Azure VNet Peering Basics and Configuration Guide

Azure VNet Peering allows you to connect two or more virtual networks in the same region, enabling communication between them. This is done by creating a peering connection between the VNets.

To create a peering connection, you need to select the VNets you want to peer and choose the peering direction. You can either create a peering connection in the same region or in a different region.

There are three types of peering connections: VNet-to-VNet, VNet-to-Classic, and VNet-to-ExpressRoute. Each type has its own use case and requirements.

If this caught your attention, see: Introduction to Azure Virtual Networks

Azure Virtual Network (VNet) Peering allows virtual networks to communicate with each other seamlessly.

With Azure VNet Peering, you can transfer data across Azure deployment models, subscriptions, and regions. This feature is particularly useful for database failover, disaster recovery, or cross-region data replication.

Azure VNet Peering provides a private network for network traffic, ensuring secure communication between virtual networks.

No downtime issues occur in global Azure virtual network peering, making it a reliable option for businesses.

Suggestion: Azure Data Studio vs Azure Data Explorer

Azure VNet Peering configures connections with high bandwidth and low latency in the VNet region.

Here are the primary types of VNet Peering:

To configure peering in Azure VNet, you need to follow these steps. Log in to the Azure portal and create two Virtual Networks in the same or different regions. Then, go to one of the Virtual Networks and select Peerings under Settings, and click Add.

The configuration process involves selecting the peering for the two virtual networks, where one is the "this virtual network" and the other is the "remote virtual network". Once you've added the peering, the PEERING STATUS will show as Connected.

Note that configuring peering on one VNet will automatically configure the peering on the other VNet as well. To test the peering, you can connect to one of your VMs and try to ping the Public IP of the second Virtual Machine.

Discover more: Azure Vnet Architecture Diagram

Configuring peering in Azure can be a bit complex, but understanding the different types of peering can make it easier. There are two main types of VNet peering: VNet Peering and Global VNet Peering.

VNet Peering enables connectivity between various VNets within the same Azure region. This is a great option for database failover or disaster recovery within a region.

Global VNet Peering allows Virtual networks to connect across different Azure regions. This provides private peering with low latency and high bandwidth in Azure backbone infrastructure.

Here are the two types of peering in a quick reference list:

To configure peering, start by logging in to the Azure portal at https://portal.azure.com. Create two virtual networks in the same or different regions, such as Vnet1 and Vnet2.

Now, go to one of the virtual networks and select Peerings under Settings. Click Add to create a new peering. In the Configuring the peering section, select "This virtual network" as Vnet1 and "Remote virtual network" as Vnet2.

A different take: Create Virtual Network Azure

The PEERING STATUS will show as Connected once the peering is established. Note that configuring peering on one virtual network will automatically configure it on the other virtual network as well.

To test the peering, connect to one of your VMs and try to ping the Public IP of the second VM. If you're using a Windows Server VM, the ping will fail due to the Internet Control Message Protocol (ICMP) not being allowed through the Windows firewall.

To allow ICMPv4-In on the VM, enter the following command in the VM's PowerShell: New-NetFirewallRule –DisplayName “Allow ICMPv4-In” –Protocol ICMPv4. This command needs to be executed on the other VM (VM2) to allow the ping to work.

Here's a step-by-step summary of the configuration process:

Before you start configuring peering, you need to have an Azure account with an active subscription. If you don't have one, create it for free.

To begin, you'll need to complete one of the following tasks: sign in to the Azure portal, run PowerShell, or use the Azure CLI. This will give you access to the necessary tools to work with peerings.

You'll need to sign in to the Azure portal with an account that has the necessary permissions to work with peerings. Make sure your account is assigned to the network contributor role or a custom role that grants the required actions.

To run the commands, you can either use the Azure Cloud Shell or run PowerShell or Azure CLI locally from your computer. The Azure Cloud Shell is a free interactive shell that has common Azure tools preinstalled and configured to use with your account.

Here are the specific requirements for each tool:

Once you have the necessary tools and permissions, you can proceed with configuring peering.

To view or change peering settings in Azure, start by searching for "Virtual network" in the Azure portal and selecting "Virtual networks" in the search results.

Before making any changes, it's essential to familiarize yourself with the requirements and constraints of the peering.

In the Azure portal, you can select the virtual network you want to view or change its peering settings for by clicking on it in the Virtual networks list.

To view or change peering settings, navigate to the "Peerings" section in the "Settings" menu and select the peering you want to modify.

You can change the appropriate setting by reading about the options for each setting in the "create a peering" instructions and then select "Save" to complete the configuration changes.

To list peerings of a virtual network and their settings using the Azure CLI, use the command "Get-AzVirtualNetworkPeering".

To change peering settings using the Azure CLI, use the command "Set-AzVirtualNetworkPeering".

Alternatively, you can use the Azure CLI commands "az network vnet peering list" and "az network vnet peering show" to list peerings of a virtual network and show settings for a specific peering.

To update peering settings using the Azure CLI, use the command "az network vnet peering update".

Related reading: Azure Vnet Gateway

Troubleshooting virtual network peering issues can be a challenge, but there are ways to confirm that virtual networks are peered by checking effective routes.

You can check routes for a network interface in any subnet in a virtual network, and if a virtual network peering exists, all subnets within the virtual network should have routes with next hop type Virtual network peering.

Azure Network Watcher can also be used to troubleshoot connectivity to a virtual machine in a peered virtual network by performing a connectivity check.

This check lets you see how traffic is routed from a source virtual machine's network interface to a destination virtual machine's network interface.

For more information, see Diagnose a virtual machine routing problem.

You can also use Azure Network Watcher to troubleshoot connections by using the Azure portal.

To create a virtual network peering, you'll need to have the right permissions in place. Permissions are required to create a virtual network peering, and you can learn more about them by following the link.

The accounts you use to work with virtual network peering must be assigned to specific roles. These roles include Network Contributor for virtual networks deployed through Resource Manager, and Classic Network Contributor for virtual networks deployed through the classic deployment model.

If your account isn't assigned to one of these roles, you'll need to assign it to a custom role that includes the necessary actions. Here are the required actions for a custom role:

To create a virtual network peering, you need to have the right permissions in place.

You can learn more about the specific permissions required by checking out the Permissions section of the documentation.

To work with virtual network peering, your account needs to be assigned to the Network Contributor or Classic Network Contributor role, depending on whether your virtual network is deployed through Resource Manager or the classic deployment model.

Here are the roles you need to be assigned to:

If your account isn't assigned to one of these roles, you'll need to create a custom role with the necessary actions. These actions include:

When creating virtual networks, it's essential to be aware of the constraints that come with global peering. Resources in one virtual network can't communicate with the front-end IP address of a basic load balancer in a globally peered virtual network.

Some services that use a basic load balancer don't work over global virtual network peering, so it's crucial to check the specific requirements for each service.

You can't perform virtual network peerings as part of the PUT virtual network operation, which can be a limitation when trying to connect multiple virtual networks.

To connect multiple virtual networks, you need to understand the supported number of peerings, which is outlined in the Networking limits section.

Here are some key takeaways to keep in mind: