I have an Azure subscription with 2 different resource groups, Test and Prod. Each resource group has a VNET with a bunch of VMs in it.
There is a VM in Prod that acts as a license server, and services in both Test and Prod need to be able to access it. Let's call it LICENSE-VM.
+------------------------------+          +-------------------------------------+
|      Test Resource Group     |          |         Prod Resource Group         |
|                              |          |                                     |
|  +----------------------+    |          |   +-----------------------------+   |
|  |      Test VNET       |    |          |   |          Prod VNET          |   |
|  |                      |    |          |   |                             |   |
|  |  +----+  +----+      |    |          |   |  +----------+    +----+     |   |
|  |  |VM-1|  |VM-2| +-------------------------> |LICENSE-VM| <--+VM-3|     |   |
|  |  +----+  +----+      |    |          |   |  +----------+    +----+     |   |
|  |                      |    |          |   |                             |   |
|  +----------------------+    |          |   +-----------------------------+   |
|                              |          |                                     |
+------------------------------+          +-------------------------------------+
Of course, this isn't an issue within the Prod VNET, but I'm struggling to find a secure way of allowing communication with LICENSE-VM from Test.
1. I thought of adding a public IP to LICENSE-VM, and using an NSG (Network Security Group) attached to the NIC to lock it down - but if I use a source IP rule that specifies the CIDR range of the Test VNET, it doesn't work (can't connect).
2. I then thought of adding a public load balancer, but this seems to have the same problem as (1), in that I can't lock it down to a VNET in a different resource group.
3. We could set up VNET peering, but it seems overkill when we only want access to a single port on a single VM. I'm also unsure if we could lock that down using Network Security Groups?
Any idea how I can lock down a public IP such that a VNET in a different resource group can access it? Alternatively, is there some other way I can approach this?
I feel like this must be a relatively common scenario, and I'm missing something obvious!
I have read the issue a couple of times and I'm still not 100% sure of what you are trying to do. My understanding is you are trying to connect 2 VNets but secure LICENSE-VM.
For security, whenever you talk about communication between 2 VNets, peering or VPN are the only options. And I think that should solve your problem.
If you want more security you can override the default rules on the NIC NSG that allow all VNet communication and create rules to open up the ports you need for the license communication.
Hope this helps.
You can lock down the traffic using NSGs, but the source address of the traffic won't be the private IP addresses of your VMs in "Test VNET", it would be the public IP addresses of the VMs in "Test VNET" instead.
Make sure you convert your VM's public IP addresses to static so you don't have any surprises down the line.
Alternatively you can do VNet peering and then yes, lock down the traffic using the private IP addresses.
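Putting the two answers together as an added example (this is not code from either answerer or from the question): a Bicep template, deployed into the Prod resource group, that creates the Prod side of the VNet peering and an NSG for LICENSE-VM's NIC which admits only the license port from the Test VNet's private address space. The NSG matters because, once the VNets are peered, the Test VNet falls under the VirtualNetwork service tag and the default AllowVnetInBound rule (priority 65000) would otherwise admit all Test traffic. The VNet names, the Test address range 10.1.0.0/16, the license port 27000, the NIC name and the API version are assumptions, not values from the question.

```bicep
// Added example: deploy into the Prod resource group, e.g.
//   az deployment group create -g Prod -f license-nsg.bicep
// All names, CIDRs and the port below are assumptions; replace with your own.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param prodVnetName string = 'ProdVNET'            // assumed name
param testVnetName string = 'TestVNET'            // assumed name
param testResourceGroupName string = 'Test'
param testVnetCidr string = '10.1.0.0/16'         // assumed Test address space
param licensePort string = '27000'                // assumed license-server port

// Existing VNets. The Test VNet lives in another resource group, so it is
// referenced with an explicit scope.
resource prodVnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: prodVnetName
}
resource testVnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: testVnetName
  scope: resourceGroup(testResourceGroupName)
}

// Prod -> Test half of the peering. The mirror resource (Test -> Prod) has to be
// deployed in the Test resource group; Azure reports the peering as Connected
// only once both halves exist. Forwarded traffic and gateway transit stay off.
resource prodToTest 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-04-01' = {
  parent: prodVnet
  name: 'Prod-to-Test'
  properties: {
    remoteVirtualNetwork: {
      id: testVnet.id
    }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: false
    allowGatewayTransit: false
    useRemoteGateways: false
  }
}

// NSG for LICENSE-VM's NIC. Rule 100 admits only the license port from the
// Test address space, rule 110 keeps Prod-internal access as it is today, and
// rule 4000 denies every other VirtualNetwork source before the default
// AllowVnetInBound rule at 65000 is reached.
resource licenseNsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'LICENSE-VM-nsg'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowLicensePortFromTestVnet'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: testVnetCidr
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: licensePort
        }
      }
      {
        name: 'AllowAllFromProdVnet'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: '*'
          sourceAddressPrefixes: prodVnet.properties.addressSpace.addressPrefixes
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
      {
        name: 'DenyOtherVnetInbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

output nsgId string = licenseNsg.id
```

After deploying, attach the NSG to the license server's NIC (assumed to be named LICENSE-VM-nic) with `az network nic update -g Prod -n LICENSE-VM-nic --network-security-group LICENSE-VM-nsg`, then confirm from a Test VM that the license port connects and that any other port on LICENSE-VM is refused. For the public-IP variant described in the second answer, the same first rule would list the Test VMs' static public IP addresses in `sourceAddressPrefixes` instead of the private CIDR, which is why those addresses need to be static before the rule is written.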