
Nontransitivity – Intersite Connectivity

In your mathematics class, you probably studied the transitive property: if A = B and B = C, then A = C. Virtual network peering does not behave this way, which is why it is described as non-transitive. A peering relationship applies only to the two networks that are directly peered; it is not inherited through an intermediate network.

For example, if vnet-A is peered with vnet-B and vnet-B is peered with vnet-C, vnet-A is not peered with vnet-C, and resources in vnet-A cannot reach vnet-C by passing through vnet-B. If resources in vnet-A need to communicate with vnet-C, you must create an explicit peering between vnet-A and vnet-C (routing the traffic through a network virtual appliance or VPN gateway in vnet-B is a different design with its own configuration). This also means non-transitivity acts as an isolation boundary: two networks that share a common peer remain isolated from each other until someone deliberately connects them. Always make sure you have created a peering between every pair of virtual networks that need to communicate. Now let's see how peering is implemented.
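Because each missing link is easy to overlook in a larger set of networks, the following audit is a useful check. It is an added example, not code from the page or the book: given the networks that must all reach each other and the one-directional peering links that exist (Azure models each peering as a link on the source network pointing at the remote network), it reports every pair that is either not peered at all or peered in only one direction. The sample links are constructed; the commented-out lines at the end show how to build the same list from live networks with the Az module.

```powershell
# Added example: audit a set of virtual networks for the explicit, reciprocal
# peering links that non-transitive peering requires. Not from the original page.

function Find-MissingPeerings {
    param(
        [string[]]$VirtualNetworks,   # every network that must reach every other one
        [object[]]$Links              # objects with From / To (network names), one per link
    )
    # Index existing links as "source>remote" strings for O(1) lookups.
    $present = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($l in $Links) { [void]$present.Add("$($l.From)>$($l.To)") }

    $findings = @()
    for ($i = 0; $i -lt $VirtualNetworks.Count; $i++) {
        for ($j = $i + 1; $j -lt $VirtualNetworks.Count; $j++) {
            $a = $VirtualNetworks[$i]
            $b = $VirtualNetworks[$j]
            $ab = $present.Contains("$a>$b")
            $ba = $present.Contains("$b>$a")
            if ($ab -and $ba) { continue }          # fully peered in both directions

            $missing = @()
            if (-not $ab) { $missing += "$a -> $b" }
            if (-not $ba) { $missing += "$b -> $a" }
            $reason = if (-not $ab -and -not $ba) {
                'no peering: a shared peer does not make these networks transitive'
            } else {
                'one-sided link: the peering stays in the Initiated state'
            }
            $findings += [pscustomobject]@{
                Pair    = "$a <-> $b"
                Missing = ($missing -join ', ')
                Reason  = $reason
            }
        }
    }
    return $findings
}

# Constructed sample (not real peerings): A<->B and B<->C are fully peered,
# A->D exists without its reciprocal link, and nothing connects A to C.
$links = @(
    [pscustomobject]@{ From = 'vnet-A'; To = 'vnet-B' }
    [pscustomobject]@{ From = 'vnet-B'; To = 'vnet-A' }
    [pscustomobject]@{ From = 'vnet-B'; To = 'vnet-C' }
    [pscustomobject]@{ From = 'vnet-C'; To = 'vnet-B' }
    [pscustomobject]@{ From = 'vnet-A'; To = 'vnet-D' }
)

Find-MissingPeerings -VirtualNetworks @('vnet-A', 'vnet-B', 'vnet-C', 'vnet-D') -Links $links |
    Format-Table -AutoSize

# To audit real networks instead of the sample (assumes the Az module and a
# signed-in context with read access to the networks):
# $links = foreach ($v in Get-AzVirtualNetwork) {
#     foreach ($p in $v.VirtualNetworkPeerings) {
#         [pscustomobject]@{ From = $v.Name; To = ($p.RemoteVirtualNetwork.Id -split '/')[-1] }
#     }
# }
```

With the sample input the audit reports four pairs: vnet-A/vnet-C, vnet-B/vnet-D and vnet-C/vnet-D have no peering at all, and vnet-A/vnet-D is missing the vnet-D -> vnet-A link. The first case is exactly the non-transitivity trap described above; the second is the half-finished reciprocal connection discussed in the next section.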

Implementing Virtual Network Peering

Virtual network peering is similar to connecting two network switches: you need a cable plugged into each switch and configuration on both sides before traffic flows. In the implementation of virtual network peering, you create a peering link on each of the two networks you want to peer, each pointing at the other. In short, you need a reciprocal connection to implement the peering. A link whose counterpart does not yet exist shows the peering state Initiated; once both links exist, each shows Connected, and only then does traffic pass. Luckily, in the Azure portal, opening the Peerings blade of one virtual network lets you create both links from the same blade, so you don't have to navigate to the other network to create the reciprocal connection.

When you are implementing cross-subscription peering, make sure that you have permissions on both subscriptions to manage the virtual networks and the peering. In the case of cross-subscription and cross-tenant peering, the administrator of the peer network should grant you at least the Network Contributor role on the remote virtual network (a custom role that includes the Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write and Microsoft.Network/virtualNetworks/peer/action permissions is the least-privilege alternative). For cross-tenant peering, you must also be able to sign in to the other tenant, typically as a guest user. Without these permissions, you will not be able to create the reciprocal connection on the other peer, and the peering will stay in the Initiated state.

In Exercise 4.1, you will work with two virtual networks in different regions, East US and West US. The virtual network vnet-01 is in East US, and vnet-02 is in West US. Each virtual network contains a default subnet, with address ranges 172.16.0.0/24 and 192.168.0.0/24, respectively; the ranges do not overlap, which is a requirement for peering. In the default subnet of vnet-01, two VMs are deployed: jumpbox-vm, which has a public IP address, and vm-01, which does not. In the default subnet of vnet-02, there is a single VM, vm-02, without a public IP address. Your goal is to establish peering between vnet-01 and vnet-02 so that you can connect to jumpbox-vm, SSH from there to vm-01, and from vm-01 communicate with vm-02 using private IP addresses. You are using jumpbox-vm as the entry point from your local machine into Azure; because it is the only internet-exposed component, restrict inbound SSH on its network security group to your own source address. Figure 4.4 gives a high-level overview of the architecture.

FIGURE 4.4 Implementing virtual network peering

Setting up this infrastructure from scratch may take some time; you can use the PowerShell script in the following GitHub repository to deploy the infrastructure shown in Figure 4.4.

https://github.com/rithinskaria/azure-infra/blob/main/peering.ps1

You can use your own username and password in the script by updating the variables, or you can go with the default preconfigured values. All components will be deployed except the peering, which you will create in Exercise 4.1.
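The exercise creates the peering in the portal. As an added example that is not part of the page or of the linked deployment script, the following Az PowerShell code performs the same reciprocal peering between vnet-01 and vnet-02, refusing to proceed if the address spaces overlap and verifying afterwards that both links report Connected. It follows the cross-subscription pattern from the previous section, switching context to the subscription that owns each network before creating that network's link. The resource group name and the two subscription IDs are placeholders (assumptions, not values from the page); when both networks live in one subscription, set both IDs to the same value.

```powershell
# Added example, not the page's deployment script: create both peering links for
# vnet-01 (East US) and vnet-02 (West US) and verify PeeringState = Connected.
# Assumptions (placeholders): resource group 'rg-peering' and the subscription IDs.
$localSub  = '00000000-0000-0000-0000-000000000001'   # owns vnet-01
$remoteSub = '00000000-0000-0000-0000-000000000002'   # owns vnet-02 (may equal $localSub)
$rg        = 'rg-peering'

# IPv4 dotted-quad -> integer, for the overlap check below.
function ConvertTo-IpNumber([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [long](([long]$bytes[0] -shl 24) + ([long]$bytes[1] -shl 16) + ([long]$bytes[2] -shl 8) + [long]$bytes[3])
}

# Two CIDR blocks overlap exactly when they agree on the shorter of the two prefixes.
function Test-CidrOverlap([string]$A, [string]$B) {
    $ipA, $lenA = $A -split '/'
    $ipB, $lenB = $B -split '/'
    $len  = [Math]::Min([int]$lenA, [int]$lenB)
    $mask = ([long]4294967295 -shl (32 - $len)) -band [long]4294967295
    return ((ConvertTo-IpNumber $ipA) -band $mask) -eq ((ConvertTo-IpNumber $ipB) -band $mask)
}

# Resolve each network in the subscription that owns it.
Set-AzContext -Subscription $localSub | Out-Null
$vnet01 = Get-AzVirtualNetwork -Name 'vnet-01' -ResourceGroupName $rg
Set-AzContext -Subscription $remoteSub | Out-Null
$vnet02 = Get-AzVirtualNetwork -Name 'vnet-02' -ResourceGroupName $rg

# Azure refuses to peer overlapping address spaces; fail early with a clear message
# instead of leaving a half-created peering behind.
foreach ($p1 in $vnet01.AddressSpace.AddressPrefixes) {
    foreach ($p2 in $vnet02.AddressSpace.AddressPrefixes) {
        if (Test-CidrOverlap $p1 $p2) { throw "Address prefixes overlap: $p1 and $p2" }
    }
}

# Link 1, created on vnet-01 in its own subscription. Virtual network access is
# allowed by default; forwarded traffic and gateway transit stay off unless the
# design needs them (least privilege).
Set-AzContext -Subscription $localSub | Out-Null
Add-AzVirtualNetworkPeering -Name 'vnet-01-to-vnet-02' -VirtualNetwork $vnet01 `
    -RemoteVirtualNetworkId $vnet02.Id | Out-Null

# Link 2, the reciprocal, created on vnet-02 in its subscription. Until it exists,
# link 1 sits in the Initiated state and no traffic flows.
Set-AzContext -Subscription $remoteSub | Out-Null
Add-AzVirtualNetworkPeering -Name 'vnet-02-to-vnet-01' -VirtualNetwork $vnet02 `
    -RemoteVirtualNetworkId $vnet01.Id | Out-Null

# Verify both directions; anything other than Connected means the peering is unusable.
Set-AzContext -Subscription $localSub | Out-Null
$link1 = Get-AzVirtualNetworkPeering -Name 'vnet-01-to-vnet-02' -VirtualNetworkName 'vnet-01' -ResourceGroupName $rg
Set-AzContext -Subscription $remoteSub | Out-Null
$link2 = Get-AzVirtualNetworkPeering -Name 'vnet-02-to-vnet-01' -VirtualNetworkName 'vnet-02' -ResourceGroupName $rg
foreach ($l in @($link1, $link2)) {
    if ($l.PeeringState -ne 'Connected') { throw "$($l.Name) is $($l.PeeringState); expected Connected" }
}
"Peering established: $($link1.Name) and $($link2.Name) are both Connected."
```

Run it after the deployment script and before Exercise 4.1 only if you want to skip the portal steps; otherwise keep it as a reference for automating the same configuration. The overlap check is what the portal would otherwise report as a validation error, and the final state check is the one thing to look at when a peered VM cannot be reached: a link left in Initiated on either side is the most common cause.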

EXERCISE 4.1
Implementing Virtual Network Peering in the Azure Portal

  1. If you have successfully run the PowerShell script, all resources will be deployed. SSH to the jumpbox using the public IP address of the VM. To find the public IP address, navigate to Azure Portal ➢ Virtual Machines ➢ jumpbox-vm and look for the public IP address in the Overview blade. Alternatively, you can use the DNS name to connect to the VM.
  2. You can use any terminal on your computer, or Cloud Shell, to initiate an SSH connection to the VM by running ssh <username>@<public-ip-or-dns-name>, where <username> is the value configured in the PowerShell script.
  3. You will be prompted to add the host to the list of known hosts. Continue by entering Y and pressing Enter. Next, you will be prompted for the password; use the password you set in the PowerShell script. (The script configures password authentication; for anything beyond this exercise, prefer SSH keys on the jumpbox and keep password logins disabled.)
  4. Now you are going to SSH to vm-01 from jumpbox-vm. You need the private IP address of vm-01; as vm-01 and jumpbox-vm are in the same virtual network, they can communicate over private IP addresses. Find the private IP address by navigating to Azure Portal ➢ Virtual Machines ➢ vm-01 ➢ Overview ➢ Properties. Once you have it, run ssh <private-ip-of-vm-01> from the jumpbox console to connect to vm-01. You don't have to specify the username, as all your VMs use the same username.
