Extended guide on creating Virtual Network Peering in Azure

Creating Virtual Network (VNet) peering in Azure is a straightforward process that enables direct connectivity between two VNets.

This guide provides an extensive walkthrough, including prerequisites, configuration steps, verification, and best practices.

Prerequisites

Before you begin, ensure the following:

1. Azure Subscription

• Both VNets should be in the same Azure AD tenant.

• VNets can be in the same or different subscriptions.

2. VNet Address Spaces

• VNets must have non-overlapping IP address spaces.

• Example: VNet1: 10.0.0.0/16 and VNet2: 10.1.0.0/16.

3. Permissions

• You need the Network Contributor role on both VNets to configure peering.

4. Region and Gateway Compatibility

• VNets can be in the same region (regional peering) or different regions (global peering).

Steps to Create VNet Peering

Option 1: Using Azure Portal

Step 1: Navigate to the Virtual Network

1. Log in to the Azure Portal.

2. Go to the Virtual Networks blade.

3. Select the first VNet (e.g., VNet1).

Step 2: Create a Peering Connection

1. Under Settings, click on Peerings.

2. Click + Add to create a new peering.

3. Fill in the following details:

   • Name: Enter a unique name for the peering (e.g., VNet1-to-VNet2).

   • Peer Virtual Network: Select the second VNet (VNet2).

   • Traffic Options:

     • Allow virtual network access: Enable to allow communication between VNets.

     • Allow forwarded traffic: Enable if you need to forward traffic (optional).

     • Allow gateway transit: Enable if the peer VNet needs to use your gateway (optional).

Step 3: Create the Reverse Peering

1. Navigate to the second VNet (VNet2).

2. Repeat the above steps to create the reverse peering (VNet2-to-VNet1).

Option 2: Using Azure CLI

1. Install and Configure CLI:

   • Ensure the Azure CLI is installed and configured with the right subscription.

2. Create Peering for the First VNet:

xxxxxxxxxx
6
1
az network vnet peering create \
2
--name VNet1-to-VNet2 \
3
--resource-group RG1 \
4
--vnet-name VNet1 \
5
--remote-vnet /subscriptions/{subscription-id}/resourceGroups/RG2/providers/Microsoft.Network/virtualNetworks/VNet2 \
6
--allow-vnet-access

3. Create Peering for the Second VNet:

xxxxxxxxxx
6
1
az network vnet peering create \
2
--name VNet2-to-VNet1 \
3
--resource-group RG2 \
4
--vnet-name VNet2 \
5
--remote-vnet /subscriptions/{subscription-id}/resourceGroups/RG1/providers/Microsoft.Network/virtualNetworks/VNet1 \
6
--allow-vnet-access

Option 3: Using PowerShell

1. Create Peering for the First VNet:

xxxxxxxxxx
6
1
Add-AzVirtualNetworkPeering `
2
   -Name "VNet1-to-VNet2" `
3
   -VirtualNetwork $vnet1 `
4
   -RemoteVirtualNetworkId $vnet2.Id `
5
   -AllowForwardedTraffic `
6
   -AllowGatewayTransit

2. Create Peering for the Second VNet:

xxxxxxxxxx
6
1
Add-AzVirtualNetworkPeering `
2
   -Name "VNet2-to-VNet1" `
3
   -VirtualNetwork $vnet2 `
4
   -RemoteVirtualNetworkId $vnet1.Id `
5
   -AllowForwardedTraffic `
6
   -AllowGatewayTransit

Verifying VNet Peering

Check the Peering Status

1. Navigate to the Peerings blade for both VNets.

2. Ensure the peering status shows Connected.

Test Connectivity

1. Deploy two Virtual Machines (VMs):

   • VM1 in VNet1.

   • VM2 in VNet2.

2. Test connectivity using tools like ping, curl, or Test-NetConnection:

xxxxxxxxxx
3
1
Test-NetConnection `
2
   -ComputerName 10.1.0.4 `
3
   -Port 3389

3. Ensure there are no Network Security Group (NSG) rules blocking traffic.

Advanced Configuration

Gateway Transit

If you have a hub-and-spoke architecture:

1. In the hub VNet, enable Allow gateway transit.

2. In the spoke VNet, enable Use remote gateways.

Forwarded Traffic

Enable Allow forwarded traffic for scenarios like NVAs (Network Virtual Appliances).

Network Security Groups

Apply NSG rules for fine-grained traffic control between VNets.

Troubleshooting

1. Peering Status Not Connected

• Verify that both VNets are correctly peered.

• Check permissions and ensure the peering settings are symmetrical.

2. Connectivity Issues

• Ensure there are no overlapping IP address ranges.

• Verify NSG and route table configurations.

3. Latency Issues

• For global peering, ensure traffic routing is optimized using Azure Monitor.

Best Practices

1. IP Address Planning:

   • Use well-planned, non-overlapping CIDR blocks for VNets.

2. Monitoring and Logging:

   • Enable logging via Azure Monitor to track traffic between peered VNets.

3. Use Tags:

   • Tag peering connections to easily identify them in large environments.

4. Secure Traffic:

   • Use NSGs to limit traffic between VNets to only required ports and protocols.

5. Gateway Transit:

   • Centralize VPN or ExpressRoute connectivity in hub VNets for cost and operational efficiency.

Do write in comments if you want a tailored guidance for specific scenarios.