How to Quickly Create VNet Peering in Azure
Networks are the foundation of any IT solution, and this remains true in the cloud with Azure Virtual Networks (VNets). VNets are typically large CIDR ranges, like 10.0.0.0/16. Each VNet is then usually divided into smaller subnets, like 10.0.0.0/24 for example. By default, VNets are isolated from one another. However, there are often cases where you need to establish connections between VNets.
In this tutorial, we will learn about VNet peering – the most common way to connect two Azure VNets. We will walk through an example step-by-step to peer two sample VNets.
Now, there are two other options for connecting VNets – VNet-to-VNet and Site-to-Site VPN (IPsec), but these are more complex solutions requiring things like virtual network gateways. We will focus specifically on VNet peering in this tutorial as it is the most commonly used method.
VNet peering basics
Virtual network peering (VNet peering) enables you to connect 2 or more virtual networks. There are a multitude of reasons an org might need to do this.
Maybe two separate departments want to communicate now due to company restructuring. Or two regions want to exchange data, let’s say between US East and Europe. Or even two separate companies, with different Azure subscriptions, are now merged and want to connect their networks. All of these, and more, are valid reasons to create VNet peerings.
VNet peering types
There are two types of VNet peerings:
- Virtual network peering: Connecting VNets in the same Azure region (e.g. US East to US East).
- Global virtual network peering: Connecting VNets in different Azure regions (e.g. US East to West Europe).
VNet peering benefits
The obvious benefit is having connections between two virtual networks. But there are more:
- Connection is private, not via the internet.
- Latency is low: if the peered networks are in the same region, latency is as low as if the resources were in the same virtual network.
- If the peered networks are in different regions, traffic travels over the Microsoft backbone network, so it stays private and latency/bandwidth are much better than via the internet or a VPN connection.
- Routing is handled automatically by the peering, no need to manually add routes into route tables.
Create VNet peerings via the Azure portal
There are multiple ways to create peerings between two virtual networks. We can do this via the Azure portal or from the command line with either Azure PowerShell or Azure CLI. The manual way via the Azure portal is straightforward, but if you have to create dozens of peerings, the command line tools will get it done faster.
Let’s start with the manual way via the Azure portal.
Step 1: Verify the VNets to be peered don’t have overlapping address spaces
Let’s visit the portal, and go to Virtual Networks. I already have two virtual networks called “Operation-vnet” and “Sales-vnet”, both in the same “RG1” resource group.
Before any peering configuration, we need to check whether the two virtual networks’ address spaces overlap.
Operation-vnet has the 172.16.0.0/16 address space, which is every IP address from 172.16.0.1 to 172.16.255.255.
Sales-vnet has the 10.0.0.0/16 address space, which is every IP address from 10.0.0.1 to 10.0.255.255. There is no overlap between the two virtual networks, so we can move forward with the peering creation.
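The overlap check from Step 1, as an added Python example (not part of the original tutorial) that generalizes it to VNets with several address prefixes, using the two address spaces above plus a constructed clashing prefix:

```python
import ipaddress
from itertools import product

# Address spaces of the two VNets from the tutorial. A VNet may carry several
# prefixes, so each address space is a list.
OPERATION_VNET = ["172.16.0.0/16"]
SALES_VNET = ["10.0.0.0/16"]


def overlapping_prefixes(space_a, space_b):
    """Return every (a, b) pair of prefixes that overlap between two address spaces.

    An empty list means the VNets can be peered; Azure rejects a peering when any
    prefix of one VNet overlaps any prefix of the other.
    """
    # strict=False masks host bits, so "10.0.0.1/16" is treated as 10.0.0.0/16.
    nets_a = [ipaddress.ip_network(p, strict=False) for p in space_a]
    nets_b = [ipaddress.ip_network(p, strict=False) for p in space_b]
    return [(str(a), str(b)) for a, b in product(nets_a, nets_b)
            if a.version == b.version and a.overlaps(b)]


def can_peer(space_a, space_b):
    """True when no prefix of one address space overlaps a prefix of the other."""
    return not overlapping_prefixes(space_a, space_b)


if __name__ == "__main__":
    print("Operation-vnet / Sales-vnet can peer:", can_peer(OPERATION_VNET, SALES_VNET))
    # Constructed clash: a second prefix on Sales-vnet that sits inside Operation-vnet's range.
    print("clashing prefixes:",
          overlapping_prefixes(OPERATION_VNET, SALES_VNET + ["172.16.5.0/24"]))
```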
Step 2: Select the virtual network you want to peer
Select one of the virtual networks and then select Peerings. Currently, there is no peering setup, so let’s click on the Add button.
This takes us to a page where we enter the details of the peering we want to create. In the end it creates two peerings, one from virtual network A to B and a second from virtual network B to A.
Step 3: Initiate the peering
We pressed the Add button from the Operation-vnet page, so that will be “This virtual network” on the screenshot. Sales-vnet will be the “Remote virtual network”, at least from the Operation-vnet point of view.
For both “This virtual network” and “Remote virtual network”, the first checkbox (allow virtual network access) is enabled; this allows traffic from each network to the other. If it is not enabled on both sides, the peerings are still created successfully, but the connection won’t carry traffic, so keep the first checkbox enabled for both.
Once we hit Add, the peering is created in a few seconds. The peering status should be connected, and the peer VNet should be visible.
Step 4: Verify the peering routes have been created
Once the peering is connected, what does that mean from the perspective of the resources and virtual machines? If we check a virtual machine’s network card in the Sales VNet, we can see interesting details in the Effective routes list. As expected, we see the Sales VNet address space as active and the default route towards the internet, but we can also see the Operation address space, with a next hop type of VNet peering.
So our resources in the two VNets should be able to reach each other, since Azure updated the routing tables when the peering was created. Our VNet peering is fully functional and ready to be used.
Create peerings via the Azure command line interface (CLI)
Azure CLI is a great way to interact with Azure resources. As I mentioned earlier, it’s a much quicker way of configuring things and can be easily automated and scripted to deploy dozens of peerings in a matter of seconds. Let’s step through an example of how to quickly set up VNet peering using the CLI.
For this demonstration, I deleted the previously created peerings, so now we have two separate virtual networks, again the Operation-vnet and Sales-vnet.
Step 1: Open the Cloud Shell or Azure CLI
You can execute the following commands from the Cloud Shell by clicking on the Cloud Shell icon in the Azure portal, or from your own command line if you install Azure CLI.
To open the cloud shell, navigate to the Azure portal toolbar at the top and click on the Cloud Shell icon in the upper right corner of the window.
Step 2: Execute CLI VNet peering commands
Execute the following commands, replacing our example text with that of your own environment, to create a peering:
# Create peering from Sales to Operation.
az network vnet peering create \
  --name Sales-to-Operation \
  --vnet-name Sales-vnet \
  --remote-vnet Operation-vnet \
  --resource-group RG1 \
  --allow-vnet-access

# Create peering from Operation to Sales.
az network vnet peering create \
  --name Operation-to-Sales \
  --vnet-name Operation-vnet \
  --remote-vnet Sales-vnet \
  --resource-group RG1 \
  --allow-vnet-access
Step 3: Verify the VNet peering details
The peering should be created almost instantly. Here are the commands to see the peering details:
# List Sales to Operation peering.
az network vnet peering list \
  --resource-group RG1 \
  --vnet-name Sales-vnet \
  --out table

# List Operation to Sales peering.
az network vnet peering list \
  --resource-group RG1 \
  --vnet-name Operation-vnet \
  --out table
Step 4: Delete the VNet peering (Optional Example)
Deleting the peerings is just as simple, with a small change to the command. Here are the commands to delete the peerings:
# Delete Sales to Operation peering.
az network vnet peering delete \
  --resource-group RG1 \
  --name Sales-to-Operation \
  --vnet-name Sales-vnet

# Delete Operation to Sales peering.
az network vnet peering delete \
  --resource-group RG1 \
  --name Operation-to-Sales \
  --vnet-name Operation-vnet
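The verification in Step 3 above can be automated over the JSON form of the same list commands (`az network vnet peering list -o json`). This added Python example, not part of the original tutorial, checks that both halves of the pair exist, are Connected, and allow virtual network access; the two JSON documents are constructed samples trimmed to the fields the check uses, with a zeroed subscription id as a placeholder and one side deliberately missing the access flag:

```python
import json

# Constructed samples of `az network vnet peering list -o json`, one per VNet.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RG1"
VNETS = SUB + "/providers/Microsoft.Network/virtualNetworks/"
SALES_PEERINGS_JSON = json.dumps([{
    "name": "Sales-to-Operation",
    "peeringState": "Connected",
    "allowVirtualNetworkAccess": True,
    "remoteVirtualNetwork": {"id": VNETS + "Operation-vnet"},
}])
OPERATION_PEERINGS_JSON = json.dumps([{
    "name": "Operation-to-Sales",
    "peeringState": "Connected",
    "allowVirtualNetworkAccess": False,  # constructed fault: access not allowed on this side
    "remoteVirtualNetwork": {"id": VNETS + "Sales-vnet"},
}])


def find_peering(peerings, remote_vnet):
    """Return the peering whose remote VNet resource id ends with the given VNet name."""
    for p in peerings:
        vnet_name = p["remoteVirtualNetwork"]["id"].rstrip("/").split("/")[-1]
        if vnet_name.lower() == remote_vnet.lower():
            return p
    return None


def peering_problems(local_json, local_vnet, remote_json, remote_vnet):
    """List what is wrong with the peering pair between two VNets (empty list = healthy).

    Both directions must exist, be Connected and allow virtual network access;
    otherwise the peering objects exist but no traffic flows between the VNets.
    """
    problems = []
    sides = [(json.loads(local_json), local_vnet, remote_vnet),
             (json.loads(remote_json), remote_vnet, local_vnet)]
    for peerings, this_vnet, other_vnet in sides:
        p = find_peering(peerings, other_vnet)
        if p is None:
            problems.append(f"{this_vnet}: no peering towards {other_vnet}")
            continue
        if p.get("peeringState") != "Connected":
            problems.append(f"{this_vnet}: peering {p['name']} is {p.get('peeringState')}")
        if not p.get("allowVirtualNetworkAccess"):
            problems.append(f"{this_vnet}: peering {p['name']} does not allow VNet access")
    return problems


if __name__ == "__main__":
    for issue in peering_problems(SALES_PEERINGS_JSON, "Sales-vnet",
                                  OPERATION_PEERINGS_JSON, "Operation-vnet"):
        print("PROBLEM:", issue)
```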