Azure Virtual Network (VNet) Peering

0
Azure Azure Networking

Introduction:

Azure Virtual Network (VNet) peering is an essential networking feature that allows seamless communication between virtual networks. Whether you are designing a multi-region network architecture or setting up secure communication between VNets, understanding VNet peering is crucial.

Virtual Network Peering

What is VNet Peering?

VNet Peering enables direct, low-latency connectivity between two or more Azure virtual networks. Peered VNets operate as if they are part of the same network, making cross-network communication easy and efficient.

Key Features of VNet Peering:

  • Intra-region Peering: VNets can be peered within the same Azure region.
VNET Peering same region
VNet Peering
  • Global VNet Peering: Virtual Network peering can be configured within an Azure Region and between Azure regions with Global network peering
Global VNet Peering
Global VNet Peering

Peered VNets must have non-overlapping IP address spaces.

VNet to VNet VPN Connection

While VNet Peering is the preferred method for most scenarios, there are cases where a VNet to VNet VPN Connection might be required:

  • If encryption is necessary for network traffic.
  • If lower network bandwidth is acceptable.

VPN connections between VNets traverse the internet, unlike VNet Peering, which stays within the Azure backbone network

VNet peering with VPN
VNet Peering with VPN

Virtual Network Topologies

Direct Peering

  • VNets that are directly peered can communicate seamlessly.
  • Traffic between directly peered VNets remains within the Azure backbone.
Direct Peering
Direct Peering

Non-Transitive Peering

  • Traffic does not automatically pass through multiple peered VNets.
  • If two VNets are not directly peered, they cannot communicate without an intermediary.
Non-Transitive

Mesh Network

  • All VNets in the architecture can be peered together to form a mesh network.
  • This setup ensures full connectivity among all VNets.
Mesh Network
Mesh Network

Hub-and-Spoke Topology

  • Hub-and-Spoke networks centralize connectivity through a hub VNet.
  • The Hub VNet can host a Network Virtual Appliance (NVA) or Azure Firewall to route traffic between spokes.
  • This setup allows traffic from non-directly peered VNets to be routed through an intermediary.
Hub and Spoke
Hub and Spoke

Expanding Across Regions

  • Regional hubs can be deployed to extend the hub-and-spoke topology across different Azure regions.
  • This provides scalability and inter-region communication.
Hub and Spoke- Multi region
Global Hub and Spoke

Enabling Gateway Transit

  • Gateway transit allows traffic forwarding to other parts of the Azure Virtual Network which includes on-premise and other cloud service provider networks
  • This can be done using:
    • A Virtual Network Gateway (for VPN or ExpressRoute connectivity).
    • A Network Virtual Appliance (NVA) for custom routing.
    • The same appliance can be used to handle routing within multiple VNets.
Hub and Spoke on-premise

Steps to create VNet Peering with Azure portal

Step 1: Log in to the Azure portal

Make sure you have below least privilege role to create a VNet peering

  • Microsoft.Network/VirtualNetworks/VirtualNetworkPeerings – Allows creation, retrieval, and deletion of VNet peerings.
  • Microsoft.Network/VirtualNetworks/Peer/Action – Grants permission to establish peering connections.

Step 2: Search for Virtual Network and pick one of your spoke VNet or create a new one, let’s peer it with the hub.

In my case, I created a spoke and hub VNet, named ase-dev-01-vnet and hub-dev-01-vnet respectively.

Step 3: Select the spoke and go to peering under the settings blade.

  • Under Remove virtual network summary, give the name for the peering, use resource manager as a deployment model, and select the subscription and the Virtual network that you want to peer, in my case, it is our hub network.
  • To make sure seamless network traffic between the network, enable “Allow [Hub network]” to access “[spoke network]” and allow “[Hub network]” to receive forwarded traffic from “[spoke network]”.
  • Under the Local Virtual Network summary, give the name of the peering.
  • To make sure seamless network traffic between the network enable “Allow [Spoke]” to access “[hub network]” and allow “[Spoke network]” to receive forwarded traffic from “[Hub network]”.
  • Finally, click on Add to start the provisioning.
  • You can check the status on the peering screen as shown in the below figure.

Peering status from Spoke

Peering status from Hub

Summary:

Azure Virtual Network (VNet) Peering allows seamless communication between Azure VNets with low latency and high bandwidth, either within the same region or across regions using Global VNet Peering. In the article, I explained VNet Peering by covering different network topologies such as mesh and hub-and-spoke, where traffic can be routed using Azure Firewall or Network Virtual Appliances. Additionally, I provided a step-by-step guide on how to configure VNet Peering using the Azure portal, including setting up permissions, configuring peering connections, and validating connectivity. This guide ensures a clear understanding of VNet Peering and its implementation to optimize Azure networking.

Gowtham K

Gowtham K has been awarded as MVP(Most Valuable Professional) for 9 times by Microsoft for his exceptional contribution in Microsoft technologies under the category “Developer Technologies & Security” . He has more than 12 years of experience on Microsoft technologies such as C#, ASP.NET MVC, ASP.NET WEB API, ASP.NET Core, MS SQL Server, Azure, Microsoft Entra ID, Azure AD B2C and other technologies such as JavaScript, jQuery, HTML and CSS .He is also a blogger and author of articles on various technologies. He is also a speaker and delivered talk on various technologies like ASP.NET MVC, Azure and Azure DevOps in the public events.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Articles

Azure Application Gateway path-based routing with App Services
Read More
Microsoft Entra ID Authentication Context
Read More
Secure Single Sign Out in Azure AD B2C
Read More