Connecting Virtual Networks in Azure

This document outlines the various methods for connecting virtual networks (VNets) in Azure, enabling seamless communication between resources in different VNets.

Why Connect VNets?

Connecting VNets is crucial for scenarios such as:

Sharing data and applications between different departments or environments.
Implementing multi-tier applications distributed across multiple VNets.
Establishing secure connections to on-premises networks or other cloud providers.
Enhancing disaster recovery and business continuity strategies.

Connection Methods

Azure offers several robust methods to connect VNets. The choice depends on your specific requirements for bandwidth, latency, security, and complexity.

1. VNet Peering

VNet peering connects two Azure VNets, allowing resources in either virtual network to communicate with each other as if they were within the same network. Traffic between peered VNets travels over the Microsoft backbone network, ensuring low latency and high bandwidth.

Key Features:

Low latency and high bandwidth.
No public IP addresses required for communication.
Transitive routing is not supported (i.e., VNet A peered with VNet B, and VNet B peered with VNet C, does not mean VNet A can communicate with VNet C directly through VNet B).
Can be established within the same region (local peering) or across different regions (global peering).

Tip: VNet peering is the most common and recommended method for connecting VNets within Azure when transitive routing is not a requirement.

2. VNet-to-VNet VPN Gateway

This method uses a VPN gateway to establish a secure IPsec/IKE VPN tunnel between two VNets. This is an excellent option when you need encryption for your traffic or when connecting VNets across different Azure regions, especially if VNet peering is not available or suitable.

Key Features:

Provides secure, encrypted communication.
Can connect VNets in different regions or even different Azure subscriptions.
Requires a VPN gateway in each VNet, incurring additional costs.
Can support transitive routing if configured appropriately with multiple gateways.

Example configuration snippet:

                
resource "azurerm_virtual_network_gateway" "vng1" {
  name                = "vng1"
  location            = "East US"
  type                = "Vpn"
  dns_servers         = [...]
  ip_configuration {
    name                      = "vng1-config"
    subnet_id                 = azurerm_subnet.gatewaySubnet.id
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id      = azurerm_public_ip.vng_pip.id
  }
}

resource "azurerm_virtual_network_gateway" "vng2" {
  name                = "vng2"
  location            = "West US"
  type                = "Vpn"
  dns_servers         = [...]
  ip_configuration {
    name                      = "vng2-config"
    subnet_id                 = azurerm_subnet.gatewaySubnet.id
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id      = azurerm_public_ip.vng_pip.id
  }
}

resource "azurerm_virtual_network_gateway_connection" "vnet_connection" {
  name                = "vnet-to-vnet-conn"
  location            = azurerm_virtual_network_gateway.vng1.location
  type                = "Vnet2Vnet"
  virtual_network_gateway_id     = azurerm_virtual_network_gateway.vng1.id
  peer_virtual_network_gateway_id = azurerm_virtual_network_gateway.vng2.id
  shared_key          = "YourSharedKey123"
}
                
            

3. Azure Virtual WAN

Virtual WAN is a networking service that brings together networking, security, and routing capabilities into a single operational interface. It provides a highly scalable and resilient hub-and-spoke architecture that simplifies the management of global network connectivity.

Key Features:

Centralized management and routing.
Connects VNets, branch offices, and remote users.
Integrates with Azure Firewall and Network Security Groups for advanced security.
Optimized routing for global transit.

Note: Virtual WAN is ideal for large-scale deployments requiring complex routing, central security policies, and simplified management across many VNets and regions.

Choosing the Right Method

Consider the following factors when selecting a connection method:

Complexity: VNet peering is generally the simplest.
Security: VPN Gateway and Virtual WAN offer encrypted tunnels.
Scale: Virtual WAN is designed for large-scale, global networks.
Cost: VPN Gateways incur costs for the gateway instances.
Performance: VNet peering offers the lowest latency within Azure.

For most intra-Azure VNet connectivity needs without external dependencies, VNet Peering is often the preferred and most cost-effective solution.

Learn how to create a VNet Peering Learn how to set up a VNet-to-VNet VPN