Hub-Spoke communication using vNet Peering and User Defined Routes

Brass Contributor

Keyword : 

  • Hub VNet. Virtual network used to deploy the Hub, The hub is the central point of connectivity to host services and internet. Services deployed in Hub vnet can be consumed by the different workloads hosted in the spoke VNets.
  • Workload subnet. The subnets defined in the Spoke Vnets..
  • Spoke VNets. Spokes can be used to isolate workloads in their own VNets, managed separately from other spokes. Each workload might include multiple tiers, with multiple subnets connected through Azure load balancers.
  • VNet peering. To establish communication between two VNets.
  • Azure Firewall Azure Firewall is deployed in the hub, which provides an additional layer of security.

MohamedT_Trabelsi_10-1636454801634.png

 

Scenario : 

SPOKE networks must communicate with each other, but peering between them was not allowed.

Problem : 

 

-- SPOKE 1 is peered with the HUB network 

-- HUB is peered with SPOKE 2

-- No communication between SPOKE 1 and SPOKE 2 

 

Solutions : 

1- a Network Virtual Appliance (NVA) from the market place  : a VM with a configured Firewall/Router within the HUB and configure it to forward traffic to and from the Spoke1 & 2. 

 

2- a Virtual Gateway attached to the HUB network : enable communication between spokes with the defined routes. 

 

We will see the 2nd solution

 

1- Create the Hub Vnet (10.2.0.0/16) 

MohamedT_Trabelsi_7-1636453197510.png

2- Create the spoke1 Vnet (10.3.0.0/16) 

MohamedT_Trabelsi_6-1636453179459.png

 

3- Create the spoke2 Vnet (10.4.0.0/16) 

MohamedT_Trabelsi_8-1636453268478.png

 

We have 03 Vnets : 

MohamedT_Trabelsi_9-1636454017180.png

 

3- Configure peering  

 

**** With Portal Azure 

Hub <> Spoke1

MohamedT_Trabelsi_0-1636468462783.png

 

MohamedT_Trabelsi_2-1636468499632.png

 

 

 

Hub <> Spoke2

MohamedT_Trabelsi_1-1636468476517.png

MohamedT_Trabelsi_3-1636468524989.png

 

 

******************************************************************************

Or you can do it  **** With PowerShell Script 

 

example : create peering  Hub <> Spoke1

MohamedT_Trabelsi_1-1636459124192.png

 

 

$SpokeRG = "Networks"
$SpokeRM = "spoke1"
$HubRG = "Networks"
$HubRM = "centralHub"

$spokermvnet = Get-AzVirtualNetwork -Name $SpokeRM -ResourceGroup $SpokeRG
$hubrmvnet = Get-AzVirtualNetwork -Name $HubRM -ResourceGroup $HubRG

Add-AzVirtualNetworkPeering `
-Name SpokeRMtoHubRM `
-VirtualNetwork $spokermvnet `
-RemoteVirtualNetworkId $hubrmvnet.Id `
-UseRemoteGateways

Add-AzVirtualNetworkPeering `
-Name HubRMToSpokeRM `
-VirtualNetwork $hubrmvnet `
-RemoteVirtualNetworkId $spokermvnet.Id `
-AllowGatewayTransit

******************************************************************************

 

4- Create a Virtual Network Gateway

MohamedT_Trabelsi_0-1636456755187.png

MohamedT_Trabelsi_1-1636456781721.png

 

It's created now 😉 

 

MohamedT_Trabelsi_0-1636457696716.png

 

5- Now, go back to the Peering section of each of the SPOKE Networks and configure “Use Remote gateways” option

 

6- Create the route tables and define users routes needed for the SPOKE to SPOKE communication 

 

MohamedT_Trabelsi_2-1636466649417.png

 

Add route : 

 

--The Gateway subnet : CIDR /29  ==> The first and last IP are reserved for azure services. 

--The internal IP address will be from the 4 ==> 10.2.1.4

 

****RT of Spoke01

The Address prefix must be the network of the Spoke2 Virtual Network 10.4.0.0/16

Virtual appliance : Next hop type

Next hop address : internal address of the Virtual Network Gateway 10.2.1.4

MohamedT_Trabelsi_0-1636466571146.png

****RT of Spoke02

The Address prefix must be the network of the Spoke2 Virtual Network 10.3.0.0/16

Virtual appliance : Next hop type

Next hop address : internal address of the Virtual Network Gateway 10.2.1.4

 

MohamedT_Trabelsi_1-1636466592201.png

 

7- Associate these Route tables with our Virtual Networks 

 

In the Route table field select, Spoke1RouteTable and click Save

***Vnet Spoke1

MohamedT_Trabelsi_0-1636466794437.png

***Vnet Spoke2

MohamedT_Trabelsi_1-1636466812293.png

 

===> The two SPOKE Virtual Networks are able to communicate with each other via the HUB

 

8- Testing

--Create two windows VMs  ===> The first  in Spoke 1 network and the second The VM  in Spoke 2 network 

--Allow ICMP ping in the firewall of the 02 VMs 

 

MohamedT_Trabelsi_0-1636467624594.png

 

First VM in Spoke 1 network 

MohamedT_Trabelsi_0-1636467847806.png

 

Second VM in Spoke 2 network 

MohamedT_Trabelsi_1-1636467915006.png

 

====> The result of the test : 

 

Ping from VM1 To VM2 

MohamedT_Trabelsi_3-1636468068276.png

 

Ping from VM2 to VM1

MohamedT_Trabelsi_2-1636468027868.png

 

 

0 Replies