How to Connect 2 VMs located in separate Spoke VNets in Hub Spoke Model

Indranil Ranu 20 Reputation points
2023-04-15T16:10:55.6333333+00:00

We have Spoke 1 and Spoke 2 VNets, which are peered with HUBVnet. Traffic on each Spoke is routed to the Azure Firewall in the HUB VNet, meaning the communication between VMs on the Spokes is controlled through the Network Rules on the Azure Firewall (located in the HUB VNet). I am unable to ping or RDP to the VM in Spoke 2 from the source VM located in Spoke 1 through the Azure Firewall, even though the Network rule in the Azure Firewall is created to allow "ANY" service.


Accepted answer
  1. Yannic Graber 591 Reputation points MVP
    2023-04-17T07:57:50.6366667+00:00

    Hello @Indranil Ranu, @Micheal Falowo already wrote a great summary of how it should be configured. In addition, please check if there are any NSGs blocking your traffic. You didn't mention anything about Network Security Groups (NSGs) in your question, so I am wondering if there are any in place. You might also want to check the firewall logs to see whether the network communication from spoke1 to spoke2 shows up, so you have a better understanding of where the issue might be located.

    • There is no corresponding traffic in the firewall logs
      • Check if an NSG is blocking on spoke1
      • Check if an NSG is blocking on HubVNET
      • Check if the Network Peering Hub/Spoke1 is up and running and "Traffic forwarded from remote virtual network" is "Allow (default)".
      • Check if your route table is configured correctly
    • Traffic is blocked on the firewall (logs)
      • The issue is obviously in the firewall configuration
    • Traffic is allowed on the firewall (logs)
      • Check if an NSG is blocking on spoke2
      • Check if an NSG is blocking on HubVNET (outgoing)
      • Check if the Network Peering Hub/Spoke2 is up and running and "Traffic forwarded from remote virtual network" is "Allow (default)".
      • Check if your route table is configured correctly

    Hope this is helpful to locate the issue. If this is the case, please mark it as the answer and/or click "Was this answer helpful? Yes", as a token of appreciation. Looking forward to your feedback.

2 additional answers

  1. Micheal Falowo 6 Reputation points
    2023-04-15T17:37:21.86+00:00

    Hi Indranil,

    After testing your scenario, here is my implementation.

    Hubvnet has a firewall and is peered with two spoke vnets named spoke1 and spoke2.

    Both spokes have a VM, and both VM subnets have a route table with a route as shown below:

    spoke1routetable --- Traffic to spoke2 vnet IP space -> virtual appliance -> azurefirewall private IP

    spoke2routetable --- Traffic to spoke1 vnet IP space -> virtual appliance -> azurefirewall private IP

    Azure firewall has a network rule with any--->any.

    The only thing here that would cause an issue is the peering. Check your peerings to see if the setting for "Traffic forwarded from remote virtual network" is "Allow (default)". If this is set to block, then you wouldn't be able to pass traffic hopping through the firewall to and from the spoke vnets.

    Please let me know if this helps.

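The spoke1 half of the configuration Micheal describes (route table pointing at the firewall, plus the peering with forwarded traffic allowed), written out as Bicep. This is an added example, not code from the thread; the address prefixes, the firewall private IP and the `hubVnetId` parameter are placeholders, and the hub-side peerings, the spoke2 mirror image and the subnet-to-route-table association are assumed to be deployed separately.

```bicep
// Added example, not from the thread. All IPs/prefixes below are constructed placeholders.
param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.1.4'   // assumed: private IP of the hub's AzureFirewallSubnet
param spoke2Prefix string = '10.2.0.0/16'     // assumed: spoke2 VNet address space
param hubVnetId string                        // resource ID of HUBVnet (placeholder parameter)

// Route table for the spoke1 VM subnet: spoke2-bound traffic must be handed to the firewall
// as a virtual appliance. Without this UDR there is no spoke1 -> spoke2 path at all, because
// VNet peering is not transitive.
resource spoke1RouteTable 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'spoke1routetable'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'to-spoke2-via-firewall'
        properties: {
          addressPrefix: spoke2Prefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

resource spoke1Vnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: 'spoke1'
}

// Peering spoke1 -> hub. allowForwardedTraffic is the setting the thread identifies: packets that
// have already hopped through the firewall arrive "forwarded", and are dropped when it is false.
// The same flag must be true on the hub -> spoke1 and hub -> spoke2 peerings (not shown here).
resource spoke1ToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-04-01' = {
  parent: spoke1Vnet
  name: 'spoke1-to-hub'
  properties: {
    remoteVirtualNetwork: { id: hubVnetId }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true   // portal: "Traffic forwarded from remote virtual network" = Allow
    allowGatewayTransit: false
    useRemoteGateways: false
  }
}
```

With the any-to-any network rule already in place on the firewall, the route table and this peering flag are the two pieces that decide whether the spoke1 -> spoke2 flow ever reaches the firewall logs.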

  2. Diego Martos 5 Reputation points Microsoft Employee
    2023-08-21T03:28:11.58+00:00

    Just to rule out the basics. It would be good to clarify if you have Windows or Linux VMs on each hub network. You should check the VM security settings; in the case of Windows Server, check the machine security settings to make sure that local firewall settings are not preventing ping. There are several articles describing these local VM settings that prevent ping from going through.
