
I've been playing around with Azure's vnet offerings and I can't seem to get a simple network topology working. I am using the Resource Manager model. It seems that Azure's capabilities for even the simplest setups are incredibly limited. The scenario that I want to model is one where I have one local network trying to communicate with Azure using a PolicyBased (IKEv1) VPN, and various clients that need to connect to the network independently (P2S). PolicyBased VNetGateways do not support P2S, so I need to have two gateways, which seems to be the root of the problem.

My setup then becomes this:

 _____                       _______             ______        
|LAN  |                     |VNet1  |           |VNet2 |       
|  M0 |--S2S (PolicyBased)--|       |--Peering--|  VM  |--P2S--(Client1)
|_____|                     |_______|           |______|

And what I need to accomplish is:

  1. Client1 must be able to communicate with VM
  2. VM must be able to communicate with M0

Issue 2 is the one that I can't get to work. A machine in VNet2 is able to communicate with a machine in VNet1, and a machine in VNet1 can see M0. However, VM cannot see M0. I can get it to work if I remove the vnet gateway in VNet2 required for P2S and have VNet1 act as a gateway for VNet2, but this obviously fails requirement 1.

Any suggestions? In the documentation for VNet peering they seem to hint that RouteTables (UDR) could be a solution. That is, routing requests from a subnet to a Network Virtual Appliance (NVA). However, I can't find any lightweight NVAs for simple routing, and I'm not sure if this would even work.

Shui shengbao
F.A.

2 Answers


NVA route would work, but would require additional configuration. But what you are trying to achieve won't work as of current Azure networking.

4c74356b41
  • Is there an example of using an NVA route to accomplish the desired traffic pattern? I have a very similar situation that I'm looking to resolve. Any pointers or docs you can add to your answer would be appreciated. – user959729 Jan 17 '18 at 23:44
  • why don't you ask the guy you accepted the answer from? https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/nva-ha – 4c74356b41 Jan 18 '18 at 05:22
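As an editorial addition (not code from the question, from either answer, or from the linked Microsoft docs), this is roughly what the "additional configuration" for the NVA route looks like in Azure PowerShell (Az module). Every resource name, the on-prem LAN prefix, the subnet name and the NVA's private address are assumptions for illustration; the peering itself cannot use -UseRemoteGateways on the VNet2 side, because VNet2 keeps its own gateway for P2S, which is exactly the constraint the question describes.

```powershell
# Added example, not from the page: UDR on VNet2's VM subnet that sends the
# on-prem prefix to a forwarding NVA in VNet1. All names/addresses are assumed.
$rg        = "rg-vnet-demo"       # assumed resource group
$location  = "westeurope"         # assumed region
$lanPrefix = "192.168.0.0/24"     # assumed on-prem (LAN / M0) prefix behind the S2S tunnel
$nvaIp     = "10.1.1.4"           # assumed private IP of the NVA's NIC in VNet1

$vnet1 = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "VNet1"
$vnet2 = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "VNet2"

# 1. Peering in both directions. -AllowForwardedTraffic is what lets packets
#    forwarded by the NVA (source address not in the peer VNet) cross the peering.
#    -UseRemoteGateways is deliberately absent: VNet2 has its own P2S gateway.
Add-AzVirtualNetworkPeering -Name "VNet1-to-VNet2" -VirtualNetwork $vnet1 `
    -RemoteVirtualNetworkId $vnet2.Id -AllowForwardedTraffic | Out-Null
Add-AzVirtualNetworkPeering -Name "VNet2-to-VNet1" -VirtualNetwork $vnet2 `
    -RemoteVirtualNetworkId $vnet1.Id -AllowForwardedTraffic | Out-Null

# 2. The NVA's NIC must be allowed to forward packets not addressed to itself;
#    without this Azure drops them before the guest OS ever sees them.
$nvaNic = Get-AzNetworkInterface -ResourceGroupName $rg -Name "nva-nic"   # assumed NIC name
$nvaNic.EnableIPForwarding = $true
Set-AzNetworkInterface -NetworkInterface $nvaNic | Out-Null

# 3. Route table for the VM subnet in VNet2: LAN prefix -> NVA in VNet1.
$rt = New-AzRouteTable -ResourceGroupName $rg -Name "rt-vnet2-to-lan" -Location $location
Add-AzRouteConfig -RouteTable $rt -Name "to-lan-via-nva" -AddressPrefix $lanPrefix `
    -NextHopType VirtualAppliance -NextHopIpAddress $nvaIp | Set-AzRouteTable | Out-Null

$subnetName = "vm-subnet"                                                   # assumed subnet name
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet2 -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet2 -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Set-AzVirtualNetwork | Out-Null

# 4. Verification: the VM's effective routes should now list the LAN prefix with
#    NextHopType VirtualAppliance and the NVA's address, Source "User".
$vmNicName = "vm-nic"                                                       # assumed NIC name
Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName $vmNicName |
    Where-Object { $_.AddressPrefix -contains $lanPrefix } |
    Format-Table Source, NextHopType, NextHopIpAddress
```

Two things this fragment does not do, and which decide whether the NVA approach works end to end: the return path needs a matching route on VNet1's GatewaySubnet (VNet2's prefix with the NVA as next hop), and a policy-based tunnel only carries traffic that matches its traffic selectors, so VNet2's address space has to be part of the negotiated selectors on both ends of the S2S connection. Checking the effective route table on both the VM's NIC and the NVA's NIC is the quickest way to see which hop is dropping the packets.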

For now, Azure does not support your scenario.

VNet peering is between two virtual networks, and there is no derived transitive relationship. So, Vnet1 and Vnet2 could communicate with private IP, but VM cannot see M0. For more information about peering, please refer to this link. UDR also could not achieve your scenario; maybe you could refer to this question.

Shui shengbao
  • Virtual network (VNet) peering enables you to connect two VNets in the same region through the Azure backbone network. Peering only works on two VNets and there is no derived transitive relationship. User defined routes are only applied to Azure VMs and cloud services. For more information please refer to this [link](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview). – Shui shengbao Mar 03 '17 at 02:32
  • I suppose it does, but I can't say I'm not a bit disappointed. – F.A. Mar 03 '17 at 15:56
  • @"Shengbao Shui - MSFT" and @"F.A." Is there an example of using an NVA route to accomplish the desired traffic pattern? I have a very similar situation that I'm looking to resolve. Any pointers or docs you can add to your answer would be appreciated. I have looked at the Hub/Spoke architecture (https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke) and this is close to what I'm looking for. The example shows Spoke to Spoke communication. For my scenario, I need to communicate back on-prem through my Express Route from a spoke VNET. – user959729 Jan 18 '18 at 15:15