What are the steps and the procedure for VNET peering to avoid bringing down the entire network?

Question

Folks,

I require some help and guidance to perform the VNET peering of my Azure VM, Azure SQL DBs and Web Apps Private Endpoint with the existing ExpressRoute VNET.

My existing corporate network and the production data centre OnPremises are connected via the ExpressRoute circuit, so I wonder what the caveats to take before peering with this hub VNET?

Thank you.

Answer 1

Hello @EnterpriseArchitect ,

I understand that you need some help and guidance to perform the VNET peering of my Azure VM, Azure SQL DBs and Web Apps Private Endpoint with the existing ExpressRoute VNET.

You can setup the environment with Hub and Spoke architecture.

In this case, you can configure the Vnet peering as per the below recommendation:

https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli#spoke-connections-to-remote-networks-through-a-hub-gateway

https://learn.microsoft.com/en-us/azure/expressroute/expressroute-faqs#how-are-virtual-networks-advertised-on-expressroute-private-peering

You must make sure that the address spaces don't overlap across cross-premises locations and Azure locations.

Refer: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli#private-ip-address-costs

Other things to note:

Requirements and constraints of Vnet peering:

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering?tabs=peering-portal#requirements-and-constraints

You can't specify a virtual network gateway created as type ExpressRoute in a user-defined route because with ExpressRoute, you must use BGP for custom routes. You can't specify Virtual Network Gateways if you have VPN and ExpressRoute coexisting connections either.

Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering?tabs=peering-portal#create-a-peering

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#user-defined

And then use a Private Endpoint to restrict the Static Web app traffic to only from your On-premises network via the ExpressRoute circuit.

Refer: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#virtual-network-and-on-premises-workloads-using-a-dns-forwarder

Kindly let us know if the above helps or you need further assistance on this issue.

---

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

Hi,

As you already have ER and I will suggest you setup the environment with Hub and Spoke architecture using the best and recommended approach suggested by Microsoft, usually I follow this approach and over here you can review the configuration process - https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli

Hope this helps.

JS

==

Please Accept the answer if the information helped you. This will help us and others in the community as well.