
I have a situation where I want to open my Vnet (let's say Vnet1) to other Vnets (which have private IP ranges defined). I am thinking of using NSG rules and allowing the private IP ranges of the other Vnets (let's say Vnet2, Vnet3) to this entry point subnet (in Vnet1) which hosts my API gateway. I have two questions:

  1. I assume it should be feasible using private IP addresses and allowing them using the NSG (of Vnet1/Subnet1)? I am not looking for peering/S2S VPN between the Vnets, as they belong to separate teams and Vnet2/Vnet3 just want to access the APIs of Vnet1 using the API gateway.

  2. Are there any security issues which we foresee? I assume it is safe to expose since these are private IPs and cannot be accessed from the internet.

Please let me know your opinion on feasibility and security.

Thanks, Xslguy

xslguy
  • If the VNETs aren't peered, vnet1 will see the public IP of the resources in vnet2. You could whitelist those public IPs with NSGs as long as they are static and not shared AND the API in vnet1 is publicly accessible. Why don't you want to peer the VNETs? If they belong to the same company, that's pretty standard practice. – Jason P Mar 27 '21 at 18:44
  • Thanks, I didn't get "If the VNETs aren't peered, vnet1 will see the public IP of the resources in vnet2." All Vnet IPs are private IPs and not in a public IP range; will it be possible to use the private IP range and whitelist it? Peering may need convincing multiple teams and that may take time; I am looking for a simpler/quicker solution to configure the NSG and allow other Vnets (if feasible using private IPs). – xslguy Mar 27 '21 at 19:01
  • No, it doesn't work that way. If the VNETs aren't peered or connected by VPN, the only way to get from one to another is to leave private IP space and use public IPs. Let's say those resources have a private IP of 10.1.1.20. There's nothing to stop anyone else from creating a VM with that IP address in their own VNET. How would you know which is which? Check this link for a standard network architecture to do what you're wanting to accomplish - https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/hub-spoke-network-topology – Jason P Mar 27 '21 at 19:14
  • So if I understand it correctly, private IPs in the NSG will only work if Vnet peering is enabled? Otherwise the NSG will see the source IPs as public IPs. Are you saying that if we enable peering then there may be a conflict of private IPs as well, assuming both are created by different teams at different times, and chances are there that there can be a conflict? Please correct me if I am wrong. – xslguy Mar 27 '21 at 19:26
  • That is all correct, yes. – Jason P Mar 27 '21 at 19:28
  • Got it, thanks for educating me on the peering and NSG/private IP interrelationship. – xslguy Mar 27 '21 at 19:44
  • Another question: can a Vnet be represented by a single public IP which will be sent while calling the APIs of Vnet1 (Vnet1 has an Internet Gateway in front of APIM)? When traffic moves out of any Vnet, which IP goes? My assumption is that it should be a public IP. – xslguy Mar 27 '21 at 19:48
  • It depends on how the VNET and resource are set up. If the resources have public IPs, that's what you would see. If not, then you could use a VNAT to control the outbound IP. – Jason P Mar 27 '21 at 19:52
  • Does that mean it can be a static public IP or a dynamic IP (which keeps changing) while traffic is outbound? How do we control at the Vnet level which IP we are sending? – xslguy Mar 27 '21 at 19:56
  • It depends on the type of resource and how it's configured. – Jason P Mar 27 '21 at 22:20

1 Answer


To help others who might find the same scenario, I will just extract the useful information from the comments and write it up as my answer.

An Azure VNet is a logical isolation of the Azure cloud dedicated to your subscription. VNet peering allows traffic between two VNets to be routed through Microsoft's private network only. If the VNets haven't been peered, vnet1 will not connect to resources in vnet2 using their private IPs but using the public IP of the resources in vnet2. In this case, we need to restrict the source public IP in the inbound rules of the NSG attached to the subnet. With VNet peering, you could also restrict access from one subnet to another subnet by using the source private IP in the inbound rules of the NSG attached to the subnet.

From Security rules:

If you specify an address for an Azure resource, specify the private IP address assigned to the resource. Network security groups are processed after Azure translates a public IP address to a private IP address for inbound traffic, and before Azure translates a private IP address to a public IP address for outbound traffic.

Nancy