Azure-to-Azure connectivity refers to connectivity between two Azure virtual networks in the same region or different regions. For instance, say you have a set of virtual machines deployed in East US and you want to establish connectivity to another set of servers deployed in West Europe. Here the connection is established between two Azure regions. Also, it’s not necessary that the connectivity is between two regions; it could be connectivity between resources in two different virtual networks created in the same region.
All resources deployed in a virtual network will be able to communicate with the Internet by default. This means the resource can initiate the connection to the Internet to get the time, download updates, etc. We already covered this in the previous chapter when we discussed system routes. For inbound connections, you need to set up public IP addresses or public load balancers. Regarding communication between Azure resources we have covered different methods such as deploying them to the same virtual network, service endpoints for communicating with Azure services, and private links for establishing a connection over a private IP address to Azure PaaS solutions. In this section, we are interested in communication between Azure resources deployed in two different virtual networks.
By default, each virtual network, regardless of whether they are in the same region or different regions, cannot communicate with each other unless you have one of the following methods established. Each virtual network will be an isolated network like you used to have on-premises. In on-premises, you used routers to connect two networks and enable communication; in Azure you have different methods available to enable this connection. Figure 4.1 shows each of the methods.
FIGURE 4.1 Reference architecture
In Figure 4.1, you can see that the jumpbox VM deployed in the jumpBoxSubnet of vnet-01 cannot communicate with vnet-02. The vnet-02 has two subnets, WebTier and DataTier, each holding web-vm and database-vm, respectively. The web and database VMs are able to communicate with each other as they are in the same virtual network. Your goal is to let the jumpbox VM communicate with web-vm. (We are not taking the NSG into account. Let’s assume that all ports are open for simplicity, though it’s not an ideal configuration for production workloads.) We will start with the easiest and least secure method: the Internet.
Leave a Reply