Azure Virtual Network Peering

Published: November 15, 2023

Azure Virtual Network (VNet) peering connects two or more Azure virtual networks. VNet peering allows resources in each virtual network to communicate with each other. The virtual networks can be in the same Azure region or different Azure regions. This provides a low-latency, high-bandwidth connection between the virtual networks.

Why use VNet Peering?

VNet peering is essential for building scalable and distributed applications on Azure. It enables:

Seamless communication between application tiers hosted in different VNets.
Secure connectivity without requiring gateways or encryption for traffic within Azure.
Sharing of services and resources across VNets.
Hybrid cloud scenarios by connecting on-premises networks to Azure VNets.

Understanding VNet Peering

When you peer two virtual networks, you establish a one-to-one relationship between them. This means that VNet A can be peered with VNet B, and VNet B can be peered with VNet A. This peering connection is non-transitive. If VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A cannot communicate with VNet C through VNet B.

Conceptual diagram of Azure Virtual Network Peering.

Key Features and Benefits

Low Latency and High Bandwidth: Traffic between peered VNets travels over the Azure backbone network, offering excellent performance.
Secure Connectivity: Communication between peered VNets is private and secure, with no public internet involvement.
Resource Sharing: Allows you to share resources like Azure Firewall, Azure Load Balancer, or virtual machines seamlessly.
Simplified Network Management: Reduces the complexity of managing separate network segments.
Global Reach: Supports peering across different Azure regions (global VNet peering).

Types of VNet Peering

VNet to VNet Peering: Connects two VNets within the same Azure subscription or across different subscriptions.
Global VNet Peering: Connects two VNets in different Azure regions. This is crucial for disaster recovery and geographically distributed applications.

Prerequisites for VNet Peering

Both VNets must have unique address spaces. Overlapping address spaces will result in peering failure.
Neither VNet can have any existing VPN gateways or ExpressRoute circuits configured for them to participate in VNet peering. However, you can configure remote virtual network gateways.
The peering must be enabled in both directions (from VNet A to VNet B, and from VNet B to VNet A).

Configuration Steps (Azure Portal)

To establish VNet peering using the Azure portal, follow these general steps:

Navigate to the virtual network you want to peer.
In the network's settings, select "Peerings".
Click "+ Add" to create a new peering connection.
Configure the peering details, including:
- Name of the peering connection.
- The virtual network to peer with (selecting from your subscriptions).
- Specify address space settings (e.g., Allow virtual network access, Allow gateway transit, Allow forwarded traffic).
Repeat the process on the other virtual network to establish the reciprocal peering.

Example PowerShell Configuration

Here's a snippet demonstrating how to create a VNet peering using Azure PowerShell:

                
# Variables for VNet A
$resourceGroupNameA = "MyResourceGroupA"
$vnetNameA = "VNetA"
$peeringNameAtoB = "VNetA-to-VNetB"

# Variables for VNet B
$resourceGroupNameB = "MyResourceGroupB"
$vnetNameB = "VNetB"
$peeringNameBtoA = "VNetB-to-VNetA"

# Get VNets
$vnetA = Get-AzVirtualNetwork -ResourceGroupName $resourceGroupNameA -Name $vnetNameA
$vnetB = Get-AzVirtualNetwork -ResourceGroupName $resourceGroupNameB -Name $vnetNameB

# Create peering from VNet A to VNet B
Add-AzVirtualNetworkPeering -Name $peeringNameAtoB `
    -VirtualNetwork $vnetA `
    -RemoteVirtualNetworkId $vnetB.Id `
    -AllowVirtualNetworkAccess

# Create peering from VNet B to VNet A
Add-AzVirtualNetworkPeering -Name $peeringNameBtoA `
    -VirtualNetwork $vnetB `
    -RemoteVirtualNetworkId $vnetA.Id `
    -AllowVirtualNetworkAccess

Write-Host "VNet peering created successfully between $vnetNameA and $vnetNameB."
                
            

Important Considerations

When using VNet peering, especially with gateway transit enabled, ensure that your routing configurations are correct to avoid network loops or connectivity issues. Also, be mindful of the peering limits imposed by Azure.

Troubleshooting VNet Peering

Common issues include:

Overlapping IP Address Spaces: The most frequent cause of peering failure.
Incorrectly Configured Remote Virtual Network Gateway Settings: Especially if using gateway transit.
Network Security Group (NSG) Rules: Ensure NSGs on subnets do not block traffic between peered VNets.
Firewall Rules: Virtual appliances or OS-level firewalls blocking traffic.

Use Azure Network Watcher's connection troubleshoot features to diagnose connectivity problems.

Conclusion

Azure Virtual Network peering is a powerful and flexible service that simplifies and enhances connectivity between your virtual networks. By understanding its features and proper configuration, you can build robust, scalable, and secure cloud architectures.

For advanced scenarios and detailed configuration options, refer to the official Azure documentation and best practices.