I'm trying to figure out how to configure a Virtual Network Manager (AVNM) mesh. My goal is to default to allowing VNETs to be peered without automatically allowing traffic between them. Normally, when you peer VNETs, you can uncheck the option 'Allow VNET XXX to access VNET YYY', which prevents traffic unless specific NSG rules are created. We want to have this setup for various groups of VNETs, ensuring that traffic is allowed only as requested by service teams. This way, we can manage Azure's internal traffic more efficiently without routing everything through a central firewall, as we would on on-premise networks using L3 ACLs. However, I'm unsure if AVNM can accommodate this requirement. Any thoughts on whether this is feasible or if I should stick to a traditional hub-and-spoke model?
3 Answers
Using a mesh setup can be tricky when managing communication over the long term. The hub-and-spoke model is generally better for scaling and keeping things straightforward. If you're only moving small amounts of data, peering in the same region shouldn't really incur extra costs, but if you're handling larger transfers like 10TB, it might be worth considering a virtual WAN instead.
From what I understand, when you uncheck 'Allow VNET A to access VNET B', it basically blocks traffic unless you set NSGs specifically for that. If those connections are enabled, your VMs in the mesh can communicate freely, which is the default behavior in AVNM setups. If you prefer more controlled access, a hub-and-spoke model might be easier by directing traffic through a virtual appliance which can handle the allow/deny rules without the hassle of managing NSGs across multiple networks.
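As an added example (not code from this thread or from Microsoft), the Bicep below spells out the setup this answer describes: a peering created with the 'Allow VNET A to access VNET B' box unchecked on both sides, and an NSG on the destination subnet that admits only the one flow a service team asked for. The VNet names, subnet ranges and the 443/TCP flow are assumptions.

```bicep
// Assumed: vnet-a (app subnet 10.1.1.0/24) and vnet-b already exist in this resource group.
resource vnetA 'Microsoft.Network/virtualNetworks@2023-09-01' existing = { name: 'vnet-a' }
resource vnetB 'Microsoft.Network/virtualNetworks@2023-09-01' existing = { name: 'vnet-b' }

// With access blocked on the peering below, the default AllowVnetInBound rule no
// longer admits vnet-a, so this explicit rule is the only path into vnet-b's subnet.
resource nsgB 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'nsg-vnet-b-app'
  location: resourceGroup().location
  properties: {
    securityRules: [
      {
        name: 'allow-vnet-a-app-https'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '10.1.1.0/24'
          sourcePortRange: '*'
          destinationAddressPrefix: '10.2.1.0/24'
          destinationPortRange: '443'
        }
      }
    ]
  }
}

// Attach the NSG to vnet-b's app subnet (assumed range).
resource subnetB 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: vnetB
  name: 'app'
  properties: { addressPrefix: '10.2.1.0/24', networkSecurityGroup: { id: nsgB.id } }
}

// Peer both ways with allowVirtualNetworkAccess: false, i.e. the unchecked portal box.
resource peerAB 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-09-01' = {
  parent: vnetA
  name: 'vnet-a-to-vnet-b'
  properties: { remoteVirtualNetwork: { id: vnetB.id }, allowVirtualNetworkAccess: false, allowForwardedTraffic: false }
}

resource peerBA 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-09-01' = {
  parent: vnetB
  name: 'vnet-b-to-vnet-a'
  properties: { remoteVirtualNetwork: { id: vnetA.id }, allowVirtualNetworkAccess: false, allowForwardedTraffic: false }
}
```

Every further flow a team requests becomes another explicit NSG rule; nothing else crosses the peering.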
Have you considered setting AVNM routing rules to allow traffic only from certain VNETs to go to a central firewall, and then manage communication there? That might give you more control while still utilizing the hub-and-spoke setup. But it would essentially follow the traditional model.