Azure Virtual Network Peering: Connect Your VNets Securely
Introduction to VNet Peering
Azure Virtual Network (VNet) peering enables you to connect two or more Azure virtual networks privately. VNets that are peered can communicate with each other as if they were on the same network. Traffic between peered VNets is private and stays on the Microsoft Azure backbone network; it does not traverse the public internet.
Key benefits include:
- Low latency and high bandwidth connectivity between VNets.
- No need for complex VPN or NAT configurations.
- Resources in one VNet can communicate with resources in another VNet.
- Transitive connectivity between peered VNets is possible with additional configuration (see Considerations below).
Prerequisites
- Two or more Azure Virtual Networks in the same or different regions.
- Appropriate permissions to create and manage VNets and VNet peerings.
- Understanding of IP addressing for your VNets.
Step-by-Step Guide: Setting up VNet Peering
Step 1: Navigate to your first Virtual Network
In the Azure portal, search for "Virtual networks" and select the virtual network you want to peer from.
Step 2: Configure Peering
In the left-hand menu of your VNet, under "Settings", select "Peerings". Click "+ Add".
Step 3: Configure the Peering Connection
Fill in the details for the peering connection:
- This virtual network:
  - Peering link name: A descriptive name for the peering (e.g., vnet1-to-vnet2).
  - Virtual network deployment model: Resource Manager (most common).
  - Subscription: Select the subscription containing the VNet you want to peer with.
  - Resource group: Select the resource group containing the VNet you want to peer with.
  - Virtual network: Select the second virtual network you want to peer with.
- Remote virtual network:
  - Peering link name: A descriptive name for the peering from the other side (e.g., vnet2-to-vnet1).
  - Virtual network deployment model: Resource Manager.
  - Subscription: Select the subscription of the first VNet.
  - Resource group: Select the resource group of the first VNet.
  - Virtual network: Select the first virtual network.
- Allow virtual network access: Enable this to allow traffic from the peered VNet.
- Allow forwarded traffic: Enable if you want to allow traffic originating from the peered VNet to be forwarded to other destinations through this VNet.
- Allow gateway transit: Enable if the first VNet has a Virtual Network Gateway and you want to allow the peered VNet to use it.
- Use remote gateways: Enable if the remote VNet has a Virtual Network Gateway and you want to use it for transit.
Click "Add" to create the peering connection. The status will show as "Updating" and then "Connected" once established.
Step 4: Repeat for the Second VNet
Repeat steps 1-3, but this time start from the second virtual network and configure the peering to connect back to the first virtual network. Ensure "Allow virtual network access" is enabled on both sides.
Example Scenario: Connecting Two VNets
Let's assume we have two VNets:
- VNet-A: Address space 10.1.0.0/16
- VNet-B: Address space 10.2.0.0/16
To peer VNet-A with VNet-B:
- In VNet-A's peering settings, add a peering to VNet-B.
- In VNet-B's peering settings, add a peering to VNet-A.
Once peered, a virtual machine in VNet-A (e.g., with IP 10.1.0.4) can communicate directly with a virtual machine in VNet-B (e.g., with IP 10.2.0.5) using their private IP addresses.
Considerations and Best Practices
- Non-overlapping IP address spaces: Ensure that the address spaces of peered VNets do not overlap.
- Resource Manager vs. Classic: VNet peering is supported for Resource Manager VNets.
- Global VNet Peering: You can peer VNets in different Azure regions.
- Transitive Peering: VNet peering is not transitive by default. If VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A cannot communicate with VNet C directly through VNet B unless explicitly configured using gateway transit.
- Service Endpoints and Private Endpoints: These can be used to secure access to Azure services from peered VNets.
Troubleshooting VNet Peering
If you encounter issues:
- Verify that peering is configured on both VNets and the status is "Connected".
- Check that "Allow virtual network access" is enabled on both sides.
- Ensure there are no overlapping IP address spaces.
- Review Network Security Group (NSG) rules on subnets to ensure they permit traffic between the peered VNets.
- Check Azure network diagnostic tools for connectivity issues.
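The checks from the Considerations and Troubleshooting sections (non-overlapping address spaces, a peering present and "Connected" on both sides, "Allow virtual network access" enabled, and the broader forwarded-traffic and gateway flags) as an added pre-flight audit in Python; this is example code written for this page, not part of the original article or any Azure tool. The VNet inventory is constructed sample data built around the VNet-A/VNet-B scenario; field names follow the ARM peering properties (peeringState, allowVirtualNetworkAccess, allowForwardedTraffic, allowGatewayTransit, useRemoteGateways), except that remoteVirtualNetwork is simplified here to the peer's name rather than a resource id.

```python
import ipaddress

def peering(name, remote, state="Connected", access=True, forwarded=False,
            gateway_transit=False, remote_gateways=False):
    """Build one peering link using the ARM peering property names."""
    return {"name": name, "remoteVirtualNetwork": remote, "peeringState": state,
            "allowVirtualNetworkAccess": access, "allowForwardedTraffic": forwarded,
            "allowGatewayTransit": gateway_transit, "useRemoteGateways": remote_gateways}

# Constructed sample inventory (not from the page): the two VNets of the
# example scenario, each with the peering link it holds toward the other.
VNETS = {
    "VNet-A": {"addressPrefixes": ["10.1.0.0/16"],
               "peerings": [peering("vneta-to-vnetb", "VNet-B", forwarded=True)]},
    "VNet-B": {"addressPrefixes": ["10.2.0.0/16"],
               "peerings": [peering("vnetb-to-vneta", "VNet-A")]},
}

def address_spaces_overlap(prefixes_a, prefixes_b):
    """True if any prefix of one VNet overlaps any prefix of the other."""
    return any(ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))
               for a in prefixes_a for b in prefixes_b)

def audit_peering(vnets, local, remote):
    """Findings for local->remote: ERROR breaks connectivity, WARN widens exposure."""
    findings = []
    if address_spaces_overlap(vnets[local]["addressPrefixes"],
                              vnets[remote]["addressPrefixes"]):
        findings.append(f"ERROR: {local} and {remote} address spaces overlap")
    link = next((p for p in vnets[local]["peerings"]
                 if p["remoteVirtualNetwork"] == remote), None)
    if link is None:
        return findings + [f"ERROR: {local} has no peering to {remote}"]
    if link["peeringState"] != "Connected":
        findings.append(f"ERROR: {link['name']} state is {link['peeringState']}")
    if not link["allowVirtualNetworkAccess"]:
        findings.append(f"ERROR: {link['name']} disables virtual network access")
    # These flags are not needed for a plain two-VNet peering; report them.
    for flag in ("allowForwardedTraffic", "allowGatewayTransit", "useRemoteGateways"):
        if link[flag]:
            findings.append(f"WARN: {link['name']} enables {flag}")
    return findings

def audit_pair(vnets, a, b):
    """Both directions must exist and be healthy for traffic to flow."""
    return audit_peering(vnets, a, b) + audit_peering(vnets, b, a)

if __name__ == "__main__":
    for finding in audit_pair(VNETS, "VNet-A", "VNet-B"):
        print(finding)
```

Point the inventory at the output of `az network vnet peering list` (mapping remoteVirtualNetwork.id back to a VNet name) to run the same audit against a real subscription.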