Referring to 4:35 of the video, https://learn.microsoft.com/en-us/shows/exam-readiness-zone/preparing-for-az-104-implement-and-manage-virtual-networking-4-of-5 which says if I have multiple peered networks I just need one bastion to support all the peered networks. But since peered network is nontransitive, I wonder if the bastion only works for the directly peered network? For example, if VNET1 is peered with VNET2, and VENT2 is peered with VNET3. But VNET1 is not peered with VNET3. If I have deployed a Bastion in VNET1, it will not be able to connect to VMs in VNET3 using the bastion? Thanks.

You do need to provide end to end connectivity by implementing routing across indirectly connected VNets. But once you do, you can use a single Bastion deployment to provide connectivity to VMs on all VNets (obviously that's subject to scalability - as described in https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-bastion-limits ) If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated. hth Marcin

Can Bastion work for peer's peer by default?

Accepted answer

Marcin Policht 11,385 Reputation points MVP

2024-04-26T03:39:56.2566667+00:00

You do need to provide end to end connectivity by implementing routing across indirectly connected VNets. But once you do, you can use a single Bastion deployment to provide connectivity to VMs on all VNets (obviously that's subject to scalability - as described in https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-bastion-limits )

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Please sign in to rate this answer.
Xu Chen 85 Reputation points

2024-04-26T03:57:13.8766667+00:00

Hi @Marcin Policht ,

Thanks for the answer!

Understand the scalability limit. So can I take that, by default, the bastion can only work for the VMs in the same VNET or directly peered VNET only, and doesn't work for the indirectly peered VNETs? And in order to support VMs in indirectly VNETs, I must implement routing across indirectly connected VNets? By the way do you mean UDR?

I also remember a doc mentioned that in a hub and spoke network, a bastion in the hub VNET is enough to support all the VM connection in the network. But if the bastion is deployed in only one of the spoke VNET, it will not work for the VMs in other spoke VNETs right? Thanks.

KapilAnanth-MSFT 35,251 Reputation points Microsoft Employee

2024-04-26T09:04:23.4866667+00:00

@Sun Chen ,

The answer is partially correct.

Wrt, "the bastion can only work for the VMs in the same VNET or directly peered VNET only, and doesn't work for the indirectly peered VNETs?"

This is correct.

The Bastion Resource can be used to connect to VMs in the same VNET and Peered VNET only.

Wrt,"And in order to support VMs in indirectly VNETs, I must implement routing across indirectly connected VNets?"

I am afraid this is incorrect

You should not be able to use Bastion to connect to VMs in a VNET that is not peered to the VNET in which Bastion is deployed.

This is because BastionSubnet does not support UDR and because of this, you will not be able to any kind of routing.

See : Is user-defined routing (UDR) supported on an Azure Bastion subnet?

Wrt, "a bastion in the hub VNET is enough to support all the VM connection in the network. But if the bastion is deployed in only one of the spoke VNET, it will not work for the VMs in other spoke VNETs right?"

This is correct

With proper Hub - Spoke set up, the Bastion in HubVNET is enough to connect to VMs in both the HubVNET and all the Spoke VNETs.

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Sign in to comment

Can Bastion work for peer's peer by default?

0 additional answers