In Azure, Virtual Network (VNet) peering is a fundamental networking capability that enables you to connect two separate virtual networks. Once peered, the virtual networks appear as one for connectivity purposes. Traffic between virtual machines in the peered virtual networks is routed through the Microsoft backbone infrastructure, rather than a gateway or the public internet. This ensures low latency, high bandwidth, and enhanced security by keeping data entirely within the private Azure network.
There are two types of peering: Regional VNet Peering, which connects VNets within the same Azure region, and Global VNet Peering, which connects VNets across different Azure regions. This is crucial for building geo-redundant applications and disaster recovery strategies.
Peering is essential for implementing a Hub-and-Spoke network topology. Through a feature called 'gateway transit,' peered networks (spokes) can use the VPN gateway in the hub network to connect to on-premises infrastructure, eliminating the need to deploy expensive gateways in every VNet.
Key administration constraints to remember are that the IP address spaces of the two VNets must not overlap, and peering is non-transitive (if VNet A peers with B, and B peers with C, A does not automatically connect to C). Peering can be established without downtime to the resources in either virtual network.
Virtual Network Peering: A Comprehensive Guide for AZ-104
What is Virtual Network Peering? Virtual Network (VNet) peering is a mechanism in Azure that connects two independent Virtual Networks. Once peered, the virtual networks appear as one for connectivity purposes. Traffic between virtual machines in peered virtual networks involves no gateways or public internet; it uses the Microsoft backbone infrastructure. There are two types of peering: 1. Regional VNet Peering: connects virtual networks within the same Azure region. 2. Global VNet Peering: connects virtual networks across different Azure regions.
Why is it Important? VNet peering is critical for network architecture for several reasons: Low Latency & High Bandwidth: Because traffic stays on the Microsoft backbone, it offers higher throughput and lower latency than a VPN gateway connection. Security: Data is kept on Microsoft's private network and does not traverse the public internet. Note that peering provides connectivity, not filtering: Network Security Groups on the subnets and NICs still apply to peered traffic, and the peering's own 'Allow virtual network access' and 'Allow forwarded traffic' settings control what the remote VNet may send. Hub and Spoke Topologies: It is the foundational technology for Hub and Spoke architectures, allowing workload isolation while sharing common services (like Firewalls or VPN Gateways).
How it Works When you establish a peering link, Azure adds system routes for the remote VNet's address space to the effective routes of every subnet in both VNets, with next hop type 'VNetPeering' (shown as 'VNetGlobalPeering' for global peering). No gateway or appliance sits in the path. User Defined Routes take precedence over these system routes, which is how traffic can be steered through a firewall or NVA instead.
Requirements and Constraints: Non-overlapping Address Spaces: You cannot peer two VNets if any of their IP address prefixes overlap. Reciprocal Configuration: Peering must be configured on both VNets to establish a connection. If VNet A peers to VNet B, but VNet B does not peer back to VNet A, the state on VNet A will remain 'Initiated' and traffic will not flow. Cross-Subscription/Tenant: You can peer VNets across different subscriptions and even different Microsoft Entra ID (formerly Azure Active Directory) tenants, provided the identity creating the peering has the required permissions (at minimum Network Contributor, or a custom role with the peering actions) on both virtual networks.
Gateway Transit and Service Chaining: Peering allows for Gateway Transit, where a 'Spoke' VNet uses the VPN Gateway of the 'Hub' VNet to access on-premises resources. It also supports Service Chaining, where traffic is directed to a Network Virtual Appliance (NVA) in the peered network via User Defined Routes (UDRs). For service chaining the peering on the VNet hosting the NVA must have 'Allow forwarded traffic' enabled, otherwise traffic the NVA forwards from a third network is dropped.
Exam Tips: Answering Questions on Virtual network peering When facing AZ-104 scenario questions, look for these specific details to select the correct answer:
1. Check for Overlapping IPs: If a scenario states that peering fails to create, the most common reason is overlapping address spaces (e.g., VNet1 is 10.0.0.0/16 and VNet2 is 10.0.1.0/24). This is an instant invalid configuration.
2. Peering Status - 'Initiated' vs. 'Connected': If connectivity is failing, check the status. A peering shows 'Connected' only once both sides are configured. If the peering on VNet A shows 'Initiated', the reciprocal peering has not been created on VNet B, and traffic will not flow until it is. Peering must be established in both directions.
3. Transitivity is NOT supported: Remember that peering is non-transitive. If VNet A is peered to VNet B, and VNet B is peered to VNet C, VNet A cannot talk to VNet C automatically. You would need to peer A and C directly, or use an NVA in VNet B acting as a router, which additionally requires UDRs in A and C pointing at the NVA and 'Allow forwarded traffic' on B's peerings.
4. Gateway Transit Configuration: If a question involves a Spoke VNet trying to use a Hub's VPN Gateway: - The Hub VNet peering must have 'Allow Gateway Transit' enabled. - The Spoke VNet peering must have 'Use Remote Gateway' enabled. - The Spoke VNet must not have a gateway of its own, and a VNet can use a remote gateway on only one of its peerings. If the scenario says the spoke already has a VPN gateway, gateway transit is not the answer.
5. Global Peering Restrictions: Global Peering connects regions, but it has constraints that regional peering does not. Resources in one VNet cannot reach the front-end IP of a Basic Load Balancer in a globally peered VNet; Standard Load Balancer is supported across global peering. Also, if a question asks about minimizing latency for VNets in the same region, regional peering is the answer; global peering adds cross-region backbone latency and should not be used where a regional peering would do.
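The rules above (non-overlapping address spaces, reciprocal configuration with 'Initiated' vs 'Connected', non-transitivity, and the gateway-transit flags) are easy to exercise offline in a small model. The following is an added example, not code from this guide and not the Azure SDK or CLI; it approximates the checks Azure performs so you can see which combination of settings yields connectivity. The VNet names, address prefixes and topology are constructed for the example.

```python
"""Offline model of Azure VNet peering semantics (added example, not Azure
SDK code): non-overlapping address spaces, reciprocal peering, Initiated vs
Connected state, non-transitivity, and gateway transit. Simplified: NSGs,
UDRs and NVA service chaining are not modelled."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Vnet:
    name: str
    prefixes: list              # address space, e.g. ["10.0.0.0/16"]
    has_gateway: bool = False   # a VPN gateway is deployed in this VNet


@dataclass
class Peering:
    # One direction of a peering, configured on `local`, pointing at `remote`.
    local: str
    remote: str
    allow_virtual_network_access: bool = True
    allow_gateway_transit: bool = False   # hub side: lend my gateway
    use_remote_gateways: bool = False     # spoke side: borrow the remote gateway


class PeeringModel:
    def __init__(self):
        self.vnets = {}
        self.peerings = {}      # (local, remote) -> Peering

    def add_vnet(self, vnet):
        self.vnets[vnet.name] = vnet

    def overlapping_prefixes(self, a, b):
        """Every (prefix_a, prefix_b) pair that overlaps; a /24 carved out of
        the other VNet's /16 counts, which is the classic exam trap."""
        nets_a = [ipaddress.ip_network(p) for p in self.vnets[a].prefixes]
        nets_b = [ipaddress.ip_network(p) for p in self.vnets[b].prefixes]
        return [(str(x), str(y)) for x in nets_a for y in nets_b if x.overlaps(y)]

    def validate_peering(self, p):
        """Reasons the peering would be rejected (empty list means OK)."""
        problems = []
        clash = self.overlapping_prefixes(p.local, p.remote)
        if clash:
            problems.append(f"address space overlap: {clash}")
        if p.use_remote_gateways:
            if self.vnets[p.local].has_gateway:
                problems.append(f"{p.local} has its own gateway")
            if not self.vnets[p.remote].has_gateway:
                problems.append(f"{p.remote} has no gateway to transit through")
            if any(q.use_remote_gateways for (l, _), q in self.peerings.items()
                   if l == p.local):
                problems.append(f"{p.local} already uses a remote gateway")
        return problems

    def add_peering(self, p):
        problems = self.validate_peering(p)
        if problems:
            raise ValueError("; ".join(problems))
        self.peerings[(p.local, p.remote)] = p

    def state(self, a, b):
        """Peering state as displayed on VNet a's peering to b."""
        if (a, b) not in self.peerings:
            return None
        return "Connected" if (b, a) in self.peerings else "Initiated"

    def can_reach(self, a, b):
        """Direct peered connectivity only: both directions Connected and both
        sides allowing virtual network access. Deliberately no transitivity."""
        return (self.state(a, b) == "Connected"
                and self.peerings[(a, b)].allow_virtual_network_access
                and self.peerings[(b, a)].allow_virtual_network_access)

    def reaches_on_premises(self, name):
        """Own gateway, or Use Remote Gateway over a Connected peering whose
        other side has Allow Gateway Transit and actually hosts a gateway."""
        if self.vnets[name].has_gateway:
            return True
        for (a, b), p in self.peerings.items():
            if (a == name and p.use_remote_gateways
                    and self.state(a, b) == "Connected"
                    and self.peerings[(b, a)].allow_gateway_transit
                    and self.vnets[b].has_gateway):
                return True
        return False


def build_hub_and_spoke():
    """Constructed topology: hub with a VPN gateway, two fully peered spokes
    (only spoke1 uses gateway transit), spoke3 configured on the hub side
    only, and badspoke whose /24 sits inside the hub's /16."""
    m = PeeringModel()
    m.add_vnet(Vnet("hub", ["10.0.0.0/16"], has_gateway=True))
    m.add_vnet(Vnet("spoke1", ["10.1.0.0/16"]))
    m.add_vnet(Vnet("spoke2", ["10.2.0.0/16"]))
    m.add_vnet(Vnet("spoke3", ["10.3.0.0/16"]))
    m.add_vnet(Vnet("badspoke", ["10.0.1.0/24"]))
    m.add_peering(Peering("hub", "spoke1", allow_gateway_transit=True))
    m.add_peering(Peering("spoke1", "hub", use_remote_gateways=True))
    m.add_peering(Peering("hub", "spoke2", allow_gateway_transit=True))
    m.add_peering(Peering("spoke2", "hub"))       # no Use Remote Gateway
    m.add_peering(Peering("hub", "spoke3"))       # reciprocal side missing
    return m
```

Walking through `build_hub_and_spoke()`: hub/spoke1 and hub/spoke2 show 'Connected' in both directions, hub's peering to spoke3 stays 'Initiated' with nothing on spoke3's side, spoke1 reaches on-premises while spoke2 does not because it never set 'Use Remote Gateway', and spoke1 cannot reach spoke2 even though both are connected to the hub, which is non-transitivity in action. `validate_peering` rejects hub/badspoke on the overlapping /24.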