Azure Documentation

Home > Documentation > Azure > Networking > VNet Peering Explained

Understanding Azure Virtual Network Peering

Azure Virtual Network (VNet) peering enables you to seamlessly connect two or more Azure virtual networks. This connection allows resources in each virtual network to communicate with each other as if they were within the same network. VNet peering offers a straightforward and cost-effective way to expand your Azure network infrastructure.

What is VNet Peering?

VNet peering is a relationship that you establish between two virtual networks. This relationship allows traffic to flow between them directly through the Azure backbone network, without requiring a gateway or encryption. Key benefits include:

  • Low latency and high bandwidth communication.
  • Simplified network topology.
  • No downtime during peering.
  • Ability to peer VNets within the same region (local peering) or across different regions (global peering).

How VNet Peering Works

When two VNets are peered, a virtual network gateway is not required. Traffic between the peered VNets is routed directly over the Microsoft backbone network. This means that IP addresses in one VNet are routable to the other VNet. When you peer VNet A to VNet B, you must also peer VNet B to VNet A to establish a bidirectional connection.

Key Concepts

  • Address Space Overlap: The address spaces of peered VNets must not overlap. If they do, VNet peering will fail.
  • Subnets: While you cannot have overlapping address spaces, you can have subnets with the same name in peered VNets.
  • Routing: When you create a VNet peering connection, Azure automatically creates routes between the two VNets. You can also inject your own custom routes or use User Defined Routes (UDRs).
  • Service Endpoints: You can enable service endpoints for Azure services like Storage and SQL Database in each peered VNet. This allows resources in one VNet to securely access these services in another VNet.
  • Gateways: VNet peering does not support gateway transit. This means that if one VNet has a virtual network gateway, you cannot use it to route traffic to a peered VNet. You would need to set up a gateway in each VNet if you need to connect to on-premises networks.

Important Considerations

Ensure that the address spaces of the VNets you intend to peer do not overlap. This is a common cause of peering failures. Always plan your IP addressing scheme carefully.

Use Cases for VNet Peering

VNet peering is highly versatile and can be used in various scenarios:

  • Connecting VNets within a Subscription: For modular application architectures.
  • Connecting VNets across Subscriptions: For different departments or applications sharing infrastructure.
  • Connecting VNets across Regions (Global Peering): For disaster recovery or geographically distributed applications.
  • Hybrid Cloud Connectivity: While not a replacement for VPN Gateways, peering can be part of a broader hybrid solution.

Example Scenario

Imagine you have two VNets:

  • VNet-App: 10.1.0.0/16, containing your application servers.
  • VNet-DB: 10.2.0.0/16, containing your database servers.

By peering VNet-App and VNet-DB, application servers in 10.1.0.0/16 can communicate directly with database servers in 10.2.0.0/16, and vice versa, using private IP addresses.

Azure CLI Example (Conceptual)


# Create the first VNet
az network vnet create --name VNet-App --resource-group myResourceGroup --location eastus --address-prefix 10.1.0.0/16

# Create the second VNet
az network vnet create --name VNet-DB --resource-group myResourceGroup --location eastus --address-prefix 10.2.0.0/16

# Peer VNet-App to VNet-DB
az network vnet peering create --name VNetAppToVNetDB --resource-group myResourceGroup --vnet-name VNet-App \
    --remote-vnet VNet-DB --allow-vnet-access

# Peer VNet-DB to VNet-App
az network vnet peering create --name VNetDBToVNetApp --resource-group myResourceGroup --vnet-name VNet-DB \
    --remote-vnet VNet-App --allow-vnet-access

Managing VNet Peering

You can manage VNet peering connections through the Azure portal, Azure CLI, Azure PowerShell, or ARM templates. For each peering, you can configure:

  • Allow Virtual Network Access: Enables or disables communication between the peered VNets.
  • Allow Gateway Transit: (Not applicable for standard peering) Allows the peered VNet to use the gateway of the current VNet.
  • Use Remote Gateways: Allows the current VNet to use the gateway of the peered VNet.

Gateway Limitations

Remember that standard VNet peering connections do not support transit routing through gateways. If you need to connect peered VNets to on-premises networks, you must ensure that a virtual network gateway is present in each VNet that requires this connectivity.

Troubleshooting

Common issues with VNet peering include:

  • Address Space Overlap: The most frequent problem. Verify that the CIDR blocks of your VNets are unique.
  • Incorrect Peering Configuration: Ensure that peering is set up in both directions and that all necessary permissions are granted.
  • Network Security Groups (NSGs): NSGs applied to subnets can block traffic. Ensure your NSG rules allow traffic from the peered VNet's address space.
  • Firewall Rules: If you have network virtual appliances (NVAs) or firewalls, verify their configurations.

Conclusion

Azure Virtual Network peering is a fundamental service for building scalable and interconnected cloud networks. By understanding its mechanisms and best practices, you can effectively extend your network reach, improve communication between workloads, and design robust cloud architectures.