Azure VNet Peering Troubleshooting

Troubleshooting Azure VNet Peering Issues

Virtual network peering connects two Azure Virtual Networks (VNets) seamlessly. While it offers a simple way to share resources between networks, issues can arise. This guide helps you diagnose and resolve common VNet peering problems.

Common VNet Peering Issues

Connectivity Loss: Resources in peered VNets cannot communicate with each other.
Slow Performance: Network latency between peered VNets is higher than expected.
DNS Resolution Failures: Hostnames in one VNet cannot be resolved from the other.
Gateway Transit Issues: If one VNet has a VPN gateway or ExpressRoute circuit, traffic intended to use it from the other VNet isn't flowing.

Connectivity Checks

Start with basic checks to ensure your peering is configured correctly and the underlying infrastructure is sound.

Verify Peering Status:
In the Azure portal, navigate to your VNet, then to "Peerings." Ensure the status for both directions of the peering is "Connected."
```
Azure Portal -> Virtual Network -> [Your VNet] -> Peerings -> Status: Connected
```

Check VNet Address Spaces:

Ensure that the address spaces of the peered VNets do not overlap. Overlapping address spaces are a common cause of connectivity issues.

VNet A Address Space: 10.1.0.0/16
VNet B Address Space: 10.2.0.0/16  (No Overlap)
VNet A Address Space: 10.1.0.0/16
VNet B Address Space: 10.1.5.0/24  (Overlap - Problem!)

Confirm Peering Settings:
Double-check the settings for both VNets involved in the peering. Key settings include:
- Remote VNet ID
- Allow Virtual Network Access (should be enabled)
- Allow Gateway Transit (if applicable)
- Use Remote Gateways (if applicable)

DNS Resolution Issues

If you can ping IP addresses but not hostnames, DNS is likely the culprit.

Custom DNS Servers: If you are using custom DNS servers (e.g., Active Directory domain controllers), ensure these servers are reachable from the peered VNet and that they have forwarders or conditional forwarders configured to resolve names in the other VNet's domain.
Azure DNS: If using Azure-provided DNS, ensure "Enable virtual network access" is checked for the peering. If custom DNS is enabled on the VNet, ensure that the custom DNS servers are correctly configured and accessible.

DNS Troubleshooting Steps:

From a VM in VNet A, try to resolve a hostname in VNet B: nslookup vm-in-vnet-b.yourdomain.com
From a VM in VNet B, try to resolve a hostname in VNet A: nslookup vm-in-vnet-a.yourdomain.com
Verify that your DNS server IP addresses are correctly listed in the VNet settings for both VNets.

Network Security Groups (NSGs)

NSGs associated with subnets or network interfaces can block traffic. This is a very common cause of VNet peering issues.

Inbound Rules: Ensure that the NSG on the target subnet/NIC in the destination VNet has inbound rules allowing traffic from the IP address range of the source VNet.
Outbound Rules: Ensure that the NSG on the source subnet/NIC in the source VNet has outbound rules allowing traffic to the IP address range of the destination VNet.

Tip:

Use the IP Flow Verify tool in Azure Network Watcher to diagnose NSG issues. This tool checks if traffic is allowed or denied by NSGs to or from a VM.

Routing Issues

Azure automatically manages routing for VNet peering, but custom routes (User Defined Routes - UDRs) or virtual network gateways can interfere.

Check Route Tables: Examine the route tables associated with the subnets in both VNets. Ensure there are no routes that incorrectly direct traffic destined for the peered VNet to a non-existent next hop or a black hole.
Gateway Transit: If you are using gateway transit to allow VMs in peered VNets to access an on-premises network via a VPN Gateway or ExpressRoute, verify the following settings:
- In the peered VNet (where the gateway is NOT located), set "Allow gateway transit" to Yes.
- In the VNet with the gateway, set "Use remote gateways" to No (this is the default) and ensure "Allow gateway transit" is set to Yes.

Advanced Diagnostics with Network Watcher

Azure Network Watcher provides powerful tools for diagnosing network connectivity issues.

Connection Troubleshoot: Use the Connection Troubleshoot feature to test connectivity between two endpoints.
IP Flow Verify: As mentioned earlier, this is invaluable for NSG troubleshooting.
Next Hop: Determine the next hop for traffic leaving a VM, which helps identify routing problems.
Packet Capture: Capture network traffic to analyze protocols and troubleshoot specific communication flows.

Important:

Ensure Network Watcher is enabled in the regions where your VNets are located. Network Watcher resources are region-specific.

By systematically checking these areas, you can effectively troubleshoot and resolve most Azure VNet peering connectivity problems.