
Azure: Unable to connect to VMs in a peered VNet from P2S VPN

8:50 am in Azure, Azure Networking, Azure virtual network, P2S client, P2S VPN, RDP, VNet peering by Wim Matthyssen

These days, when setting up a greenfield Azure IaaS environment for customers, we use the hub-spoke network topology with shared services. In this topology the hub network is the central point of connectivity and the place to host services that are consumed by the workloads hosted in the spoke VNets. All spokes are peered with the hub network, which keeps the workloads isolated from each other. Whenever I work remotely on these environments, I mostly use a Point-to-Site (P2S) connection to securely connect to the different VNets from my client devices.

However, last week while deploying a new environment for a customer, I stumbled upon a problem where I couldn’t RDP (over private IP addresses) to the virtual machines (VMs) in the different spokes. RDP access to the VMs in the hub VNet worked without any issues.


This is caused by the way P2S routing works: by design, the P2S client only receives routes for the address space of the hub VNet (the VNet that hosts the Virtual Network Gateway). Even though the hub VNet and the spoke VNets are connected via peering, the P2S client configuration contains no routes for the spoke address spaces, so it has no way to reach the VMs in the peered VNets. For the P2S client to reach all VMs located in the peered VNets (through, for example, RDP), a static route for each of these VNets has to be added to the routes.txt file of that specific connection. You can follow the steps below to get this working.

Solution

Open Run, type %appdata% and press Enter.


Browse to Microsoft – Network – Connections – Cm and select the folder of the right connection. Next, open the routes.txt file in Notepad (double-click it to open).


Remark

You can also find the correct path to the routes.txt file in the P2S VPN log file. To open this log, open your P2S connection and select Properties instead of Connect. In the Properties page that opens, select View Log. Search for ActionPath, which shows you the location of the file.


End of remark.

In the opened routes.txt file, add the static routes for the other VNets.

For example (three spoke VNets, each with a /20 address space):

    ADD 10.6.0.0 MASK 255.255.240.0 default METRIC default IF default
    ADD 10.7.0.0 MASK 255.255.240.0 default METRIC default IF default
    ADD 10.8.0.0 MASK 255.255.240.0 default METRIC default IF default


Save the file, and connect again. You should now be able to RDP to all other VMs in the spoke VNets.
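The manual edit above can be scripted so the routes are generated from the spoke address spaces and only appended when missing. This is an added example, not a script from the original post; the spoke prefixes and the connection folder name are constructed sample values.

```powershell
# Added example, not from the original post: append static routes for the peered spoke VNets
# to the P2S client's routes.txt. The spoke address spaces and the connection folder name are
# constructed sample values; replace them with your own.
$spokePrefixes    = @("10.6.0.0/20", "10.7.0.0/20", "10.8.0.0/20")
$connectionFolder = "MyP2SConnection"   # folder under %appdata%\Microsoft\Network\Connections\Cm
$routesFile = Join-Path $env:APPDATA "Microsoft\Network\Connections\Cm\$connectionFolder\routes.txt"

# Convert a prefix length into the dotted-decimal mask routes.txt expects (20 -> 255.255.240.0)
function ConvertTo-SubnetMask {
    param([int]$PrefixLength)
    if ($PrefixLength -lt 0 -or $PrefixLength -gt 32) { throw "Prefix length must be between 0 and 32" }
    $allOnes = [long][uint32]::MaxValue
    $bits = ($allOnes -shl (32 - $PrefixLength)) -band $allOnes
    $octets = foreach ($shift in 24, 16, 8, 0) { ($bits -shr $shift) -band 255 }
    return ($octets -join ".")
}

# Build one routes.txt line per spoke, in the same form the post shows
$routeLines = foreach ($prefix in $spokePrefixes) {
    $network, $length = $prefix -split "/"
    "ADD $network MASK $(ConvertTo-SubnetMask -PrefixLength ([int]$length)) default METRIC default IF default"
}

if (-not (Test-Path $routesFile)) { throw "routes.txt not found at $routesFile; check the connection folder name" }

# Only append routes that are not already present, so the script can be re-run safely
$existing = Get-Content $routesFile
$toAdd = $routeLines | Where-Object { $existing -notcontains $_ }
if ($toAdd) {
    Add-Content -Path $routesFile -Value $toAdd
    $toAdd | ForEach-Object { "Added: $_" }
} else {
    "All spoke routes already present in $routesFile"
}
```

Reconnect the P2S connection after running it, because the routes are only installed when the connection is established.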

Hope this helps and for any questions feel free to contact me through my Twitter handle.

Wim Matthyssen (@wmatthyssen)

Configuring VNet peering through the Azure Portal resulted in a Peering Status – Failed

12:19 pm in Azure, Azure Networking, Azure portal, Azure PowerShell, VNet, VNet peering by Wim Matthyssen

Virtual network peering is a mechanism that seamlessly connects two Azure virtual networks (VNets). Once peered, the virtual networks appear as one, and resources can be accessed from both VNets via their private IP Addresses.

While creating a new peering through the Azure Portal, the result was a VNet peer with a PEERING STATUS of Failed. Deleting the peering also failed. Probably something went wrong in the back end, or the Portal was stuck and kept reporting the Failed status. As in most cases when you are troubleshooting Azure issues, Azure PowerShell comes to the rescue.

By running the PowerShell script below (copy it and save it as a .ps1 file), I was able to get the peering resource updated by reading it with the Get cmdlet and writing it back with the Set cmdlet, after which the VNet peer showed as Connected.

PowerShell script (posted as a screenshot in the original)
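The Get-and-Set round trip described above, as an added example rather than the author's own script. It uses the Az module (the AzureRM cmdlets Get-AzureRmVirtualNetworkPeering and Set-AzureRmVirtualNetworkPeering have the same shape); the resource group, VNet and peering names are assumed values.

```powershell
# Added example, not the author's script: re-submit a VNet peering that the portal left in
# the Failed state. Resource group, VNet and peering names are assumed placeholder values.
$resourceGroup = "rg-network"
$vnetName      = "vnet-hub"
$peeringName   = "hub-to-spoke1"

Connect-AzAccount | Out-Null

# Read the peering resource exactly as Azure Resource Manager currently stores it
$peering = Get-AzVirtualNetworkPeering -ResourceGroupName $resourceGroup `
    -VirtualNetworkName $vnetName -Name $peeringName
"Before: PeeringState={0} ProvisioningState={1}" -f $peering.PeeringState, $peering.ProvisioningState

# Writing the unchanged object back forces a new PUT on the resource, which makes ARM
# re-evaluate the peering instead of leaving the stale Failed status in place
$peering = Set-AzVirtualNetworkPeering -VirtualNetworkPeering $peering
"After:  PeeringState={0} ProvisioningState={1}" -f $peering.PeeringState, $peering.ProvisioningState

# A peering between two ARM VNets only becomes Connected once the reverse peering exists
# on the remote VNet as well; anything else is worth checking before touching NSGs or routes
if ($peering.PeeringState -ne "Connected") {
    Write-Warning "Peering '$peeringName' is '$($peering.PeeringState)'. Verify the reverse peering on the remote VNet points back to '$vnetName'."
}
```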

I hope the above script comes in handy whenever you face the same issue. Till next time.

Wim Matthyssen (@wmatthyssen)

How to connect an Azure ARM VNet to an ASM VNet using VNet Peering

4:25 pm in ARM, ASM, Azure, Azure virtual network, Cloud, DC, DNS, VNet peering by Wim Matthyssen

Hi all,

In this blog post I will show you how you can connect an Azure Resource Manager (ARM) virtual network (VNet) to a classic or Azure Service Manager (ASM) VNet using VNet Peering.

VNet Peering, which was made generally available (GA) on September 28th, is a mechanism that allows you to connect two VNets in the same region through the Azure backbone network as if they were a single network. This means that you no longer need a VNet gateway, as you do when you set up a VNet-to-VNet VPN connection. It allows full connectivity between the entire address space of the peered VNets. So, for example, once VNet peering is set up, all virtual machines in the peered VNets can communicate with each other. If you’re interested, you can read more about VNet Peering via the following link: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

Before we start setting things up, first some things to keep in mind:

  • VNet Peering requires that both VNets are located in the same Azure region
  • The VNets must be in the same Azure subscription (this applies only to ARM – ASM VNet Peering)
  • The IP address spaces of both VNets must not overlap
  • Using your peer’s VNet gateway (the UseRemoteGateways and AllowGatewayTransit settings) is not supported when peering with an ASM VNet
  • There is a small charge for data transferred between VNets using VNet Peering ($0.01 per GB for both inbound and outbound data transfer)
  • To be clear, you can find below a drawing of my ARM – ASM VNet Peering setup


After all this is said and shown, we can start:

1) First of all, go to the Azure portal and sign in with your Azure account

2) Select Virtual Networks


3) Select your ARM VNet (in my case AZU-Vnet-ARM)


4) Click Peerings (as you can see, there is one connected device, AZU-APP-01)


5) Click Add


6) In the Add Peering blade, name your link (in my case LinkToVNetASM). Under Peer details select Classic. Choose the correct Subscription and the ASM Virtual Network you want to peer with. Leave Allow virtual network access set to Enabled; this allows communication between the two virtual networks. Then click OK


7) After clicking OK the peering link will be created


8) When done, the two virtual networks are peered and you will see the PEERING STATUS between the two virtual networks is in a Connected state


9) As you can see, both VMs can ping each other. Don’t forget to allow ping through the Windows Firewall


10) After adding AZU-DC-01 (10.0.1.36) as DNS server for the AZU-Vnet-ARM VNet, I was able to join AZU-APP-01 to the azuvlab.local domain, which was created on AZU-DC-01

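The same ARM-to-classic peering can be created from Azure PowerShell instead of the portal. This is an added example, not part of the original post: the subscription id, resource group names and the classic VNet name are assumed placeholders, while AZU-Vnet-ARM and the link name LinkToVNetASM are taken from the steps above.

```powershell
# Added example, not from the original post: peer an ARM VNet with a classic (ASM) VNet using
# the Az module. Subscription id, resource groups and the classic VNet name are placeholders.
$subscriptionId       = "00000000-0000-0000-0000-000000000000"   # placeholder
$armResourceGroup     = "rg-arm"                                 # assumed
$classicResourceGroup = "rg-classic"                             # assumed
$armVnetName          = "AZU-Vnet-ARM"                           # from the post
$classicVnetName      = "AZU-Vnet-ASM"                           # assumed

# Both VNets must live in the same subscription for ARM-to-classic peering
Connect-AzAccount -Subscription $subscriptionId | Out-Null

$armVnet = Get-AzVirtualNetwork -ResourceGroupName $armResourceGroup -Name $armVnetName

# A classic VNet is referenced by its Microsoft.ClassicNetwork resource id. The peering is
# one-sided: no reverse peering object is created on the classic side.
$classicVnetId = "/subscriptions/$subscriptionId/resourceGroups/$classicResourceGroup" +
                 "/providers/Microsoft.ClassicNetwork/virtualNetworks/$classicVnetName"

# Virtual network access is allowed unless -BlockVirtualNetworkAccess is passed, which matches
# leaving "Allow virtual network access" Enabled in the portal. Gateway transit switches
# (-AllowGatewayTransit / -UseRemoteGateways) are left off because they are unsupported here.
$peering = Add-AzVirtualNetworkPeering -Name "LinkToVNetASM" `
    -VirtualNetwork $armVnet `
    -RemoteVirtualNetworkId $classicVnetId

"PeeringState={0} AllowVirtualNetworkAccess={1}" -f $peering.PeeringState, $peering.AllowVirtualNetworkAccess
```

Before running it, confirm the two address spaces do not overlap and both VNets are in the same region, or the cmdlet fails with a validation error.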

This concludes this blog post. If you have any questions don’t hesitate to contact me via twitter.

Wim Matthyssen (@wmatthyssen)