Virtual Network Peering

Virtual network peering allows you to connect two Azure virtual networks seamlessly. Once peered, virtual networks are treated as one for connectivity purposes. Traffic between virtual machines in peered virtual networks is routed through the Azure backbone infrastructure, not through a gateway or encrypted over the public internet.

Benefits of VNet Peering

  • Low Latency: Communication between virtual networks happens on the Azure backbone.
  • High Bandwidth: Leverages the high-throughput network infrastructure of Azure.
  • Simplified Management: No need for complex VPN gateways or NAT devices for inter-network communication within Azure.
  • Seamless Connectivity: Resources in one virtual network can communicate with resources in another as if they were in the same network.

Key Concepts

  • Global Peering: Allows you to peer virtual networks across different Azure regions.
  • Local Peering: Connects virtual networks within the same Azure region.
  • Transitive Routing: VNet peering is non-transitive. If VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A cannot reach VNet C through VNet B; A and C need their own peering.
  • Gateway Transit: You can configure a virtual network to use the VPN gateway or ExpressRoute gateway of a peered virtual network for accessing on-premises networks or other VNets.

Prerequisites for VNet Peering

  • Both virtual networks must exist.
  • The virtual networks must have non-overlapping IP address spaces.
  • The virtual networks can be in the same or different Azure regions.
  • You must have the necessary permissions to create peering configurations.

Creating a VNet Peering (Azure Portal)

  1. Navigate to your first virtual network in the Azure portal.
  2. In the left-hand menu, under Settings, select Peerings.
  3. Click + Add to create a new peering.
  4. Enter a Name for the peering (e.g., `VNetA-to-VNetB`).
  5. Select the target virtual network you want to peer with.
  6. Configure the peering settings, including whether to allow Virtual network access, Gateway transit, and Forwarded traffic.
  7. Repeat the process on the second virtual network to establish the reciprocal peering connection.

Example Azure CLI Command

# Creates the VNetA -> VNetB side only; run the mirror command from VNetB
# (--vnet-name VNetB --remote-vnet VNetA) to establish the reciprocal peering.
# --remote-vnet takes a name when both VNets share the resource group,
# otherwise pass the remote VNet's full resource ID.
az network vnet peering create \
    --resource-group MyResourceGroup \
    --name VNetA-to-VNetB \
    --vnet-name VNetA \
    --remote-vnet VNetB \
    --allow-vnet-access

Important Note:

Ensure that the IP address spaces of the peered virtual networks do not overlap. Overlapping address spaces will prevent the peering from being established.
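The non-overlap prerequisite is easy to check before running the CLI command. The following preflight script is an added example, not part of this page or of the Azure CLI; it uses constructed address spaces and checks every planned peering pair, including VNets that carry more than one address prefix.

```python
import ipaddress
from itertools import product

# Constructed sample address spaces (not taken from the page). A VNet can
# hold several address prefixes, so each VNet is a list of CIDRs.
VNET_A = ["10.1.0.0/16", "10.100.0.0/24"]
VNET_B = ["10.2.0.0/16"]
VNET_C = ["10.1.128.0/20", "192.168.0.0/24"]   # 10.1.128.0/20 lies inside VNet A's /16


def overlapping_prefixes(prefixes_a, prefixes_b):
    """Return every (a, b) pair of CIDRs that overlap between two address spaces."""
    nets_a = [ipaddress.ip_network(p, strict=True) for p in prefixes_a]
    nets_b = [ipaddress.ip_network(p, strict=True) for p in prefixes_b]
    return [(str(a), str(b)) for a, b in product(nets_a, nets_b) if a.overlaps(b)]


def can_peer(prefixes_a, prefixes_b):
    """Azure only establishes the peering when both address spaces are fully disjoint."""
    return not overlapping_prefixes(prefixes_a, prefixes_b)


def preflight(vnets, planned_peerings):
    """Check planned (name_a, name_b) peerings; return {pair: overlapping CIDR pairs}."""
    failures = {}
    for name_a, name_b in planned_peerings:
        clashes = overlapping_prefixes(vnets[name_a], vnets[name_b])
        if clashes:
            failures[(name_a, name_b)] = clashes
    return failures


if __name__ == "__main__":
    vnets = {"VNetA": VNET_A, "VNetB": VNET_B, "VNetC": VNET_C}
    planned = [("VNetA", "VNetB"), ("VNetA", "VNetC"), ("VNetB", "VNetC")]
    for (left, right), clashes in preflight(vnets, planned).items():
        print(f"{left} <-> {right} cannot be peered, overlapping prefixes: {clashes}")
```

With the constructed inputs, only the VNetA/VNetC pair is reported because 10.1.128.0/20 is contained in 10.1.0.0/16.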

Tip:

To enable gateway transit, ensure that the gateway VNet has a Virtual Network Gateway configured and that the peering settings are set on both sides: the gateway VNet's peering allows gateway transit and the other VNet's peering uses the remote gateway (in the CLI, `--allow-gateway-transit` and `--use-remote-gateways` respectively).

Security Considerations:

Peering only provides connectivity; it does not filter traffic. Always apply Network Security Groups (NSGs) to your subnets to control which flows are allowed between the peered networks. Note that the VirtualNetwork service tag used by the default NSG rules also covers the address space of peered virtual networks, so peering silently widens what those default rules permit unless you add explicit deny rules.

Troubleshooting

If you encounter issues with VNet peering, check the following:

  • IP address space overlap.
  • Correct peering configurations on both virtual networks.
  • Network Security Group (NSG) rules that might be blocking traffic.
  • Route tables that might be interfering with traffic flow.
  • Peering status on both virtual networks shows 'Connected' (a status of 'Initiated' means the reciprocal peering has not yet been created on the other side).