VNet Peering: Connecting Networks Directly
Connect two Azure Virtual Networks as if they were one โ fast, private, and without a gateway
๐ก Intermediate
โฑ 15 Minutes
๐ AZ-104 ยท Module 04
Why This Matters
So far you've created isolated VNets with internal routing. But what if you need to connect two separate VNets โ maybe one for dev, one for prod? You could route through the internet (slow, insecure), or you could peer them directly (fast, private). VNet peering lets two VNets communicate as if they were one network, without going through a gateway.
Before You Start
| Prerequisites | VNets & Subnets, Routing Fundamentals |
|---|
| Time to understand | 15 minutes |
|---|
| Difficulty | ๐ก Intermediate (builds on routing) |
|---|
| What you'll learn | How peering works, regional vs. global, routing considerations, gateway transit |
|---|
The Simple Idea
What Is VNet Peering?
VNet Peering = A direct, private connection between two Azure Virtual Networks that lets them communicate as if they're part of the same network.
Real-World Analogy: Two Office Buildings Connected by a Bridge
Two separate buildings, each with their own internal phone systems, get a direct bridge connecting them. Employees in Building A can call Building B directly โ no need for a gateway or external connection.
Building A (VNet-A: 10.0.0.0/16)
โ
โโโ Employees: 10.0.1.0/24
โ โโโ Internal phone system
โ
โโโ Connection: Direct bridge to Building B
(VNet Peering)
Building B (VNet-B: 172.16.0.0/16)
โ
โโโ Employees: 172.16.1.0/24
โ โโโ Internal phone system
โ
โโโ Connection: Direct bridge to Building A
Result: Employees in Building A can call Building B directly โ
No need for a gateway or external connection โ
Two Types of Peering
| Type | Distance | Bandwidth | Latency | Cost |
|---|
| Regional Peering | Same region (e.g., East US to East US) | Unlimited | Low | Charged but minimal |
| Global Peering | Different regions (e.g., East US to West Europe) | Unlimited | Medium | Charged, slightly more |
How VNet Peering Works
Step 1: Create Two VNets
VNet-A: 10.0.0.0/16
โโโ Subnet A1: 10.0.1.0/24
โโโ Subnet A2: 10.0.2.0/24
VNet-B: 172.16.0.0/16
โโโ Subnet B1: 172.16.1.0/24
โโโ Subnet B2: 172.16.2.0/24
Requirement: Address spaces must NOT overlap โ
Step 2: Create Peering Connection (Bidirectional)
In Azure Portal:
โโ Go to VNet-A
โโ Select "Peerings"
โโ Add Peering to VNet-B
โโ Wait for status: "Connected" โ
Behind the scenes:
โโ Azure creates routes in both VNets
โโ Route to 172.16.0.0/16 โ Peered Network (in VNet-A)
โโ Route to 10.0.0.0/16 โ Peered Network (in VNet-B)
โโ Connection is bidirectional (both directions work automatically) โ
Step 3: Subnet Routing After Peering
VNet-A Subnet A1 (10.0.1.0/24) Routing Table:
Destination Next Hop Source
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
10.0.0.0/16 Local VNet-A System Route
172.16.0.0/16 Peered VNet-B System Route (AUTO!)
