VNet Peering
VNet peering connects two Azure Virtual Networks (VNets) together. This allows resources in each virtual network to communicate with each other. The traffic between virtual networks is routed through the Azure backbone network; it doesn't traverse the public internet. VNet peering provides lower latency and higher bandwidth than VPN gateways, making it an ideal solution for many inter-VNet connectivity scenarios.
Key Concepts of VNet Peering
- Global vs. Local VNet Peering: Peering can be established within the same Azure region (local) or across different Azure regions (global).
- Non-Transitive and Bidirectional: VNet peering is a non-transitive relationship (if VNet A is peered with VNet B and VNet B with VNet C, A cannot reach C through B). You must configure peering on both VNets to enable communication.
- Resource Communication: Resources in one VNet can communicate with resources in another VNet as if they were in the same network.
- IP Addressing: Ensure that the IP address spaces of the peered VNets do not overlap.
- Bandwidth and Latency: VNet peering leverages the Azure backbone, providing high throughput and low latency.
When to Use VNet Peering
VNet peering is suitable for various scenarios:
- Connecting VNets within the same subscription for resource sharing.
- Connecting VNets across different subscriptions for departmental or organizational connectivity.
- Connecting VNets in different Azure regions for disaster recovery or geographical distribution.
- Enabling workloads that span multiple VNets to communicate seamlessly.
VNet Peering Configuration Steps
To configure VNet peering, you'll need to perform the steps on both VNets involved.
Step 1: Navigate to the Virtual Network
In the Azure portal, go to the virtual network you want to configure peering for.
Step 2: Access the Peering Settings
In the virtual network's blade, select Peerings under the Settings section.
Step 3: Add a Peering Connection
Click on + Add to create a new peering connection.
Step 4: Configure Peering Details
You will be presented with a form to configure the peering settings:
- This virtual network peering:
  - Peering link name: A descriptive name for the peering connection (e.g., VNetA-to-VNetB).
  - Virtual network deployment model: Select the appropriate model (Resource Manager or Classic).
  - Virtual network: Select the virtual network you are peering *to*.
  - Subscription: Choose the subscription containing the target VNet.
  - Resource group: Select the resource group of the target VNet.
  - Virtual network name: Select the specific virtual network you want to peer with.
- Remote virtual network peering:
  - Allow virtual network access: Enable this to allow traffic from the remote VNet to access resources in this VNet.
  - Allow forwarded traffic: Enable this if the remote VNet might forward traffic to other networks through this VNet (typically used with UDRs).
  - Allow gateway transit: Enable this on the VNet that owns the VPN gateway or ExpressRoute circuit, so that the remote VNet can route traffic through it.
  - Use remote virtual network's gateway or Route Server: If 'Allow gateway transit' is enabled on the remote VNet, select this option if you want to use the remote VNet's gateway.
Step 5: Repeat for the Remote VNet
You must repeat these steps on the other virtual network, configuring the peering connection back to the original VNet.
Considerations and Best Practices
- IP Address Spaces: Always ensure that your virtual networks have non-overlapping IP address spaces to avoid routing conflicts.
- Gateway Transit: Carefully consider when to enable 'Allow gateway transit'. Enabling it allows VNets to share a common VPN gateway or ExpressRoute circuit but can introduce complexity.
- Security: Implement Network Security Groups (NSGs) on subnets in both VNets to control traffic flow and enhance security.
- DNS Resolution: By default, VNet peering does not support custom DNS server resolution across peered networks. You may need to configure a custom DNS solution or use Azure DNS Private Resolver.
- Performance: While VNet peering offers great performance, be mindful of the maximum number of peering connections allowed per VNet and per subscription.
Example Scenario
Imagine you have two VNets:
- VNet-App (10.1.0.0/16) hosting your web servers.
- VNet-DB (10.2.0.0/16) hosting your database servers.
To allow the web servers in VNet-App to connect to the database servers in VNet-DB, you would:
- Create a peering from VNet-App to VNet-DB.
- Create a peering from VNet-DB to VNet-App.
Ensure that Allow virtual network access is enabled on both peering connections. Resources in VNet-App can then communicate with resources in VNet-DB using their private IP addresses.
# Example CLI command to create a peering (simplified)
# --remote-vnet accepts a plain name only when both VNets are in the same resource group;
# otherwise pass the remote VNet's full resource ID.
# On VNet-App:
az network vnet peering create \
--name VNetAppToVNetDB \
--resource-group myResourceGroup \
--vnet-name VNet-App \
--remote-vnet VNet-DB \
--allow-vnet-access
# On VNet-DB:
az network vnet peering create \
--name VNetDBToVNetApp \
--resource-group myResourceGroup \
--vnet-name VNet-DB \
--remote-vnet VNet-App \
--allow-vnet-access
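The pre-flight checks the page asks for (non-overlapping address spaces, a peering link on both sides, 'Allow virtual network access' enabled, and consistent gateway-transit settings) can be scripted before anyone clicks + Add. The following is an added example, not code from the page or from Azure; the VNet/Peering dataclasses and the sample data are constructed here from the VNet-App / VNet-DB scenario above.

```python
# Added example: validate a planned VNet peering offline before creating it.
import ipaddress
from dataclasses import dataclass

@dataclass
class VNet:
    name: str
    address_spaces: list  # CIDR prefixes assigned to the VNet

@dataclass
class Peering:
    local: str   # VNet on which this peering link is configured
    remote: str  # VNet the link points to
    allow_vnet_access: bool = True
    allow_gateway_transit: bool = False
    use_remote_gateways: bool = False

def overlapping_prefixes(a, b):
    """Every pair of prefixes that overlap between two VNets (must be empty)."""
    return [(x, y) for x in a.address_spaces for y in b.address_spaces
            if ipaddress.ip_network(x).overlaps(ipaddress.ip_network(y))]

def validate_peering(a, b, peerings):
    """Return findings for peering a<->b; an empty list means the pair is consistent."""
    findings = [f"address space overlap: {x} ({a.name}) vs {y} ({b.name})"
                for x, y in overlapping_prefixes(a, b)]
    link = {(p.local, p.remote): p for p in peerings}
    a_to_b, b_to_a = link.get((a.name, b.name)), link.get((b.name, a.name))
    if a_to_b is None or b_to_a is None:
        # Peering is not transitive and must be configured on both VNets.
        findings.append("peering is missing on one side; configure it on both VNets")
        return findings
    for p, other in ((a_to_b, b_to_a), (b_to_a, a_to_b)):
        if not p.allow_vnet_access:
            findings.append(f"{p.local}->{p.remote}: 'Allow virtual network access' is disabled")
        if p.use_remote_gateways and p.allow_gateway_transit:
            # A VNet cannot both own the shared gateway and borrow the remote one.
            findings.append(f"{p.local}: allow_gateway_transit and use_remote_gateways both set")
        if p.use_remote_gateways and not other.allow_gateway_transit:
            findings.append(f"{p.local}: use_remote_gateways requires allow_gateway_transit on {other.local}")
    return findings

# Constructed sample data mirroring the Example Scenario above.
VNET_APP = VNet("VNet-App", ["10.1.0.0/16"])
VNET_DB = VNet("VNet-DB", ["10.2.0.0/16"])
GOOD = [Peering("VNet-App", "VNet-DB"), Peering("VNet-DB", "VNet-App")]
# Hypothetical misconfiguration: VNet-DB expects VNet-App's gateway, but VNet-App does not allow transit.
BAD = [Peering("VNet-App", "VNet-DB"), Peering("VNet-DB", "VNet-App", use_remote_gateways=True)]

if __name__ == "__main__":
    print("GOOD:", validate_peering(VNET_APP, VNET_DB, GOOD))  # GOOD: []
    print("BAD:", validate_peering(VNET_APP, VNET_DB, BAD))
```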
Refer to the official Azure VNet Peering documentation for the most up-to-date information and advanced configurations.