Score:0

Server

VNET Peering and Transit Hub

thebluephantom

1/11/23, 1:35 PM

VNET Peering:

Once virtual networks are peered, resources in both virtual networks can communicate with each other, with the same latency and bandwidth as if the resources were in the same virtual network.

So, with this diagram:

I see that VNETs Virtual Network, VNET1, VNET2, and On-premise can all access the SQL database.

Then:

Scenario

What say SQL 1 and SQL 2 databases exist.
- SQL 1 DB has a Private Link in VNET1.
- SQL 2 DB has a Private Link in VNET2.
Peering is the same as shown in this diagram.

Questions:

I assume the fact that the Private Links for SQL 1 in VNET 1 and SQL 2 for VNET are accessible from on-premises? Or do I need to have the Private Link in the Virtual Network VNET? How then?
Can VNET1 and VNET2 access eachother's SQL databases via Virtual Network VNET?

218

0 + 0

azure-networking

Score:1

Server

Massimo

1/11/23, 1:52 PM

When a private link is used, PaaS services are connected to a VNet using private endpoints: they get private IP addresses in that VNet, and those private IP addresses can be used to access them; thus yes, everything that can reach a VNet (via peering, ExpressRoute, VPN or whatever) can access services which have a private link to it.

However, some DNS tuning could be required, depending on your DNS configuration; private links rely on the public names of PaaS services being remapped to their private IP addresses, which is automatically done by Azure DNS only when it's queried from inside the linked VNet.

Update

VNet peerings are not transitive, thus traffic will not flow between the two spoke VNets unless you create an explicit peering between them.

Traffic will instead flow between on-premises computer and them, if you enable gateway transit and remote gateways in their peerings with the hub VNet.

0 + 0

thebluephantom

1/11/23, 1:58 PM

So, I understand this is a specific non-realistic example that I saw on the internet just to demonstrate the point. So, yes to both questions. Get the DNS point. So then the follow on is, this type of hub and spoke is not so great if I do the peering with Virtual Network even though all are wax lyrical about it. If I juts do this peering for the on-premise to write to those DB's, the side effect with that approach is the other VNETs can also access eachother, which is not what I want.

thebluephantom

1/11/23, 2:00 PM

Can you confirm my comment pls?

Massimo

1/11/23, 2:11 PM

You can restrict traffic between VNets using NSGs; also, peerings can be configured to be non-transitive.

Massimo

1/11/23, 2:12 PM

But yes, Microsoft design guidelines for Azure networking have a penchant for overengineering. Not everyone needs complex topologies with many different VNets.

thebluephantom

1/11/23, 2:22 PM

Just to be clear. This here: https://docs.microsoft.com/en-us/answers/questions/47071/is-vnet-peering-transitive-by-default.html This question's answer implies that vnet peering is non-transitive by default. But you are talking about configured to be non-transitive.

Massimo

1/11/23, 2:28 PM

You are correct, VNet peering is not transitive; those two VNets on the right would need a direct peering to talk to each other.

Massimo

1/11/23, 2:29 PM

I was thinking about ExpressRoute peering, which instead can be used by them if you enable gateway transit and remote gateways in their peering with the hub VNet.

thebluephantom

1/11/23, 2:39 PM

so, Can VNET1 and VNET2 access eachother's SQL databases via Virtual Network VNET? the answer is 'no' for s2sVPN. Your last comment implies that with ExpressRoute the situation differs? I think I get it from research just on the Gateway transit and remote gateways. I think u r saying then vnet1 and vnet2 can access eachothers resources.

Massimo

1/11/23, 3:02 PM

I have updated my answer for better clarity.

thebluephantom

1/11/23, 3:31 PM

OK, you have clarified this and it all fits into place. u beaut.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: VNET Peering and Transit Hub

TH: VNET Peering และ Transit Hub

RO: VNET Peering și hub de tranzit

RU: Пиринг и транзитный концентратор VNET

VI: VNET Peering and Transit Hub

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.