Create a Virtual Network Peering
Learn how to establish a connection between two Azure virtual networks using peering. Virtual network peering enables resources in each virtual network to communicate with each other as if they were within the same network. This connectivity is achieved without the need for a VPN tunnel or the use of a network virtual appliance.
Prerequisites
- Two virtual networks that you want to peer.
- The virtual networks can be in the same subscription or in different subscriptions, and in the same or different Azure Active Directory tenants. Peering across tenants requires an account that holds the peering permissions in both tenants.
- The address spaces of the virtual networks cannot overlap. Peering is rejected if any prefix of one network overlaps any prefix of the other.
- Ensure that you have the necessary permissions on both virtual networks: the Network Contributor role, or a custom role that includes Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write on the virtual network you are peering from and Microsoft.Network/virtualNetworks/peer/action on the remote virtual network.
Create Peering using the Azure Portal
This section guides you through creating a virtual network peering using the Azure portal. You will create a peering connection from VNet1 to VNet2.
- Navigate to the first virtual network:
  - In the Azure portal, search for and select "Virtual networks".
  - Select the first virtual network (e.g., VNet1) you want to peer.
- Access Peering settings:
  - In the virtual network menu, under "Settings", select "Peerings".
- Add a peering connection:
  - Click on "Add".
  - Configure the settings for this virtual network's side of the peering:
    - Peering link name: Enter a name for the peering from VNet1 to VNet2 (e.g., VNet1ToVNet2).
    - Virtual network deployment model: Ensure "Resource Manager" is selected.
    - Remote virtual network: Select the second virtual network (e.g., VNet2) from the dropdown.
    - Allow virtual network access: Keep enabled to allow traffic between the networks.
    - Allow forwarded traffic: Enable only if traffic that did not originate in the remote virtual network (for example, traffic forwarded by a network virtual appliance there) should be accepted into this virtual network.
    - Allow gateway transit: Enable if this virtual network has a VPN or ExpressRoute gateway that the remote virtual network should be allowed to use.
    - Use remote gateways: Enable if this virtual network should send traffic through the gateway in the remote virtual network. This requires "Allow gateway transit" on the remote side, and this virtual network must not have a gateway of its own.
  - Configure the corresponding settings for the remote virtual network's side of the peering:
    - Peering link name: Enter a name for the peering from VNet2 to VNet1 (e.g., VNet2ToVNet1).
    - Virtual network deployment model: Ensure "Resource Manager" is selected.
    - Remote virtual network: Select the first virtual network (e.g., VNet1) from the dropdown.
    - Allow virtual network access: Keep enabled.
    - Allow forwarded traffic: Configure as needed.
    - Allow gateway transit: Configure as needed.
    - Use remote gateways: Configure as needed.
  - Click "Add".
Important: A peering is only in the Connected state once both directions exist. The portal form above creates both halves in one step; with the Azure CLI and PowerShell each direction is a separate operation, and the first peering shows the Initiated state until the matching peering is created from the other virtual network.
Create Peering using Azure CLI
This section demonstrates how to create a virtual network peering using the Azure CLI. Replace the placeholder values with your actual resource names and resource group.
First, create the peering from VNet1 to VNet2:
az network vnet peering create \
  --resource-group <ResourceGroup1> \
  --name VNet1ToVNet2 \
  --vnet-name VNet1 \
  --remote-vnet <VNet2ResourceID> \
  --allow-vnet-access
Next, create the corresponding peering from VNet2 to VNet1:
az network vnet peering create \
  --resource-group <ResourceGroup2> \
  --name VNet2ToVNet1 \
  --vnet-name VNet2 \
  --remote-vnet <VNet1ResourceID> \
  --allow-vnet-access
Note: --remote-vnet accepts the remote virtual network's name when both networks are in the same resource group; otherwise pass its resource ID, which you can find with az network vnet show --resource-group <ResourceGroup2> --name VNet2 --query id --output tsv. After both peerings exist, az network vnet peering show --resource-group <ResourceGroup1> --vnet-name VNet1 --name VNet1ToVNet2 --query peeringState should return Connected.
Create Peering using Azure PowerShell
This section provides instructions for creating virtual network peering using Azure PowerShell. Replace the placeholder values with your actual resource names and resource group.
First, create the peering from VNet1 to VNet2:
$vnet1 = Get-AzVirtualNetwork -Name "VNet1" -ResourceGroupName "<ResourceGroup1>"
$vnet2 = Get-AzVirtualNetwork -Name "VNet2" -ResourceGroupName "<ResourceGroup2>"
# Virtual network access is allowed by default; pass -BlockVirtualNetworkAccess to disable it.
Add-AzVirtualNetworkPeering -Name "VNet1ToVNet2" -VirtualNetwork $vnet1 -RemoteVirtualNetworkId $vnet2.Id
Next, create the corresponding peering from VNet2 to VNet1:
Add-AzVirtualNetworkPeering -Name "VNet2ToVNet1" -VirtualNetwork $vnet2 -RemoteVirtualNetworkId $vnet1.Id
Note: Get-AzVirtualNetworkPeering -VirtualNetworkName "VNet1" -ResourceGroupName "<ResourceGroup1>" -Name "VNet1ToVNet2" reports a PeeringState of Connected once both directions exist.
Important Considerations
- Transitive Peering: Virtual network peering is not transitive. If VNet1 is peered with VNet2, and VNet2 is peered with VNet3, VNet1 cannot communicate with VNet3 through VNet2. You would need to create a direct peering between VNet1 and VNet3.
- Gateway Transit: Gateway transit works in one direction per peering. The virtual network that owns the gateway enables "Allow gateway transit", and the peer that consumes it enables "Use remote gateways". A virtual network can use only one remote gateway, and a virtual network that has its own gateway cannot also use a remote gateway.
- Address Space Overlap: Ensure that the address spaces of the virtual networks being peered do not overlap. If they do, the peering operation fails.
- Network Security Groups (NSGs): NSGs are applied to subnets and network interfaces and keep working across peered virtual networks, so you can control traffic flow between them. Note that peering does not add any NSG rules of its own: the VirtualNetwork service tag expands to include the peered address space, so the default AllowVnetInBound rule admits traffic from the remote virtual network unless you add a higher-priority rule that restricts it.
- Service Endpoints: Service endpoints are enabled per subnet. Enable them on the subnets in each peered virtual network that need direct connectivity to the Azure service; an endpoint on a subnet in one virtual network does not cover the subnets of its peer.
- Global VNet Peering: VNet peering can be established between virtual networks in different Azure regions. One limitation to plan for: resources in one virtual network cannot reach the front-end IP of a Basic internal load balancer in a globally peered virtual network.
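A pre-flight check for the rules on this page (the address-space prerequisite, and the gateway-transit and NSG points above), written as an added Python example rather than Azure or Microsoft code. The VNet records and flag values are constructed inline to stand in for what az network vnet show would return; the VNet, PeeringFlags and function names are this example's own.

```python
"""Pre-flight checks for an Azure VNet peering (added example, not Azure code)."""
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import product


@dataclass
class VNet:
    # Constructed stand-in for the fields of `az network vnet show` this check needs.
    name: str
    address_space: list            # CIDR prefixes, e.g. ["10.0.0.0/16"]
    has_gateway: bool = False      # the VNet has its own VPN/ExpressRoute gateway


@dataclass
class PeeringFlags:
    # Mirrors the four checkboxes on the portal form / CLI flags.
    allow_vnet_access: bool = True
    allow_forwarded_traffic: bool = False
    allow_gateway_transit: bool = False
    use_remote_gateways: bool = False


def overlapping_prefixes(a: VNet, b: VNet) -> list:
    """Return (prefix_a, prefix_b) pairs that overlap; peering fails if any exist."""
    hits = []
    for pa, pb in product(a.address_space, b.address_space):
        na, nb = ip_network(pa, strict=False), ip_network(pb, strict=False)
        if na.version == nb.version and na.overlaps(nb):
            hits.append((pa, pb))
    return hits


def validate_peering(local: VNet, remote: VNet,
                     local_flags: PeeringFlags, remote_flags: PeeringFlags) -> list:
    """Return a list of problems with the pair of peerings; an empty list is good."""
    problems = [f"address space overlap: {local.name} {pa} vs {remote.name} {pb}"
                for pa, pb in overlapping_prefixes(local, remote)]
    # Gateway transit is one-way per peering: only one side may consume a gateway.
    if local_flags.use_remote_gateways and remote_flags.use_remote_gateways:
        problems.append("both sides set Use remote gateways; only one side may")
    for side, flags, other, other_flags in ((local, local_flags, remote, remote_flags),
                                            (remote, remote_flags, local, local_flags)):
        if not flags.use_remote_gateways:
            continue
        if side.has_gateway:
            problems.append(f"{side.name} has its own gateway and cannot use {other.name}'s")
        if not other.has_gateway:
            problems.append(f"{side.name} uses remote gateways but {other.name} has none")
        if not other_flags.allow_gateway_transit:
            problems.append(f"{side.name} uses remote gateways but {other.name} "
                            "has not enabled Allow gateway transit")
    return problems


def effective_virtualnetwork_tag(local: VNet, remote: VNet) -> list:
    """Prefixes the VirtualNetwork NSG service tag covers in `local` once peered.

    The peered address space is included, so the default AllowVnetInBound rule
    admits the remote VNet's traffic unless a higher-priority rule denies it.
    """
    def key(p):
        n = ip_network(p, strict=False)
        return (n.version, int(n.network_address), n.prefixlen)
    return sorted(set(local.address_space) | set(remote.address_space), key=key)


if __name__ == "__main__":
    hub = VNet("VNet1", ["10.0.0.0/16"], has_gateway=True)      # constructed sample
    spoke = VNet("VNet2", ["10.1.0.0/16"])                       # constructed sample
    print(validate_peering(hub, spoke, PeeringFlags(allow_gateway_transit=True),
                           PeeringFlags(use_remote_gateways=True)))
    print(validate_peering(hub, VNet("VNet3", ["10.0.128.0/17"]),
                           PeeringFlags(), PeeringFlags()))
    print(effective_virtualnetwork_tag(hub, spoke))
```

Run it before issuing the two az network vnet peering create commands: the first call returns no problems for a correctly mirrored hub-and-spoke setup, the second reports the overlap that would make the peering fail, and the last line shows the address ranges the default NSG rule will trust once the peering connects.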
Conceptual diagram illustrating virtual network peering.
By following these steps, you can successfully establish a virtual network peering connection between your Azure virtual networks, enhancing your cloud network architecture.