0.0.0.0/0 Internet System Route
VM in Subnet A1 wants to reach 172.16.1.5:
โโ Checks routing table
โโ Matches: 172.16.0.0/16 โ Peered Network
โโ Sends traffic directly to peered VNet โ
Step 4: NSG Rules Apply
Traffic flows: 10.0.1.5 (VM-A) โ 172.16.1.10 (VM-B)
Checks:
โโ Routing: Does 172.16.0.0/16 have a route? YES (peering) โ
โโ NSG on Subnet A1: Allow outbound? YES (default) โ
โโ NSG on Subnet B1: Allow inbound from 10.0.1.0/24? Must be YES
โ โโ If NO, connection fails even though peering exists โ
โโ Result: Traffic delivered โ
Lesson: Peering allows the route, NSGs still control traffic โ
Mental Model: Peering as a Tunnel
Before Peering:
VNet-A โโโโโโโ Internet โโโโโโโ VNet-B
(slow, public, insecure)
After Peering:
VNet-A โโโโโโโโโโโโโโโโโโโโโโโโโโโโ VNet-B
(direct, private, fast)
Inside: Automatic routes direct traffic through the tunnel โ
Outside: No internet routing needed โ
Regional vs. Global Peering
Regional Peering (Same Region)
Scenario: East US 1 VNet โ East US 2 VNet
Configuration:
โโ Peering Name: vnet-a-to-vnet-b
โโ Peering Type: Regional (same Azure region)
โโ Network access: Enabled
โโ Traffic forwarding: Can be enabled
โโ Virtual network gateway: Optional
Performance:
โโ Latency: <2ms (very fast) โ
โโ Bandwidth: Unlimited โ
โโ Cost: Charged per GB (ingress only) โ
Use case: Dev/Staging/Prod in same region, need to share services
Global Peering (Different Regions)
Scenario: East US VNet โ West Europe VNet
Configuration:
โโ Peering Name: vnet-a-to-vnet-b-global
โโ Peering Type: Global (different regions)
โโ Network access: Enabled
โโ Traffic forwarding: Can be enabled
โโ Virtual network gateway: Optional
Performance:
โโ Latency: ~100ms (depends on distance) โ
โโ Bandwidth: Unlimited โ
โโ Cost: Charged per GB (ingress only) โ
Use case: Multi-region deployment (US HQ + EU office), replicated services
Worked Example: Real Scenario
The Scenario
TechCorp has:
- Dev VNet in East US: 10.0.0.0/16
- Dev App Server: 10.0.1.0/24
- Dev Database: 10.0.2.0/24
- Prod VNet in East US: 172.16.0.0/16
- Prod App Server: 172.16.1.0/24
- Prod Database: 172.16.2.0/24
Goal: Let Dev and Prod communicate (e.g., backup dev data to prod storage).
Step 1: Create Peering
Azure Portal โ VNet-Dev โ Peerings โ Add
Peering name: dev-to-prod
VNet: VNet-Prod
Wait for status: Connected โ
Result:
โโ VNet-Dev has new route: 172.16.0.0/16 โ Peered Network
โโ VNet-Prod has new route: 10.0.0.0/16 โ Peered Network
โโ Both VNets can reach each other's subnets โ
Step 2: Verify NSG Rules
Dev App Server (10.0.1.10) tries to backup to Prod Storage (172.16.2.20):
NSG on Prod Subnet (172.16.2.0/24):
Rule: Allow inbound from 10.0.1.0/24 (Dev App subnet)
Port: 443 (HTTPS for backup)
Action: ALLOW โ
Traffic flow:
Dev App โ Routing: 172.16.0.0/16 matches peering โ Forward โ
โ NSG: Allow from 10.0.1.0/24 on 443 โ Allow โ
โ Reaches Prod Storage โ
Step 3: Bidirectional Traffic
Prod App Server (172.16.1.10) wants to query Dev Database (10.0.2.5):
NSG on Dev Subnet (10.0.2.0/24):
Rule: Allow inbound from 172.16.1.0/24 (Prod App subnet)
Port: 5432 (PostgreSQL)
Action: ALLOW โ
Traffic flow:
Prod App โ Routing: 10.0.0.0/16 matches peering โ Forward โ
โ NSG: Allow from 172.16.1.0/24 on 5432 โ Allow โ
โ Reaches Dev Database โ
Key: Peering is bidirectional (both directions work automatically) โ
Gateway Transit (Advanced)
What Is Gateway Transit?
Gateway Transit = Allow peered VNets to use one VNet's VPN/ExpressRoute gateway.
Use Case: Hub-and-Spoke with Gateway
Hub VNet (10.0.0.0/16)
โโโ Has VPN Gateway
โโโ On-premises connection: 192.168.0.0/16
โ
โโ Spoke A (10.1.0.0/16) โ Peered
โ โโโ Needs on-premises access
โ โโโ Enable gateway transit โ
โ
โโ Spoke B (10.2.0.0/16) โ Peered
โโโ Needs on-premises access
โโโ Enable gateway transit โ
Result:
Spoke A traffic to on-prem: Spoke A โ Hub Gateway โ VPN โ On-prem โ
Spoke B traffic to on-prem: Spoke B โ Hub Gateway โ VPN โ On-prem โ
No need for separate gateways in each spoke (cost savings) โ
Configuration
When creating peering:
โโ Source VNet (Hub): Enable "Allow gateway transit"
โโ Target VNet (Spoke): Enable "Use remote gateway"
โโ Result: Spoke can reach on-premises through Hub's gateway โ
Cost benefit:
โโ One gateway for entire organization
โโ Spokes don't need their own gateways
โโ Saves money (gateways are expensive) โ
Common Mistakes (What NOT to Do)
โ Mistake 1: Overlapping Address Spaces
Wrong
VNet-A: 10.0.0.0/16
VNet-B: 10.0.0.0/16 (same address space!)
