Azure Networking: VHub Peering

This connection option is only available for dedicated Astro clusters.

To set up a private connection between an Astro Virtual Network (VNet) and an Azure VHub, you can create a VHub peering connection. VHub peering ensures private and secure connectivity, reduces network transit costs, and attaches the Astro environment to a centralized managed network.

  1. Retrieve the following information from the target Azure environment that you want to connect with:

    • Azure Tenant ID and Subscription ID.
    • VHub name.
    • Resource Group name.
    • Optional. The firewall IP address, if you use a firewall on the VHub side.
  2. Prepare a JSON file named astro-vhub-peering-creator-role.json with the following permissions. Replace {customer-subscription-id} with your value:

    {
      "Name": "Astro VHub Peering Contributor",
      "IsCustom": true,
      "Description": "Can create VNET peering with Astro.",
      "Actions": [
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/write",
        "Microsoft.Network/virtualHubs/read",
        "Microsoft.Network/virtualWans/virtualHubs/read",
        "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/read"
      ],
      "NotActions": [],
      "AssignableScopes": [
        "/subscriptions/{customer-subscription-id}"
      ]
    }
  3. Run the following Azure CLI commands to give Astronomer Support temporary permissions to establish a VHub peering connection:

    # Add the Astronomer Service Principal
    az ad sp create --id a67e6057-7138-4f78-bbaf-fd9db7b8aab0

    # Create a custom role with the permissions prepared in the previous step
    az role definition create --role-definition ~/astro-vhub-peering-creator-role.json

    # Assign the custom role to the Astronomer Service Principal
    # (replace {customer-subscription-id} with your value)
    az role assignment create \
      --assignee a67e6057-7138-4f78-bbaf-fd9db7b8aab0 \
      --role "Astro VHub Peering Contributor" \
      --scope "/subscriptions/{customer-subscription-id}"

    # Verify the assignment
    az role assignment list --assignee a67e6057-7138-4f78-bbaf-fd9db7b8aab0 --all -o table
  4. Contact Astronomer support to tell them that you granted permissions to the Astronomer Service Principal. In addition, provide the following details in your request:

    • Astro Cluster ID
    • Azure Tenant ID and Subscription ID with a VHub
    • Resource group name
    • VHub name and preferred name for the peering
    • Optional. The firewall IP address, if you use a firewall on the VHub side.

After receiving your request, Astronomer support creates a VHub peering connection to Astro VNet. No other actions are required from you. Astronomer support will notify you when the connection is ready to use.

When the network connection is confirmed, you can delete the temporary role assignment you created using the following command. Replace {customer-subscription-id} with your value:

    az role assignment delete \
      --assignee a67e6057-7138-4f78-bbaf-fd9db7b8aab0 \
      --role "Astro VHub Peering Contributor" \
      --scope "/subscriptions/{customer-subscription-id}"
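
A pre-flight check for the role file from step 2, added here as an example (it is not Astronomer's code): before running az role definition create, it compares the file against the six actions listed on this page and flags wildcard, extra or missing actions, and any AssignableScopes entry that still holds the placeholder or is not a single subscription. The function name audit_role_definition and the sample subscription ID are assumptions made for this example.

```python
import json

# The six actions listed in the role definition on this page (step 2).
EXPECTED_ACTIONS = {
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/write",
    "Microsoft.Network/virtualHubs/read",
    "Microsoft.Network/virtualWans/virtualHubs/read",
    "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/read",
}

def audit_role_definition(text):
    """Hypothetical helper: return findings; an empty list means the file matches the page."""
    role = json.loads(text)
    findings = []
    actions = set(role.get("Actions", []))
    for action in sorted(actions - EXPECTED_ACTIONS):
        kind = "wildcard" if "*" in action else "extra"
        findings.append(f"{kind} action not in the documented role: {action}")
    for action in sorted(EXPECTED_ACTIONS - actions):
        findings.append(f"documented action missing: {action}")
    if role.get("DataActions"):
        findings.append("DataActions present; the documented role grants none")
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        findings.append("AssignableScopes is empty")
    for scope in scopes:
        parts = scope.strip("/").split("/")
        if "{" in scope or "}" in scope:
            findings.append(f"placeholder not replaced in scope: {scope}")
        elif len(parts) != 2 or parts[0].lower() != "subscriptions":
            findings.append(f"scope is not a single subscription: {scope}")
    return findings

# Constructed sample inputs (the subscription ID is a made-up placeholder value).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
GOOD = json.dumps({"Name": "Astro VHub Peering Contributor", "IsCustom": True,
                   "Actions": sorted(EXPECTED_ACTIONS), "NotActions": [],
                   "AssignableScopes": [SUB]})
BAD = json.dumps({"Name": "Astro VHub Peering Contributor", "IsCustom": True,
                  "Actions": sorted(EXPECTED_ACTIONS) + ["Microsoft.Network/*"],
                  "NotActions": [],
                  "AssignableScopes": ["/subscriptions/{customer-subscription-id}"]})

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_role_definition(sample) or "OK")
```

To check your own file, pass its contents to the function, for example audit_role_definition(open(path).read()).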