Azure - System Routes, User Defined Routes



Topology

VM hostname    Private IP   Subnet
SubnetA-VM1    10.0.1.4     SubnetA
SubnetB-Vm1    10.0.2.4     SubnetB
SubnetC-VM1    10.1.1.4     SubnetC
SubnetD-VM1    10.1.2.4     SubnetD
SubnetY-VM1    10.0.3.4     SubnetY

SubnetA, SubnetB and SubnetY belong to FirstVnet (10.0.0.0/16); SubnetC belongs to SecondVnet. FirstVnet and SecondVnet are in the same Azure region.


1. How are VMs in the same Vnet able to talk to each other?

On SubnetA-VM1:

[screenshot not reproduced]

On SubnetB-Vm1:

[screenshot not reproduced]

For demonstration, I have enabled IIS on the VMs.

 

As seen below, from SubnetA-VM1 we can access the IIS site on SubnetB-Vm1 (10.0.2.4):

[screenshot not reproduced]

And from SubnetB-Vm1 we can access the IIS site on SubnetA-VM1 (10.0.1.4):

[screenshot not reproduced]
To understand how the routing worked here, we need to look at the next hop Azure chose for each packet.

Since there are no user defined routes yet, only system routes apply. To view them, navigate to

Home-->Virtual Machines-->Networking-->Network Interface

Under Network Interface, navigate to Effective routes. The VM must be running; Azure does not show effective routes for a stopped or deallocated VM.

[screenshot not reproduced]

Azure automatically creates system routes and assigns them to each subnet in a virtual network. The entry with address prefix 10.0.0.0/16 (the FirstVnet address space) and next hop type 'Virtual network' is the one that carries traffic between SubnetA-VM1 and SubnetB-Vm1; the 0.0.0.0/0 entry with next hop type 'Internet' handles everything that matches nothing more specific.

Source here indicates who created the route; 'Default' means it is a system generated route.

 

2. Let's assume that the org is expanding and has created a new virtual network, SecondVnet. FirstVnet and SecondVnet are connected to each other via Virtual Network Peering. How is a VM in SubnetC able to talk to a VM in SubnetA?

 

Before Vnet Peering

[screenshot not reproduced]

After Vnet Peering

[screenshot not reproduced]

Effective routes for SubnetC-Vm1

[screenshot not reproduced]

As we can see, the second entry in the table above, the system route for FirstVnet's address space whose next hop type is 'VNet peering', is what makes the communication work. Peering adds this route on both sides, so SubnetA-VM1 gets the matching entry for SecondVnet's address space.
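The selection rule behind both answers above (the 'Virtual network' system route in question 1 and the peering route in question 2), and the user defined route override used later in scenario 3, as an added PowerShell example that is not part of the original post and needs no Azure connection. Azure picks the route with the longest matching prefix; when two routes carry the same prefix, a User route beats a BGP (VirtualNetworkGateway) route, which beats a Default system route. The route entries are constructed to resemble the post's effective-routes tables and go slightly beyond them by including Azure's default 'None' routes for the private ranges; the subnet prefix 10.0.1.0/24 for SubnetA, the address space 10.0.3.0/24 for SubnetY and 10.1.0.0/16 for SecondVnet are assumptions, since the post gives host addresses only.

```powershell
# Added example (not from the original post): a model of how Azure chooses the
# effective route for a packet leaving a NIC. Longest prefix wins; on a tie the
# route Source decides. Entries below are constructed, not copied from Azure.
# Assumptions: SubnetA = 10.0.1.0/24, SecondVnet = 10.1.0.0/16.

$SourcePriority = @{ User = 0; VirtualNetworkGateway = 1; Default = 2 }

function ConvertTo-AddressInt64 {
    param([Parameter(Mandatory)][string]$Address)
    [long]$value = 0
    foreach ($b in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) {
        $value = ($value * 256) + [long]$b      # network byte order, endian-safe
    }
    return $value
}

function Get-PrefixMask {
    param([Parameter(Mandatory)][int]$Length)
    $all = ([long]1 -shl 32) - 1                 # 0xFFFFFFFF as Int64
    return ($all -shl (32 - $Length)) -band $all # /0 -> 0, /16 -> 0xFFFF0000
}

function Select-EffectiveRoute {
    param(
        [Parameter(Mandatory)][object[]]$Routes,
        [Parameter(Mandatory)][string]$Destination
    )
    $dest = ConvertTo-AddressInt64 $Destination
    $best = $null
    $bestLen = -1
    foreach ($r in $Routes) {
        $net, $len = $r.Prefix -split '/'
        $len  = [int]$len
        $mask = Get-PrefixMask $len
        if (((ConvertTo-AddressInt64 $net) -band $mask) -ne ($dest -band $mask)) { continue }
        $better = (($len -gt $bestLen) -or
                   ($len -eq $bestLen -and $SourcePriority[$r.Source] -lt $SourcePriority[$best.Source]))
        if ($better) { $best = $r; $bestLen = $len }
    }
    return $best
}

function New-Route([string]$Source, [string]$Prefix, [string]$NextHopType, [string]$NextHopIp) {
    [pscustomobject]@{ Source = $Source; Prefix = $Prefix; NextHopType = $NextHopType; NextHopIp = $NextHopIp }
}

function Show-NextHop([object[]]$Routes, [string]$Destination, [string]$Label) {
    $r = Select-EffectiveRoute -Routes $Routes -Destination $Destination
    if ($null -eq $r) { return ('{0}: {1} -> no route' -f $Label, $Destination) }
    '{0}: {1} -> {2} ({3}) next hop {4} {5}' -f $Label, $Destination, $r.Prefix, $r.Source, $r.NextHopType, $r.NextHopIp
}

# System routes Azure assigns to every subnet of FirstVnet (Source = Default).
$SystemRoutes = @(
    (New-Route Default '10.0.0.0/16'    VnetLocal ''),
    (New-Route Default '0.0.0.0/0'      Internet  ''),
    (New-Route Default '10.0.0.0/8'     None      ''),
    (New-Route Default '172.16.0.0/12'  None      ''),
    (New-Route Default '192.168.0.0/16' None      ''),
    (New-Route Default '100.64.0.0/10'  None      '')
)

Show-NextHop $SystemRoutes '10.0.2.4' 'Q1 same VNet'        # 10.0.0.0/16 (Default) VnetLocal
Show-NextHop $SystemRoutes '10.1.1.4' 'Q2 before peering'   # 10.0.0.0/8 (Default) None: dropped

# Peering adds a system route for the peer's address space.
$Peered = $SystemRoutes + (New-Route Default '10.1.0.0/16' VNetPeering '')
Show-NextHop $Peered '10.1.1.4' 'Q2 after peering'          # 10.1.0.0/16 (Default) VNetPeering

# Scenario 3a: a UDR with the same prefix as the VnetLocal system route wins on Source.
$WithUdr = $Peered + (New-Route User '10.0.0.0/16' VirtualAppliance '10.0.3.4')
Show-NextHop $WithUdr '10.0.2.4' '3a SubnetA to SubnetB'    # 10.0.0.0/16 (User) VirtualAppliance 10.0.3.4
Show-NextHop $WithUdr '10.0.1.5' '3a inside SubnetA'        # same: the /16 also catches same-subnet traffic

# A more specific route for the subnet's own prefix keeps intra-subnet traffic direct.
$Fixed = $WithUdr + (New-Route User '10.0.1.0/24' VnetLocal '')
Show-NextHop $Fixed '10.0.1.5' '3a inside SubnetA, fixed'   # 10.0.1.0/24 (User) VnetLocal
```

The last two calls show the detail worth checking before associating a route table: a /16 user defined route pointing at an appliance also redirects traffic between two VMs in the same subnet, so the "same subnet talks directly" part of 3a only holds if a more specific route with next hop 'Virtual network' is added alongside it.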




3. With the above communications working, there is an additional requirement that any traffic destined for FirstVnet itself needs to flow via the virtual appliance in SubnetY (SubnetY-VM1):
    a. All traffic within FirstVnet must pass through the virtual appliance. VMs within the same subnet may still communicate directly.
    b. Traffic between FirstVnet and SecondVnet must pass through the virtual appliance.
    c. No traffic should be allowed between SubnetB and SubnetC (this can be done via NSG rules).

 

In this post, I will just cover 3a; if there are questions on the remaining items, I will update the scenario.

 

For 3a.

Currently (i.e. without the virtual appliance in the path), the communication works as seen below.

[screenshots not reproduced]

Next, I created a route table containing a single user defined route for 10.0.0.0/16, the address space of FirstVnet, with next hop type 'Virtual appliance' and next hop address 10.0.3.4, the private IP of SubnetY-VM1.

i.e. for any traffic whose destination is inside FirstVnet, I want the packet to go to the virtual appliance first. Note that a route table is not applied to a VNet as a whole; it is associated with individual subnets, and it is the /16 prefix that makes the route cover the entire VNet. Because this prefix is identical to the 'Virtual network' system route, the user defined route takes precedence over it. The same prefix also covers destinations in the sender's own subnet, so traffic between two VMs in SubnetA would be sent to the appliance as well; to keep that direct, as 3a asks, add a more specific route for the subnet's own prefix with next hop type 'Virtual network'.

 



After the above steps complete, the route table shows the new route:

[screenshot not reproduced]

Next, we associate the route table with a subnet (SubnetA here, so that SubnetA-VM1 picks it up). Do not associate it with SubnetY: the appliance's own packets towards FirstVnet would then be routed back to itself.

[screenshot not reproduced]

On SubnetA-VM1's effective routes, we can now see the user defined route (Source 'User') for 10.0.0.0/16, and the system route for the same prefix is shown with State 'Invalid':










But since IP forwarding is not enabled on SubnetY-VM1, the HTTP request fails. Two separate things are needed: Azure must allow the NIC to receive packets addressed to other IPs (the 'Enable IP forwarding' setting on the network interface), and the guest OS must actually forward them (on Windows Server, the Routing role, which turns on IP forwarding inside the guest). Any NSG applied to SubnetY-VM1's NIC or subnet must also allow the forwarded traffic.

[screenshot not reproduced]

After enabling IP forwarding on SubnetY-VM1 and adding the Routing role, the request from SubnetA-VM1 succeeds again, now traversing SubnetY-VM1:
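The whole of 3a (route table, subnet association, fabric IP forwarding, guest routing, verification) done with the Az PowerShell module instead of the portal, as an added example that is not part of the original post. The resource group, region, NIC names, the subnet prefix 10.0.1.0/24 for SubnetA and the temp file path are assumptions; the post names only the VNets, subnets, VMs and the 10.0.3.4 appliance address. It also adds the more specific 'Virtual network' route that keeps same-subnet traffic direct, which the post's single /16 route does not.

```powershell
# Added example (not from the original post): scenario 3a with the Az module.
# Assumed names: resource group, region, NIC names, SubnetA prefix 10.0.1.0/24.
# Run after Connect-AzAccount.
$rg       = 'rg-routing-demo'                     # assumption
$location = 'eastus'                              # assumption; both VNets share a region
$nvaIp    = '10.0.3.4'                            # private IP of SubnetY-VM1 (from the post)

# 1. Route table: everything destined for FirstVnet (10.0.0.0/16) goes to the appliance.
$rt = New-AzRouteTable -Name 'rt-FirstVnet-via-NVA' -ResourceGroupName $rg -Location $location
$rt = Add-AzRouteConfig -RouteTable $rt -Name 'FirstVnet-to-NVA' `
        -AddressPrefix '10.0.0.0/16' -NextHopType VirtualAppliance -NextHopIpAddress $nvaIp
# Requirement 3a keeps same-subnet traffic direct: the subnet's own /24 is more
# specific than the /16, and next hop VnetLocal hands it straight to the fabric.
$rt = Add-AzRouteConfig -RouteTable $rt -Name 'SubnetA-stays-local' `
        -AddressPrefix '10.0.1.0/24' -NextHopType VnetLocal
$rt = Set-AzRouteTable -RouteTable $rt

# 2. Associate with SubnetA only. Never with SubnetY: the appliance's own
#    packets towards 10.0.0.0/16 would be sent back to itself.
$vnet = Get-AzVirtualNetwork -Name 'FirstVnet' -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'SubnetA' `
    -AddressPrefix '10.0.1.0/24' -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 3. Fabric side: let SubnetY-VM1's NIC receive packets not addressed to it.
$nic = Get-AzNetworkInterface -Name 'SubnetY-VM1-nic' -ResourceGroupName $rg   # NIC name assumed
$nic.EnableIPForwarding = $true
$nic | Set-AzNetworkInterface | Out-Null

# 4. Guest side: Windows Server forwards only with the Routing role installed
#    and forwarding enabled. Executed inside SubnetY-VM1 via the run command.
$guestScript = @'
Install-WindowsFeature -Name Routing -IncludeManagementTools | Out-Null
Install-RemoteAccess -VpnType RoutingOnly
Set-NetIPInterface -AddressFamily IPv4 -Forwarding Enabled
'@
$scriptPath = Join-Path $env:TEMP 'enable-forwarding.ps1'
Set-Content -Path $scriptPath -Value $guestScript
Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName 'SubnetY-VM1' `
    -CommandId 'RunPowerShellScript' -ScriptPath $scriptPath | Out-Null

# 5. Verify from SubnetA-VM1's NIC (the VM must be running): the User route for
#    10.0.0.0/16 is Active and the Default route for the same prefix is Invalid.
Get-AzEffectiveRouteTable -NetworkInterfaceName 'SubnetA-VM1-nic' -ResourceGroupName $rg |   # NIC name assumed
    Where-Object { $_.AddressPrefix -contains '10.0.0.0/16' -or $_.AddressPrefix -contains '10.0.1.0/24' } |
    Format-Table Source, State, AddressPrefix, NextHopType, NextHopIpAddress
```

If the HTTP request still fails after step 4, check the NSGs on SubnetY-VM1's NIC and subnet: the forwarded packets have SubnetA-VM1 as source and SubnetB-Vm1 as destination, so a rule that only allows traffic addressed to 10.0.3.4 will drop them.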