Try to create peering:
โโ Azure rejects peering โ
โโ Error: "Address space overlaps"
Fix
Make address spaces non-overlapping:
โโ VNet-A: 10.0.0.0/16 โ
โโ VNet-B: 172.16.0.0/16 โ
โโ Peering works โ
Why it fails: Overlapping addresses cause routing confusion.
โ Mistake 2: Forgetting NSG Rules
Wrong
Peering created: VNet-A โ VNet-B
VM-A (10.0.1.5) tries to reach VM-B (172.16.1.10)
Routing works: 172.16.0.0/16 โ Peered VNet โ
NSG on VNet-B Subnet: All inbound DENIED โ
Result: Traffic blocked even though peering exists โ
Fix
Add NSG rule on VNet-B:
Source: 10.0.1.0/24 (VM-A's subnet)
Port: 443 (whatever service needs)
Action: ALLOW โ
Now traffic flows โ
Why it fails: Peering enables the route but doesn't override NSG rules.
โ Mistake 3: Not Enabling Traffic Forwarding
Wrong
Scenario: Three VNets, two connected via peering
VNet-A โ VNet-B (peered)
VNet-B โ VNet-C (peered)
VM in VNet-A tries to reach VNet-C:
โโ Routing: Does 10.2.0.0/16 (VNet-C) exist in VNet-A? NO โ
โโ VNet-B should forward traffic, but routing not configured
โโ Result: Connection fails โ
Fix
Use custom routing in VNet-A:
Destination: 10.2.0.0/16 (VNet-C)
Next Hop: VNet-B appliance IP
โโ Requires VNet-B to enable "forwarded traffic" โ
Or use a hub-and-spoke with gateway transit (cleaner) โ
Why it fails: Peering doesn't automatically forward between spokes (no transitive routing).
Peering Checklist
โก VNets have non-overlapping address spaces
โโ Check: Does 10.0.0.0/16 overlap with 172.16.0.0/16? NO โ
โก Create peering from both sides (or wait for request)
โโ VNet-A initiates โ VNet-B accepts โ
โโ Connection status: Connected โ
โก Check routing (automatic system routes created)
โโ Can VNet-A reach 172.16.0.0/16? Route should exist โ
โก Verify NSG rules allow traffic
โโ NSG on peered VNet allows source/port โ
โก Test connectivity
โโ Ping, SSH, or RDP from VM-A to VM-B โ
โก For gateway transit (if needed)
โโ Hub VNet: "Allow gateway transit" enabled โ
โโ Spoke VNet: "Use remote gateway" enabled โ
โโ Routes configured to use hub gateway โ
How This Connects to Other Topics
Related to Module 01 (Identity & Governance)
- RBAC + Peering: Only network admins can create/delete peering
- Policy: Require peering in hub-and-spoke topology
Related to Module 02 (Storage)
- Storage Access: Use peering to reach storage in another VNet securely
Related to Module 03 (Compute)
- VM Communication: VMs in peered VNets can communicate directly
Related to Module 05 (Monitor)
- Monitor Peering: Check peering metrics (bytes in/out)
Key Takeaways
๐ก Summary
- Peering = direct connection between VNets (private, fast)
- Regional peering = same region (low latency, minimal cost)
- Global peering = different regions (higher latency, higher cost)
- Peering is bidirectional (both VNets automatically get routes)
- Routing is automatic (Azure creates system routes)
- NSG rules still apply (peering enables route, NSGs control traffic)
- Non-overlapping address spaces required (or peering fails)
- Gateway transit = spokes use hub's VPN/ExpressRoute gateway (cost savings)