
I created some GitHub self-hosted runners and would like them to have access to my resources behind a separate virtual network. I know that whitelisting the IP address of the machine will give it access, but I will end up having any number of virtual machines that could be a self-hosted runner, so adding/deleting those IP addresses from the whitelist for each of my resources seems like a lot of manual work, or I would need automation to whitelist IP addresses on each of my resources when creating the self-hosted runners.

I tried to peer the virtual network that my self-hosted runners would be connected to with the virtual network of the rest of my resources, thinking it would grant the self-hosted runners access to those resources, but I get a 403 firewall error when I attempt any changes or reading of the resource... Am I missing something here? Reading through Microsoft documentation makes it seem like peering the virtual networks would work.

I have bidirectional peering on both VNets and forward traffic to and from the VNets in the peering settings. My NSGs on both VNet subnets are just the basic ones that allow inbound and outbound VNet traffic.

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

Is there a recommended way of going at this?

user3369494

1 Answer


If you just want to access the resources in one VNet from another VNet, the network peering is enough. But there is a limitation: there must be no NSG associated with the resources or the VNet. If NSGs exist, you need to add rules to allow the traffic. For example, if the resources are VMs, then it should work as needed. Of course, the firewall inside the VMs should also allow the traffic.

Charles Xu
  • I just have the basic NSG on both VNets' subnets, so it allows VNet inbound and outbound, but my containers on my VM and my VM still can't access the resources, with az cli or terraform. `Client address is not authorized and caller is not a trusted service.... 'Forbidden by firewall'` is one such error I get. I have bidirectional peering on both VNets – user3369494 Jun 28 '21 at 19:11
  • @user3369494 This error means you don't have permission to access other resources. I suggest you enable the managed identity of the VM and assign the Contributor role to the identity with the scope of the resources you want to access. [Here](https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-managed-identities-work-vm) is the documentation. – Charles Xu Jun 29 '21 at 01:12
  • I tried to utilize managed identity on the VM and give it access to the resources (a storage account for example) but I still get the same error. I even tried to manually whitelist the IP address of my self-hosted runner and I can't seem to access it still (same error). But when I dynamically whitelist the IP address of a Microsoft-hosted runner during a workflow, it works ~80% of the time. This is pretty frustrating – user3369494 Jul 07 '21 at 16:13
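The setup the answer describes (bidirectional peering plus an explicit NSG rule on the resources side), written out as Terraform. This is an added example, not code from the question, the answer or Microsoft; it assumes an `azurerm_resource_group.rg`, two `azurerm_virtual_network` resources (`runners` on 10.10.0.0/16, `resources` on 10.20.0.0/16) and an `azurerm_network_security_group.resources` are declared elsewhere, and all names and address ranges are constructed.

```hcl
# Added example: peer the runner VNet with the resources VNet in both
# directions and admit only the runner VNet's address range through the NSG.
# Resource names and CIDRs below are assumed, not taken from the question.

resource "azurerm_virtual_network_peering" "runners_to_resources" {
  name                         = "runners-to-resources"
  resource_group_name          = azurerm_resource_group.rg.name
  virtual_network_name         = azurerm_virtual_network.runners.name
  remote_virtual_network_id    = azurerm_virtual_network.resources.id
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true
}

# Peering is not symmetric by default; the reverse link is a separate resource.
resource "azurerm_virtual_network_peering" "resources_to_runners" {
  name                         = "resources-to-runners"
  resource_group_name          = azurerm_resource_group.rg.name
  virtual_network_name         = azurerm_virtual_network.resources.name
  remote_virtual_network_id    = azurerm_virtual_network.runners.id
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true
}

# Inbound rule on the resources subnet's NSG. The source is the runner VNet's
# range (assumed 10.10.0.0/16) rather than the VirtualNetwork service tag, so
# a third VNet peered later is not admitted implicitly. Only the port the
# runners actually need is opened (HTTPS assumed here).
resource "azurerm_network_security_rule" "allow_runner_vnet" {
  name                        = "allow-runner-vnet-https"
  priority                    = 200
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "443"
  source_address_prefix       = "10.10.0.0/16"
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.rg.name
  network_security_group_name = azurerm_network_security_group.resources.name
}
```

After `terraform apply`, `az network nic list-effective-nsg` on the resource VM's NIC shows whether the rule is actually in effect for that interface.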