
I have the following Vnets

vnet-hub-poc-hubspoke is the Hub Vnet

it has the following subnets

with a firewall

and peered with Prod & Dev Vnets

Prod Vnet is configured as shown below

Dev Vnet is configured as shown below

I have the following VMs created – one in each Vnet

with the below rules

I have the following Route tables

with the below configuration

I am able to ping the Firewall from both the VMs, however I am not able to RDP

What am I missing?

Update: I guess the request is going to the Firewall (10.11.253.4) but getting timed out.

C:\Users\kavija>tracert 10.13.2.4

Tracing route to 10.13.2.4 over a maximum of 30 hops

Update#2: I have used the below script

# Define Variable
rgName=SpokeToSpoke
location=eastus
hubVNetName=vnet-hub
prodVnetName=vnet-prod
devVnetName=vnet-dev
myFirewallPublicIPName="firewallPublicIP"
azFirewallName="azFirewallName"
azureworkloadRG="AzureProdWorkLoad"
azureDevWorkloadRG="AzureDevWorkLoad"
VmUser="demouserXXX"
AdminPassword="<strong-password>"   # assumed placeholder: referenced by az vm create below but not set in the original script
VmName1="ProdServer"
VmName2="DevServer"
fwRouteTableProdName=prod-route-table
fwRouteTableDevName=dev-route-table
bastionName="MyBastion"
bastionPIPName="bastionpip"
rdpRuleName=AllowRDP
priority=200
rgroup=prod-ukw-core-rg
access=Allow
description="Allow RDP from office IP address"
destPort=3389
direction=Inbound
protocol=TCP

# Create Resource Group
az group create --name $rgName --location $location

# Create Azure Hub VNET
az network vnet create -g $rgName --name $hubVNetName --address-prefixes 10.11.0.0/16 --location $location
az network vnet subnet create -g $rgName --vnet-name $hubVNetName --name Management --address-prefix 10.11.1.0/24
az network vnet subnet create -g $rgName --vnet-name $hubVNetName --name AppGatewaySubnet --address-prefix 10.11.252.0/26
az network vnet subnet create -g $rgName --vnet-name $hubVNetName --name AzureBastionSubnet --address-prefix 10.11.252.64/27
az network vnet subnet create -g $rgName --vnet-name $hubVNetName --name AzureFirewallSubnet --address-prefix 10.11.253.0/26
az network vnet subnet create -g $rgName --vnet-name $hubVNetName --name GatewaySubnet --address-prefix 10.11.254.0/27

# Create Azure Dev VNET
az network vnet create -g $rgName --name $devVnetName --address-prefixes 10.12.0.0/16  --location $location
az network vnet subnet create -g $rgName --vnet-name $devVnetName --name Management --address-prefix 10.12.1.0/24
az network vnet subnet create -g $rgName --vnet-name $devVnetName --name Workload1 --address-prefix 10.12.2.0/24

# Create Azure Prod VNET
az network vnet create -g $rgName --name $prodVnetName --address-prefixes 10.13.0.0/16  --location $location
az network vnet subnet create -g $rgName --vnet-name $prodVnetName --name Management --address-prefix 10.13.1.0/24
az network vnet subnet create -g $rgName --vnet-name $prodVnetName --name Workload1 --address-prefix 10.13.2.0/24

# Dev Subnet NSG 
az network nsg create -g $rgName -n Dev-Management-subnet -l $location -o table
az network nsg create -g $rgName -n Dev-Workload1-subnet -l $location -o table
az network vnet subnet update -g $rgName --vnet-name $devVnetName --name Management --network-security-group Dev-Management-subnet
az network vnet subnet update -g $rgName --vnet-name $devVnetName --name Workload1 --network-security-group Dev-Workload1-subnet

# Prod Subnet NSG 
az network nsg create -g $rgName -n Prod-Management-subnet -l $location -o table
az network nsg create -g $rgName -n Prod-Workload1-subnet -l $location -o table
az network vnet subnet update -g $rgName --vnet-name $prodVnetName --name Management --network-security-group Prod-Management-subnet
az network vnet subnet update -g $rgName --vnet-name $prodVnetName --name Workload1 --network-security-group Prod-Workload1-subnet

# Enable RDP at NSG Level for Dev Workload
az network nsg rule create --name $rdpRuleName --nsg-name Dev-Workload1-subnet --priority $priority --resource-group $rgName --access $access --description "$description" --destination-port-ranges $destPort --direction $direction --protocol $protocol --source-address-prefixes "*"

# Enable RDP at NSG Level for Prod Workload
az network nsg rule create --name $rdpRuleName --nsg-name Prod-Workload1-subnet --priority $priority --resource-group $rgName --access $access --description "$description" --destination-port-ranges $destPort --direction $direction --protocol $protocol --source-address-prefixes "*"

# Create Firewall
az network public-ip create --name $myFirewallPublicIPName --resource-group $rgName --sku Standard --allocation-method Static
az network firewall create -g $rgName -n $azFirewallName --vnet-name $hubVNetName --sku AZFW_VNet --tier Standard
az network firewall ip-config create --firewall-name $azFirewallName --name FW-config1 --public-ip-address $myFirewallPublicIPName --resource-group $rgName --vnet-name $hubVNetName
az network firewall update --name $azFirewallName --resource-group $rgName
fwprivaddr="$(az network firewall ip-config list -g $rgName -f $azFirewallName --query "[?name=='FW-config1'].privateIpAddress" --output tsv)"

# Hub-Spoke-Hub Peering
az network vnet peering create -g $rgName --name HUBtoProd --vnet-name $hubVNetName --remote-vnet $prodVnetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit

az network vnet peering create -g $rgName --name HUBtoDEV --vnet-name $hubVNetName --remote-vnet $devVnetName --allow-vnet-access --allow-forwarded-traffic  --allow-gateway-transit

az network vnet peering create -g $rgName --name ProdtoHUB --vnet-name $prodVnetName --remote-vnet $hubVNetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit 

az network vnet peering create -g $rgName --name DEVtoHUB --vnet-name $devVnetName --remote-vnet $hubVNetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit 

# Create Route table from Dev to Hub
az network route-table create --name $fwRouteTableDevName -g $rgName -l $location --disable-bgp-route-propagation true
az network route-table route create -g $rgName --name DevToProdSubnet-Route --route-table-name $fwRouteTableDevName --address-prefix 10.13.0.0/16  --next-hop-type VirtualAppliance --next-hop-ip-address $fwprivaddr
az network vnet subnet update -g $rgName --vnet-name $devVnetName -n Workload1 --address-prefixes 10.12.2.0/24 --route-table $fwRouteTableDevName

# Create Route table from Prod to Hub
az network route-table create --name $fwRouteTableProdName -g $rgName -l $location --disable-bgp-route-propagation true
az network route-table route create -g $rgName --name ProdToHubSubnet-Route --route-table-name $fwRouteTableProdName --address-prefix 10.12.0.0/16  --next-hop-type VirtualAppliance --next-hop-ip-address $fwprivaddr
az network vnet subnet update -g $rgName --vnet-name $prodVnetName -n Workload1 --address-prefixes 10.13.2.0/24 --route-table $fwRouteTableProdName

# Create Azure Bastion for Azure
az network public-ip create --resource-group $rgName --name $bastionPIPName --sku Standard --location $location
az network bastion create --name $bastionName --public-ip-address $bastionPIPName --resource-group $rgName --vnet-name $hubVNetName --location $location

# Create VM in Dev Vnet - Workload1 Subnet to test Spoke-to-Spoke communication
az group create --name $azureDevWorkloadRG --location $location
devWorkLoadSubNetID=$(az network vnet subnet show --resource-group $rgName --name "Workload1" --vnet-name $devVnetName --query id -o tsv)
# $VmName2 is the Dev VM name defined above (the original referenced an unset $VmName)
az vm create --resource-group $azureDevWorkloadRG --name $VmName2 --image win2016datacenter --admin-username $VmUser --admin-password $AdminPassword --size Standard_B1s --use-unmanaged-disk --storage-sku Standard_LRS --subnet $devWorkLoadSubNetID --nsg "" --public-ip-address ""

# Create VM in Prod VNet - Workload1 Subnet
az group create --name $azureworkloadRG --location $location
prodWorkLoadSubNetID=$(az network vnet subnet show --resource-group $rgName --name "Workload1" --vnet-name $prodVnetName --query id -o tsv)
az vm create --resource-group $azureworkloadRG --name $VmName1 --image win2016datacenter --admin-username $VmUser --admin-password $AdminPassword --size Standard_B1s --use-unmanaged-disk --storage-sku Standard_LRS --subnet $prodWorkLoadSubNetID --nsg "" --public-ip-address ""

Update#3: I tried creating the Gateway as well

# Azure VNET Gateway
az network public-ip create -g $rgName --name pip-hub-gateway --allocation-method dynamic --dns-name $hubVNetName 
az network vnet-gateway create -g $rgName --name vgw --vnet $hubVNetName --public-ip-address pip-hub-gateway --gateway-type vpn --client-protocol SSTP --sku Basic

az network vnet peering create -g $rgName --name ProdtoHUB --vnet-name $prodVnetName --remote-vnet $hubVNetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit  --use-remote-gateways

az network vnet peering create -g $rgName --name DEVtoHUB --vnet-name $devVnetName --remote-vnet $hubVNetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit  --use-remote-gateways

az network route-table route create -g $rgName --name DevToProdSubnet-Route --route-table-name $fwRouteTableDevName --address-prefix 10.13.0.0/16   --next-hop-type VirtualNetworkGateway

az network route-table route create -g $rgName --name ProdToHubSubnet-Route --route-table-name $fwRouteTableProdName --address-prefix 10.12.0.0/16   --next-hop-type VirtualNetworkGateway

3 Answers


  1. Chosen as BEST ANSWER

    Using the script below, I was able to establish communication between the spoke networks

    Reference: https://github.com/jillesca/azure/tree/main/hub%20%26%20spoke

    # Assumed placeholders: the VM credentials are referenced by az vm create below but not set anywhere in the script as posted
    VmUser="<admin-username>"
    AdminPassword="<strong-password>"

    az group create --name techTalk --location eastus

    az network vnet create \
      --name hub-vnet \
      --resource-group techTalk \
      --subnet-name hub-subnet \
      --address-prefixes 10.0.0.0/16 \
      --subnet-prefixes 10.0.1.0/24

    az network vnet create \
      --name spoke1-vnet \
      --resource-group techTalk \
      --subnet-name spoke1-subnet \
      --address-prefixes 10.1.0.0/16 \
      --subnet-prefixes 10.1.1.0/24

    az network vnet create \
      --name spoke2-vnet \
      --resource-group techTalk \
      --subnet-name spoke2-subnet \
      --address-prefixes 10.2.0.0/16 \
      --subnet-prefixes 10.2.1.0/24

    az network vnet subnet create \
      --vnet-name hub-vnet \
      --name GatewaySubnet \
      --resource-group techTalk \
      --address-prefix 10.0.255.0/27

    az network public-ip create \
      --name gateway-ip-address \
      --resource-group techTalk \
      --allocation-method Dynamic \
      --sku Basic

    az network vnet-gateway create \
      --name vnet-Gateway \
      --location eastus \
      --public-ip-address gateway-ip-address \
      --resource-group techTalk \
      --vnet hub-vnet \
      --gateway-type Vpn \
      --sku Standard \
      --vpn-type RouteBased \
      --no-wait

    az network route-table create \
      --resource-group techTalk \
      --name spoke1RouteTable

    az network route-table route create \
      --name spoke1ToSpoke2 \
      --resource-group techTalk \
      --route-table-name spoke1RouteTable \
      --address-prefix 10.2.1.0/24 \
      --next-hop-type VirtualNetworkGateway

    az network vnet subnet update \
      --vnet-name spoke1-vnet \
      --name spoke1-subnet \
      --resource-group techTalk \
      --route-table spoke1RouteTable

    az network route-table create \
      --resource-group techTalk \
      --name spoke2RouteTable

    az network route-table route create \
      --name spoke2ToSpoke1 \
      --resource-group techTalk \
      --route-table-name spoke2RouteTable \
      --address-prefix 10.1.1.0/24 \
      --next-hop-type VirtualNetworkGateway

    az network vnet subnet update \
      --vnet-name spoke2-vnet \
      --name spoke2-subnet \
      --resource-group techTalk \
      --route-table spoke2RouteTable

    az network vnet peering create \
      --resource-group techTalk \
      --name spoke1-Peering \
      --vnet-name hub-vnet \
      --remote-vnet spoke1-vnet \
      --allow-vnet-access \
      --allow-gateway-transit \
      --allow-forwarded-traffic

    az network vnet peering create \
      --resource-group techTalk \
      --name spoke1-hub-Peering \
      --vnet-name spoke1-vnet \
      --remote-vnet hub-vnet \
      --allow-vnet-access \
      --use-remote-gateways

    az network vnet peering create \
      --resource-group techTalk \
      --name spoke2-Peering \
      --vnet-name hub-vnet \
      --remote-vnet spoke2-vnet \
      --allow-vnet-access \
      --allow-gateway-transit \
      --allow-forwarded-traffic

    az network vnet peering create \
      --resource-group techTalk \
      --name spoke2-hub-Peering \
      --vnet-name spoke2-vnet \
      --remote-vnet hub-vnet \
      --allow-vnet-access \
      --use-remote-gateways

    az network nsg create -g techTalk -n spoke1-subnet-ng -l eastus
    az network nsg create -g techTalk -n spoke2-subnet-ng -l eastus

    az network vnet subnet update \
      --vnet-name spoke1-vnet \
      --name spoke1-subnet \
      --resource-group techTalk \
      --route-table spoke1RouteTable \
      --network-security-group spoke1-subnet-ng

    az network vnet subnet update \
      --vnet-name spoke2-vnet \
      --name spoke2-subnet \
      --resource-group techTalk \
      --route-table spoke2RouteTable \
      --network-security-group spoke2-subnet-ng

    az network nsg rule create --name rdpRule --nsg-name spoke1-subnet-ng --priority 200 --resource-group techTalk --access Allow --description "Allow RDP" --destination-port-ranges 3389 --direction Inbound --protocol TCP --source-address-prefixes "*"

    az network nsg rule create --name rdpRule --nsg-name spoke2-subnet-ng --priority 200 --resource-group techTalk --access Allow --description "Allow RDP" --destination-port-ranges 3389 --direction Inbound --protocol TCP --source-address-prefixes "*"

    az network vnet subnet create -g techTalk --vnet-name hub-vnet --name AzureBastionSubnet --address-prefix 10.0.252.64/27

    az network public-ip create --resource-group techTalk --name bastionpip --sku Standard --location eastus
    az network bastion create --name MyBastion --public-ip-address bastionpip --resource-group techTalk --vnet-name hub-vnet --location eastus --no-wait

    # Create VM1 in spoke1-vnet (spoke1-subnet) to test spoke-to-spoke communication
    devWorkLoadSubNetID=$(az network vnet subnet show --resource-group techTalk --name spoke1-subnet --vnet-name spoke1-vnet --query id -o tsv)
    az vm create --resource-group techTalk --name VM1 --image win2016datacenter --admin-username $VmUser --admin-password $AdminPassword --size Standard_B1s --use-unmanaged-disk --storage-sku Standard_LRS --subnet $devWorkLoadSubNetID --nsg "" --public-ip-address "" --no-wait

    # Create VM2 in spoke2-vnet (spoke2-subnet)
    prodWorkLoadSubNetID=$(az network vnet subnet show --resource-group techTalk --name spoke2-subnet --vnet-name spoke2-vnet --query id -o tsv)
    az vm create --resource-group techTalk --name VM2 --image win2016datacenter --admin-username $VmUser --admin-password $AdminPassword --size Standard_B1s --use-unmanaged-disk --storage-sku Standard_LRS --subnet $prodWorkLoadSubNetID --nsg "" --public-ip-address "" --no-wait
    

  2. Remote Desktop can't connect to the remote computer for one of these reasons:

    1. Remote access to the service is not enabled
    2. The remote computer is turned off. (Verified through the Azure Portal that it is turned on, because Start is faded while Restart and Stop are not.)
    3. The remote computer is not available on the network.

    To resolve this issue, please check that your VM's resource health is in a healthy state; this may impact connectivity to the VM in the Azure platform. If it is not healthy, you can use Diagnose and solve problems.

    1. Try Reset password with "Reset configuration only"; this will help with the RDP configuration when Remote Connections is deactivated, or RDP is being blocked by Windows Firewall rules. Then try to access RDP.

    2. Make sure you have configured Boot diagnostics (try to enable diagnostics). You can see the screenshot from boot diagnostics, download the serial log, and investigate the console log for additional information to determine why RDP is not functioning in your situation.

    3. Try to reset your user credentials: provide the username and password and update. It resets the local administrator password; then try to access RDP.

    4. Or else, in the virtual machine -> Networking under Settings -> click on your network interface (e.g. web server) -> in the network interface -> IP configuration, click on the private IP address. Try to change the Assignment to Static, provide a different static IP address, save, and try to access the VM through RDP. Once RDP is connected, change it back to Dynamic.

    Suppose you are still not able to access RDP; try to Redeploy as below. It will redeploy the virtual machine to another host within Azure; if there is any underlying issue or networking issue, redeploying can resolve it. Ephemeral disk data will be lost and dynamic IP addresses that are associated with the VM are updated.

  3. What kind of firewall rules do you have?

    I have three more suggestions:

    1) Check if you have an NSG attached to the VM NICs

    • Using both subnet-attached and NIC-attached NSG rules is not recommended. Not sure from the screenshot if the subnet-attached NSG is the only NSG
    • Default rule 65000 should allow access from a peered VNet anyway
    • Unless you have a specific reason to, we recommend that you associate a network security group to a subnet, or a network interface, but not both. Since rules in a network security group associated to a subnet can conflict with rules in a network security group associated to a network interface, you can have unexpected communication problems that require troubleshooting.
      ref: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

    2) Check the RDP setting

    • I personally had to run reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v MaxOutstandingConnections /t REG_DWORD /d 10000 on the serial console for a few installations to get RDP working

    3) Capture network traffic

    • Capture network traffic on the destination subnet to see
      • if traffic goes through the firewall
      • and if the destination VM sends back ACK packets for the initial SYN segments
    • Then compare the captured traffic with firewall rules, statistics and logs to find out if the firewall is blocking access.
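Added example, not code from the question or any of the answers: an offline Python model of the Dev VM -> Prod VM RDP path under the state the Update#2 script creates (UDR to the firewall, forwarded traffic allowed on the peerings, AllowRDP on the Prod NSG), so the "compare traffic with firewall rules" step above can be reasoned through before a capture. It assumes Azure Firewall's implicit deny when no network rule matches, the addresses named in the question (the Dev VM address and the RDP_RULE limited to the two workload subnets are constructed), and ignores application rules and the return path, which the stateful firewall handles.

```python
import ipaddress

FW_IP = "10.11.253.4"                        # firewall private IP named in the question's Update
DEV_VM, PROD_VM = "10.12.2.4", "10.13.2.4"   # Prod VM address from the tracert; Dev VM address constructed
VNETS = ["10.11.0.0/16", "10.12.0.0/16", "10.13.0.0/16"]   # hub, dev, prod

# State produced by the Update#2 script: UDR on Dev Workload1 and the NSG on Prod Workload1
DEV_UDR = [("10.13.0.0/16", "VirtualAppliance", FW_IP)]
PROD_NSG = [(200, "Allow", "TCP", "*", "3389"),            # AllowRDP from the script
            (65000, "Allow", "*", "VirtualNetwork", "*"),   # Azure default AllowVnetInBound
            (65500, "Deny", "*", "*", "*")]                 # Azure default DenyAllInBound
PEERING_ALLOWS_FORWARDED = True                             # --allow-forwarded-traffic on both sides

def _match(addr, spec):
    """Rule address field: '*', the VirtualNetwork service tag (covers peered VNets), or a CIDR."""
    ip = ipaddress.ip_address(addr)
    nets = VNETS if spec == "VirtualNetwork" else ["0.0.0.0/0"] if spec == "*" else [spec]
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)

def next_hop(udr, dst):
    """Longest-prefix match over the UDR; no match means the system VNet/peering route."""
    ip, best = ipaddress.ip_address(dst), None
    for prefix, hop_type, hop_ip in udr:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop_type, hop_ip)
    return ("VNetLocal", None) if best is None else (best[1], best[2])

def firewall_allows(rules, src, dst, proto, port):
    """Azure Firewall network rules: first matching rule wins; no match is an implicit deny."""
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto == proto and _match(src, rsrc) and _match(dst, rdst) and rport in ("*", port):
            return action == "Allow"
    return False

def nsg_allows(rules, src, proto, port):
    """NSG inbound evaluation: lowest priority number wins; defaults (65000/65500) close the list."""
    for _, action, rproto, rsrc, rport in sorted(rules):
        if rproto in ("*", proto) and _match(src, rsrc) and rport in ("*", port):
            return action == "Allow"
    return False

def rdp_path(fw_rules):
    """Walk Dev VM -> Prod VM on TCP/3389 and report the first control that stops it."""
    hop_type, _ = next_hop(DEV_UDR, PROD_VM)
    if hop_type == "VirtualAppliance":
        if not PEERING_ALLOWS_FORWARDED:
            return "blocked: peering does not allow forwarded traffic"
        if not firewall_allows(fw_rules, DEV_VM, PROD_VM, "TCP", "3389"):
            return "blocked: Azure Firewall has no matching network rule"
    if not nsg_allows(PROD_NSG, DEV_VM, "TCP", "3389"):
        return "blocked: NSG on Prod Workload1"
    return "allowed"

# Constructed network rule that permits RDP only between the two workload subnets
RDP_RULE = [("Allow", "TCP", "10.12.2.0/24", "10.13.2.0/24", "3389")]

if __name__ == "__main__":
    print(rdp_path([]))        # blocked: Azure Firewall has no matching network rule
    print(rdp_path(RDP_RULE))  # allowed
```

With the script as posted the firewall has no rules at all, so the model stops at the firewall; adding only the scoped RDP_RULE lets the path through while a source in the Management subnet still has no match.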