Virtual Networks

About Network-to-Network VPNs

Azure Virtual Network (VNet) network-to-network connectivity allows you to securely connect two or more Azure VNets together. This is often referred to as a VNet-to-VNet connection. You can also use this type of connection to establish connectivity between VNets in different Azure regions. VNet-to-VNet is a secure and managed way to transfer data between business units or development and production environments.

A VNet-to-VNet connection is essentially a VPN connection that you configure between two VNets. Azure VPN Gateway is used to establish this connection. The VPN Gateway is a logical network appliance that is deployed in a virtual network. It is deployed to a dedicated subnet named 'GatewaySubnet'. The GatewaySubnet must be named exactly that.

Benefits of VNet-to-VNet Connectivity

  • Secure Communication: Data is encrypted in transit between the VNets, ensuring confidentiality and integrity.
  • Resource Sharing: Allows resources in different VNets to communicate with each other as if they were on the same private network.
  • Regional and Global Connectivity: Connect VNets within the same Azure region or across different Azure regions for disaster recovery, geo-redundancy, or global applications.
  • Cost-Effective: Often more cost-effective than other solutions for inter-VNet communication.
  • Managed Service: Azure manages the VPN Gateway infrastructure, reducing operational overhead.

Use Cases

  • Connecting development, testing, and production VNets.
  • Creating a hybrid cloud solution by connecting Azure VNets to on-premises networks via Site-to-Site VPNs, and then connecting these Azure VNets to each other.
  • Implementing disaster recovery solutions by replicating workloads across VNets in different regions.
  • Deploying multi-tier applications that span across multiple VNets.

How it Works

A VNet-to-VNet connection utilizes Azure VPN Gateway to establish a secure IPsec/IKE tunnel between two VNets. Each VNet will have its own VPN Gateway. The configuration involves defining connection objects on each VPN Gateway that point to the other VNet's gateway. This creates a secure tunnel for traffic to flow between the two virtual networks.

Important: When connecting VNets, ensure that the address spaces of the VNets do not overlap. Overlapping address spaces will cause routing issues and prevent successful communication.

Key Components

  • Azure Virtual Network (VNet): The fundamental building block for your private network in Azure.
  • Subnet: A range of IP addresses within a VNet.
  • GatewaySubnet: A dedicated subnet within the VNet where the VPN Gateway is deployed. It must be named exactly 'GatewaySubnet'.
  • Virtual Network Gateway: The VPN device that is deployed in the GatewaySubnet and handles VPN connections.
  • Connection: A resource that defines the properties of the connection between two VPN gateways, including the shared key and the type of VPN.

Configuration Steps (High-Level)

  1. Create or select two VNets that you want to connect. Ensure their address spaces do not overlap.
  2. Create a GatewaySubnet in each VNet.
  3. Create a Virtual Network Gateway in each VNet, associating it with the GatewaySubnet.
  4. Create a connection resource in the first VNet, specifying the second VNet's gateway and a shared secret key.
  5. Create a corresponding connection resource in the second VNet, pointing to the first VNet's gateway and using the same shared secret key.
Tip: For VNet-to-VNet connections between different regions, ensure that your routing is configured correctly to direct traffic through the VPN Gateways.

You can manage VNet-to-VNet connections using the Azure portal, Azure CLI, PowerShell, or Azure Resource Manager templates. For detailed configuration steps and best practices, refer to the official Azure VPN Gateway documentation.