Virtual Network Peering in Azure connects two or more Azure virtual networks (VNets) so that they behave as one network for connectivity purposes. The main benefit of VNet peering is that resources in the peered networks communicate directly over private IP addresses, with the traffic carried on the Microsoft backbone rather than the public internet and without a VPN gateway in the path.
How to Create Virtual Network Peering in Azure?
Creating virtual network peering in Azure involves two key steps – creating a VNet, and then creating the peering.
Step 1: Create a Virtual Network
First, you need to create at least two Azure VNets which you’d later connect via peering.
Follow the steps below to create a VNet:
- Log in to the Azure portal.
- Navigate to Virtual Networks in the left-side menu and click on ‘Add’.
- Fill in the necessary details such as name, resource group, region, address space and at least one subnet, and then click ‘Create’.
Repeat these steps once more because we require two VNets for peering. Give the second VNet an address space that does not overlap with the first one (for example 10.0.0.0/16 and 10.1.0.0/16): Azure refuses to peer VNets with overlapping address spaces.
Step 2: Create the VNet Peering
After the VNets are created, you can proceed with the peering.
- Click on the first Virtual Network.
- In the left menu panel, select ‘Peerings’, and then click ‘+ Add’.
- Fill in the required details and click ‘Add’. The current portal form creates both directions at once: it asks for a name for this VNet’s link and a name for the remote VNet’s link, so the reverse peering does not have to be created separately.
- If the form you are using (or the CLI) creates only one direction, repeat the step from the second Virtual Network and enter the first VNet under ‘Peer details’.
The status of the peering shows ‘Initiated’ while only one direction exists and changes to ‘Connected’ once the reverse peering is in place. Creating the reverse link requires write permission on the remote VNet, which is what gates a peering into another team’s, subscription’s or tenant’s network.
Configurations of Virtual Network Peering
When creating VNet peering you will come across several settings. Below is a brief description of each:
- Name – The name you assign to the peering link as seen from this VNet.
- Peering type – Azure distinguishes ‘Virtual network peering’ and ‘Global virtual network peering’. The difference is scope: the first connects VNets in the same Azure region, the latter connects VNets in different Azure regions. The type is determined by where the two VNets are, not chosen separately.
- Subscription – The subscription that contains the remote VNet, if your account has access to more than one.
- Virtual network – The virtual network you want to peer with the current VNet.
- Name (under Settings) – The name of the peering link from the other network’s perspective.
- Allow virtual network access – Lets resources in this VNet reach the peered VNet. Turning it off keeps the peering object but blocks all traffic across it.
- Allow forwarded traffic – Accepts traffic arriving from the peered VNet that did not originate there, for example packets forwarded by a network virtual appliance in a hub VNet. Leave it off unless the peer is meant to forward on behalf of other networks, because it widens what can be sent through the link.
- Allow gateway transit – Lets the peered VNet use this VNet’s VPN or ExpressRoute gateway to reach on-premises networks.
- Use remote gateways – Makes this VNet use the peered VNet’s gateway. Only one side of a peering can use the other’s gateway, and a VNet that has its own gateway cannot use a remote one.
These flags control reachability at the fabric level only. Network security groups and route tables in both VNets still apply to peered traffic, so a peering never removes the need for NSG rules.
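The same procedure, scripted rather than clicked, as an added example that is not part of the original page: it checks the non-overlap prerequisite with the standard library and then emits the two `az network vnet peering create` commands (one per direction) with the flags that correspond to the settings above. The subscription IDs, resource groups, VNet names and address spaces are hypothetical; the CLI flags are the real ones. The hub is assumed to own a gateway, so the flags are set asymmetrically.

```python
"""Plan a two-direction VNet peering with the Azure CLI.
Added example; the resource names and IDs are made up."""
import ipaddress
import shlex


def overlapping_prefixes(space_a, space_b):
    """Return every pair of prefixes that overlap between two address spaces.

    Azure rejects a peering between VNets whose address spaces overlap, so an
    empty result is the precondition for creating it.
    """
    nets_a = [ipaddress.ip_network(p, strict=False) for p in space_a]
    nets_b = [ipaddress.ip_network(p, strict=False) for p in space_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b)]


def vnet_id(subscription_id, resource_group, vnet_name):
    """ARM resource ID of a VNet. --remote-vnet needs the full ID when the
    remote VNet lives in another subscription or tenant."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Network/virtualNetworks/{vnet_name}")


def peering_commands(local, remote, allow_forwarded=False, local_gateway_transit=False):
    """Build the two `az network vnet peering create` commands, one per direction.

    `local` and `remote` are dicts with keys subscription, rg, name, space.
    Peering only reaches 'Connected' once both links exist; until then the
    first one shows 'Initiated'. The gateway flags are asymmetric: the side
    that owns the gateway allows transit, the other side uses the remote gateway.
    """
    clashes = overlapping_prefixes(local["space"], remote["space"])
    if clashes:
        raise ValueError(f"address spaces overlap, peering would be rejected: {clashes}")

    def one_direction(src, dst, gateway_transit, use_remote_gateways):
        cmd = ["az", "network", "vnet", "peering", "create",
               "--name", f"{src['name']}-to-{dst['name']}",
               "--resource-group", src["rg"],
               "--vnet-name", src["name"],
               "--remote-vnet", vnet_id(dst["subscription"], dst["rg"], dst["name"]),
               "--subscription", src["subscription"],
               "--allow-vnet-access"]
        if allow_forwarded:
            cmd.append("--allow-forwarded-traffic")
        if gateway_transit:
            cmd.append("--allow-gateway-transit")
        if use_remote_gateways:
            cmd.append("--use-remote-gateways")
        return shlex.join(cmd)

    return [
        one_direction(local, remote, local_gateway_transit, False),
        one_direction(remote, local, False, local_gateway_transit),
    ]


# Constructed sample: a hub VNet with a gateway and a spoke in another subscription.
HUB = {"subscription": "00000000-0000-0000-0000-000000000001", "rg": "rg-hub",
       "name": "vnet-hub", "space": ["10.0.0.0/16"]}
SPOKE = {"subscription": "00000000-0000-0000-0000-000000000002", "rg": "rg-spoke",
         "name": "vnet-spoke", "space": ["10.1.0.0/16"]}

if __name__ == "__main__":
    for cmd in peering_commands(HUB, SPOKE, allow_forwarded=True, local_gateway_transit=True):
        print(cmd)
```

Each printed command must be run by an identity that has write permission on the VNet named in `--vnet-name` and peer permission on the remote VNet; when the two VNets are in different subscriptions, `--remote-vnet` must be the full resource ID rather than just the name.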
Verifying Virtual Network Peering
To verify successful peering, check the peering status and then the ‘Effective routes’ of a network interface in the VNet.
- Go to the Azure Portal -> Virtual Networks, open one of the peered networks and select ‘Peerings’. The peering status should read ‘Connected’.
- Open a network interface attached to a VM in that VNet (effective routes are shown per NIC, not on the VNet itself) and go to ‘Effective routes’. The same table is available from the CLI with az network nic show-effective-route-table.
- Look for a route whose ‘Address Prefixes’ column contains the address space of the peered network, with Source ‘Default’ and Next Hop Type ‘VNet peering’ (a cross-region peer shows a global peering next hop type). That route, not the peering status, is the proof that packets for the remote address space actually leave over the peering; a user-defined route with the same or a longer prefix overrides it, and the system route is then listed as Invalid.
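The verification step above, carried out against the CLI’s JSON rather than by eye, as an added example that is not part of the original page. The route table below is constructed to mirror the shape of az network nic show-effective-route-table -o json output; the next-hop strings ‘VNetPeering’ and ‘VNetGlobalPeering’ are assumed here to be the values Azure reports for regional and global peering routes, and the address spaces are hypothetical.

```python
"""Confirm that a NIC's effective routes send a remote VNet's prefixes over a peering.
Added example; the route table is constructed, not captured."""
import ipaddress
import json

# Next-hop types assumed to denote peering routes (regional and global).
PEERING_HOPS = {"VNetPeering", "VNetGlobalPeering"}

# Constructed sample: NIC in vnet-hub (10.0.0.0/16) peered with vnet-spoke (10.1.0.0/16),
# plus a user-defined route sending the rest of 10/8 to an appliance.
SAMPLE_ROUTE_TABLE = json.dumps({"value": [
    {"addressPrefix": ["10.0.0.0/16"], "nextHopIpAddress": [], "nextHopType": "VnetLocal",
     "source": "Default", "state": "Active"},
    {"addressPrefix": ["10.1.0.0/16"], "nextHopIpAddress": [], "nextHopType": "VNetPeering",
     "source": "Default", "state": "Active"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopIpAddress": [], "nextHopType": "Internet",
     "source": "Default", "state": "Active"},
    {"addressPrefix": ["10.0.0.0/8"], "nextHopIpAddress": ["10.0.1.4"], "nextHopType": "VirtualAppliance",
     "source": "User", "state": "Active"},
]})


def active_routes(route_table_json):
    """Flatten the table to (network, route) pairs, keeping only Active routes.
    A system route overridden by a UDR is reported with state Invalid and is skipped."""
    out = []
    for r in json.loads(route_table_json)["value"]:
        if r["state"] != "Active":
            continue
        for p in r["addressPrefix"]:
            out.append((ipaddress.ip_network(p, strict=False), r))
    return out


def next_hop_for(route_table_json, ip):
    """Longest-prefix match, the way Azure picks the effective route for a packet.
    On equal length, a User route beats a Default (system) route."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, r in active_routes(route_table_json):
        if addr not in net:
            continue
        key = (net.prefixlen, 1 if r["source"] == "User" else 0)
        if best is None or key > best[0]:
            best = (key, r)
    return best[1]["nextHopType"] if best else None


def missing_peering_prefixes(route_table_json, remote_space):
    """Prefixes of the remote VNet that no active peering route covers.
    Empty list == every remote prefix is reachable over the peering."""
    peering_nets = [net for net, r in active_routes(route_table_json)
                    if r["nextHopType"] in PEERING_HOPS]
    missing = []
    for p in remote_space:
        want = ipaddress.ip_network(p, strict=False)
        if not any(want.subnet_of(have) for have in peering_nets):
            missing.append(str(want))
    return missing


if __name__ == "__main__":
    print("10.1.2.3 ->", next_hop_for(SAMPLE_ROUTE_TABLE, "10.1.2.3"))
    print("missing:", missing_peering_prefixes(SAMPLE_ROUTE_TABLE, ["10.1.0.0/16", "10.2.0.0/24"]))
```

Feed it the real output with python verify.py < routes.json after replacing the constructed sample; a non-empty missing list after the peering reports Connected usually means the remote VNet’s address space was extended after peering and the peering has not been synced.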
Implementing virtual network peering in Azure opens more avenues for your business operations. By letting resources in different VNets communicate directly over private IP addresses, you keep the latency and bandwidth of the Azure backbone while avoiding the cost and operational overhead of site-to-site VPN gateways between VNets. Practice creating peerings and experimenting with the different settings to see how they fit your business goals. It is a core feature of Azure networking and one you should be comfortable with as you prepare for the AZ-104 Microsoft Azure Administrator exam.
Practice Test
True/False: Virtual network peering allows resources in either virtual network to communicate with each other.
- True
- False
Answer: True
Explanation: Virtual network peering allows private connectivity between two virtual networks. Resources in either virtual network can communicate with each other, as if they are on the same network.
Which of the following are valid peering types in Azure?
- a) Virtual network peering (same region)
- b) Global virtual network peering (different regions)
- c) Transitive peering
- d) Network peering
Answer: a) Virtual network peering, b) Global virtual network peering
Explanation: Azure supports virtual network peering for VNets in the same region and global virtual network peering for VNets in different regions. Peering is not transitive, and ‘network peering’ is not an Azure peering type.
True/False: Peering between virtual networks in Azure can exist across different Azure regions.
- True
- False
Answer: True
Explanation: Global peering allows to connect virtual networks across Azure regions, providing a seamless and private connectivity experience.
Which of the following is NOT a configuration for virtual network peering?
- a) Traffic forwarded from one network to another
- b) Traffic between resources in the peered networks
- c) Traffic via a gateway
- d) Traffic between resources in separate Azure subscriptions
Answer: d) Traffic between resources in separate Azure subscriptions
Explanation: The peering settings govern forwarded traffic, traffic between resources in the two networks, and traffic via a gateway. Peering between VNets in different subscriptions is supported, but it is a property of which VNet you peer with, not a traffic setting on the peering.
True/False: Peering traffic makes use of the underlying Azure network, not the public internet.
- True
- False
Answer: True
Explanation: Traffic that is flowing between virtual networks through peering utilizes the underlying Azure network, not the public internet.
True/False: Virtual network peering charges are based on both inbound and outbound data transfer.
- True
- False
Answer: True
Explanation: With Azure, virtual network peering charges are applied for both inbound and outbound data transfer between peered networks.
Multiple Choice: Virtual network peering supports _____.
- a) Uni-directional access
- b) Bi-directional access
- c) No access
Answer: b) Bi-directional access
Explanation: Virtual network peering supports bi-directional access. If network ‘A’ is peered with network ‘B’, resources in both networks can communicate with each other.
True/False: Deleting a peering in Azure is a reversible operation.
- True
- False
Answer: False
Explanation: Deleting a peering removes the connection and all related configurations, the action is not reversible and you would have to reconfigure the peering from scratch if it’s deleted.
Multiple Choice: Virtual network peering can be done _____.
- a) Within different Azure subscriptions
- b) With different Azure Active Directory tenants
- c) Both a and b
Answer: c) Both a and b
Explanation: Virtual network peering supports peering virtual networks that are in different Azure subscriptions and also different Azure Active Directory tenants.
True/False: You can have more than one virtual network peering between the same two virtual networks.
- True
- False
Answer: False
Explanation: You cannot have more than one virtual network peering between the same two virtual networks. Peering is always a one-to-one relationship between networks.
Interview Questions
What is virtual network peering in Azure?
Virtual network peering in Azure allows the linking of two Azure virtual networks, making them appear as one for connectivity purposes. The traffic between virtual machines in the peered virtual networks directly routes through Microsoft’s backbone infrastructure, providing low-latency, high-bandwidth connections.
What are the prerequisites for virtual network peering?
The address spaces of the two virtual networks must not overlap, and the identity creating the peering needs write permission on the local VNet and peer permission on the remote VNet (the Network Contributor role covers both). The VNets do not have to be in the same subscription, tenant or region; peering across regions is simply global virtual network peering.
Are there any charges for data transfer between peered virtual networks?
Yes. Data transferred across a peering is charged per gigabyte for both inbound and outbound traffic, for regional as well as global peering; global peering has a higher per-gigabyte rate. The current rates are listed on Azure’s bandwidth pricing page.
Are there any restrictions on virtual network peering?
Yes, peering is non-transitive, which means if there are more than two virtual networks, each network needs to be peered with every other one. Further, each network can have a maximum of 500 peering connections.
What happens if I delete a virtual network that has a peering relationship?
If a virtual network in a peering relationship is deleted, the peering relationship is also deleted, and network traffic between the two virtual networks is interrupted.
What are the types of peering in Azure?
Azure supports two types of peering – Virtual Network (VNet) peering for resources within the same region, and Global VNet peering for resources across different Azure regions.
Can I peer virtual networks in different subscriptions?
Yes, you can peer virtual networks in different Azure subscriptions, whether or not those subscriptions belong to the same Azure Active Directory tenant. When the subscriptions are different, the remote VNet is referenced by its full resource ID, and the identity creating each direction needs the required permissions on both VNets.
Can I add or remove address ranges from a peered VNet?
Yes. Originally the peering had to be deleted and recreated after changing the address space. Azure now lets you add or remove address ranges in a peered VNet and then sync the peering from the remote side (the ‘Sync’ action in the portal or az network vnet peering sync), after which the new ranges appear in the remote VNet’s effective routes.
Is virtual network peering in Azure secure?
The traffic between peered virtual networks stays on the Microsoft backbone and never touches the internet or public IP addresses, so it is private in the sense that traffic within a single VNet is private. Peering is not a security boundary, though: it is not encrypted by default, and once peered the remote address space is reachable unless network security groups or route tables restrict it. Gateways are only involved when gateway transit is configured.
Can I enable/disable network access control on a peered virtual network?
Yes. Network security groups on subnets or NICs in either VNet still apply to peered traffic. Be aware that the VirtualNetwork service tag expands to the local VNet’s address space plus the address spaces of all peered VNets, so the default AllowVnetInBound rule permits traffic from a peer. To restrict it, add explicit deny rules (or scope allow rules to specific prefixes) with a lower priority number than the default rules.
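The NSG behaviour described in the answer above, worked through in code as an added example that is not part of the original page. The rules are constructed in the shape of the fields az network nsg show returns (name, priority, access, protocol, source and destination prefixes, destination port range), the address spaces are hypothetical, and the VirtualNetwork tag is expanded the way Azure does for a peered VNet. Other service tags are treated as matching nothing, which is enough for this scenario.

```python
"""Evaluate inbound NSG rules against a packet from a peered VNet.
Added example; address spaces and the custom rule name are made up."""
import ipaddress

# Constructed address spaces: the local VNet and the VNet it is peered with.
LOCAL_SPACE = ["10.0.0.0/16"]
PEERED_SPACES = ["10.1.0.0/16"]

# Azure's default inbound rules (priorities 65000 and above, lowest number wins).
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow", "protocol": "*",
     "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "VirtualNetwork",
     "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow", "protocol": "*",
     "sourceAddressPrefix": "AzureLoadBalancer", "destinationAddressPrefix": "*",
     "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny", "protocol": "*",
     "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "destinationPortRange": "*"},
]

# Hypothetical custom rule that closes the gap for SSH from the peer.
DENY_PEER_SSH = {"name": "DenyPeeredSsh", "priority": 100, "access": "Deny", "protocol": "Tcp",
                 "sourceAddressPrefix": "10.1.0.0/16", "destinationAddressPrefix": "VirtualNetwork",
                 "destinationPortRange": "22"}


def expand_prefix(prefix):
    """Networks an NSG address field stands for. VirtualNetwork is the one that
    matters here: it covers the local VNet AND every peered VNet's address space.
    Unknown service tags (AzureLoadBalancer, ...) match nothing in this model."""
    if prefix == "*":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if prefix == "VirtualNetwork":
        return [ipaddress.ip_network(p) for p in LOCAL_SPACE + PEERED_SPACES]
    try:
        return [ipaddress.ip_network(prefix, strict=False)]
    except ValueError:
        return []


def port_matches(port_range, port):
    """Match '*', a single port '22', or a range '1000-2000'."""
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = (int(x) for x in port_range.split("-"))
        return lo <= port <= hi
    return int(port_range) == port


def evaluate_inbound(rules, src_ip, dst_ip, dst_port, protocol="Tcp"):
    """First matching rule in ascending priority order decides.
    Returns (access, rule name)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["protocol"] != "*" and rule["protocol"].lower() != protocol.lower():
            continue
        if not any(src in n for n in expand_prefix(rule["sourceAddressPrefix"])):
            continue
        if not any(dst in n for n in expand_prefix(rule["destinationAddressPrefix"])):
            continue
        if not port_matches(rule["destinationPortRange"], dst_port):
            continue
        return rule["access"], rule["name"]
    return "Deny", "<no rule matched>"


if __name__ == "__main__":
    # SSH from the peered VNet: admitted by the default rules, blocked once the deny is added.
    print(evaluate_inbound(DEFAULT_INBOUND, "10.1.5.6", "10.0.1.4", 22))
    print(evaluate_inbound(DEFAULT_INBOUND + [DENY_PEER_SSH], "10.1.5.6", "10.0.1.4", 22))
```

The first call shows why a freshly created peering silently exposes every port of every VM in the VNet to the peer: nothing in the default rule set distinguishes a peered source from a local one.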
What is required to enable communication over private IP addresses?
Nothing beyond the peering itself. Once both directions are in place, Azure programs a system route for the remote address space (next hop type ‘VNet peering’) into every NIC in each VNet, regardless of whether the VNets are in the same subscription. VPN gateways are not involved unless gateway transit is configured for reaching on-premises networks.
Can Virtual Network Peering be configured across Azure Active Directory tenants?
Yes. Virtual Network Peering can be set up between Virtual Networks in different Azure Active Directory tenants. The identity creating each direction must have the required permissions on the VNet in the other tenant (for example as a guest user with Network Contributor on that VNet), and the remote VNet is referenced by its full resource ID.
Is the traffic between Virtual Networks encrypted when Peering is enabled?
No. Network traffic between peered virtual networks stays on the Microsoft backbone but is not encrypted by default, so protocols carrying sensitive data should use TLS or SSH end to end rather than relying on the peering for confidentiality.
Can I peer a VNet with a virtual network in a different region?
Yes, using Azure’s Global VNet Peering function, you can peer a VNet with a virtual network in a different Azure region.
Can I use the same address space in peered VNets?
No, overlapping address spaces are not allowed. Each VNet must have a unique address space.