Hub and spoke design

  • Question

  • I'm having trouble setting up a hub and spoke configuration in Azure.  Here's my setup.

    I have three VNets: prod, dev, and a third one that is the hub.  For prod to talk to dev and vice versa, they must go through the hub.  Prod and dev are both peered with the hub.  The address ranges for the VNets are prod: 10.62.8.0/21, dev: 10.62.40.0/21, and hub: 10.62.0.0/21.  There is an Azure Firewall in the hub with an internal IP of 10.62.6.196.  There is one VM in each of dev and prod; both have the firewall's internal IP, 10.62.6.196, as their gateway.  The firewall in the hub has a single network rule collection, priority 100 (no other rule collections), with these two rules.  Dev to prod is any protocol, source 10.62.40.0/21, destination 10.62.0.0/21, destination ports *.  The prod to dev rule has everything the same except the source is 10.62.0.0/21 and the destination is 10.62.40.0/21.

    So if the firewall in the hub is the gateway, traffic destined for outside the subnet should hit the firewall, which would then use the firewall rules to route the traffic; at least that's my understanding.  But the traffic from dev to prod and from prod to dev doesn't work.  Is this configuration wrong?

    Thanks in advance


    • Edited by farslayer9 Friday, December 20, 2019 6:13 PM
    Friday, December 20, 2019 6:11 PM

Answers

All replies

  • Make sure you have enabled "Allow Forwarded Traffic" on your peering connections to allow the traffic to flow across the peering from the other peered VNet. This lets traffic flow between different peered VNets when it is sent through an NVA or an Azure Firewall. 

    You could also peer the two spoke VNets directly to allow communication, but this breaks the hub and spoke design. 

    If you are concerned about the Azure Firewall blocking the traffic, try removing the rules and see if that restores connectivity. 

    Friday, December 20, 2019 9:24 PM
    Moderator
  • I discovered the issue, our peering had gone down from "connected" to "initializing" and never came back up for some reason.  Once I redid the peering everything came up as expected.
    Tuesday, December 24, 2019 7:27 PM
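The moderator's checklist (peering with "Allow Forwarded Traffic", routes pointing at the firewall, firewall rules) and the asker's eventual finding (a peering stuck in "Initializing") can be turned into a pre-flight check. The script below is an added example written for this thread; it is not code from either poster or from Microsoft, and it does not call Azure. It models the three prerequisites in plain Python and runs them over data constructed from the addresses in the question. Assumed, not stated in the thread: the VM IPs 10.62.40.4 and 10.62.8.4, that "gateway of the firewall" means a 0.0.0.0/0 user-defined route with the firewall as next hop, that forwarded traffic is checked on both sides of each peering (the conservative reading of the reply), and the second rule set, which is what the rules would have to cover for the two spoke ranges to reach each other.

```python
"""Pre-flight check for spoke-to-spoke traffic through an Azure Firewall hub.

Added example for this thread, not code from the original posts or from
Microsoft. It does not talk to Azure; it models the checks the replies
point at. VM IPs, the 0.0.0.0/0 route and RULES_SPOKE_TO_SPOKE are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Peering:
    local: str                     # VNet the peering is defined on
    remote: str                    # VNet it points at
    state: str                     # Azure peeringState: Connected / Initializing / Disconnected
    allow_forwarded_traffic: bool  # the "Allow forwarded traffic" checkbox


@dataclass(frozen=True)
class Route:
    prefix: str        # UDR address prefix
    next_hop_ip: str   # next hop; here the firewall's private IP


@dataclass(frozen=True)
class NetworkRule:
    name: str
    source_addresses: tuple          # CIDR strings
    destination_addresses: tuple     # CIDR strings
    protocols: tuple                 # "Any", "TCP", "UDP", "ICMP"


VNETS = {"hub": "10.62.0.0/21", "prod": "10.62.8.0/21", "dev": "10.62.40.0/21"}
FIREWALL_IP = "10.62.6.196"

# Assumed: each spoke sends everything non-local to the firewall via a default UDR.
ROUTES = {"dev": [Route("0.0.0.0/0", FIREWALL_IP)], "prod": [Route("0.0.0.0/0", FIREWALL_IP)]}

# Network rules exactly as the question lists them.
RULES_AS_POSTED = [
    NetworkRule("dev-to-prod", ("10.62.40.0/21",), ("10.62.0.0/21",), ("Any",)),
    NetworkRule("prod-to-dev", ("10.62.0.0/21",), ("10.62.40.0/21",), ("Any",)),
]
# Assumed (constructed here): rules whose source/destination are the two spoke ranges.
RULES_SPOKE_TO_SPOKE = [
    NetworkRule("dev-to-prod", ("10.62.40.0/21",), ("10.62.8.0/21",), ("Any",)),
    NetworkRule("prod-to-dev", ("10.62.8.0/21",), ("10.62.40.0/21",), ("Any",)),
]


def _contains(cidrs, ip):
    addr = ip_address(ip)
    return any(addr in ip_network(c, strict=False) for c in cidrs)


def check_peering(peerings, spoke, hub="hub"):
    """Both directions of the spoke<->hub peering must be Connected and forward traffic."""
    findings = []
    for local, remote in ((spoke, hub), (hub, spoke)):
        match = [p for p in peerings if p.local == local and p.remote == remote]
        if not match:
            findings.append(f"no peering from {local} to {remote}")
            continue
        p = match[0]
        if p.state != "Connected":
            findings.append(f"peering {local}->{remote} is {p.state}, not Connected")
        if not p.allow_forwarded_traffic:
            findings.append(f"peering {local}->{remote} does not allow forwarded traffic")
    return findings


def check_route(routes, spoke, dst_ip, firewall_ip=FIREWALL_IP):
    """The spoke's effective route for dst_ip (longest prefix) must point at the firewall."""
    cands = [r for r in routes.get(spoke, []) if ip_address(dst_ip) in ip_network(r.prefix, strict=False)]
    if not cands:
        return [f"{spoke}: no UDR covers {dst_ip}"]
    best = max(cands, key=lambda r: ip_network(r.prefix, strict=False).prefixlen)
    if best.next_hop_ip != firewall_ip:
        return [f"{spoke}: route {best.prefix} sends {dst_ip} to {best.next_hop_ip}, not the firewall"]
    return []


def check_firewall(rules, src_ip, dst_ip, protocol="TCP"):
    """Azure Firewall denies by default: a network rule must match source, destination and protocol."""
    for r in rules:
        if (_contains(r.source_addresses, src_ip) and _contains(r.destination_addresses, dst_ip)
                and ("Any" in r.protocols or protocol in r.protocols)):
            return []
    return [f"no network rule allows {protocol} {src_ip} -> {dst_ip}; the firewall's default is deny"]


def check_flow(src_spoke, src_ip, dst_spoke, dst_ip, peerings, routes, rules, protocol="TCP"):
    """Findings for one spoke-to-spoke flow; an empty list means the path looks right.
    The return path is checked too: replies must also hit the firewall, or routing is asymmetric."""
    findings = []
    findings += check_peering(peerings, src_spoke)
    findings += check_route(routes, src_spoke, dst_ip)
    findings += check_firewall(rules, src_ip, dst_ip, protocol)
    findings += check_route(routes, dst_spoke, src_ip)
    findings += check_peering(peerings, dst_spoke)
    return findings


def peerings(state, fwd=True):
    pairs = (("dev", "hub"), ("hub", "dev"), ("prod", "hub"), ("hub", "prod"))
    return [Peering(a, b, state, fwd) for a, b in pairs]


def scenario_as_found():
    """Peerings had dropped to Initializing, as the asker discovered."""
    return check_flow("dev", "10.62.40.4", "prod", "10.62.8.4", peerings("Initializing"), ROUTES, RULES_AS_POSTED)


def scenario_peering_fixed():
    """Peerings redone, rules still as posted."""
    return check_flow("dev", "10.62.40.4", "prod", "10.62.8.4", peerings("Connected"), ROUTES, RULES_AS_POSTED)


def scenario_rules_cover_spokes():
    """Peerings Connected and rules covering both spoke ranges (assumed rule set)."""
    return check_flow("dev", "10.62.40.4", "prod", "10.62.8.4", peerings("Connected"), ROUTES, RULES_SPOKE_TO_SPOKE)


if __name__ == "__main__":
    for name, fn in (("as found", scenario_as_found), ("peering fixed", scenario_peering_fixed),
                     ("rules cover spokes", scenario_rules_cover_spokes)):
        print(f"[{name}]", fn() or "OK")
```

Run as-is, the first scenario reports the Initializing peerings on both sides of both spokes, which matches what the asker found. The second scenario still returns one finding: with the rules exactly as the question lists them, the dev-to-prod rule's destination 10.62.0.0/21 is the hub range, so it does not cover a prod address in 10.62.8.0/21, and the prod-to-dev rule's source 10.62.0.0/21 likewise does not contain a prod VM. Whether that is how the rules were typed into the post or how they were configured, it is the kind of range mismatch the rule check is there to surface, since Azure Firewall drops anything no rule allows. The return-path route check is the caveat worth keeping: if only one spoke routes through the firewall, the reply bypasses it and the stateful firewall never sees a complete flow.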