Transit Virtual Network Scenarios in Azure

This document explores common patterns and best practices for achieving transit connectivity between Azure virtual networks (VNets). Transit connectivity allows resources in one VNet to reach resources in another VNet, often through a central network or gateway.

Introduction to Transit Connectivity

In Azure, virtual networks provide network isolation. However, many applications require communication across different VNets. This is known as transit connectivity. Achieving this securely and efficiently is crucial for distributed architectures.

Common scenarios requiring transit connectivity include:

On this page:

Methods for Achieving Transit

Several approaches can be used to enable transit connectivity in Azure:

VNet Peering for Transit

VNet peering enables direct network connectivity between Azure VNets. When you peer two VNets, resources in each VNet can communicate with each other as if they were within the same network. This applies to VNets within the same region or across different Azure regions (global peering).

How it works:

To enable transit using VNet peering, you typically need a hub VNet. Spokes connect to the hub, and you can enable gateway transit on the spoke VNets to allow them to use the hub's gateway for connectivity to other spokes or on-premises networks.

Important Note: VNet peering is non-transitive by default. This means if VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A cannot communicate with VNet C directly through VNet B. To achieve transitive routing, you need to explicitly configure it using a hub VNet with gateway transit or a Virtual WAN.

Note: Ensure that the address spaces of peered VNets do not overlap.

Configuration steps:

  1. Create a hub VNet.
  2. Create spoke VNets.
  3. Peer each spoke VNet to the hub VNet.
  4. Enable Gateway Transit on the spoke VNets and set the Allow Gateway Transit option to True.
  5. On the hub VNet, enable Allow Gateway Transit to True.
  6. If connecting to on-premises, deploy a VPN gateway or ExpressRoute gateway in the hub VNet.

VPN Gateway for Transit

Azure VPN Gateway can be used to connect VNets together (VNet-to-VNet connection) or to connect your on-premises network to your Azure VNets. This service can act as a transit point.

VNet-to-VNet connectivity:

You can establish a VNet-to-VNet connection by creating a VPN gateway in each VNet and configuring them to connect to each other. This approach can be complex to manage for many VNets.

Hub-and-Spoke with VPN Gateway:

A more scalable approach is to deploy a VPN gateway in a central hub VNet. Spoke VNets can then connect to the hub's VPN gateway, either through VNet peering with gateway transit or by establishing VNet-to-VNet connections directly to the hub.

Tip: Using a hub VNet with a VPN gateway is a common pattern for hybrid connectivity, allowing secure transit between multiple VNets and your on-premises environment.

Azure Virtual WAN

Azure Virtual WAN is a networking service that brings together networking, security, and routing functionalities into a single operational interface. It's designed for large-scale, distributed environments.

Benefits:

Virtual WAN provides a managed transit hub that simplifies the complexity of connecting multiple VNets and on-premises sites.

Hub-Spoke Architecture

The hub-spoke topology is a popular design pattern for transit connectivity. In this model:

This architecture allows for centralized management of security and routing, making it easier to enforce policies and control traffic flow.

Warning: When using hub-spoke with VNet peering, ensure that you configure gateway transit correctly. Misconfiguration can lead to connectivity issues or security vulnerabilities.

Key Considerations