don’t worry about peering vnets yet. We need to set up our vnet first.
Connections must be created in both directions to be complete. First, let’s start with the hub gateway to on-prem gateway connection.
Second, create the connection from the on-prem network to the Azure virtual network. Once the hub-to-on-prem connection is made, the on-prem-to-hub connection must be made by the person or team maintaining the on-premise network, using the same shared key.
Each row in the connections blade for the virtual network can be clicked to open the connection details blade. The status tells you whether the bidirectional connection is complete.
Peer the lab account to the hub vnet by following the instructions at https://docs.microsoft.com/en-us/azure/lab-services/classroom-labs/how-to-connect-peer-virtual-netwo.... Remember that the hub vnet must be in the same subscription and region as the lab account to be seen in the drop-down.
IMPORTANT: The vnet peering on the lab account must be done before any labs are created. Previously created template machines or student virtual machines are not updated.
IMPORTANT: Also set an address range for the new lab to use. If not specified, Lab Services will default to something like 10.x.0.0/16. If you used any of the default ranges when creating the hub vnet, the lab vnets could overlap the hub vnet’s address space and cause issues.
Make sure to specify an address range large enough to hold all the labs you wish to create. A /23 subnet is created for each lab. (A /23 CIDR range holds a maximum of 512 addresses.) For example, a /21 address range is large enough to create 4 labs for that lab account. On the Azure side, these addresses are added to the total address space the vnet gateway advertises. The on-premises VPN configuration must include the lab vnet address space as well as the hub vnet address space for traffic to flow over the peering links.
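The address-range planning described above (a /23 per lab, no overlap with the hub vnet, and the on-premises VPN covering both the hub and lab address spaces) is easy to get wrong by hand. The following Python script is an added example, not code from the original post or from Azure Lab Services; the hub, on-premises and candidate lab ranges in it are constructed sample values. It works out how many labs a candidate range can hold, carves the /23 lab subnets, flags any overlap with the hub or on-premises address spaces, and lists the address spaces the on-premises VPN must include.

```python
import ipaddress

# Lab Services allocates one /23 subnet (512 addresses) per lab.
LAB_SUBNET_PREFIX = 23

# Constructed sample values: a hub vnet built with a default-style range,
# and an on-premises network behind the VPN gateway.
HUB_VNET_SPACES = ["10.0.0.0/16"]
ONPREM_SPACES = ["192.168.0.0/16"]


def lab_range_prefix(num_labs: int) -> int:
    """Smallest prefix length whose range holds num_labs /23 subnets."""
    if num_labs < 1:
        raise ValueError("need at least one lab")
    # Number of bits needed to index num_labs subnets (rounded up to a power of 2).
    bits = (num_labs - 1).bit_length()
    return LAB_SUBNET_PREFIX - bits


def max_labs(lab_range: str) -> int:
    """How many /23 lab subnets fit in the given lab account address range."""
    net = ipaddress.ip_network(lab_range, strict=True)
    if net.prefixlen > LAB_SUBNET_PREFIX:
        return 0  # smaller than a single lab subnet
    return 2 ** (LAB_SUBNET_PREFIX - net.prefixlen)


def overlaps(lab_range: str, other_ranges):
    """Return the ranges from other_ranges that overlap lab_range."""
    net = ipaddress.ip_network(lab_range, strict=True)
    return [r for r in other_ranges if net.overlaps(ipaddress.ip_network(r))]


def plan(lab_range: str, hub_ranges, onprem_ranges) -> dict:
    """Check a candidate lab account range against the hub and on-prem spaces."""
    net = ipaddress.ip_network(lab_range, strict=True)
    subnets = (
        [str(s) for s in net.subnets(new_prefix=LAB_SUBNET_PREFIX)]
        if net.prefixlen <= LAB_SUBNET_PREFIX
        else []
    )
    return {
        "lab_range": lab_range,
        "labs_supported": max_labs(lab_range),
        "lab_subnets": subnets,
        # Any overlap here means routing between lab VMs, hub and on-prem breaks.
        "conflicts": overlaps(lab_range, list(hub_ranges) + list(onprem_ranges)),
        # Both spaces must be present in the on-premises VPN configuration.
        "vpn_address_spaces": list(hub_ranges) + [lab_range],
    }


if __name__ == "__main__":
    for candidate in ("10.0.0.0/21", "10.64.0.0/21"):
        result = plan(candidate, HUB_VNET_SPACES, ONPREM_SPACES)
        print(f"{candidate}: {result['labs_supported']} labs, "
              f"conflicts={result['conflicts']}, "
              f"VPN must include {result['vpn_address_spaces']}")
```

Running it shows why picking a range inside a default-style 10.x.0.0/16 hub space fails: 10.0.0.0/21 is reported as conflicting with the hub vnet, while 10.64.0.0/21 yields four /23 lab subnets and the two address spaces the on-premises VPN must carry.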
You are now ready to start creating labs. Make sure to check any NSG settings on the on-premise network to allow traffic from the Lab Services hosted VMs to the on-premise server.
If you want to test that a lab VM can connect to an on-premise machine, it is common to use ping. Ping is a tool available on both Windows and Linux that sends messages using ICMP. By default, Azure VMs block ICMP. To use ping, you will need to add a firewall rule on the Azure VM to allow ping, update any NSG rules blocking ICMP, and possibly update the firewall rules on the destination resource in the on-premise environment.
Alternatively, if the resource you want to reach listens on a TCP port, you can use the Test-NetConnection PowerShell cmdlet instead of ping:
Test-NetConnection <ip> -Port <portnumber>