Azure Networking: VNet Peering

This connection option is only available for dedicated Astro clusters.

To set up a private connection between an Astro Virtual Network (VNet) and an Azure VNet, you can create a VNet peering connection. VNet peering ensures private and secure connectivity, reduces network transit costs, and simplifies network layouts.

  1. Retrieve the following information from the target Azure environment that you want to connect with:

    • Azure Tenant ID and Subscription ID.
    • VNet name.
    • Resource Group name.
  2. Prepare the astro-vnet-peering-creator-role.json file with the following role definition. Replace {customer-subscription-id} with your subscription ID:

    {
      "Name": "Astro VNET Peering Contributor",
      "IsCustom": true,
      "Description": "Can create VNET peering with Astro.",
      "Actions": [
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Network/virtualNetworks/peer/action",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read"
      ],
      "NotActions": [
      ],
      "AssignableScopes": [
        "/subscriptions/{customer-subscription-id}"
      ]
    }
  3. Run the following Azure CLI commands to give Astronomer support temporary permissions to establish a VNet peering connection:

    # Add the Astronomer Service Principal to your tenant
    az ad sp create --id a67e6057-7138-4f78-bbaf-fd9db7b8aab0

    # Create a custom role with the permissions prepared in the previous step
    az role definition create --role-definition ~/astro-vnet-peering-creator-role.json

    # Assign the custom role to the Astronomer Service Principal ({customer-subscription-id} has to be replaced with your value)
    az role assignment create \
      --assignee a67e6057-7138-4f78-bbaf-fd9db7b8aab0 \
      --role "Astro VNET Peering Contributor" \
      --scope "/subscriptions/{customer-subscription-id}"

    # Verify the assignment
    az role assignment list --assignee a67e6057-7138-4f78-bbaf-fd9db7b8aab0 --all -o table
  4. Contact Astronomer support to tell them that you granted permissions to the Astronomer Service Principal. In addition, provide the following details in your request:

    • Astro Cluster ID
    • Azure Tenant ID and Subscription ID of the target VNet
    • Resource group name
    • VNet Name and preferred name for peering
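Before running steps 2 and 3 it is worth checking, rather than eyeballing, that the role file you are about to submit grants nothing beyond the seven actions above and that the resulting assignment exists only at your subscription. The script below is an added example, not part of this page or of Astronomer's tooling: it fills in the subscription placeholder, rejects any wider action or scope, and inspects the parsed JSON output of `az role assignment list --assignee <sp> -o json` (the `roleDefinitionName` and `scope` fields are the ones the Azure CLI emits). The subscription ID and assignment records are constructed sample values.

```python
import json
import uuid

# Permissions copied from the role definition on this page; anything beyond them is rejected.
EXPECTED_ACTIONS = {
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/virtualNetworks/peer/action",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
}
PLACEHOLDER = "{customer-subscription-id}"
ROLE_NAME = "Astro VNET Peering Contributor"
# Constructed stand-in for astro-vnet-peering-creator-role.json, built from the page's values.
TEMPLATE = json.dumps({"Name": ROLE_NAME, "IsCustom": True, "Actions": sorted(EXPECTED_ACTIONS),
                       "NotActions": [], "AssignableScopes": ["/subscriptions/" + PLACEHOLDER]})

def render_role_definition(template_text: str, subscription_id: str) -> dict:
    """Fill in the subscription ID and refuse a definition broader than the page's."""
    uuid.UUID(subscription_id)  # raises ValueError unless the ID is a well-formed GUID
    role = json.loads(template_text.replace(PLACEHOLDER, subscription_id))
    extra = sorted(set(role.get("Actions", [])) - EXPECTED_ACTIONS)
    if extra:  # also catches wildcards such as "*" or "Microsoft.Network/*"
        raise ValueError(f"role grants more than VNet peering needs: {extra}")
    if role.get("NotActions") or role.get("AssignableScopes") != [f"/subscriptions/{subscription_id}"]:
        raise ValueError("NotActions must be empty and AssignableScopes exactly the target subscription")
    return role

def assignment_problems(assignments: list, subscription_id: str) -> list:
    """Check parsed `az role assignment list --assignee <sp> -o json` output: the service
    principal must hold only the temporary role, only at the one subscription (empty = OK)."""
    expected_scope = f"/subscriptions/{subscription_id}"
    findings = []
    for a in assignments:
        name, scope = a.get("roleDefinitionName"), a.get("scope")
        if name != ROLE_NAME:
            findings.append(f"unexpected role {name!r} at {scope}")
        elif scope != expected_scope:
            findings.append(f"{ROLE_NAME} assigned at {scope} instead of {expected_scope}")
    return findings

if __name__ == "__main__":
    sub = "11111111-2222-3333-4444-555555555555"  # constructed sample subscription ID
    print(render_role_definition(TEMPLATE, sub)["AssignableScopes"])
    # Constructed record showing what a mis-scoped assignment looks like
    print(assignment_problems([{"roleDefinitionName": ROLE_NAME, "scope": "/"}], sub))
```

Write the returned dictionary to the role file with `json.dump` and feed the real `az role assignment list` JSON to `assignment_problems` after step 3; any non-empty result means the grant is wider than the page intends.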

After receiving your request, Astronomer support creates a VNet peering connection between the two VNets. No other actions are required from you. Astronomer support will notify you when the connection is ready to use.

When the network connection is confirmed, you can delete the temporary role assignment you created using the following command. Replace {customer-subscription-id} with your value:

az role assignment delete --assignee a67e6057-7138-4f78-bbaf-fd9db7b8aab0 --role "Astro VNET Peering Contributor" --scope "/subscriptions/{customer-subscription-id}"