Azure IaaS Lab – VNET Peering

This post is part of a series, for the series contents see:

For the code listed in this post please see:

So I’ve got 3 VNETs setup:

  1. Hub VNET
  2. Internal VNET

The problem is that I only have VPN connectivity to one of those, the hub, so I have no way of accessing and configuring VMs in the other VNETs.  This post will setup VNET peering between the VNETs to give me that access:


What this should let me do is access VMs in the internal and DMZ VNETs via my management VM in the hub VNET.  What it won’t let me do is make use of VNET transit to access the DMZ and Internal networks directly from my machine over the VPN.  I think this is because I’m using a point-to-site, rather than site-to-site, VPN so I’m unable to specify the peered VNETs as local networks allowed over the connection.  Although that’s just a theory at the moment, I need to play a bit more to confirm that.

Right, here’s the code to setup the basic peering:

#Setup vnet peering
#Login to Azure and resource manager

#First get my VNETs
$vnet1 = Get-AzureRmVirtualNetwork -ResourceGroupName dmz-rg -Name dmz-vnet
$vnet2 = Get-AzureRmVirtualNetwork -ResourceGroupName hub-rg -Name hub-vnet
$vnet3 = Get-AzureRmVirtualNetwork -ResourceGroupName internal-rg -Name internal-vnet

#Setup links between the vnets
#First between the hub and DMZ
Add-AzureRmVirtualNetworkPeering -name DMZToHub-Peer `
-VirtualNetwork $vnet1 -RemoteVirtualNetworkId $
Add-AzureRmVirtualNetworkPeering -name HubToDMZ-Peer `
-VirtualNetwork $vnet2 -RemoteVirtualNetworkId $

#Then between the hub and internal vnets
Add-AzureRmVirtualNetworkPeering -name InternalToHub-Peer `
-VirtualNetwork $vnet3 -RemoteVirtualNetworkId $
Add-AzureRmVirtualNetworkPeering -name HubToInternal-Peer `
-VirtualNetwork $vnet2 -RemoteVirtualNetworkId $

All pretty simple.  With this in place I’m able to login to my management VM and access the VMs in the DMZ and internal networks.  In the case of my DMZ web server I can ping to verify connectivity but for my internal AD box I connected to it over RDP (because the Windows firewall on there drops ping by default).

Pretending that I’ve got a site-to-site VPN, this will configure the peering links to allow some transiting (all theory, I need to test this).  This Microsoft guide outlines the necessary options, but the key details from that page are:


So on my hub VNET I’ll setup “AllowGatewayTransit” to allow the DMZ and Internal VNETs to use its VPN gateway.  Then I’ll use “UseRemoteGateways” on the DMZ and Internal VNETs to allow them to use that VPN gateway in the hub.

Later on, when I setup my firewall & UDR, I assume I’ll need to tweak things with the “AllowForwardedTraffic” option, but that’s for another day.

$DMZToHubLink = Get-AzureRmVirtualNetworkPeering -VirtualNetworkName dmz-vnet -ResourceGroupName dmz-rg -Name DMZToHub-Peer
$DMZToHubLink.UseRemoteGateways = $true

$InternalToHubLink = Get-AzureRmVirtualNetworkPeering -VirtualNetworkName internal-vnet -ResourceGroupName internal-rg -Name InternalToHub-Peer
$InternalToHubLink.UseRemoteGateways = $true

$HubToDMZLink = Get-AzureRmVirtualNetworkPeering -VirtualNetworkName hub-vnet -ResourceGroupName hub-rg -Name HubToDMZ-Peer
$HubToDMZLink.AllowGatewayTransit = $true

$HubToInternalLink = Get-AzureRmVirtualNetworkPeering -VirtualNetworkName hub-vnet -ResourceGroupName hub-rg -Name HubToInternal-Peer
$HubToInternalLink.AllowGatewayTransit = $true

That should do the trick.  Although, in all honesty, I’m still debating with myself if I got the order right there but, without any way to test, I’ll go for this for now.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: