Microsoft Azure: Configure Cross-Subscription VNET to VNET Connectivity in Azure…
Hi Everyone,
Recently, we announced a lot of enhancements in Microsoft Azure. One of them is cross-VNET connectivity, between virtual networks in the same subscription or in different subscriptions. You can read more about it here: https://msdn.microsoft.com/en-us/library/azure/dn690122.aspx
I am going to cover a sample test configuration that I have done in my subscriptions for your reference. Feel free to use it alongside the MSDN documentation.
So, let’s begin.
What you need
Microsoft Azure Subscription x 2 (the link above also covers the VNET to VNET configuration within a single subscription)
Windows Azure PowerShell module (used in Step 8 to set the gateway shared keys)
Let’s Begin – Here is my setup
I have 2 Azure Subscriptions…
Subscription Name | Selected Region for Affinity Group | Storage Account
AVIRAJ-CORP | East US 2 (NYC) | nyc
AVIDEMO-INTERNAL | East Asia (JPN) | jpn
NETWORK TOPOLOGY
This is how it will look. Each VNET defines the other VNET's address space as its Local Network site, and both hand out the same DNS server address:
Virtual Network | Virtual Network Site Definition | Local Network Site Definition | DNS
VNet1 (NYC) | VNet1 (10.10.0.0/16) | VNet2 (192.168.0.0/16) | 10.10.1.4
VNet2 (JPN) | VNet2 (192.168.0.0/16) | VNet1 (10.10.0.0/16) | 10.10.1.4
Now, let’s start with steps.
Step 1: Create Affinity Groups in these 2 subscriptions.
AVIRAJ-CORP – Affinity Group: NYC
AVIDEMO-INTERNAL – Affinity Group: JPN
Step 2: Create Storage Accounts in these 2 subscriptions
AVIRAJ-CORP – Storage Account: nyc
AVIDEMO-INTERNAL – Storage Account: jpn
Step 3: Create DNS Server in both the subscriptions.
Create a DNS server entry named CROSS-VNET with address 10.10.1.4 in subscription AVIRAJ-CORP (NYC). This will be the first virtual machine created in VNET1's 10.10.1.0/24 subnet; Azure hands the first VM in a subnet the .4 address, so it will get 10.10.1.4, and we will configure the DC and DNS roles on that VM. Keep that VM running: a classic VM that is deallocated can lose its internal address, and then the DNS entry no longer points at it.
Create the same DNS server entry (CROSS-VNET, 10.10.1.4) in subscription AVIDEMO-INTERNAL (JPN). This is only a name-to-address entry in the Azure network configuration, not a second VM: we want VNET2 VMs to resolve names through the DNS server in VNET1, so VNET2 has to hand out the VNET1 address and the queries travel over the tunnel.
NOTE: For VNET to VNET connectivity within the same subscription you do not need to create the DNS entry twice, because both VNETs share one network configuration.
Step 4: Create VNET1 in AVIRAJ-CORP Subscription with Affinity Group NYC
Go to NEW –> NETWORK SERVICES –> VIRTUAL NETWORK –> CUSTOM CREATE
Enter Virtual Network Name: VNET1, select affinity group NYC. Click Next
Select CROSS-VNET (10.10.1.4) from the DNS drop-down menu, tick Configure a site-to-site VPN and click Next.
On the next screen we add a LOCAL NETWORK called VNET2 to the virtual network VNET1. In this scenario the VNET2 address space acts as the LOCAL NETWORK IP configuration; refer to the table at the beginning. Use a placeholder VPN device IP address for now (1.0.0.0 or 2.0.0.0 below), since the real gateway address does not exist until Step 6. Once configured, click Next.
On the last screen we configure the IP address range for the VIRTUAL NETWORK (VNET1) as per the table.
Add the address space 10.10.0.0 with CIDR /16 (65536 addresses).
Create a new subnet called AD with address range 10.10.1.0 and CIDR /24 (256 addresses).
Click add gateway subnet. Once done, click the check mark to complete the wizard.
And it will look like this when it’s created
When you click on Configure tab, you will see the complete configuration that we just created
That’s done.
Step 5: Create VNET2 in AVIDEMO-INTERNAL Subscription with Affinity Group JPN
Repeat the steps like Step 4 and complete the VNET2 creation in the JPN affinity group in the AVIDEMO-INTERNAL subscription.
Enter Virtual Network Name: VNET2, select affinity group JPN. Click Next
Select CROSS-VNET (10.10.1.4) from the DNS drop-down menu, tick Configure a site-to-site VPN and click Next.
On the next screen we add a LOCAL NETWORK called VNET1 to the virtual network VNET2. In this scenario the VNET1 address space acts as the LOCAL NETWORK IP configuration; refer to the table at the beginning. Again use a placeholder VPN device IP address. Once configured, click Next.
On the last screen we configure the IP address range for the VIRTUAL NETWORK (VNET2) as per the table.
Add the address space 192.168.0.0 with CIDR /16 (65536 addresses).
Create a new subnet called AD with address range 192.168.1.0 and CIDR /24 (256 addresses).
Click add gateway subnet. Once done, click the check mark to complete the wizard.
And it will look like this when it’s created.
When you click on Configure tab, you will see the complete configuration that we just created.
That’s done.
Step 6: Create Dynamic Routing VPN gateways for VNET1 and VNET2. Note: Static Routing gateways are not supported for VNET to VNET connections; refer to the MSDN link.
Go to Networks –> VNET1 –> Dashboard. Click CREATE GATEWAY –> Dynamic Routing, and click Yes.
Once you click Yes, you will see the dashboard status like this…
That’s done. We will wait for the gateway to be created.
Similarly, let’s create a gateway for VNET2. Go to Networks –> VNET2 –> Dashboard. Click CREATE GATEWAY –> Dynamic Routing, and click Yes. Once you click Yes, you will see the dashboard status like this…
NOTE: It takes somewhere between 15 and 20 minutes before you see the Gateway IP address in the dashboard.
Once completed, you will see the gateway IP address for each VNET.
Here is VNET1
Here is VNET2
That’s done.
Step 7: Replace the placeholder VPN device IP addresses in the local networks VNET1 and VNET2 with the actual gateway IP addresses we just obtained. Each local network was defined in the other subscription, so you switch subscriptions between copying and pasting.
Go to Networks –> VNET1 –> Dashboard (subscription AVIRAJ-CORP). Copy the Gateway IP Address 137.116.XX.XX.
Switch to subscription AVIDEMO-INTERNAL (where the local network VNET1 was defined in Step 5). Go to Networks –> LOCAL NETWORKS, click VNET1 with IP address 1.0.0.0, and click Edit.
Replace the VPN Device IP Address 1.0.0.0 with the VNET1 Gateway IP Address 137.116.XX.XX. On the next page do not change anything; click Next and Finish.
Done.
Now, similarly, we will do this for the other network.
Go to Networks –> VNET2 –> Dashboard (subscription AVIDEMO-INTERNAL). Copy the Gateway IP Address 207.46.XX.XX.
Switch to subscription AVIRAJ-CORP (where the local network VNET2 was defined in Step 4). Go to Networks –> LOCAL NETWORKS, click VNET2 with IP address 2.0.0.0, and click Edit.
Replace the VPN Device IP Address 2.0.0.0 with the VNET2 Gateway IP Address 207.46.XX.XX. On the next page do not change anything; click Next and Finish.
Done.
Once both local networks’ VPN device IP addresses are updated, it will look like this.
Step 8: Set the IPsec/IKE pre-shared keys for both subscriptions.
For this configuration we will use PowerShell. I am assuming that you understand how to configure Microsoft Azure subscriptions using PowerShell. Refer to this blog for the basics.
To configure the shared keys I run the following PowerShell cmdlets, each one in the context of the subscription that owns the VNET (Select-AzureSubscription first). The same key must be set on both sides; A1B2C3D4 is a demo value, so use a long random key for anything beyond a lab.
Set-AzureVNetGatewayKey -VNetName VNet1 -LocalNetworkSiteName VNet2 -SharedKey A1B2C3D4
Set-AzureVNetGatewayKey -VNetName VNet2 -LocalNetworkSiteName VNet1 -SharedKey A1B2C3D4
As soon as the shared keys are set on both subscriptions’ VNETs, you will see within a few moments that the VNET to VNET connection gets established.
Step 9: Verify connectivity between the cross-subscription VNETs.
Go to Networks –> VNET1 –> Dashboard and observe that the connection is established.
Similarly, go to Networks –> VNET2 –> Dashboard and observe the connectivity.
Enjoy
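Steps 8 and 9 scripted end to end, as an added example that is not part of the original post. It generates a random shared key instead of the short demo value above, sets that one key on both gateways under the correct subscription context, and then polls until both sides report Connected. The subscription and network names are the ones from the post; the cmdlets are the classic (service management) Azure PowerShell cmdlets the post already uses; the helper function names and the 600-second timeout are my choices.

```powershell
# Added example, not code from the original post. Assumes the Windows Azure PowerShell module is
# loaded and both subscriptions are already available to it (Add-AzureAccount or
# Import-AzurePublishSettingsFile has been run). Names below are the ones used in the post.
$ErrorActionPreference = 'Stop'

# One key for both ends, from a CSPRNG rather than something typed by hand.
# Hex output keeps the key inside the character set the gateway accepts.
function New-SharedKey {
    param([int]$Bytes = 32)
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buf)
    return ($buf | ForEach-Object { $_.ToString('x2') }) -join ''
}

# Each gateway lives in a different subscription, so the context is switched before every call.
$sides = @(
    @{ Subscription = 'AVIRAJ-CORP';      VNet = 'VNet1'; LocalSite = 'VNet2' },
    @{ Subscription = 'AVIDEMO-INTERNAL'; VNet = 'VNet2'; LocalSite = 'VNet1' }
)

$sharedKey = New-SharedKey
foreach ($s in $sides) {
    Select-AzureSubscription -SubscriptionName $s.Subscription
    Set-AzureVNetGatewayKey -VNetName $s.VNet -LocalNetworkSiteName $s.LocalSite -SharedKey $sharedKey | Out-Null
}
# Do not leave the key lying around in the session once both gateways have it.
Remove-Variable sharedKey

# Step 9: wait until a VNET reports its connection to the given local site as Connected.
function Wait-VNetConnection {
    param([string]$Subscription, [string]$VNet, [string]$LocalSite, [int]$TimeoutSec = 600)
    Select-AzureSubscription -SubscriptionName $Subscription
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $conn = Get-AzureVNetConnection -VNetName $VNet |
                Where-Object { $_.LocalNetworkSiteName -eq $LocalSite }
        if ($conn.ConnectivityState -eq 'Connected') { return $conn }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw "$VNet -> $LocalSite did not reach Connected within $TimeoutSec s (last state: $($conn.ConnectivityState), $($conn.LastEventMessage))"
}

foreach ($s in $sides) {
    Wait-VNetConnection -Subscription $s.Subscription -VNet $s.VNet -LocalSite $s.LocalSite |
        Select-Object LocalNetworkSiteName, ConnectivityState, LastConnectionEstablished,
                      IngressBytesTransferred, EgressBytesTransferred
}
```

If one side stays in Connecting, the usual causes are a mismatched key (re-run Set-AzureVNetGatewayKey on both sides with the same value) or a local network whose VPN device address still holds the placeholder from Step 4 or 5 rather than the gateway IP from Step 7.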
Step 10: Create one virtual machine in each subscription, connected to its VNET, and see how they communicate.
First create a Windows Server 2012 R2 VM in subscription AVIRAJ-CORP using VNET1.
Select the subscription AVIRAJ-CORP, choose VNET1 and select the storage account nyc.
Continue and create the VM.
Similarly, create a Windows Server 2012 R2 VM in subscription AVIDEMO-INTERNAL using VNET2.
Select the subscription AVIDEMO-INTERNAL, choose VNET2 and select the storage account jpn.
Continue and create the VM.
NOTE: It takes about 10 minutes to create the two VMs.
Once VMs are ready you will see their status like this.
Let’s check the configuration from the dashboard for WS2012R2-NYC in AVIRAJ-CORP Subscription
Similarly, check the configuration from the dashboard for WS2012R2-JPN in AVIDEMO-INTERNAL Subscription
That’s ready.
Once the VMs are fully provisioned, you can check them on the Virtual Network dashboard page.
VNET1
Go to Networks –> VNET1 –> Dashboard.
VNET2
Go to Networks –> VNET2 –> Dashboard.
Finally, let’s RDP into the VMs and look at their IP configuration and the connectivity between VMs in different VNETs across the two subscriptions.
Once you are RDP’d into each VM, open wf.msc and enable the inbound rules File and Printer Sharing (Echo Request – ICMPv4-In) and File and Printer Sharing (Echo Request – ICMPv6-In). That is what lets the ping command reach the VM. Enable only those two rules: the rest of the File and Printer Sharing group opens SMB (TCP 445) and NetBIOS, which this test does not need, and the VNET to VNET tunnel exposes each VM to the whole address space of the other VNET.
Now let’s look at the IP configuration of WS2012R2-NYC in subscription AVIRAJ-CORP. As you can see, the IP address is picked from the 10.10.1.X range and the DNS server is 10.10.1.4, as defined.
Now, let’s see the IP Configuration of WS2012R2-JPN in AVIDEMO-INTERNAL Subscription
FINAL TEST: ping each other.
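The wf.msc and ping steps above, done from PowerShell inside the VM, as an added example that is not part of the original post. It enables only the two ICMP Echo Request rules and scopes them to the two VNET address spaces, checks that DHCP handed the VM an address in its subnet and the DNS server the VNET defines, and then probes the peer across the tunnel. Assumptions not stated in the post: it runs elevated on WS2012R2-NYC (Windows Server 2012 R2, PowerShell 4.0), and the peer VM in VNET2 received 192.168.1.4 as the first VM in its AD subnet.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell session
# inside WS2012R2-NYC after RDP. Peer address and DNS address are assumptions (see lead-in).
$ErrorActionPreference = 'Stop'
$PeerVm     = '192.168.1.4'                      # assumed: first VM in VNET2's AD subnet
$DnsServer  = '10.10.1.4'                        # the CROSS-VNET entry from Step 3
$VNetSpaces = '10.10.0.0/16', '192.168.0.0/16'   # VNET1 and VNET2 address spaces from the table

# Only the echo-request rules, not the whole File and Printer Sharing group (which would also
# open SMB 445 and NetBIOS 137-139 to the peer network). Matching on the display name picks up
# the per-profile copies of the rule as well.
$echoRules = Get-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv*-In)'
if (-not $echoRules) { throw 'ICMP echo-request rules not found' }
$echoRules | Set-NetFirewallRule -RemoteAddress $VNetSpaces   # answer pings from the two VNETs only
$echoRules | Enable-NetFirewallRule
$echoRules | Select-Object Name, Profile, Enabled

# The address should come from the 10.10.1.0/24 AD subnet, with DNS pointing at 10.10.1.4.
$addr = Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -like '10.10.1.*' }
if (-not $addr) { throw 'No address from 10.10.1.0/24; is the VM attached to VNET1 / subnet AD?' }
$addr | Select-Object InterfaceAlias, IPAddress, PrefixLength
$dns = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses
if ($dns -notcontains $DnsServer) { throw "DNS servers are [$($dns -join ', ')], expected $DnsServer" }

# Reachability across the VNET to VNET tunnel. The peer must have its own echo-request rule enabled.
$probe = Test-NetConnection -ComputerName $PeerVm -InformationLevel Detailed
if (-not $probe.PingSucceeded) {
    throw "No ICMP reply from $PeerVm; check that both gateways show Connected and the peer's inbound rule"
}
$probe | Select-Object SourceAddress, RemoteAddress, PingSucceeded,
    @{ n = 'RttMs'; e = { $_.PingReplyDetails.RoundtripTime } }
```

Run the same script on WS2012R2-JPN with the peer set to the NYC VM's address and the subnet pattern changed to 192.168.1.*; once the domain controller in Step 11 exists, the Domain profile becomes active and the same display-name match still covers the rule copies for that profile.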
At this stage, I will configure a domain controller on the WS2012R2-NYC machine, and it will serve as DNS for my VMs connected to VNET1 and VNET2.
And friends, that’s Cross-Subscription VNET to VNET connectivity in Microsoft Azure. This is one of the many cool features we announced during Microsoft TechEd North America 2014. For more details visit https://channel9.msdn.com to explore more around Microsoft Azure Networking.
Hope you enjoy this post and have a great day.
Thank You & Happy Networking
Comments
- Anonymous
May 20, 2014
Thank you for your post!! Very useful, but I have a question... Is it possible to configure this between existing Virtual Networks, or do they have to be new?
- Anonymous
May 28, 2014
The comment has been removed
- Anonymous
June 03, 2014
Thanks. It will work with existing VNETs as well.
- Anonymous
November 09, 2014
Thanks Aviraj! Just done.
I love Azure :).
- Anonymous
July 01, 2015
I built a script to automate the process. :)
Check out https://tombwu.wordpress.com/2015/07/02/build-complex-cross-azure-subscription-windows-lab-by-using-azure-site-to-site-vpn/
- Anonymous
July 27, 2015
I tried this out to try to connect multiple virtual networks together, though what I cannot figure out is how, once you create a 3rd network, to connect it to your VNet1. Thoughts?