Virtual Network (VNet) peering and VPN gateway are two essential networking components in Azure that enable connectivity between virtual networks and on-premises infrastructure.
**Virtual Network Peering:**
VNet peering allows you to connect two Azure virtual networks seamlessly through the Microsoft backbone network. Once peered, the virtual networks appear as one for connectivity purposes. Traffic between virtual machines in peered networks uses private IP addresses and is routed through the Microsoft private network, not the public internet.
There are two types of VNet peering:
1. **Regional VNet peering** - connects VNets in the same Azure region
2. **Global VNet peering** - connects VNets across different Azure regions
Key benefits include low latency, high bandwidth connections, and the ability to transfer data across subscriptions and Azure Active Directory tenants. Peering is non-transitive, meaning if VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A cannot communicate with VNet C unless explicitly peered.
**VPN Gateway:**
Azure VPN Gateway is a specific type of virtual network gateway used to send encrypted traffic between an Azure virtual network and on-premises locations over the public internet, or between Azure VNets. Each virtual network can have only one VPN gateway.
VPN Gateway supports two connection types:
1. **Site-to-Site (S2S)** - connects on-premises networks to Azure over IPsec/IKE VPN tunnels
2. **Point-to-Site (P2S)** - connects individual client computers to Azure VNets
**Security Considerations:**
For Azure Security Engineers, understanding these components is crucial. VNet peering traffic remains on the Microsoft backbone and never traverses the public internet, although peering itself does not encrypt that traffic (encryption in transit between VNets requires a VNet-to-VNet VPN, as noted in the exam tips below). VPN gateways encrypt traffic with industry-standard IPsec/IKE. Network Security Groups (NSGs) and Azure Firewall can further secure traffic flowing through these connections, ensuring comprehensive network protection.
Virtual Network Peering and VPN Gateway - Complete Guide for AZ-500
Why is This Important?
Virtual Network Peering and VPN Gateway are fundamental components of Azure networking security. As an Azure Security Engineer, understanding these technologies is critical because they control how traffic flows between networks, which directly impacts your organization's security posture. Misconfigurations can expose sensitive resources or create unauthorized access paths.
What is Virtual Network Peering?
Virtual Network Peering connects two Azure Virtual Networks (VNets) seamlessly through the Azure backbone network. Traffic between peered VNets uses private IP addresses and never traverses the public internet.
Key characteristics:
- Low latency, high bandwidth connectivity
- Works across Azure regions (Global VNet Peering)
- Works across Azure subscriptions and Azure AD tenants
- Non-transitive by default (if VNet A peers with VNet B, and VNet B peers with VNet C, VNet A cannot communicate with VNet C unless explicitly peered)
- No gateway required
- Traffic remains on the Microsoft backbone
What is VPN Gateway?
VPN Gateway is a specific type of virtual network gateway that sends encrypted traffic between Azure VNets and on-premises locations, or between Azure VNets themselves.
Key characteristics:
- Supports Site-to-Site (S2S) connections to on-premises networks
- Supports Point-to-Site (P2S) connections for individual clients
- Supports VNet-to-VNet connections
- Uses IPsec/IKE protocols for encryption
- Can enable transit routing between peered networks
- Requires a dedicated gateway subnet (/27 or larger recommended)
How They Work Together
1. Gateway Transit: When VNet peering is combined with VPN Gateway, you can enable gateway transit. This allows a peered VNet to use the VPN gateway in another VNet to access on-premises resources.
2. Hub-and-Spoke Topology: A common architecture where a central hub VNet contains the VPN gateway, and spoke VNets peer with the hub. Spokes can access on-premises resources through the hub's gateway.
3. Configuration Requirements:
   - The VNet with the gateway must have Allow Gateway Transit enabled
   - The peered VNet must have Use Remote Gateways enabled
   - These settings are mutually exclusive on the same peering connection
Security Considerations
- Network Security Groups (NSGs): Continue to apply to peered traffic
- Azure Firewall: Can be placed in the hub for centralized traffic inspection
- Service Endpoints: Are not transitive across peering
- Private Endpoints: Can be accessed across peered VNets
- Forced Tunneling: Routes all internet-bound traffic through on-premises for inspection
Exam Tips: Answering Questions on Virtual Network Peering and VPN Gateway
1. Remember Non-Transitivity: VNet peering is NOT transitive. If asked how VNet A can reach VNet C through VNet B, the answer involves either creating a direct peering, using a VPN gateway with transit, or deploying a Network Virtual Appliance (NVA).
2. Gateway Transit Questions: When a question mentions accessing on-premises resources from a peered VNet, look for answers involving gateway transit configuration.
3. Subnet Requirements: VPN Gateway requires a subnet named exactly GatewaySubnet. This is a common exam question.
4. SKU Differences: Know that Basic SKU VPN gateways do not support coexistence with ExpressRoute or zone redundancy. Production workloads should use VpnGw1 or higher.
5. Peering vs VPN Gateway: If the question emphasizes lowest latency and highest bandwidth between Azure VNets, peering is preferred. If encryption in transit between VNets is required, VNet-to-VNet VPN is the answer.
6. Cross-Region Scenarios: Global VNet Peering works across regions. Data transfer costs apply for cross-region traffic.
7. Address Space Overlap: VNets with overlapping IP address spaces CANNOT be peered. Watch for this in scenario questions.
8. Peering State: Both sides of a peering must be configured and show Connected status for traffic to flow.
9. Service Chaining: Questions about routing traffic through an NVA require User Defined Routes (UDRs) in addition to peering.
10. Cost Optimization: Peering is more cost-effective than VPN gateway for Azure-to-Azure connectivity when encryption is not mandatory.
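The rules spelled out in the configuration requirements and exam tips above (address spaces must not overlap, both directions of a peering must exist for a Connected state, Allow Gateway Transit and Use Remote Gateways are mutually exclusive on one peering, and peering is non-transitive) can be checked on a design before anything is deployed. The following Python is an added example, not Azure's API or tooling; the VNet names, address spaces and peering tuples are a constructed hub-and-spoke plan, and the checks encode this guide's rules rather than calling Azure.

```python
import ipaddress

# Constructed sample plan (hypothetical names): the hub holds the VPN gateway,
# spoke1 and spoke2 peer with it, and spoke3 overlaps spoke1's address space.
VNETS = {
    "hub": ["10.0.0.0/16"],
    "spoke1": ["10.1.0.0/16"],
    "spoke2": ["10.2.0.0/16"],
    "spoke3": ["10.1.128.0/17"],  # overlaps spoke1, so that peering will fail
}
HAS_GATEWAY = {"hub"}
# Azure peerings are one-directional; each tuple is
# (source, destination, allow_gateway_transit, use_remote_gateways).
PEERINGS = [
    ("hub", "spoke1", True, False), ("spoke1", "hub", False, True),
    ("hub", "spoke2", True, False), ("spoke2", "hub", False, True),
    ("spoke3", "spoke1", False, False), ("spoke1", "spoke3", False, False),
]

def overlaps(a, b):
    """True if any prefix of VNet a overlaps any prefix of VNet b."""
    return any(ipaddress.ip_network(x).overlaps(ipaddress.ip_network(y))
               for x in VNETS[a] for y in VNETS[b])

def validate(peerings):
    """Return findings for a peering plan; an empty list means it passes."""
    links = {(s, d): (t, r) for s, d, t, r in peerings}
    out = []
    for (s, d), (transit, remote) in links.items():
        if overlaps(s, d):
            out.append(f"{s}->{d}: overlapping address space, peering will fail")
        if (d, s) not in links:
            out.append(f"{s}->{d}: reverse peering missing, state will not be Connected")
        if transit and remote:
            out.append(f"{s}->{d}: Allow Gateway Transit and Use Remote Gateways are mutually exclusive")
        if transit and s not in HAS_GATEWAY:
            out.append(f"{s}->{d}: Allow Gateway Transit set but {s} has no gateway")
        if remote and (d not in HAS_GATEWAY or s in HAS_GATEWAY):
            out.append(f"{s}->{d}: Use Remote Gateways needs a gateway in {d} and none in {s}")
    return out

def can_reach(src, dst, peerings):
    """Peering is non-transitive: only a direct peering in both directions connects two VNets."""
    links = {(s, d) for s, d, _, _ in peerings}
    return (src, dst) in links and (dst, src) in links

def onprem_reachable(vnet, peerings):
    """A VNet reaches on-premises via its own gateway or via gateway transit from a peer."""
    links = {(s, d): (t, r) for s, d, t, r in peerings}
    return vnet in HAS_GATEWAY or any(r and d in HAS_GATEWAY and links.get((d, s), (0, 0))[0]
                                      for (s, d), (_, r) in links.items() if s == vnet)
```

Running `validate(PEERINGS)` on the sample plan reports only the spoke1/spoke3 overlap in both directions, while `can_reach("spoke1", "spoke2", PEERINGS)` is False because the two spokes are only connected through the hub.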