Microsoft Azure: Configure Cross-Subscription VNET to VNET Connectivity in Azure…


Hi Everyone,

Recently, we announced a lot of enhancements in Microsoft Azure. One of them is cross-VNET connectivity between VNETs in the same subscription or in different subscriptions. You can read more about it here: http://msdn.microsoft.com/en-us/library/azure/dn690122.aspx

I am going to cover a sample test configuration that I have done in my subscriptions for your reference. Feel free to refer to this along with the MSDN documentation.

So, let’s begin.

What do you need?

Microsoft Azure Subscription x 2 (you can also refer to the link above to perform the VNET to VNET configuration using a single subscription)
Windows Azure PowerShell Module

Let’s Begin – Here is my setup

I have 2 Azure Subscriptions…

Subscription Name     Selected Region for Affinity Group     Storage Account
AVIRAJ-CORP           East US 2 (NYC)                        nyc
AVIDEMO-INTERNAL      East Asia (JPN)                        jpn

NETWORK TOPOLOGY

This is how it will look:

Virtual Network     Virtual Network Site Definition     Local Network Site Definition     DNS
VNet1 (NYC)         VNet1 (10.10.0.0/16)                VNet2 (192.168.0.0/16)            10.10.1.4
VNet2 (JPN)         VNet2 (192.168.0.0/16)              VNet1 (10.10.0.0/16)              10.10.1.4

Now, let’s start with steps.

Step 1: Create Affinity Groups in these 2 subscriptions.

AVIRAJ-CORP – Affinity Group: NYC
AVIDEMO-INTERNAL – Affinity Group: JPN


Step 2: Create Storage Accounts in these 2 subscriptions

AVIRAJ-CORP – Storage Account: nyc
AVIDEMO-INTERNAL – Storage Account: jpn


Step 3: Create DNS Server in both the subscriptions.

Create the DNS server entry in subscription AVIRAJ-CORP in NYC as CROSS-VNET – 10.10.1.4 (this will be the first virtual machine created in VNET1; it will be assigned 10.10.1.4 within the IP range 10.10.1.X, and we will configure DC & DNS on that VM).
Create the DNS server entry in subscription AVIDEMO-INTERNAL in JPN as CROSS-VNET – 10.10.1.4 (as we want our VNET2 VMs to talk to VNET1 VMs, we have to manually create a DNS entry that points to the VNET1 VM running DNS).

NOTE: In the VNET to VNET Connectivity in the Same subscription, you do not need to create 2 DNS entries.


Step 4: Create VNET1 in AVIRAJ-CORP Subscription with Affinity Group NYC

Go to NEW –> NETWORK SERVICES –> VIRTUAL NETWORK –> CUSTOM CREATE

Enter Virtual Network Name: VNET1, select affinity group NYC. Click Next.


Select the DNS server CROSS-VNET (10.10.1.4) from the drop-down menu, check Configure a site-to-site VPN and click Next.


On the next screen we are adding a LOCAL NETWORK VNET2 configuration for Virtual Network VNET1. The VNET2 IP configuration acts as the LOCAL NETWORK IP CONFIGURATION in this scenario. Refer to the table in the beginning. Once configured, click Next.


On this last screen, we will configure the IP address range for VIRTUAL NETWORK (VNET1) as per the table.

Add the Address Space as per the table: 10.10.0.0 with CIDR /16 (65536 addresses).

Create a new SUBNET called AD with IP range 10.10.1.0 and CIDR /24 (256 addresses).

Click on add gateway subnet. Once done, click on the check box to complete the wizard.


And it will look like this when it’s created.


When you click on the Configure tab, you will see the complete configuration that we just created.


That’s done.

Step 5: Create VNET2 in AVIDEMO-INTERNAL Subscription with Affinity Group JPN

Repeat the steps from Step 4 to complete the VNET2 creation in the JPN affinity group in the AVIDEMO-INTERNAL subscription.

Enter Virtual Network Name: VNET2, select affinity group JPN. Click Next.


Select the DNS server CROSS-VNET (10.10.1.4) from the drop-down menu, check Configure a site-to-site VPN and click Next.


On the next screen we are adding a LOCAL NETWORK VNET1 configuration for Virtual Network VNET2. The VNET1 IP configuration acts as the LOCAL NETWORK IP CONFIGURATION in this scenario. Refer to the table in the beginning. Once configured, click Next.


On this last screen, we will configure the IP address range for VIRTUAL NETWORK (VNET2) as per the table.

Add the Address Space as per the table: 192.168.0.0 with CIDR /16 (65536 addresses).

Create a new SUBNET called AD with IP range 192.168.1.0 and CIDR /24 (256 addresses).

Click on add gateway subnet. Once done, click on the check box to complete the wizard.


And it will look like this when it’s created.


When you click on the Configure tab, you will see the complete configuration that we just created.


That’s done.

Step 6: Create Dynamic Routing VPN Gateways for VNET1 & VNET2. Note: Static Routing Gateways are not supported. Refer to the MSDN link.

Go to Networks –> VNET1 –> Dashboard. Click on CREATE GATEWAY –> Dynamic Routing. And click on Yes.


Once you click Yes, you will see the dashboard status like this…


That’s done. We will wait for the gateway to be created.


Similarly, let’s create a gateway for VNET2. Go to Networks –> VNET2 –> Dashboard. Click on CREATE GATEWAY –> Dynamic Routing. And click on Yes. Once you click Yes, you will see the dashboard status like this…


NOTE: It will take somewhere between 15 and 20 minutes before you see the Gateway IP in the Dashboard.


Once completed, you will see the gateway IP address for each VNET.

Here is VNET1


Here is VNET2


That’s done.

Step 7: Replace the placeholder IP address in the VPN Device IP Address of the Local Networks VNET1 & VNET2 with the actual Gateway IP addresses that we just obtained.

Go to Networks –> VNET1 –> Dashboard. Copy the Gateway IP Address 137.116.XX.XX.

Go to Networks –> LOCAL NETWORKS. Click on VNET1 with IP Address 1.0.0.0. Click on Edit.


Replace the VPN Device IP Address 1.0.0.0 with the VNET1 Gateway IP Address 137.116.XX.XX. On the next page, do not change anything; click Next and Finish.


Done.


Now, similarly, we will do this for the other network.

Go to Networks –> VNET2 –> Dashboard. Copy the Gateway IP Address 207.46.XX.XX.

Go to Networks –> LOCAL NETWORKS. Click on VNET2 with IP Address 2.0.0.0. Click on Edit.


Replace the VPN Device IP Address 2.0.0.0 with the VNET2 Gateway IP Address 207.46.XX.XX. On the next page, do not change anything; click Next and Finish.


Done.


Once both LOCAL NETWORKS' VPN DEVICE IP ADDRESSES are updated, it will look like this.


Step 8: Set the IPsec/IKE pre-shared keys for both the subscriptions.

For this configuration, we will use PowerShell. I am assuming that you understand how to configure Microsoft Azure subscriptions using PowerShell. Refer to this blog for the basics.

To configure the shared keys, I will run the following PowerShell cmdlets (the same key must be set on both sides):

# Run against the AVIRAJ-CORP subscription: VNET1's gateway, local network site VNET2
Set-AzureVNetGatewayKey -VNetName VNet1 -LocalNetworkSiteName VNet2 -SharedKey A1B2C3D4
# Run against the AVIDEMO-INTERNAL subscription: VNET2's gateway, local network site VNET1
Set-AzureVNetGatewayKey -VNetName VNet2 -LocalNetworkSiteName VNet1 -SharedKey A1B2C3D4


As soon as you set the shared keys for both subscriptions’ VNETs, you will see within a few moments that the VNET to VNET connection gets established.
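As an added example (not code from the original post), here is the Step 8 key exchange done end to end in the classic Azure PowerShell module: it generates a long random pre-shared key instead of a short fixed value like A1B2C3D4, applies the same key on both subscriptions with Set-AzureVNetGatewayKey, and then polls Get-AzureVNetConnection until each side reports Connected, which is what the Step 9 dashboard check shows. It assumes both subscriptions were already added with Add-AzureAccount; the helper names New-StrongSharedKey and Wait-VNetConnected are my own, not cmdlets from the module.

```powershell
# Added example, not from the original post. Assumes the classic (Service
# Management) Azure PowerShell module and both subscriptions already added
# with Add-AzureAccount. New-StrongSharedKey and Wait-VNetConnected are
# helper names chosen here, not cmdlets from the module.

function New-StrongSharedKey {
    param([int]$Length = 32)
    # Letters and digits only, drawn from a cryptographic RNG, so the key is
    # not guessable the way a short fixed value like A1B2C3D4 is.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Wait-VNetConnected {
    param([string]$Subscription, [string]$VNetName, [int]$TimeoutMinutes = 10)
    Select-AzureSubscription -SubscriptionName $Subscription
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # One connection object per local network site defined on this VNET.
        $conn = Get-AzureVNetConnection -VNetName $VNetName
        Write-Host ("{0} -> {1}: {2}" -f $VNetName, $conn.LocalNetworkSiteName, $conn.ConnectivityState)
        if ($conn.ConnectivityState -eq 'Connected') { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Same key on both sides; it is never written to the console or a log.
$key = New-StrongSharedKey

# VNET1 lives in AVIRAJ-CORP and sees VNET2 as its local network site.
Select-AzureSubscription -SubscriptionName 'AVIRAJ-CORP'
Set-AzureVNetGatewayKey -VNetName 'VNet1' -LocalNetworkSiteName 'VNet2' -SharedKey $key

# VNET2 lives in AVIDEMO-INTERNAL and sees VNET1 as its local network site.
Select-AzureSubscription -SubscriptionName 'AVIDEMO-INTERNAL'
Set-AzureVNetGatewayKey -VNetName 'VNet2' -LocalNetworkSiteName 'VNet1' -SharedKey $key

# Both gateways must report Connected before the dashboard check in Step 9 passes.
$ok1 = Wait-VNetConnected -Subscription 'AVIRAJ-CORP' -VNetName 'VNet1'
$ok2 = Wait-VNetConnected -Subscription 'AVIDEMO-INTERNAL' -VNetName 'VNet2'
if (-not ($ok1 -and $ok2)) { Write-Warning 'VNET to VNET connection did not come up in time.' }
```

If a side stays in Connecting, the usual causes are a mismatched key or a local network VPN device IP that was not updated in Step 7.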

Step 9: Verifying connectivity between Cross-Subscription VNET to VNET.

Go to Networks –> VNET1 –> Dashboard. Observe the connection established.


Similarly, go to Networks –> VNET2 –> Dashboard. Observe the connectivity.


Enjoy

Step 10: Create 2 Virtual Machines, one in each Subscription, connected to the respective VNETs, and see how they communicate.

First create a Windows Server 2012 R2 VM in Subscription (AVIRAJ-CORP) using VNET1.


Next, select the appropriate subscription AVIRAJ-CORP and choose VNET1. And select storage account nyc.


Continue and create VM.


Similarly, create a Windows Server 2012 R2 VM in Subscription (AVIDEMO-INTERNAL) using VNET2.



Next, select the appropriate subscription AVIDEMO-INTERNAL and choose VNET2. And select storage account jpn.


Continue and create VM.

NOTE: It will take about 10 minutes to create the 2 VMs.

Once VMs are ready you will see their status like this.


Let’s check the configuration from the dashboard for WS2012R2-NYC in the AVIRAJ-CORP subscription.


Similarly, check the configuration from the dashboard for WS2012R2-JPN in the AVIDEMO-INTERNAL subscription.


That’s ready.

Once the VMs are fully provisioned, you can check the VMs within the Virtual Network dashboard page.

VNET1

Go to Networks –> VNET1 –> Dashboard.


VNET2

Go to Networks –> VNET2 –> Dashboard.


Finally, let’s RDP into the VMs and see their IP configuration and the connectivity between VMs in different VNETs across the two subscriptions.

As soon as you RDP into the VMs, open wf.msc and enable the Inbound Rules File and Printer Sharing (Echo Request – ICMPv4-In & ICMPv6-In). This will allow the Ping command to work.


Now, let’s see the IP configuration of WS2012R2-NYC in the AVIRAJ-CORP subscription. As you can see, the IP address is picked up from the 10.10.1.X range and the DNS server is picked up as defined, i.e. 10.10.1.4.


Now, let’s see the IP configuration of WS2012R2-JPN in the AVIDEMO-INTERNAL subscription.


FINAL TEST: ping each other.


At this stage, I will configure a Domain Controller on the WS2012R2-NYC machine, and it will serve as DNS for my VMs connected to VNET1 & VNET2.

And friends, that’s Cross-Subscription VNET to VNET connectivity within Microsoft Azure. This is one of the many cool features that we announced during Microsoft TechEd North America 2014. For more details visit http://channel9.msdn.com to explore more around Microsoft Azure Networking.

Hope you enjoy this post and have a great day.

Thank You & Happy Networking

  • Thank you for your post!! Very useful, but I have a question... Is it possible to configure this between existing Virtual Networks, or do they have to be new?

  • Thanks for the great walkthrough! This is such a new topic that there isn't a lot of information about how to get this up and running just yet. I'm wondering about firewalling the connectivity between the vnets. Is all traffic routed between the two virtual networks or is it possible to establish firewall rules such that only certain ports/protocols are open? We'd like to use a second vnet as a DMZ for a vnet we already have in Azure but would need some means of restricting traffic to only certain ports coming into the existing vnet from the DMZ vnet.

  • Thanks. It will work with existing VNETs as well.