I have the following Vnets:
vnet-hub-poc-hubspoke is the Hub Vnet. It has the following subnets, with a firewall, and is peered with the Prod & Dev Vnets.
Prod Vnet is configured as shown below.
Dev Vnet is configured as shown below.
I have the following VMs created, one in each Vnet, with the below rules.
I have the following Route tables with the below configuration.
I am able to ping the Firewall from both VMs; however, I am not able to RDP.
What am I missing?
Update: I guess the request is going to the Firewall (10.11.253.4) but getting timed out.
C:\Users\kavija>tracert 10.13.2.4
Tracing route to 10.13.2.4 over a maximum of 30 hops
Update#2: I have used the below script
# Define Variable
rgName=SpokeToSpoke
location=eastus
hubVNetName=vnet-hub
prodVnetName=vnet-prod
devVnetName=vnet-dev
myFirewallPublicIPName="firewallPublicIP"
azFirewallName="azFirewallName"
azureworkloadRG="AzureProdWorkLoad"
azureDevWorkloadRG="AzureDevWorkLoad"
VmUser="demouserXXX"
VmName1="ProdSever"
VmName2="DevSever"
fwRouteTableProdName=prod-route-table
fwRouteTableDevName=dev-route-table
bastionName="MyBastion"
bastionPIPName="bastionpip"
rdpRuleName=AllowRDP
priority=200
rgroup=prod-ukw-core-rg
access=Allow
description="Allow RDP from office IP address"
destPort=3389
direction=Inbound
protocol=TCP
# Create Resource Group
az group create --name $rgName --location $location
# Create Azure Hub VNET
az network vnet create -g $rgName --name $hubVNetName --address-prefixes 10.11.0.0/16 --location $location
az network vnet subnet create -g $rgName --vnet-name $hubVNetName --name Management --address-prefix 10.11.1.0/24
az network vnet subnet create -g $rgName --vnet-name $hubVNetName --name AppGatewaySubnet --address-prefix 10.11.252.0/26
az network vnet subnet create -g $rgName --vnet-name $hubVNetName --name AzureBastionSubnet --address-prefix 10.11.252.64/27
az network vnet subnet create -g $rgName --vnet-name $hubVNetName --name AzureFirewallSubnet --address-prefix 10.11.253.0/26
az network vnet subnet create -g $rgName --vnet-name $hubVNetName --name GatewaySubnet --address-prefix 10.11.254.0/27
# Create Azure Dev VNET
az network vnet create -g $rgName --name $devVnetName --address-prefixes 10.12.0.0/16 --location $location
az network vnet subnet create -g $rgName --vnet-name $devVnetName --name Management --address-prefix 10.12.1.0/24
az network vnet subnet create -g $rgName --vnet-name $devVnetName --name Workload1 --address-prefix 10.12.2.0/24
# Create Azure Prod VNET
az network vnet create -g $rgName --name $prodVnetName --address-prefixes 10.13.0.0/16 --location $location
az network vnet subnet create -g $rgName --vnet-name $prodVnetName --name Management --address-prefix 10.13.1.0/24
az network vnet subnet create -g $rgName --vnet-name $prodVnetName --name Workload1 --address-prefix 10.13.2.0/24
# Dev Subnet NSG
az network nsg create -g $rgName -n Dev-Management-subnet -l $location -o table
az network nsg create -g $rgName -n Dev-Workload1-subnet -l $location -o table
az network vnet subnet update -g $rgName --vnet-name $devVnetName --name Management --network-security-group Dev-Management-subnet
az network vnet subnet update -g $rgName --vnet-name $devVnetName --name Workload1 --network-security-group Dev-Workload1-subnet
# Prod Subnet NSG
az network nsg create -g $rgName -n Prod-Management-subnet -l $location -o table
az network nsg create -g $rgName -n Prod-Workload1-subnet -l $location -o table
az network vnet subnet update -g $rgName --vnet-name $prodVnetName --name Management --network-security-group Prod-Management-subnet
az network vnet subnet update -g $rgName --vnet-name $prodVnetName --name Workload1 --network-security-group Prod-Workload1-subnet
# Enable RDP at NSG Level for Dev Workload
az network nsg rule create --name $rdpRuleName --nsg-name Dev-Workload1-subnet --priority $priority --resource-group $rgName --access $access --description "$description" --destination-port-ranges $destPort --direction $direction --protocol $protocol --source-address-prefixes "*"
# Enable RDP at NSG Level for Prod Workload
az network nsg rule create --name $rdpRuleName --nsg-name Prod-Workload1-subnet --priority $priority --resource-group $rgName --access $access --description "$description" --destination-port-ranges $destPort --direction $direction --protocol $protocol --source-address-prefixes "*"
# Create Firewall
az network public-ip create --name $myFirewallPublicIPName --resource-group $rgName --sku Standard --allocation-method Static
az network firewall create -g $rgName -n $azFirewallName --vnet-name $hubVNetName --sku AZFW_VNet --tier Standard
az network firewall ip-config create --firewall-name $azFirewallName --name FW-config1 --public-ip-address $myFirewallPublicIPName --resource-group $rgName --vnet-name $hubVNetName
az network firewall update --name $azFirewallName --resource-group $rgName
fwprivaddr="$(az network firewall ip-config list -g $rgName -f $azFirewallName --query "[?name=='FW-config1'].privateIpAddress" --output tsv)"
# Hub-Spoke-Hub Peering
az network vnet peering create -g $rgName --name HUBtoProd --vnet-name $hubVNetName --remote-vnet $prodVnetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit
az network vnet peering create -g $rgName --name HUBtoDEV --vnet-name $hubVNetName --remote-vnet $devVnetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit
az network vnet peering create -g $rgName --name ProdtoHUB --vnet-name $prodVnetName --remote-vnet $hubVNetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit
az network vnet peering create -g $rgName --name DEVtoHUB --vnet-name $devVnetName --remote-vnet $hubVNetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit
# Create Route table from Dev to Hub
az network route-table create --name $fwRouteTableDevName -g $rgName -l $location --disable-bgp-route-propagation true
az network route-table route create -g $rgName --name DevToProdSubnet-Route --route-table-name $fwRouteTableDevName --address-prefix 10.13.0.0/16 --next-hop-type VirtualAppliance --next-hop-ip-address $fwprivaddr
az network vnet subnet update -g $rgName --vnet-name $devVnetName -n Workload1 --address-prefixes 10.12.2.0/24 --route-table $fwRouteTableDevName
# Create Route table from Prod to Hub
az network route-table create --name $fwRouteTableProdName -g $rgName -l $location --disable-bgp-route-propagation true
az network route-table route create -g $rgName --name ProdToHubSubnet-Route --route-table-name $fwRouteTableProdName --address-prefix 10.12.0.0/16 --next-hop-type VirtualAppliance --next-hop-ip-address $fwprivaddr
az network vnet subnet update -g $rgName --vnet-name $prodVnetName -n Workload1 --address-prefixes 10.13.2.0/24 --route-table $fwRouteTableProdName
# Create Azure Bastion for Azure
az network public-ip create --resource-group $rgName --name $bastionPIPName --sku Standard --location $location
az network bastion create --name $bastionName --public-ip-address $bastionPIPName --resource-group $rgName --vnet-name $hubVNetName --location $location
# Create VM in Dev Vnet - Workload1 Subnet to test Spoke-to-Spoke communication
az group create --name $azureDevWorkloadRG --location $location
devWorkLoadSubNetID=$(az network vnet subnet show --resource-group $rgName --name "Workload1" --vnet-name $devVnetName --query id -o tsv)
az vm create --resource-group $azureDevWorkloadRG --name $VmName2 --image win2016datacenter --admin-username $VmUser --admin-password $AdminPassword --size Standard_B1s --use-unmanaged-disk --storage-sku Standard_LRS --subnet $devWorkLoadSubNetID --nsg "" --public-ip-address ""
# Create VM in Prod VNet - Workload1 Subnet
az group create --name $azureworkloadRG --location $location
prodWorkLoadSubNetID=$(az network vnet subnet show --resource-group $rgName --name "Workload1" --vnet-name $prodVnetName --query id -o tsv)
az vm create --resource-group $azureworkloadRG --name $VmName1 --image win2016datacenter --admin-username $VmUser --admin-password $AdminPassword --size Standard_B1s --use-unmanaged-disk --storage-sku Standard_LRS --subnet $prodWorkLoadSubNetID --nsg "" --public-ip-address ""
Update#3: I tried creating the Gateway as well
# Azure VNET Gateway
az network public-ip create -g $rgName --name pip-hub-gateway --allocation-method dynamic --dns-name $hubVNetName
az network vnet-gateway create -g $rgName --name vgw --vnet $hubVNetName --public-ip-address pip-hub-gateway --gateway-type vpn --client-protocol SSTP --sku Basic
az network vnet peering create -g $rgName --name ProdtoHUB --vnet-name $prodVnetName --remote-vnet $hubVNetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit --use-remote-gateways
az network vnet peering create -g $rgName --name DEVtoHUB --vnet-name $devVnetName --remote-vnet $hubVNetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit --use-remote-gateways
az network route-table route create -g $rgName --name DevToProdSubnet-Route --route-table-name $fwRouteTableDevName --address-prefix 10.13.0.0/16 --next-hop-type VirtualNetworkGateway
az network route-table route create -g $rgName --name ProdToHubSubnet-Route --route-table-name $fwRouteTableProdName --address-prefix 10.12.0.0/16 --next-hop-type VirtualNetworkGateway
3 Answers
Using the script below, I was able to establish communication between the spoke networks
Reference: https://github.com/jillesca/azure/tree/main/hub%20%26%20spoke
To resolve this issue, please check that your VM's resource health is in a healthy state, as this may impact connectivity to the VM in the Azure platform. If it is not healthy, you can diagnose and solve the problem.
Make sure you have configured boot diagnostics. Try to enable diagnostics; you can see the screenshot in boot diagnostics, download the screenshot and the serial log, and investigate the console log for additional information to determine why RDP is not functioning in your situation.
Try to reset your user credentials: provide a username and password and update. This resets the local administrator password; then try to access RDP.
Try to change the assignment to Static, provide a different static IP address, save, and try to access the VM through RDP. Once RDP is connected, change it back to Dynamic.
If you are still not able to access RDP, try to redeploy as below. This will redeploy the virtual machine to another host within Azure; if there is any underlying issue or networking issue, redeploying can resolve it. Ephemeral disk data will be lost, and dynamic IP addresses that are associated with the VM are updated.
What kind of firewall rules do you have?
I have three more suggestions:
1) Check if you have an NSG attached to the VM NICs
Unless you have a specific reason to, we recommend that you associate a network security group to a subnet, or a network interface, but not both. Since rules in a network security group associated to a subnet can conflict with rules in a network security group associated to a network interface, you can have unexpected communication problems that require troubleshooting.
ref: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
2) Check RDP setting
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v MaxOutstandingConnections /t REG_DWORD /d 10000
on serial console for a few installations to get RDP working
3) Capture network traffic
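
The posted script creates the firewall and routes both spokes through it, but contains no firewall rule commands, and Azure Firewall denies traffic that no rule allows. As an added example (not part of any post above), this Python model traces the Dev-to-Prod RDP flow through the script's user-defined routes and a default-deny rule list; the Dev VM address 10.12.2.4, the rule dictionary format and the ALLOW_RDP rule are assumptions made for illustration.

```python
import ipaddress

# Constructed model of the question's setup; prefixes and the firewall's
# private IP are taken from the posted script and the first update.
FIREWALL_IP = "10.11.253.4"
DEV_UDR = [("10.13.0.0/16", "VirtualAppliance", FIREWALL_IP)]   # dev-route-table
PROD_UDR = [("10.12.0.0/16", "VirtualAppliance", FIREWALL_IP)]  # prod-route-table

def next_hop(udr, dst):
    """Longest-prefix match over a subnet's user-defined routes."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), t, ip) for p, t, ip in udr
            if dst in ipaddress.ip_network(p)]
    if not hits:
        return ("VnetPeeringOrSystem", None)  # no UDR applies to this destination
    _, hop_type, hop_ip = max(hits, key=lambda h: h[0].prefixlen)
    return (hop_type, hop_ip)

def firewall_verdict(rules, src, dst, proto, port):
    """Evaluate rules in priority order; no match falls through to Deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r["priority"]):
        if (proto in r["protocols"] and port in r["ports"]
                and any(src in ipaddress.ip_network(n) for n in r["sources"])
                and any(dst in ipaddress.ip_network(n) for n in r["destinations"])):
            return r["action"]
    return "Deny"

def trace(udr, rules, src, dst, proto, port):
    """Report whether a flow is sent to the firewall and what it decides."""
    hop_type, hop_ip = next_hop(udr, dst)
    if hop_type != "VirtualAppliance":
        return "bypasses firewall"
    return f"via {hop_ip}: {firewall_verdict(rules, src, dst, proto, port)}"

# Hypothetical rule: RDP only, scoped to the two Workload1 subnets.
ALLOW_RDP = [{"priority": 200, "action": "Allow", "protocols": {"TCP"},
              "ports": {3389}, "sources": ["10.12.2.0/24"],
              "destinations": ["10.13.2.0/24"]}]

if __name__ == "__main__":
    # As posted: routed to the firewall, no rules defined.
    print(trace(DEV_UDR, [], "10.12.2.4", "10.13.2.4", "TCP", 3389))
    # With a scoped allow rule in place.
    print(trace(DEV_UDR, ALLOW_RDP, "10.12.2.4", "10.13.2.4", "TCP", 3389))
```

The model covers only routing and firewall network rules; the NSG rules on each Workload1 subnet are evaluated separately by Azure and still apply.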