Reputation: 91
I have a situation where I want to open my VNet (let's say VNet1) to other VNets (which have private IP ranges defined). I am thinking of using NSG rules and allowing the private IP ranges of the other VNets (let's say VNet2, VNet3) to this entry-point subnet (in VNet1), which hosts my API gateway. I have two questions:
I assume it should be feasible using private IP addresses and allowing them using the NSG (of VNet1/Subnet1)? I am not looking for peering/S2S VPN of the VNets, as both belong to separate teams and VNet2/VNet3 just want to access the APIs of VNet1 using the API gateway.
Are there any security issues which we foresee? I assume it is safe to expose since these are private IPs and cannot be accessed from the internet.
Please let me know your opinion on feasibility and security.
Thanks, Xslguy
Upvotes: 1
Views: 1540
Reputation: 28204
To help others who might find the same scenario, I'll just extract the useful information from the comments and write my answer.
An Azure VNet is a logical isolation of the Azure cloud dedicated to your subscription. VNet peering allows traffic between two VNets to be routed through Microsoft's private network only. If the VNets haven't been peered, VNet1 will not connect to resources in VNet2 by using private IPs but by using the public IPs of the resources in VNet2. In this case, we need to restrict the source public IP for the inbound rules in the NSG attached to the subnet. With VNet peering, you could also restrict the access from one subnet to another subnet by using the source private IP for the inbound rules in the NSG attached to the subnet.
From Security rules:
If you specify an address for an Azure resource, specify the private IP address assigned to the resource. Network security groups are processed after Azure translates a public IP address to a private IP address for inbound traffic, and before Azure translates a private IP address to a public IP address for outbound traffic.
Upvotes: 2
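To make the answer's point concrete, here is an added example (not part of the answer above, and not Azure's own code) that models how an NSG picks the inbound rule for a packet: rules are checked from the lowest priority number upwards and the first match wins, with the default AllowVnetInBound (65000) and DenyAllInBound (65500) rules at the end. The VNet address spaces, rule names, ports and the public IP 203.0.113.10 are constructed for illustration; the VirtualNetwork service tag is modelled as VNet1's address space plus whatever is peered with it, which is a simplification of the real tag.

```python
"""Model Azure NSG inbound rule selection (added example, constructed address plan).

Rules are evaluated lowest priority number first and the first match wins.
Three scenarios are walked through: a peered consumer VNet on the gateway
port, the same peer on another port, and an unpeered VNet whose traffic can
only arrive from a public source IP.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET1 = "10.1.0.0/16"                        # hosts the API gateway (constructed)
VNET2, VNET3 = "10.2.0.0/16", "10.3.0.0/16"  # consumer VNets (constructed)
ANY = "*"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # user rules 100..4096; lower numbers are evaluated first
    access: str            # "Allow" or "Deny"
    sources: tuple         # CIDR strings, "*" or the "VirtualNetwork" service tag
    dest_ports: tuple      # ints or "*"
    protocol: str = "Tcp"  # "Tcp", "Udp" or "*"


def _source_matches(sources, src_ip, vnet_tag):
    ip = ip_address(src_ip)
    for s in sources:
        if s == ANY:
            return True
        prefixes = vnet_tag if s == "VirtualNetwork" else (s,)
        if any(ip in ip_network(p, strict=False) for p in prefixes):
            return True
    return False


def evaluate(rules, src_ip, dst_port, protocol="Tcp", peered=()):
    """Return (rule_name, access) of the first inbound rule matching the packet.

    `peered` lists address spaces peered with VNET1; the VirtualNetwork tag is
    modelled as VNET1 plus those spaces (a simplification of the real tag).
    """
    vnet_tag = (VNET1,) + tuple(peered)
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol not in (ANY, protocol):
            continue
        if not _source_matches(r.sources, src_ip, vnet_tag):
            continue
        if not any(p == ANY or p == dst_port for p in r.dest_ports):
            continue
        return r.name, r.access
    raise AssertionError("unreachable: DenyAllInBound matches everything")


# Azure's default inbound rules, present on every NSG and not removable.
# AllowAzureLoadBalancerInBound (65001) is omitted: it never matches these sources.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Allow", ("VirtualNetwork",), (ANY,), ANY),
    Rule("DenyAllInBound", 65500, "Deny", (ANY,), (ANY,), ANY),
)

# Constructed rules for the gateway subnet in VNET1. The explicit Deny at 4000
# matters once peering exists: without it, AllowVnetInBound would admit every
# port from the peered VNets, not just the gateway's 443.
GATEWAY_SUBNET_RULES = (
    Rule("allow-consumer-vnets-https", 100, "Allow", (VNET2, VNET3), (443,)),
    Rule("deny-other-vnet-inbound", 4000, "Deny", ("VirtualNetwork",), (ANY,), ANY),
) + DEFAULT_INBOUND


def peered_https():
    # Peered: VNET2 reaches the gateway by private IP and hits the explicit Allow.
    return evaluate(GATEWAY_SUBNET_RULES, "10.2.4.7", 443, peered=(VNET2, VNET3))


def peered_ssh():
    # Same peer on port 22: stopped by the explicit Deny ahead of AllowVnetInBound.
    return evaluate(GATEWAY_SUBNET_RULES, "10.2.4.7", 22, peered=(VNET2, VNET3))


def unpeered_https(public_src="203.0.113.10"):
    # Not peered: traffic arrives from the resource's public IP (documentation range
    # used here), so the private-CIDR Allow never matches and DenyAllInBound applies.
    return evaluate(GATEWAY_SUBNET_RULES, public_src, 443)


if __name__ == "__main__":
    for scenario in (peered_https, peered_ssh, unpeered_https):
        print(f"{scenario.__name__:15s} -> {scenario()}")
```

Two things the walk-through shows that the prose leaves implicit: first, the private-range rule only ever matches once peering (or another private path) exists, because NSGs see the source address after Azure's public-to-private translation, as the quoted documentation states; second, peering alone widens the VirtualNetwork tag, so an explicit Deny below 65000 is what actually limits the peers to the gateway port. Note that the Deny as written also blocks VNET1's other subnets from reaching the gateway; add their prefixes to the Allow rule if that access is needed.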