Recently, I was working on a solution for a customer where they wanted to implement a Hub-Spoke virtual network topology that enabled the HUB to communicate with its Spoke networks via vNet Peering. They also required the SPOKE networks to be able to communicate with each other but peering between them was NOT allowed.
As we know, vNet peering is Non-Transitive – which means, even though SPOKE 1 is peered with the HUB network and the HUB is peered with SPOKE 2, this does not enable automatic communication between SPOKE 1 and SPOKE 2 unless they are exclusively peered which in our requirement we were not allowed to do.
So, let’s explore a couple of options on how we can enable communication between the Spoke networks without peering.
There are several ways to implement Spoke to Spoke communication, but in this blog I’d like to provide details of the 2 feasible options that worked for us.
Option 1– is to place a Network Virtual Appliance (NVA) basically a Virtual Machine with a configured firewall/router within the HUB and configure it to forward traffic to and from the SPOKE networks.
If you search the Azure Market Place with the keywords “Network Virtual Appliance“, you will be presented with several licensed products that you could install and configure in the HUB network to establish this communication. Configuration of these virtual appliances varies and installation instructions can easily be found on their product websites.
The above information was sourced from this very helpful blog post.
The rest of this blog is a detailed step by step guide and the testing performed for implementing the approach mentioned in Option 2.
1.) Create 3 Virtual Networks with non-overlapping IP addresses
- Log on to the Azure Portal and create the Hub Virtual Network as follows
- Create the 2 additional virtual networks as the SPOKES with the following settings:
2.) Now that we have the 3 Virtual Networks provisioned, let’s start Peering them as follows:
a.) HubNetwork <> Spoke1Network
b.) HubNetwork <> Spoke2Network
- Navigate to the Hub Virtual Network and create a new peering with the following settings:
Select the “Allow gateway transit” option.
- Repeat the above step to create a peering with Spoke2Network as well.
3.) To establish a successful connection, we will have to create a peering to the HUB Virtual Network from each of the SPOKE Networks too
- Navigate to Spoke1Network and create a new Peering
Notice, that when we select the “Use remote gateways” option, we get an error as we haven’t yet attached a Virtual Network Gateway to the HUB network. Once a Gateway has been attached, we will come back to re-configure this.
For now, Do Not select this option and click Create.
- Repeat the above step for Spoke2 Virtual Network
4.) Let’s now provision a Virtual Network Gateway
- Before provisioning a gateway, a Gateway Subnet is required within the Hub Virtual Network. To create this, click on the “Subnets” option in the blade of the Hub Virtual Network and then Click on “Gateway subnet”
For the purpose of this demo, we will create a Gateway Subnet with the smallest possible network address space with CIDR /29 which provides us with 8 addresses of which the first and last IP are reserved for protocol conformance and x.x.x.1 – x.x.x.3 for azure services. For production environments, a Gateway Subnet with at least /27 address space is advised.
Let’s assume for now that when we provision the Virtual Network Gateway, the internal IP address it gets assigned to will be from the 4th address on wards which in our case would be 10.4.1.4
- Provision the Virtual Network Gateway
Create a new Virtual Network Gateway with the following settings:
Ensure that you select the Hub Virtual Network in the Virtual network field which is where we want the Gateway to be attached. Click Create.
- The Gateway provisioning process may take a while to complete and you will need to wait for the Updating status to disappear. It can take anywhere between 30-45 mins.
5.) Once the Gateway has been provisioned, lets now go back to the Peering section of each of the SPOKE Networks and configure “Use Remote gateways” option
- Repeat the above step for Spoke2ToHub peering
6.) We will now create the Route Tables and define user routes needed for the SPOKE to SPOKE communication
- Create 2 new Route tables in the portal with the following settings:
- Define the User Routes as follows:
In the Address Prefix field, insert the CIDR Subnet address of the Spoke2 Virtual Network which in our case is 10.6.0.0/16
Select Next hop type as Virtual appliance and the Next hop address as the internal address of the Virtual Network Gateway. In our case, we are going to have this set as 10.4.1.4 as mentioned earlier.
- Repeat this step to create a new Route in the Spoke2RouteTable as well by inserting the Subnet CIDR address of Spoke1 Virtual Network
7.) Let’s now associate these Route tables with our Virtual Networks
- Navigate to the Spoke1Network and in the “Subnets” section of the blade, select the default subnet
In the Route table field select, Spoke1RouteTable and click Save
- Repeat the above step to associate Spoke2RouteTable with the Spoke2 Virtual Network
We have now completed the required steps to ensure that both SPOKE Virtual Networks are able to communicate with each other via the HUB
- In order to test our configurations, let’s provision a virtual machine in each of the Spoke networks and conduct a simple ping test
1.) Provision a basic Virtual Machine in each of the Spoke networks
2.) Run the following Powershell command in each VM to allow ICMP ping in the windows firewall as this port is blocked by default:
New-NetFirewallRule –DisplayName "Allow ICMPv4-In" –Protocol ICMPv4
3.) In my testing the VM’s had the following internal IP
The VM running in Spoke 1 network: 10.5.0.4
The VM running in Spoke 2 network: 10.6.0.4
Pinging 10.6.0.4 from 10.5.0.4 returns a successful response!