31_Steps to Connect to Internet via hub vnet using Custom routes - SanjeevOCI/Azure GitHub Wiki

Steps to Allow AppVM in Spoke to Access Internet via Hub NAT Gateway

1. Create Hub VNet

  • Address space: 10.0.0.0/24
  • Subnets:
    • NatSubnet 10.0.0.0/27
    • BastionSubnet 10.0.0.32/27

2. Create Spoke VNet

  • Address space: 10.1.0.0/24
  • Subnet: AppSubnet 10.1.0.0/27

3. Create NSG for AppSubnet in Spoke

  • Inbound Rules:
    • Allow from VirtualNetwork → Ports: 22, 443, 80
  • Outbound Rules:
    • Allow to 0.0.0.0/0 → Ports: 443, 80 (Priority: 100)

4. Create NSG for NatSubnet in Hub

  • Inbound Rules:
    • Allow from VirtualNetwork → Port: * (Priority: 100)
  • Outbound Rules:
    • Allow to 0.0.0.0/0 → Ports: 443, 80 (Priority: 100)

5. Create NAT Gateway

  • Associate a new Public IP address.
  • Link NAT Gateway to NatSubnet in Hub VNet.

6. Deploy NVA - nat-forwarder (Linux VM) in Hub's NatSubnet

  • Choose Ubuntu or similar.
  • NIC: Enable IP forwarding.
  • No public IP.
  • Assign private IP (e.g., 10.0.0.4).

7. Enable IP Forwarding Inside NVA

SSH into NVA and run:

sudo sysctl -w net.ipv4.ip_forward=1
sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
sudo sysctl -p

8. Configure iptables on NVA

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo apt install iptables-persistent -y
sudo netfilter-persistent save
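A way to confirm that steps 7 and 8 actually took effect on the NVA, as an added example that is not part of the wiki: the script parses the text that `cat /proc/sys/net/ipv4/ip_forward` and `sudo iptables-save -t nat` print and reports anything that would stop forwarded spoke traffic from being masqueraded. The sample outputs, the interface name eth0 and the spoke prefix 10.1.0.0/24 are taken from the steps above; the function and key names are my own.

```python
"""Verify a Linux NVA against steps 7 and 8 from the output of two commands.

Added example, not code from the wiki. It expects the text printed by
`cat /proc/sys/net/ipv4/ip_forward` and `sudo iptables-save -t nat`; the
samples below are constructed so the check runs offline.
"""
import shlex

# Constructed sample outputs (what the two commands print on a correct NVA).
IP_FORWARD_ON = "1\n"
NAT_TABLE_OK = """\
# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""
# Constructed failure case: forwarding off and the rule bound to the wrong NIC.
IP_FORWARD_OFF = "0\n"
NAT_TABLE_WRONG_IF = NAT_TABLE_OK.replace("-o eth0", "-o eth1")


def parse_postrouting(nat_table_text):
    """Return the POSTROUTING rules as dicts with keys out_if, src, target."""
    rules = []
    for line in nat_table_text.splitlines():
        if not line.startswith("-A POSTROUTING "):
            continue
        toks = shlex.split(line)
        rule = {"out_if": None, "src": None, "target": None}
        for flag, key in (("-o", "out_if"), ("-s", "src"), ("-j", "target")):
            if flag in toks:
                rule[key] = toks[toks.index(flag) + 1]
        rules.append(rule)
    return rules


def check_nva(ip_forward_text, nat_table_text, egress_if="eth0", spoke_prefix="10.1.0.0/24"):
    """Return {'ok', 'problems', 'warnings'}; ok means steps 7 and 8 are in effect."""
    problems, warnings = [], []
    if ip_forward_text.strip() != "1":
        problems.append("net.ipv4.ip_forward is 0: the kernel drops packets it should forward")
    masq = [r for r in parse_postrouting(nat_table_text) if r["target"] == "MASQUERADE"]
    if not masq:
        problems.append("no MASQUERADE rule in nat/POSTROUTING: spoke sources are not rewritten")
    elif not any(r["out_if"] == egress_if for r in masq):
        problems.append(f"MASQUERADE rule is not bound to the egress interface {egress_if}")
    # The wiki's rule has no -s match, so it rewrites anything the NVA forwards.
    # That works, but scoping it to the spoke prefix limits what the NVA will NAT.
    if masq and not any(r["src"] == spoke_prefix for r in masq):
        warnings.append(f"MASQUERADE is not limited to the spoke prefix {spoke_prefix}")
    return {"ok": not problems, "problems": problems, "warnings": warnings}


if __name__ == "__main__":
    for label, fwd, nat in (("good", IP_FORWARD_ON, NAT_TABLE_OK),
                            ("broken", IP_FORWARD_OFF, NAT_TABLE_WRONG_IF)):
        print(label, check_nva(fwd, nat))
```

Run it on the NVA by feeding the two command outputs into check_nva; the warning about the unscoped MASQUERADE is informational, since the rule as written in step 8 does work.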

9. Deploy BastionVM (Linux VM – Public IP) in Hub's BastionSubnet to act as the jump server. Also deploy AppVM (Linux VM – No Public IP) in Spoke's AppSubnet.

10. Create VNet Peering: Hub ↔ Spoke

  • Hub to Spoke:
    • Allow virtual network access: Yes
    • Allow forwarded traffic: Yes
  • Spoke to Hub:
    • Allow virtual network access: Yes
    • Allow forwarded traffic: Yes

11. Create Route Table and Associate with AppSubnet (Spoke)

  • Route Name: Custom_Route_To_NATGateway_in_Hub
  • Address prefix: 0.0.0.0/0
  • Next hop type: Virtual Appliance
  • Next hop address: 10.1.0.4 (private IP of NVA)
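The consistency checks a practitioner would run on this design before moving to step 13, as an added example that is not part of the wiki: a Python model of the values from steps 1 to 11 (the DESIGN dict and its key names are my own) validated with the standard ipaddress module. One check deserves attention: step 6 places the NVA at 10.0.0.4 in the hub's NatSubnet, while the next hop above is written as 10.1.0.4, an address inside the spoke's AppSubnet; the validator flags any next hop that is not the NVA's own address.

```python
"""Sanity-check the hub/spoke design from steps 1 to 11 before deploying it.

Added example, not code from the wiki. DESIGN is a hand-written model of
the values the steps give; validate() returns the misconfigurations that
would otherwise only show up in the traceroute at step 13.
"""
import copy
import ipaddress

DESIGN = {
    "hub":   {"space": "10.0.0.0/24",                                   # step 1
              "subnets": {"NatSubnet": "10.0.0.0/27", "BastionSubnet": "10.0.0.32/27"}},
    "spoke": {"space": "10.1.0.0/24", "subnets": {"AppSubnet": "10.1.0.0/27"}},  # step 2
    "nat_gateway_subnet": "NatSubnet",                                  # step 5
    "nva_ip": "10.0.0.4",                                               # step 6
    # step 4: NSG on NatSubnet. The VirtualNetwork tag includes peered VNets,
    # so this rule is what lets AppSubnet traffic reach the NVA.
    "nat_subnet_nsg_inbound": [{"source": "VirtualNetwork", "ports": "*"}],
    "peering": {                                                        # step 10
        "hub_to_spoke": {"vnet_access": True, "forwarded_traffic": True},
        "spoke_to_hub": {"vnet_access": True, "forwarded_traffic": True},
    },
    "app_subnet_route": {                                               # step 11
        "prefix": "0.0.0.0/0", "next_hop_type": "VirtualAppliance",
        "next_hop": "10.0.0.4"},   # must be the NVA's private IP (nva_ip)
}

# The same design with the next hop written as 10.1.0.4, the value shown in
# step 11, which lies in the spoke's AppSubnet rather than at the NVA.
DESIGN_WRONG_NEXT_HOP = copy.deepcopy(DESIGN)
DESIGN_WRONG_NEXT_HOP["app_subnet_route"]["next_hop"] = "10.1.0.4"


def validate(d):
    """Return a list of problems; an empty list means the design is consistent."""
    problems = []
    hub = ipaddress.ip_network(d["hub"]["space"])
    spoke = ipaddress.ip_network(d["spoke"]["space"])
    if hub.overlaps(spoke):
        problems.append(f"hub {hub} and spoke {spoke} overlap; Azure refuses to peer them")
    for vnet in ("hub", "spoke"):
        space = ipaddress.ip_network(d[vnet]["space"])
        for name, cidr in d[vnet]["subnets"].items():
            if not ipaddress.ip_network(cidr).subnet_of(space):
                problems.append(f"{name} {cidr} lies outside the {vnet} address space {space}")
    # The NVA only egresses through the NAT gateway if it sits in the subnet the gateway is linked to.
    nat_subnet = ipaddress.ip_network(d["hub"]["subnets"][d["nat_gateway_subnet"]])
    nva = ipaddress.ip_address(d["nva_ip"])
    if nva not in nat_subnet:
        problems.append(f"NVA {nva} is not in {d['nat_gateway_subnet']} {nat_subnet}, "
                        "so the NAT gateway will not carry its traffic")
    r = d["app_subnet_route"]
    if r["prefix"] != "0.0.0.0/0" or r["next_hop_type"] != "VirtualAppliance":
        problems.append("AppSubnet route must send 0.0.0.0/0 to next hop type VirtualAppliance")
    nh = ipaddress.ip_address(r["next_hop"])
    if nh != nva:
        where = ("in the spoke VNet" if nh in spoke else
                 "in the hub VNet" if nh in hub else "in neither VNet")
        problems.append(f"route next hop {nh} is {where} and is not the NVA {nva}")
    # Step 10 enables both flags on both sides; the NVA forwards traffic in both directions.
    for side, p in d["peering"].items():
        if not (p["vnet_access"] and p["forwarded_traffic"]):
            problems.append(f"peering {side} must allow VNet access and forwarded traffic")
    admits_spoke = {"VirtualNetwork", str(spoke)}
    if not any(rule["source"] in admits_spoke for rule in d["nat_subnet_nsg_inbound"]):
        problems.append("NatSubnet NSG has no inbound rule admitting spoke traffic to the NVA")
    return problems


if __name__ == "__main__":
    print("next hop = NVA address:", validate(DESIGN) or "no problems")
    print("next hop = 10.1.0.4:   ", validate(DESIGN_WRONG_NEXT_HOP))
```

Edit the DESIGN dict to match what was actually deployed and run the script; every problem it prints corresponds to a setting in one of the numbered steps above.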

13. Validate End-to-End

  • Connect to BastionVM, then SSH into AppVM in Spoke.
  • Run:
    curl -4 -v https://www.microsoft.com
    traceroute www.microsoft.com
  • Expected: the first traceroute hop is the NVA's private IP and the curl succeeds, showing that the traffic left through the NAT Gateway.
