Virtual network peering
This article explains how to configure virtual network peering in Azure. Virtual network peering connects two Azure virtual networks privately and securely, allowing them to communicate as if they were one network.
Introduction
Azure Virtual Network (VNet) peering enables you to connect two Azure virtual networks. Once peered, virtual networks can communicate with each other directly, using private IP addresses, without the need for gateways, VPNs, or other traffic-forwarding infrastructure. Traffic between peered VNets is private and stays within the Microsoft backbone network.
Benefits of VNet Peering
- Low Latency and High Bandwidth: Traffic between peered VNets travels on the Microsoft backbone, offering excellent performance.
- Secure Communication: Communication between VNets is private and secure, utilizing private IP addresses.
- Simplified Network Management: Eliminates the need for complex network configurations like VPN tunnels for inter-VNet communication.
- Resource Sharing: Allows resources in different VNets to access each other.
- Global Reach: Supports peering across different Azure regions.
Configuration Steps
You can configure VNet peering using the Azure portal, Azure CLI, or Azure PowerShell.
Using Azure Portal
- Navigate to your virtual network in the Azure portal.
- Under Settings, select Peerings.
- Click + Add to create a new peering connection.
- Enter a Name for the peering connection.
- Select the subscription and virtual network you want to peer with.
- Configure Address space if the remote VNet does not have a peered gateway.
- Specify peering settings:
  - Allow virtual network access: Enable to allow traffic from the remote VNet to this VNet.
  - Allow forwarded traffic: Enable to allow traffic originating from on-premises or other VNets to transit this VNet to reach the remote VNet.
  - Allow gateway transit: Enable if the remote VNet has a VPN gateway and you want to route traffic through it.
  - Use remote gateways: Enable if the local VNet should use the VPN gateway in the remote VNet.
- Click Add to create the peering connection.
Azure CLI Example
az network vnet peering create \
  --resource-group <resource-group-name> \
  --name <peering-name> \
  --vnet-name <local-vnet-name> \
  --remote-vnet <remote-vnet-name-or-resource-id> \
  --allow-vnet-access
Replace the angle-bracket placeholders with your own values. A peering exists only when it is created from both sides, so run the same command again from the remote VNet with the names swapped.
Important Considerations
Transitive Routing: VNet peering is not transitive. If VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A cannot communicate with VNet C through VNet B unless explicit peering is configured between A and C.
IP Address Space Overlap: Ensure that the address spaces of peered virtual networks do not overlap. Overlapping address spaces will cause routing issues.
Gateway Transit: When enabling gateway transit, be mindful of the number of VNets that can use a single gateway. Ensure your gateway SKU supports the required connections.
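A pre-peering check for two of the considerations above (address-space overlap and non-transitive routing), as an added example that is not part of the original article. The VNet inventory and planned peerings are constructed sample data, and the helper functions are hypothetical, not Azure SDK or CLI calls:

```python
import ipaddress

# Constructed sample inventory (not real Azure data): VNet name -> address prefixes.
VNETS = {
    "vnet-a": ["10.0.0.0/16"],
    "vnet-b": ["10.1.0.0/16"],
    "vnet-c": ["10.2.0.0/16"],
    "vnet-d": ["10.1.128.0/17"],  # overlaps vnet-b; peering would break routing
}

# Constructed planned peerings. Each pair models a link that has been
# created in both directions (a one-sided peering is not connected).
PEERINGS = [("vnet-a", "vnet-b"), ("vnet-b", "vnet-c")]


def overlapping_prefixes(vnet1, vnet2, vnets=VNETS):
    """Return (prefix1, prefix2) pairs whose ranges overlap; empty means safe to peer."""
    clashes = []
    for p1 in vnets[vnet1]:
        for p2 in vnets[vnet2]:
            if ipaddress.ip_network(p1).overlaps(ipaddress.ip_network(p2)):
                clashes.append((p1, p2))
    return clashes


def check_peerings(peerings=PEERINGS, vnets=VNETS):
    """Map each planned peering with overlapping address space to its clashes."""
    problems = {}
    for a, b in peerings:
        clashes = overlapping_prefixes(a, b, vnets)
        if clashes:
            problems[(a, b)] = clashes
    return problems


def can_reach(src, dst, peerings=PEERINGS):
    """Peering is not transitive: src reaches dst only over a direct peering."""
    return any({src, dst} == {a, b} for a, b in peerings)


if __name__ == "__main__":
    print("overlap problems:", check_peerings())
    print("vnet-a -> vnet-c via vnet-b:", can_reach("vnet-a", "vnet-c"))
```

Run it before submitting peering requests: a non-empty result from check_peerings means an address-space change is needed first, and can_reach shows which VNet pairs still need a direct peering.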
DNS Resolution
By default, peered VNets use Azure-provided DNS resolution. If you use custom DNS servers, make sure they are reachable from both VNets and that resolution is configured correctly on each side. You can also enable 'Allow virtual network access' for DNS traffic if needed.
Security
While peering provides a secure connection, always implement network security groups (NSGs) and Azure Firewall to control traffic flow between VNets and enforce security policies.
Troubleshooting
If you encounter issues with VNet peering:
- Verify that peering connections are established in both directions.
- Check for overlapping IP address spaces.
- Review Network Security Group (NSG) rules in both VNets.
- Ensure DNS resolution is working correctly.
- Confirm gateway transit settings if applicable.
For detailed troubleshooting steps, refer to the official Azure documentation.