Virtual Network Peering

Last updated: October 26, 2023

Virtual network (VNet) peering enables you to seamlessly connect Azure virtual networks. Connecting networks through VNet peering allows you to share resources across them. Traffic between peered virtual networks is private and stays within the Microsoft Azure backbone network. No internet, premium or disaster recovery path is needed for VNet peering.

Benefits of VNet Peering

• Low latency and high bandwidth: Traffic between peered VNets travels on the Microsoft Azure backbone network, offering excellent performance.
• No downtime: VNet peering is established without service interruption.
• Secure and private: Communication between peered VNets remains within the Azure network, not traversing the public internet.
• Resource sharing: Easily share services and resources (like Azure SQL Database, Azure Storage, or VMs) between connected VNets.
• Global reach: Peering can be established between VNets in different Azure regions (global VNet peering).

How VNet Peering Works

When you peer two virtual networks, you create a relationship between them. This relationship enables:

• Virtual machines (VMs) in either virtual network can communicate with each other. The communication occurs as if the VMs were on the same virtual network.
• IP addresses are used: Resources in one VNet can communicate with resources in the other VNet using private IP addresses.
• No gateway required: Traffic between peered VNets travels on the Microsoft Azure backbone network. It does not traverse through a VPN gateway or use public IP addresses.

Peering Options

You can configure VNet peering in two ways:

1. VNet peering within the same region: Connects VNets in the same Azure region.
2. Global VNet peering: Connects VNets in different Azure regions.

Key Concepts

Address Spaces

For VNet peering to succeed, the address spaces of the peered VNets must not overlap. If they do overlap, the peering connection will fail.

Routing

When VNets are peered, VNet peering automatically propagates routes between them. You can also manually configure routes to control traffic flow.

Gateways

By default, a VNet that is peered with another VNet does not use its remote gateway. However, you can choose to use the remote gateway for transit routing.

Creating a VNet Peering Connection

You can create VNet peering connections using the Azure portal, Azure CLI, Azure PowerShell, or ARM templates.

Using the Azure Portal

1. Navigate to your virtual network in the Azure portal.
2. In the left-hand menu, select Peerings under Settings.
3. Click + Add.
4. Fill in the required fields, including the name of the peering, the subscription, the target virtual network, and peering settings.
5. Click Add to create the peering.

# Example Azure CLI command to create peering
az network vnet peering create \
  --name MyVNetPeering \
  --resource-group MyResourceGroup \
  --vnet-name MyVNet1 \
  --remote-vnet MyVNet2 \
  --allow-vnet-access
            

Limitations and Considerations

• Address space overlap: Overlapping address spaces will prevent peering.
• Transitivity: VNet peering is not transitive. If VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A cannot communicate with VNet C directly through peering. You'll need to peer VNet A with VNet C or use a hub-and-spoke model.
• Number of peerings: There are limits to the number of peerings per virtual network. Refer to Azure subscription and service limits for details.
• Gateway transit: While powerful, using remote gateways introduces dependencies and can affect performance.