Introduction to Azure VNet Peering
Azure Virtual Network (VNet) peering enables you to connect two Azure Virtual Networks privately. The traffic between virtual networks is routed through the Microsoft backbone network. This allows resources in different virtual networks to communicate with each other as if they were on the same network. VNet peering does not require a gateway or encryption to function.
How VNet Peering Works
When you peer two VNets, Azure establishes a direct, low-latency connection between them. This connection leverages Azure's high-speed network infrastructure. Each VNet maintains its own identity, subscription, and administrative boundaries. Peering is a non-transitive relationship. This means if VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A cannot communicate with VNet C unless A is also directly peered with C.
Benefits of VNet Peering
- Low Latency: Traffic travels on the Microsoft backbone, offering high throughput and low latency.
- Enhanced Security: Private IP addressing is used, and traffic does not traverse the public internet.
- Simplified Management: No need for complex network configurations like VPN gateways or virtual network appliances for inter-VNet communication.
- Cost-Effective: Generally more cost-effective than using VPN gateways for high-bandwidth, low-latency inter-VNet communication.
- Resource Sharing: Enables seamless sharing of resources across VNets.
Key Concepts
- Peering Connection: A logical connection established between two VNets.
- Transitivity: Peering is non-transitive.
- Virtual Network Gateway Transit: Allows a VNet peered with a VNet containing a VPN gateway to use that gateway to connect to on-premises networks or other VNets.
- Remote Gateway: Allows a VNet to use the VPN gateway in a peered VNet.
Configuration Steps
Configuring VNet peering involves creating a peering connection from each VNet to the other.
1. Navigate to the Virtual Networks service in the Azure portal.
2. Select the first virtual network you want to peer.
3. Under "Settings," select "Peerings."
4. Click "+ Add" to create a new peering connection.
5. Configure the peering details:
   - Name of peering: A descriptive name for the connection from the current VNet to the remote VNet.
   - Virtual network deployment model: Select "Resource Manager" or "Classic."
   - Subscription: Select the subscription containing the remote VNet.
   - Virtual network: Select the remote virtual network.
   - Access to the virtual network: Whether resources in the remote VNet can reach resources in this VNet.
   - Allow virtual network access: Whether resources in this VNet can reach resources in the remote VNet.
   - Allow forwarded traffic: Whether this VNet accepts traffic that did not originate in the remote VNet but was forwarded through it (for example by a network virtual appliance there). Leave it off unless a forwarding appliance in the peer is intended.
   - Allow gateway transit: If this VNet has a VPN gateway, specify whether peered VNets can use it.
   - Use remote gateways: If the remote VNet has a VPN gateway, specify whether this VNet should use it.
6. Click "Add" to create the peering.
7. Repeat steps 3-6 for the second virtual network, configuring the peering from it back to the first VNet.
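Worked example, added here and not taken from the article or from Microsoft: a Python helper that plans both directions of a peering as Azure CLI commands, refuses overlapping address spaces, and models non-transitive reachability. The VNet names, resource groups and prefixes are constructed samples, <SUBSCRIPTION_ID> is a placeholder, and gateway_on is an assumed parameter naming the VNet that owns the VPN gateway.

```python
"""Plan Azure VNet peerings (added example, not Microsoft's code).
Encodes two rules from the article: peered address spaces must not overlap,
and peering is non-transitive. Names and prefixes are constructed samples;
<SUBSCRIPTION_ID> is a placeholder."""
import ipaddress
import shlex

# Constructed inventory: vnet name -> (resource group, address spaces)
VNETS = {
    "hub": ("rg-net", ["10.0.0.0/16"]),
    "spoke1": ("rg-app", ["10.1.0.0/16"]),
    "spoke2": ("rg-app", ["10.2.0.0/16"]),
    "legacy": ("rg-old", ["10.1.128.0/17"]),  # overlaps spoke1, cannot be peered with it
}

def overlapping(a, b):
    """True if any prefix of VNet a overlaps any prefix of VNet b."""
    return any(ipaddress.ip_network(x).overlaps(ipaddress.ip_network(y))
               for x in VNETS[a][1] for y in VNETS[b][1])

def reachable(peerings, src, dst):
    """Non-transitive model: dst is reachable only over a direct peering with src."""
    return any({src, dst} == set(p) for p in peerings)

def peering_commands(local, remote, allow_forwarded=False, gateway_on=None):
    """Return the two az CLI commands (one per direction) that peer local and remote.
    gateway_on (assumed parameter) names the VNet owning the VPN gateway: that
    side gets --allow-gateway-transit, the other side --use-remote-gateways."""
    if overlapping(local, remote):
        raise ValueError(f"{local} and {remote} have overlapping address spaces")
    cmds = []
    for a, b in ((local, remote), (remote, local)):
        rg_a, rg_b = VNETS[a][0], VNETS[b][0]
        remote_id = (f"/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/{rg_b}"
                     f"/providers/Microsoft.Network/virtualNetworks/{b}")
        cmd = ["az", "network", "vnet", "peering", "create",
               "--name", f"{a}-to-{b}", "--resource-group", rg_a,
               "--vnet-name", a, "--remote-vnet", remote_id, "--allow-vnet-access"]
        if allow_forwarded:  # only when an appliance in the peer forwards traffic
            cmd.append("--allow-forwarded-traffic")
        if gateway_on == a:
            cmd.append("--allow-gateway-transit")
        elif gateway_on == b:
            cmd.append("--use-remote-gateways")
        cmds.append(shlex.join(cmd))
    return cmds
```

Running peering_commands("hub", "spoke1", gateway_on="hub") yields the hub-side command with --allow-gateway-transit and the spoke-side command with --use-remote-gateways, each using the full resource ID so the peer may live in another resource group.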
Common Scenarios
- Connecting VNets within the same region (Regional VNet Peering).
- Connecting VNets across different Azure regions (Global VNet Peering).
- Creating hub-and-spoke network topologies.
- Allowing different departments or applications to have isolated VNets that can communicate securely.
- Facilitating disaster recovery scenarios by connecting production VNets to DR VNets.
Considerations and Limitations
- IP Address Spaces: VNets that are peered must have non-overlapping IP address spaces.
- Transitivity: As mentioned, VNet peering is not transitive.
- Bandwidth and Latency: While generally high-performance, actual throughput and latency can be affected by network design and distance (for global peering).
- Cost: Data transfer costs apply to traffic flowing between VNets through peering.
- Network Security Groups (NSGs): NSGs can be applied to subnets and NICs within peered VNets to control traffic flow.
- Service Endpoints: Service endpoints can be used on peered VNets to secure access to Azure services.
Next Steps
Explore detailed guides on configuring Global VNet Peering and managing VNet Peering settings. Understand how to utilize Virtual Network Gateway Transit for advanced connectivity.
# Example Azure CLI command to create one direction of a VNet peering
# (run the matching command from VNet2 back to VNet1 to complete the peering;
#  --remote-vnet accepts a name in the same resource group or a full resource ID)
az network vnet peering create --name MyPeering --resource-group MyResourceGroup --vnet-name VNet1 --remote-vnet VNet2 --allow-vnet-access