How to configure routing between Azure virtual networks?

I'm designing an Azure environment which will contain multiple virtual networks, and a requirement is for all networks to be connected; a VM in any network should be able to talk to another VM in any other network.

I could connect those networks using a full mesh topology, but this would quickly get out of hand as the number of networks increases, and I really don't want to have to set up and manage n(n - 1)/2 VPN connections.

I'd rather connect them using a hub-and-spoke topology, maybe using multiple hubs if the Azure limit of 10 connections per virtual network is reached. However, I'm stuck with a problem: there doesn't seem to be a way to handle routing in Azure.

Let's say, for the sake of simplicity, that I have three virtual networks:

  • Network A - 10.10.1.0/24
  • Network B - 10.10.2.0/24
  • Network C - 10.10.3.0/24

I want to connect Network A to Network B, and Network B to Network C; I don't want a direct connection between networks A and C: I want Network A to talk to Network C via Network B.

This would be a complete non-issue if I had control of the gateways; a couple of static routes would quickly and effectively solve the problem.

However, in Azure I can't find a way to define additional routes for virtual networks, thus I can't tell the gateway for Network A "send traffic addressed for Network C to Network B" (and vice versa).

How can this be achieved in Azure?


Ok, this can be done, but it's definitely not as easy as it could (and should) be.

Basically, the trick is using Azure's "local networks" to configure Azure gateways as we want, even if we can't directly touch their configuration.

In order to set up a connection between two Azure virtual networks, you need to define two matching "local networks", and then have each network connect to the "local network" corresponding to the other one; this is already a not-so-straight process, but at least there is some documentation about it. Having more than a single connection for a given virtual network is even more complex, because you can't handle that from the management portal (or PowerShell), and have instead to manually edit the network configuration files; however, even this can be done.

But what about routing? In the scenario described in this question, and assuming Network B is correctly connected to both Network A and Network C, how can we route traffic between these two networks?

We can do that by using the local network definitions; basically, we have to tell Network A's gateway that its connection to Network B is not only good to reach Network B's IP subnet, but also Network C's one; and we'll of course tell the reverse to Network C's gateway.

We already have to define four local networks:

  • Local Network A (from the point of view of Virtual Network B): 10.10.1.0/24
  • Local Network C (from the point of view of Virtual Network B): 10.10.3.0/24
  • Local Network B (from the point of view of Virtual Network A): 10.10.2.0/24
  • Local Network B (from the point of view of Virtual Network C): 10.10.2.0/24

We'll modify them as such:

  • Local Network A (from the point of view of Virtual Network B): 10.10.1.0/24
  • Local Network C (from the point of view of Virtual Network B): 10.10.3.0/24
  • Local Network B (from the point of view of Virtual Network A): 10.10.2.0/24 and 10.10.3.0/24
  • Local Network B (from the point of view of Virtual Network C): 10.10.2.0/24 and 10.10.1.0/24

This way, when Network A connects to Network B, it will use this connection to also route packets directed to Network C. When Network B's gateway receives them, it will already know how to handle them, and it will route them via its connection to Network C; and vice versa.


As an added bonus, this works for site-to-site connections outside Azure, too. If you want to throw a VPN to your company HQ into the mix and, for example, connect it to Network B (thus creating a Y-shaped topology), you can tell Network A and Network B they can reach your company HQ via their connection to Network B, in the exact same way.
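As an added example (not part of this answer), the following Python script generalizes the procedure above to any loop-free set of VPN connections: for every link it computes which address prefixes each "local network" definition must carry so that traffic is routed transitively, and it first checks that no two address spaces overlap, since the gateways route purely by prefix. The site names and the HQ prefix are assumed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed sample topology: the question's three networks plus the answer's
# "company HQ" site, attached to Network B (Y-shaped). HQ's prefix is assumed.
NETWORKS = {
    "A": "10.10.1.0/24",
    "B": "10.10.2.0/24",
    "C": "10.10.3.0/24",
    "HQ": "192.168.0.0/16",
}
LINKS = [("A", "B"), ("B", "C"), ("B", "HQ")]  # VPN connections, loop-free


def check_no_overlap(networks):
    """Reject overlapping address spaces; gateways route by prefix, so an overlap is ambiguous."""
    nets = {name: ipaddress.ip_network(p) for name, p in networks.items()}
    names = sorted(nets)
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            if nets[x].overlaps(nets[y]):
                raise ValueError(f"{x} and {y} overlap: {nets[x]} / {nets[y]}")
    return nets


def reachable_behind(adjacency, start, blocked):
    """Networks reachable from `start` without entering `blocked`: all sites behind that link."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen or node == blocked:
            continue
        seen.add(node)
        stack.extend(adjacency[node])
    return seen


def local_network_prefixes(networks, links):
    """Map (viewer, peer) -> prefixes the local network representing `peer`,
    as seen from `viewer`, must list so `viewer` sends traffic for every
    site behind `peer` down that one VPN connection."""
    nets = check_no_overlap(networks)
    adjacency = defaultdict(set)
    for x, y in links:
        adjacency[x].add(y)
        adjacency[y].add(x)
    result = {}
    for x, y in links:
        for viewer, peer in ((x, y), (y, x)):
            behind = reachable_behind(adjacency, peer, viewer)
            result[(viewer, peer)] = [str(p) for p in sorted(nets[n] for n in behind)]
    return result
```

For the plain A-B-C chain from the question, the output for `("A", "B")` is exactly the two prefixes listed for "Local Network B (from the point of view of Virtual Network A)" above.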


Azure has introduced vNet Peering if you do not want to bother with VPN every time you want to connect 2 networks:

https://docs.microsoft.com/en-us/azure/virtual-network/create-peering-different-deployment-models

https://azure.microsoft.com/en-us/resources/videos/virtual-network-vnet-peering/

It might be worth having a look, because it gets rid of the gateways that were a pain in the neck to manage.

If you want more information on how to implement it, I created a thread on my blog for that very purpose, and on how to use pfSense on Azure (pfSense is free, and I package a VHD for that if you want a free router).

https://mouradcloud.westeurope.cloudapp.azure.com/blog/blog/2018/07/19/build-azure-hub-and-spoke-using-pfsense-nva-udr-vnet-peering-and-vpn-on-local-router/
