VNet Peering

Definition:
Virtual Network (VNet) Peering connects two Azure VNets so they appear as a single network for connectivity purposes.

Types:

  1. Regional VNet Peering: Connects VNets in the same Azure region.

  2. Global VNet Peering: Connects VNets in different regions of the Azure public cloud or Azure China cloud (not supported in Azure Government cloud regions).

Benefits:

  • Private: Traffic stays on Microsoft’s backbone network; it never traverses the public Internet.

  • Performance: Low-latency, high-bandwidth connectivity.

  • Seamless Communication: Resources in one VNet can communicate with those in another.

  • No Disruption: Peering does not cause downtime for resources.

  • Cross-subscription/region support: Works across subscriptions and regions.

Global Peering Special Considerations:

  • Peered VNets cannot communicate with an internal load balancer in the other VNet.

  • Hub-and-spoke or other architectures require user-defined routes to achieve transitive connectivity.


Gateway Transit and Connectivity

  • A VNet can have one VPN gateway, which can be shared with peered VNets using Gateway Transit.

  • Use Cases:

    • Site-to-site VPN to on-premises network

    • VNet-to-VNet connections

    • Point-to-site VPNs

  • When Allow Gateway Transit is enabled on one VNet, the peered VNet can select Use Remote Gateway to leverage it.


Service Chaining & Non-Transitivity

  • VNet Peering is non-transitive:

    • If VNet1 ↔ VNet2 and VNet2 ↔ VNet3, VNet1 cannot reach VNet3 directly.

  • Solution:

    • Use user-defined routes and service chaining.

    • This allows:

      • Hub-and-spoke architectures

      • Traffic routing through network virtual appliances or VPN gateways
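Added example of service chaining with a user-defined route; this is not from the original notes. Following the chain above, VNet2 is the hub and VNet1 and VNet3 are spokes. The VNet names, address ranges, subnet name and the NVA address are assumptions, and the VNet1↔VNet2 and VNet2↔VNet3 peerings are assumed to exist already.

```bicep
// Added example (not from the original notes). Names, address ranges and the NVA address
// are assumptions: VNet2 is the hub, VNet1 and VNet3 are spokes peered only to VNet2.
param location string = resourceGroup().location

// Private IP of the firewall/NVA in hub VNet2 (assumed). Its NIC needs IP forwarding enabled,
// otherwise Azure drops packets whose destination is not the NIC's own address.
param nvaIp string = '10.2.0.4'

// Existing spoke VNet1 (assumed name); its peering to VNet2 already exists.
resource vnet1 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: 'VNet1'
}

// VNet1 has no peering to VNet3 (peering is non-transitive), so this UDR hands VNet3-bound
// traffic to the NVA in VNet2, which forwards it over the VNet2<->VNet3 peering. The spoke-side
// peerings (VNet1toVNet2 and VNet3toVNet2) must have allowForwardedTraffic enabled, or the
// packets forwarded by the NVA are dropped at the peering.
resource vnet1Routes 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'vnet1-to-vnet3-via-hub'
  location: location
  properties: {
    routes: [
      {
        name: 'to-vnet3'
        properties: {
          addressPrefix: '10.3.0.0/16' // VNet3 address space (assumed)
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: nvaIp
        }
      }
    ]
  }
}

// Attach the route table to the VNet1 workload subnet (assumed name and prefix). Redeclaring a
// subnet replaces its properties, so the existing addressPrefix (and any NSG) must be restated.
// A mirror route on VNet3 (10.1.0.0/16 -> nvaIp) is needed for the return path.
resource vnet1Workload 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet1
  name: 'workload'
  properties: {
    addressPrefix: '10.1.1.0/24'
    routeTable: { id: vnet1Routes.id }
  }
}
```

Deploy it into the resource group that holds VNet1 (for example with `az deployment group create`). Without the route, traffic from VNet1 to 10.3.0.0/16 has no matching route and is dropped; with it, VNet1 → NVA → VNet3 works even though VNet1 and VNet3 are not peered.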


Configuring VNet Peering (Step-by-Step)

  1. Create two virtual networks (VNets).

  2. Create virtual machines in each VNet.

  3. Peer the VNets:

    • Azure portal → first VNet → Peerings → + Add

    • Name the peering (e.g., VNet1toVNet2)

    • Select second VNet

    • Optional: Allow forwarded traffic, Allow gateway transit

    • Peering is automatically created on the second VNet

  4. Configure a VPN Gateway (if needed for gateway transit):

    • Azure portal → Virtual Network Gateways → + Add

    • Create gateway in the same region as first VNet

    • Assign public IP

  5. Enable Gateway Transit:

    • First VNet: select peering → Allow gateway transit

    • Second VNet: Use remote gateway is enabled automatically


Checking VNet Peering Connectivity

  • Peering Status:

    • Initiated: First peering created, waiting for second VNet

    • Connected: Peering established successfully

  • Test connectivity by pinging or accessing VMs in the peered VNet (a failed ping may be the guest firewall or an NSG blocking ICMP rather than the peering itself).


Key Notes:

  • VNet Peering allows all traffic between the peered VNets by default; Network Security Groups (NSGs) can restrict it if needed.

  • Service chaining allows VNets to route traffic through gateways or virtual appliances even with non-transitive peering.
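Added example covering the step-by-step configuration above (peering with Allow gateway transit / Use remote gateway) together with the Key Notes point that an NSG is what narrows the full connectivity peering grants; this is not from the original notes. VNet1 is the hub that holds the VPN gateway and VNet2 is a spoke. The address ranges, subnet names, NSG rules and the hubHasGateway parameter are assumptions; the gateway itself (step 4) is deployed separately.

```bicep
// Added example (not from the original notes). Names, address ranges and the NSG rules are
// assumptions: VNet1 is the hub that holds the VPN gateway, VNet2 is a spoke.
param location string = resourceGroup().location

// Set true only once a VPN gateway exists in the VNet1 GatewaySubnet (step 4 of the notes);
// Azure rejects a peering with useRemoteGateways when the remote VNet has no gateway.
param hubHasGateway bool = false

var hubPrefix = '10.1.0.0/16'
var spokeWorkloadPrefix = '10.2.1.0/24'

resource hub 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'VNet1'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ hubPrefix ] }
    // The VPN gateway must be deployed into a subnet named exactly GatewaySubnet.
    subnets: [ { name: 'GatewaySubnet', properties: { addressPrefix: '10.1.255.0/27' } } ]
  }
}

// Peering allows all traffic by default. This NSG admits only HTTPS from the hub range into the
// spoke workload subnet and denies the rest of that range ahead of the default AllowVnetInBound
// rule (priority 65000), which would otherwise admit it.
resource spokeNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'VNet2-workload-nsg'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-hub-https'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: hubPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: spokeWorkloadPrefix
          destinationPortRange: '443'
        }
      }
      {
        name: 'deny-hub-other'
        properties: {
          priority: 200
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: hubPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

resource spoke 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'VNet2'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.2.0.0/16' ] }
    subnets: [
      { name: 'workload', properties: { addressPrefix: spokeWorkloadPrefix, networkSecurityGroup: { id: spokeNsg.id } } }
    ]
  }
}

// Hub side: Allow gateway transit (step 5). The hub does not need to accept forwarded traffic.
resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: hub
  name: 'VNet1toVNet2'
  properties: {
    remoteVirtualNetwork: { id: spoke.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: false
    allowGatewayTransit: hubHasGateway
    useRemoteGateways: false
  }
}

// Spoke side: Use remote gateway. allowForwardedTraffic admits packets an NVA in the hub forwards
// on behalf of other spokes (service chaining). Azure accepts useRemoteGateways only when the
// hub-side peering with allowGatewayTransit already exists, hence the explicit ordering.
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: spoke
  name: 'VNet2toVNet1'
  properties: {
    remoteVirtualNetwork: { id: hub.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    allowGatewayTransit: false
    useRemoteGateways: hubHasGateway
  }
  dependsOn: [ hubToSpoke ]
}

// Both sides must exist before the state moves from Initiated to Connected.
output spokePeeringState string = spokeToHub.properties.peeringState
```

Deploy once with the default `hubHasGateway=false` to create the VNets and the peering, deploy the VPN gateway into GatewaySubnet, then redeploy with `hubHasGateway=true` to switch on gateway transit; the output should read `Connected` after either deployment, matching the status check described above.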