Azure Transport Vnet implements Hub-spoke model S2S connection

Many small partners on Azure have the need for vnet connectivity. Vnet Gateway is now available in Azure in a cross-region scenario to enable interoperability via the S2S, which can be achieved through vnet peering in the same region. The above is a simple two vnet interoperability scenario, when there are more than one vnet to achieve the interoperability between any and any, through this 22 interconnection method workload and complexity is significantly too high. Is there any way to realize the interoperability of any of the full Mesh more easily? The answer is Hub-spoke, but here's the problem. Transit Vnet is not supported for the Azure network vnet peering native to the vnet peering scenario (that is, if Vnet a,b,c,vnet A and vnet B are established peer,vnet B with vnet c to establish peer, at this time A and B support interoperability, B and C support interoperability, but a and C does not have an interoperability relationship, if necessary interoperability that vnet B to play the role of transit vnet).

Currently azure can act as a routing-forwarding role by creating an instance in the hub vnet, enabling the transit vnet to perform. This approach is relatively complex, and users need to consider the high availability of instances themselves. This article shows you how to implement a transit vnet with the Vnet gateway provided by Azure native.

Test Environment Description:

Vnet-hub:172.16.0.0/16

Vnet-spoke1:172.17.0.0/16

Vnet-spoke2:172.18.0.0/16

Vnet-spoke1 in vm:172.17.0.4

Vnet-spoke2 in vm:172.18.0.4

Preparatory work:

1. Vnet Gateway exists in the hub vnet

The configuration method (the parameters are in italics, the actual configuration can be replaced according to the requirements):

1. Create peering in the hub vnet to the Spoke1 vnet and Spoke2 vnet

Azure Network Vnet Peering create-g vnet-hub -n toSpoke1 --vnet-name vnet-hub--remote-vnet-i D Spoke1-vnet-id --allow-gateway-transit true--allow-vnet-access true

Note: Turn on gateway-transit so that the spoke end can enjoy the hub's vnet gateway

Azure Network Vnet Peering create-g vnet-hub -n toSpoke2--vnet-name vnet-hub -- Remote-vnet-id Spoke2-vnet-id --allow-gateway-transit true--allow-vnet-access true

1. Create a peering to the hub in a spoke vnet

Azure Network Vnet Peering create-g vnet-spoke1 -n tohub --vnet-name vnet-spoke1--remote-vne T-id Hub-vnet-id --use-remote-gateways true--allow-vnet-access true

Note:spoke-side open use-remote-gateways, thus spoke can enjoy Hub's vnet gateway

Azure Network Vnet Peering create-g vnet-spoke2 -n tohub --vnet-name vnet-spoke2--remo Te-vnet-id Hub-vnet-id --use-remote-gateways true--allow-vnet-access true

1. Create a UDR custom forwarding policy to route the spoke vnet segment address next hop to the hub VNet gateway address

Create a UDR routing table

Azure Network route-table create-g vnet-spoke1 -n spoke1udr -l Southeastasia

Create a route entry

Azure Network route-table Route create--route-table-name spoke1udr --address-prefix 172.18.0.0/16 -- Next-hop-ip-address 172.16.1.4 --next-hop-type virtualappliance--name spoke2prefix -- Resource-group vnet-spoke1

Note: The next-hop address type is specified as Virtualappliance

Azure Network route-table create-g vnet-spoke2 -n spoke2udr -l Southeastasia

Azure Network route-table Route create--route-table-name spoke2udr --address-prefix 172.17.0.0/16 -- Next-hop-ip-address 172.16.1.4 --next-hop-type virtualappliance--name spoke1prefix -- Resource-group Vnet-spoke2

Associating routing tables to subnets

Azure Network vnet subnet set-g vnet-spoke1 --vnet-name vnet-spoke1 --name default --route-ta Ble-name SPOKE1UDR

Azure Network vnet subnet set-g vnet-spoke2 --vnet-name vnet-spoke2 --name default --rout E-table-name SPOKE2UDR

The attentive little partner may ask how the next hop set in the UDR routing entry is obtained. When creating a vnet gateway in azure, you need to create a gatewaysubnet,vnet gateway that is logically connected to the vnet via this gatewaysubnet, so the Vnet gateway consumes an address within that subnet. In azure, where address assignment is assigned to the smallest available address, in the case of the x.x.x.x/24 subnet, Azure assigns the 4th available address, x.x.x.4 to the Vnet Gateway. You can also verify the address of the Vnet gateway by pinging the available instances.

Test connectivity:

NTTTCP test with host in Vnet-spoke1 and Vnet-spoke2 inside host

Summary:

The hub can act as a transit vnet by implementing the vnet peering full mesh interoperability in the Hub-spoke environment with the Vnet gateway. VNet Gateway is a native gateway instance that simplifies deployment and management without needing to focus on high-availability issues.

Azure Transport Vnet implements Hub-spoke model S2S connection