1

If two VNets are connected to each other via multiple sets of peered VNets, how does Azure route the traffic? For example, let's consider the below: A, B, C, D are 5 VNets and they are peered (bi-directionally with traffic forwarding allowed).

(image: diagram of the VNet peerings; not available)

Now if A wants to send a packet to D, how is it determined whether it will take the A-B-C-D path or the A-E-D path?

Any docs will be helpful.

Sayantan Ghosh
  • 998
  • 2
  • 9
  • 29

3 Answers

3

As far as I know, VNet Peering connections are non-transitive. It seems that it's still on the roadmap. See the feedback here.

From your picture, if there are only VNet Peering connections between them, then A could not reach D, and A also could not reach C. A could only reach the directly connected B and E.

If you want to allow communication among many VNets, you could implement a hub-spoke network topology in Azure. In the hub network, you could deploy a VPN gateway, then enable "allow gateway transit" towards the spoke VNets and enable "use remote gateways" in each spoke VNet. If you require connectivity between spokes, consider implementing an NVA for routing in the hub, and using UDRs (custom routes) in the spokes to forward traffic to the hub. In this scenario, you must configure the peering connections to allow forwarded traffic.

VNet Peering enables you to connect VNets through the Azure backbone network. Azure automatically creates a route table for each subnet within an Azure VNet and adds system default routes to the table. You can also override some of Azure's system routes with custom routes.

If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority:

  • User-defined route

  • BGP route

  • System route

You could get more details in Virtual network traffic routing.

Nancy
  • 26,865
  • 3
  • 18
  • 34
  • Thanks Nancy, that helps. Can the gateway connections be transitive? (If we assume in the above picture, all the connections are gateway connections). – Sayantan Ghosh Apr 10 '19 at 06:21
  • I think no, since one peering could only have one gateway: if one of two peered VNets uses "allow gateway transit", the other will use "use remote gateways". In this case, A allows gateway transit, B uses remote gateways, but C could not use remote gateways since B has no gateway set. – Nancy Apr 10 '19 at 06:35
  • Hi Nancy, I mean if A is connected to B via VPN gateway and similarly B and C, and C and D (all the connections are bidirectionally established)... in this case can traffic reach C/D from A? – Sayantan Ghosh Apr 10 '19 at 06:37
  • Do you mean A has a gateway set, and B also has a gateway set? If just A has a gateway set, A also could not reach C. In a hub-spoke network, you could have A's gateway set, then B, C, D, E are connected to A like [this](https://azure.microsoft.com/en-us/blog/networking-to-and-within-the-azure-cloud-part-3/). Or without a gateway, you could set up an NVA in this scenario. Using B as the NVA, you could reach C from A via B. – Nancy Apr 10 '19 at 06:46
  • Yes, like A<->B<->C<->D (<-> being vpn gateway connections between gateways set in the respective VNets). – Sayantan Ghosh Apr 10 '19 at 06:46
  • If A has a gateway, then B can not have a gateway. Suppose C has a gateway and D has no gateway. A still could not reach C since A and C have different gateways. It's not really necessary to use a gateway when you connect multiple VNet peerings in this case. You could set up an NVA in some VNet as the middle "router" device to transit your traffic. – Nancy Apr 10 '19 at 07:10
  • I think I confused you. My above statements are assuming that the earlier mentioned peering connections do not exist and only the gateway connections exist. In that case A and B both can hold a gateway and connect to each other (not referring to a remote gateway scenario). – Sayantan Ghosh Apr 10 '19 at 07:24
  • As I mentioned above, one peering only has one gateway. If A and B both hold a gateway and connect to each other with peering, it works like a pure VNet Peering. You could `not` select the option "use remote gateways" in A or B. – Nancy Apr 10 '19 at 07:30
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/191580/discussion-between-sayantan-ghosh-and-nancy-xiong). – Sayantan Ghosh Apr 10 '19 at 07:32
1

According to this article you'd need an NVA somewhere; VNet peering is non-transitive.

At the beginning of the same article they talk a bit more about this.

To sum it up: the packet won't reach D from A unless you fix your networking setup.

4c74356b41
  • 69,186
  • 6
  • 100
  • 141
0

Some years ago, but I think service chaining allows that, as far as I understand the documentation.

To enable service chaining, configure user-defined routes that point to virtual machines in peered virtual networks as the next hop IP address. User-defined routes could also point to virtual network gateways to enable service chaining.

Kaspatoo
  • 1,223
  • 2
  • 11
  • 28
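The following is an added example, not code from the question or from any of the answers above. It is a small Python model of an Azure subnet route table and of forwarding between peered VNets, written to show the mechanics behind both the accepted answer (peering is non-transitive; route selection is longest prefix first, then user-defined over BGP over system; an NVA in a hub plus a UDR in the spoke and "allow forwarded traffic" on the peering gets traffic through) and the last answer's service chaining (a UDR whose next hop is a VM in a directly peered VNet). The VNet names follow the question; the address ranges and the NVA addresses are constructed for the example, and the per-direction "allow forwarded traffic" flag is a simplification of the real peering setting.

```python
"""Model of Azure route selection across peered VNets (constructed example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Among routes with the same prefix: user-defined > BGP > system.
SOURCE_PRIORITY = {"user": 0, "bgp": 1, "system": 2}


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop_type: str                  # VirtualNetwork | VNetPeering | VirtualAppliance | Internet
    source: str                         # user | bgp | system
    next_hop_ip: Optional[str] = None   # only meaningful for VirtualAppliance


@dataclass
class VNet:
    name: str
    prefix: ipaddress.IPv4Network
    udrs: list = field(default_factory=list)   # user-defined routes on the modelled subnet
    nva_ip: Optional[str] = None               # VM with IP forwarding enabled, if any


class Fabric:
    """A few VNets, their peerings, and the route tables Azure derives from them."""

    def __init__(self):
        self.vnets = {}
        self.peerings = {}   # (receiver, sender) -> receiver accepts traffic sender only forwarded

    def add_vnet(self, name, cidr, nva_ip=None):
        self.vnets[name] = VNet(name, ipaddress.ip_network(cidr), nva_ip=nva_ip)

    def peer(self, a, b, allow_forwarded_traffic=False):
        # Bidirectional peering; the flag is applied in both directions here.
        self.peerings[(a, b)] = allow_forwarded_traffic
        self.peerings[(b, a)] = allow_forwarded_traffic

    def add_udr(self, vnet, cidr, nva_ip):
        self.vnets[vnet].udrs.append(Route(ipaddress.ip_network(cidr), "VirtualAppliance", "user", nva_ip))

    def owner(self, ip):
        """Name of the VNet whose address space contains ip, or None."""
        return next((v.name for v in self.vnets.values() if ip in v.prefix), None)

    def system_routes(self, name):
        v = self.vnets[name]
        routes = [Route(v.prefix, "VirtualNetwork", "system")]
        # One system route per *direct* peering; peers of peers get nothing (non-transitive).
        for (src, dst) in self.peerings:
            if src == name:
                routes.append(Route(self.vnets[dst].prefix, "VNetPeering", "system"))
        routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), "Internet", "system"))
        return routes

    def select_route(self, name, dest_ip):
        """Longest prefix match, ties broken by route source."""
        dest = ipaddress.ip_address(dest_ip)
        candidates = [r for r in self.vnets[name].udrs + self.system_routes(name) if dest in r.prefix]
        candidates.sort(key=lambda r: (-r.prefix.prefixlen, SOURCE_PRIORITY[r.source]))
        return candidates[0]

    def trace(self, src, dest_ip, max_hops=8):
        """Follow a packet from VNet src; returns (list of VNets visited, verdict)."""
        dest = ipaddress.ip_address(dest_ip)
        current, path, forwarded = src, [src], False
        for _ in range(max_hops):
            route = self.select_route(current, dest)
            if route.next_hop_type == "VirtualNetwork":
                return path, "delivered"
            if route.next_hop_type == "Internet":
                return path, f"dropped in {current}: no route to {dest} (peering is non-transitive)"
            if route.next_hop_type == "VNetPeering":
                nxt = self.owner(dest)
                if forwarded and not self.peerings[(nxt, current)]:
                    return path, f"dropped: {nxt} does not allow forwarded traffic from {current}"
                return path + [nxt], "delivered"
            # VirtualAppliance: the next hop must be in this VNet or in a directly peered one.
            nva_ip = ipaddress.ip_address(route.next_hop_ip)
            hub = self.owner(nva_ip)
            if hub is None or (hub != current and (hub, current) not in self.peerings):
                return path, f"dropped in {current}: next hop {nva_ip} is not reachable"
            if self.vnets[hub].nva_ip != str(nva_ip):
                return path, f"dropped: {nva_ip} does not forward (IP forwarding disabled)"
            if hub != current:
                path.append(hub)
            current, forwarded = hub, True   # the NVA re-routes using its own subnet's table
        return path, "dropped: hop limit exceeded"


def build_question_topology():
    """A-B-C-D chain plus A-E-D, plain bidirectional peering with forwarding allowed."""
    f = Fabric()
    for name, cidr in [("A", "10.1.0.0/16"), ("B", "10.2.0.0/16"), ("C", "10.3.0.0/16"),
                       ("D", "10.4.0.0/16"), ("E", "10.5.0.0/16")]:
        f.add_vnet(name, cidr)
    for a, b in [("A", "B"), ("B", "C"), ("C", "D"), ("A", "E"), ("E", "D")]:
        f.peer(a, b, allow_forwarded_traffic=True)
    return f


def build_hub_topology(allow_forwarded_traffic=True):
    """Same VNets, but E hosts an NVA and A carries a UDR sending D-bound traffic to it."""
    f = build_question_topology()
    f.vnets["E"].nva_ip = "10.5.0.4"   # constructed NVA address
    f.peer("E", "D", allow_forwarded_traffic=allow_forwarded_traffic)
    f.add_udr("A", "10.4.0.0/16", "10.5.0.4")
    return f


if __name__ == "__main__":
    print(build_question_topology().trace("A", "10.4.1.10"))   # dropped in A: no route
    print(build_hub_topology().trace("A", "10.4.1.10"))        # (['A', 'E', 'D'], 'delivered')
    print(build_hub_topology(False).trace("A", "10.4.1.10"))   # dropped: D rejects forwarded traffic
```

With plain peering the packet never leaves A, because A's route table only carries system routes for its own space and for B and E; neither path in the question is ever considered. With a UDR for D's range pointing at the NVA in E, the user-defined route wins at A, E's own system route to D carries the forwarded packet, and the trace becomes A, E, D. Flipping "allow forwarded traffic" off on the E-D peering drops the same packet at D, which is why the accepted answer insists on that peering setting.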