GitHub self hosted runner have access to Azure resources behind a separate virtual network

Question

I created some GitHub self-hosted runners and would like them to have access to my resources behind a separate virtual network. I know that whitelisting the IP address of the machine will give it access, but I will end up having any number of virtual machines that could be a self-hosted runner, so adding/deleting those IP addresses whitelist for each of my resources seems like a lot of manual work or having automation to whitelist IP addresses to each of my resources when creating the self-hosted runners.

I tried to peer the virtual network that my self-hosted runners would be connected to, to the virtual network of the rest of my resources thinking it would grant access to the self-hosted runners to those resources but I get a 403 firewall error when I attempt any changes or reading of the resource... Am I missing something here? Reading through Microsoft documentation makes it seem like peering the virtual networks would work.

I have bidirectional peering on both Vnets and forward traffic to and from the Vnets in the peering settings. My NSG on both VNet subnets are just the basic one that allows inbound and outbound VNet traffic

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

Is there a recommended way of going at this?

Answer 1

If you just want to access the resources in one VNet from another VNet, the network peering is enough. But there is a limitation, there must be no NSG associated with resources or the VNet. If the NSGs exist, you need to add rules to allow the traffics. For example, if the resources are the VMs, then it should work as need. Of course, the firewall inside the VMs should also allow the traffics.