
Subnet to subnet peering in azure

We have our application and database in different VNETs in different subscriptions. Also we have different environments (Pre-Production and Production). Currently the databases for PROD and PRE-PROD are in different subnets but the same VNET.

I see we can have peering at VNET level. We want the peering between the application and database at subnet level so that PRE-PROD application should not be able to connect to PROD database and vice-versa.

From Microsoft documentation:

Azure routes traffic between all subnets within a virtual network, by default. You can create your own routes to override Azure's default routing.

https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-portal

You would want to look at network segmentation patterns. You can achieve basic microsegmentation by using Network Security Groups in Azure. Based on your question, I assume you want to allow traffic only from one subnet into another subnet (over a peered network though, but that does not matter much) - and maybe even only allow one database port to be accessed from your application subnet - and lock everything else down.

This approach is described here: https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-network-segmentation

You would want to create one NSG per subnet, make a rule to block all inbound traffic and then allow only traffic that is required. Note that NSGs are stateful, so you do not need to specify outbound rules for your traffic. Also make sure you apply the rules in the right order from top to bottom. The rule with the lowest id is applied first.
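The NSG-per-subnet layout the answer above describes, written out as a Bicep template. This is an added example, not code from the original answer or from Microsoft's documentation; the resource names, the address prefixes, the database port 1433 and the existing VNet name `vnet-db` are assumptions. One NSG is created per database subnet: a low-numbered rule allows only the matching environment's application subnet (reached over peering) to the database port, and a catch-all deny at priority 4096 sits below it. The explicit deny matters because the default `AllowVnetInBound` rule (priority 65000) uses the `VirtualNetwork` service tag, which also covers peered address spaces, so without it the PRE-PROD application subnet would still reach the PROD database.

```bicep
// Added example (not from the original answer). Assumed values: address
// prefixes, resource names, the database port and the existing VNet name.
param location string = resourceGroup().location
param dbVnetName string = 'vnet-db'   // assumed name of the existing database VNet
param dbPort string = '1433'          // assumed database port (SQL Server)

// One entry per environment: the application subnet lives in the peered
// application VNet, the database subnet in this VNet. CIDRs are assumed.
var envs = [
  { name: 'prod',    appCidr: '10.10.1.0/24', dbCidr: '10.20.1.0/24' }
  { name: 'preprod', appCidr: '10.10.2.0/24', dbCidr: '10.20.2.0/24' }
]

resource dbVnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: dbVnetName
}

// One NSG per database subnet. Rules are evaluated lowest priority number
// first; the first match wins, so the allow rule must sit above the deny.
resource dbNsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = [for env in envs: {
  name: 'nsg-db-${env.name}'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowAppSubnetToDbPort'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: env.appCidr      // only this environment's app subnet
          sourcePortRange: '*'
          destinationAddressPrefix: env.dbCidr
          destinationPortRange: dbPort           // only the database port
        }
      }
      {
        // Overrides the default AllowVnetInBound (65000), which would otherwise
        // admit traffic from every peered subnet, including the other environment.
        name: 'DenyAllInbound'
        properties: {
          priority: 4096
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}]

// Attach each NSG to its database subnet.
resource dbSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' = [for (env, i) in envs: {
  parent: dbVnet
  name: 'snet-db-${env.name}'
  properties: {
    addressPrefix: env.dbCidr
    networkSecurityGroup: {
      id: dbNsg[i].id
    }
  }
}]
```

Two things to check before deploying something like this: redeploying an existing subnet resource replaces its properties, so any route table, service endpoints or delegations already on the subnet must be included in the `properties` block, and because the deny at 4096 also overrides the default `AllowAzureLoadBalancerInBound` rule, a database tier behind an Azure Load Balancer needs an extra allow rule for the `AzureLoadBalancer` service tag above the deny, otherwise health probes are dropped.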
