-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Incomplete and possibly poor advice on private endpoints with Hub & Spoke topology #4410
Comments
@fabio-s-franco |
Hi @fabio-s-franco! the initial recommendation was based on the existing restrictions at that time on how was the best way to route the traffic for that specific scenario. I'm trying to remember the specific details but I can't right now after three years of the initial version. I moved out of the Networking team and @ivapplyr took ownership of this feature. Ivens, can you check if this recommendation is still valid nowadays or should we update the diagram? Regards! Edit: Thinking on it, I believe at that time, traffic from on-premises to a PE would not be able to pass across the HUB to a spoke successfully without an NVA doing the routing. If you were not using a NVA, the only option was to deploy it on the Hub. |
Hey @jangelfdez , Thanks for taking the time to reply. And I understand things change over time. For example, back then there was no storage.Global service, so it wouldn't be possible to create a private service connection from a different region than the one a storage account was created in. Nevertheless, the example of on-prem peering was just one scenario. It would mean the same thing if, for exmaple, you replace the on-prem by another spoke that is peered to the hub and plays a similar non-critical role. Moving the private endpoint to the hub would still make the "owner/mission-critical" spoke go through unnecessary risks. It would satisfy the need of having a NVA in the Hub and mitigate peering risks for the spoke that is tightly coupled with the resource. So in the case of a shared resources, I do believe that the proper advice should be:
I say this, because as the hub incorporates more complex routing rules and peers more vnets, so does the risk of disruption (accidental or incidental) increase. And this approach would be immune to that increase in complexity. |
Thank you for looping me in @jangelfdez. It is recommended to have the Private Endpoint within the Hub to allow the simplest configuration pattern for the majority of use cases mainly due to the automated DNS benefits and the commonality of customer configurations. However, Let's explore with the scenario mentioned above for examples Central Hub vs Central Spoke:
Which brings us with the second thought process. A private endpoint in the Hub and one in the Spoke
There are customers who find success with leveraging a decentralized topography like a Mesh network. This offers resiliency and efficiency benefits, but would come with the understanding that Compute VNets (VNet mainly containing client VMs) and PE VNets (vnets mainly containing Private endpoints) will have some form of distinction. This will help ensure that you have a dedicated Private Endpoint per resource so you would only need to connect Private DNS Zones to the relevant VNets. |
Hi @ivapplyr, thanks for the detailed explanation. I understand the advantages of having a centralized location, it's just that through my own experience setting this up, on this one particular scenario where I need several spokes to have access to the same resource (but only one critically dependent on it), it is far simpler and less risky to disruption due to the reasons I mentioned. If you add to that, the fact that the Spoke might be in a different region than the Hub, it can have not only the risks on connectivity, but also the added latency. I appreciate that you can't cover all possible scenarios, but I do think it is relevant to mention that it is a possibility to have more than one private endpoint per resource (as I didn't see it documented anywhere, had to do it on a trial-and-error basis).
I know that, that is why I have two private DNS zones with the same name: It has already happened that a change in the topology disrupted the connectivity between the spokes and the resource. It was this experience that led me to think about a better way to make the spoke critically dependent on it to have a dedicated private A mesh network is an interesting concept, but I do appreciate the benefits of having isolation, which, security-wise is desirable. Specially if you would like to have relaxed constraints on a spoke (like one with a development environment), that would otherwise be riskier if it was meshed with production spokes. I may have sounded a bit harsh on my initial post (I realized it only after I read it again) and that was not my intention at all. I am taking the time to report this here and try to validate my thought process as a way to also help others that may encounter a similar situation. Thanks for all the feedback, nonetheless. |
I was looking for some validation which I believe is correct for my scenario and eventually found this:
Azure Private Link in a hub-and-spoke network
The scenario
The spoke is the main consumer and is highly dependent of a service without public endpoint accessibility. For example, a storage account.
So naturally, since the storage account is tightly coupled to the spoke, it is only logical that the private link is exposed through a private endpoint in the spoke. It avoids all the problems that could happen if it had to hop to the Hub.
Now, when we evolve from the simple scenario above and there is a need to provide accessibility also to a VPN peered on-prem network (not mission critical), the decision chart of the article suggests only one possible outcome:
The private endpoint should be in the Hub.
The problem
This advice fails to account for an important factor:
It introduces a single point of failure that is much more likely to occur when accessing a critical resource cross-vnet than what an intra-vnet would.
The hop to the Hub introduces many more variables, that increase the odds of disruptions dramatically in my opinion.
The extra factors that are introduced with that approach, top of mind:
I could go on, but I think the idea is clear.
The solution (in my opinion)
The advice should include the idea of shared resources, but that are conceptually owned by a spoke.
In this case, what I would and what I am trying to validate, is that we should have
2 private endpoints
.Obviously this is an over simplification. It does require separate private DNS zones too and the corresponding associations, but I believe this introduces a lot less variables that can influence network disruptions towards the private resource.
Beyond suggesting that the documentation should be updated, I am also looking for feedback on how I am reasoning on this.
So, any of it is appreciated.
Best,
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
The text was updated successfully, but these errors were encountered: