The best video tutorial I have seen so far regarding Vnet Peering.
Thank you so much
Awesome, information about Hub-Spoke topology, great work!
No doubt that he explained the VNet peering very well.
Thank you so much, I got some issues fixed by understanding this fundamental tutorial. I like the way you explained.
You are a champ, keep making videos at an advanced level for each Azure network component.
Thank you for this video, Sir! It was very helpful for me to understand how the Hub and Spoke topology works.
Excellent tutorial!
On premises; be that as it may, thank you for this informative presentation.
Very good. Thank you.
13:02 - Is there a reason you enabled Allow forwarded traffic from spoke1 to hub-vnet? My understanding is that you can leave it disabled because spoke1 will not receive any traffic that needs to be forwarded to hub-vnet. Any use case you can specify for this scenario? Thanks.
If you were doing a transient network where spoke 1 was a sub-hub network with spokes off of it. This topology is common in more complex setups.
@@Atmosera- Makes sense. Thanks for your reply. Very simplified and easy to understand tutorial. Job well done :)
Explained so well!!
Great, another sub!
Glad you liked it! :)
Great tutorial, and now the question :) once you have this setup, how would you publish a web app running on a VM hosted in a Spoke VNet? If you possibly have some best practice link or doc, much appreciated. :)
You can install apps on VMs much the same way that you would do it on an on-premises VM, for instance scripting a remote install of an MSI using PowerShell or something like that.
powershellexplained.com/2017-04-22-Powershell-installing-remote-software/
@@Atmosera- this is fantastic 😁, and I have found few tutorials, but wanted second opinion from Super professional 🚀❤️🇬🇧,🍺🍻
Very well explained. I tried the hub and spoke for VNet-to-VNet connection through the hub, but it did not work. Microsoft advised that VNets are non-transitive; we have to use Azure Firewall or an NVA.
You can also use UDRs to do the same thing. They are not designed to be transitive for VNET to VNET, but for VPN/ER to VNET they are.
@@Atmosera- Thanks, brilliant. Using a UDR pointing to the Hub Gateway worked.
Great video! How would that change if I threw a firewall into the mix?
Depends on where you want to put the firewall, but I'm assuming you want a network virtual appliance on the edge? If that is the case you can still use peerings, but you would need to manually manage the routes from the peers to have a default route to your firewall. You can do that with route tables in Azure.
docs.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-portal
@@Atmosera- Would I need two route tables in this case? One to direct traffic from the hub subnet to an NVA firewall, and the other between the gateway and an NVA firewall.
@@chenliang5263 No, just a single one that could be used on all your subnets. Basically, set the default route (0.0.0.0/0) to the private IP of your NVA.
@@Atmosera- Cool. I will try it out. Thanks.
Good one
Incredible video, I liked it, one more sub, great.
Do you have any video about hub-to-hub peering so that VNets on each hub can connect to each other through the hubs?
It follows the same procedure. You'll probably need UDRs though to make the routes work and the networks transient.
Amazing tutorial
Thanks Boss
Hello, thank you for this tutorial, it's awesome!
However, I have a Policy-Based VPN (Virtual Network Gateway) and the resources in my Spoke VNet cannot communicate with my on-premises resources. Is there any missing piece?
Check your routes to make sure they are locally set up and vice versa. That's a common culprit.
@@Atmosera- Thank you, so I need to add some routes from my on-prem environment to my Azure resources.
And also make sure I have some routes from my Azure environment to my on-prem resources.
Is there a resource I have to deploy to add routes in my Azure environment?
Great video. I have a similar setup and my on-prem VMs can ping and RDP to the VMs in the hub and spoke VNets, BUT I can't ping or RDP back from these VNets to the on-prem VMs. Am I missing a step?
Make sure "use remote gateway" is checked on the peering and also make sure that the on-prem VPN can handle the routed packets from Azure.
What I do not understand is how you connect the VPN gateway IP pool (10.3.0.0/24 I think it was in the video) to the hub VNet. I have done something similar to this but I cannot ping from my VPN-connected PC to VM1 (created on a subnet in the hub VNet).
It might be a routing issue. Check the routes on your local machine (route print in Windows) and see if there is a route for the 10.3.0.0/24 subnet.
Can we configure ExpressRoute and a site-to-site connection on the same VPN gateway?
No. I think you need a separate one.
I have a HUB VNet created with a Virtual Network Gateway, and two spoke VNets with a VM in each of them. The HUB VNet is peered to both spoke VNets. Both spoke VNets are using the remote virtual network gateway of the HUB. The VM in spoke1 is not able to ping the VM in spoke2, even though gateway transit is shown as enabled on the HUB peerings. What might be the cause?
That is by design. You need a network appliance or Azure Firewall in the hub to ensure that those routes can happen.
@@Atmosera- found a blog that shows how to do it with UDR, sharing here for reference
blog.kloud.com.au/2018/08/10/hub-spoke-communication-using-vnet-peering-and-user-defined-routes/#:~:text=As%20we%20know%2C%20vNet%20peering,were%20not%20allowed%20to%20do.
@@Atmosera- Many thanks for your prompt response and the informative video.
Awesome video
Query: VNet peering considering the Hub-Spoke model: 1. if subscriptions are different, 2. if resource groups of Hub and spoke are different, 3. if regions are also different, can this be achieved?
It can work, but in general, you'd want to establish a new hub VNet for each region to not incur cross-region charges and use external point-of-presence load balancing like Traffic Manager.
Alternatively, you can use Azure Front Door.
I had to look at further documentation because you lost me on what 'gateway' was used to transmit communication between the spokes via the hub. The magic answer is that the VPN gateway can ALSO act as an inter-spoke gateway, not only for VPN off-prem. The magic connecting peered spokes to each other via the hub is a gateway, AND this gateway can be a firewall, routing tables, OR a VPN Gateway.
Undoubtedly the best. You deserve a click on subscribe and bell.
Awesome video! I could successfully create VNet peering and they're showing connected.
I'm facing a problem while accessing a resource from on-prem.
One of my VNets is set up with a site-to-site VPN to on-prem and I can access on-prem resources from that VM; however, when I create a resource in another VNet (within the same region) and set up VNet peering, the resource in the 2nd VNet can't access on-prem resources.
What could be the problem?
Please help!
Make sure you have gateway transit checked and use remote gateway checked.
@@Atmosera- thanks for responding. Gateway transit and remote gateway are enabled.
@@TravelIndiaSolo Make sure your on prem routers recognize the routes coming in from Azure.
Super!
After this setup, can 2 spoke networks talk to each other? Guess not?
Yes. Best practice is to use the hub as a transient network. You'll have to set up UDRs to make it happen though.
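Pulling the UDR advice from this thread and the firewall thread above into one script, as an added example that is not from the video or the commenters: it creates the single route table with a 0.0.0.0/0 route to the NVA, attaches it to both spoke subnets, sets the peering flag the forwarded traffic needs, and reads back the effective routes. The resource group, VNet, subnet, NIC and peering names and the NVA address 10.0.2.4 are assumptions; it needs the Az PowerShell module.

```powershell
# Added example, not from the video. Assumed names: rg-hubspoke, hub-vnet with the NVA
# at 10.0.2.4, spoke1-vnet / spoke2-vnet each with a 'default' subnet, spoke-side
# peerings named 'spoke1-to-hub' / 'spoke2-to-hub', and a spoke VM NIC 'vm1-nic'.
$rg       = 'rg-hubspoke'
$location = 'eastus'
$nvaIp    = '10.0.2.4'        # private IP of the NVA / firewall NIC in the hub

# 1. One route table shared by every spoke subnet. BGP propagation is disabled so
#    that on-prem prefixes learned via the hub gateway cannot bypass the NVA.
$rt = New-AzRouteTable -Name 'rt-spokes' -ResourceGroupName $rg -Location $location `
        -DisableBgpRoutePropagation

# Default route: anything outside the spoke's own address space (the other spoke,
# on-prem, Internet) is handed to the NVA for inspection. UDRs override system routes.
$rt = Add-AzRouteConfig -RouteTable $rt -Name 'default-via-nva' `
        -AddressPrefix '0.0.0.0/0' -NextHopType VirtualAppliance -NextHopIpAddress $nvaIp |
      Set-AzRouteTable

# 2. Associate the table with the workload subnet in each spoke.
$spokes = @{ 'spoke1-vnet' = '10.1.0.0/24'; 'spoke2-vnet' = '10.2.0.0/24' }
foreach ($name in $spokes.Keys) {
    $vnet = Get-AzVirtualNetwork -Name $name -ResourceGroupName $rg
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'default' `
        -AddressPrefix $spokes[$name] -RouteTable $rt | Set-AzVirtualNetwork | Out-Null
}

# 3. Each spoke's peering link to the hub must accept traffic forwarded by the NVA:
#    the packets arriving from the hub carry the other spoke's source IP, not the
#    hub's, and are dropped at the peering unless AllowForwardedTraffic is set.
$peerings = @{ 'spoke1-vnet' = 'spoke1-to-hub'; 'spoke2-vnet' = 'spoke2-to-hub' }
foreach ($vnetName in $peerings.Keys) {
    $peer = Get-AzVirtualNetworkPeering -VirtualNetworkName $vnetName `
                -ResourceGroupName $rg -Name $peerings[$vnetName]
    $peer.AllowForwardedTraffic = $true
    Set-AzVirtualNetworkPeering -VirtualNetworkPeering $peer | Out-Null
}

# 4. Verify from the platform's view: the effective routes of a spoke VM NIC should
#    list 0.0.0.0/0 with NextHopType VirtualAppliance and the hub prefix as VNetPeering.
Get-AzEffectiveRouteTable -NetworkInterfaceName 'vm1-nic' -ResourceGroupName $rg |
    Format-Table AddressPrefix, NextHopType, NextHopIpAddress, State
```

The NVA's NIC must also have IP forwarding enabled in Azure and the appliance itself must be configured to route, otherwise the relayed spoke-to-spoke traffic is silently dropped.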
I have 1 VNet with my VMs. I have 1 VPN gateway (Basic) connected to 10 sites. Can I create another Basic VPN gateway (cheaper) to connect more sites? I upgraded the Basic to Performance but it is too expensive, from $25/month to $300/month :(. Thank you for your video.
A VPN gateway of any SKU can only connect to one VNet. You can peer that same VNet however with multiple other VNets. I can't remember what the upper threshold is, but it's pretty generous.
Why don't you use the "use remote gateway" option on the spoke peerings?
You wouldn't use that if you don't want the traffic on your spoke VNets to traverse your hub VNet and go over your VPN.