This chapter covers VNet Peering and Global VNet Peering, two critical Azure networking features that enable private connectivity between virtual networks. You will learn how they work, how to configure them, and what the AZ-104 exam expects you to know. Approximately 10-15% of the networking domain questions on the AZ-104 exam touch on peering, making this a high-yield topic.
Jump to a section
Imagine two separate office buildings owned by the same company, each with its own private internal phone network (extension numbers like 100-199 in Building A, 200-299 in Building B). Normally, an employee in Building A can only call extensions within Building A. To enable cross-building calls without going through the public telephone network (the internet), the company installs a direct private fiber-optic cable between the two buildings' phone switches. This cable is VNet peering. Now, an employee in Building A dials extension 250, and the call is routed through the private cable directly to Building B's switch, which connects to extension 250. The call never touches the public network, so it's faster, more secure, and incurs no per-minute charges. However, the two buildings still have separate numbering plans—if both buildings have an extension 100, there would be a conflict. To fix this, the company might renumber one building (use non-overlapping address spaces) or use a prefix (e.g., dial '8' for Building B, then the extension). In Azure, VNet peering connects two VNets via the Microsoft backbone, enabling private IP communication across regions or within the same region, with no internet transit, low latency, and no bandwidth charges for same-region peering. But overlapping address spaces cause routing conflicts, just like duplicate extensions.
What is VNet Peering?
VNet Peering is a networking feature that connects two Azure Virtual Networks (VNets) directly, enabling private IP communication between resources in those VNets using the Microsoft backbone infrastructure. Traffic between peered VNets stays within Azure, never traversing the public internet. This provides low latency, high bandwidth, and a secure connection. VNet peering can be established between VNets in the same Azure region (regular VNet peering) or across different Azure regions (global VNet peering).
Why VNet Peering Exists
Before VNet peering, connecting VNets required either a VPN gateway (site-to-site VPN) or an ExpressRoute circuit. Both solutions involve gateways that introduce latency, cost, and bandwidth limitations. VNet peering eliminates the need for a gateway, providing a direct, high-speed connection with no single point of failure. It is the preferred method for connecting VNets in modern Azure architectures.
How VNet Peering Works Internally
When you create a peering connection, Azure configures the underlying network infrastructure to route traffic between the two VNets. Each VNet's routing table is updated with entries for the peer's address space. The Azure platform uses its internal routing technology to forward packets between VNets without encapsulation or tunneling. The connection is established at the Azure Fabric Controller level, which programs the virtual switches in the hypervisors to allow traffic between the VNets.
Here is the step-by-step mechanism at the packet level:
A VM in VNet-A (10.0.0.4) sends a packet to a VM in VNet-B (10.1.0.4).
The packet's source IP is 10.0.0.4, destination IP is 10.1.0.4.
The hypervisor's virtual switch checks its forwarding table. Because of peering, it knows that 10.1.0.0/16 is reachable via VNet-B.
The packet is forwarded directly to the virtual switch hosting the destination VM, without going through any gateway or VPN device.
The destination VM receives the packet, and the response follows the reverse path.
All traffic stays within the Azure backbone, ensuring low latency and high throughput.
Key Components and Configuration
To establish VNet peering, you must create two peering links: one from VNet-A to VNet-B, and another from VNet-B to VNet-A. Each link is configured separately. The following settings are critical:
Allow virtual network access: Must be set to Enabled for both links.
Allow forwarded traffic: If you want the peered VNets to accept traffic forwarded from a network virtual appliance (NVA) in the other VNet, you must enable this. For example, if VNet-A has a firewall that forwards traffic to VNet-B, VNet-B's peering link must allow forwarded traffic.
Allow gateway transit: If you want one VNet to use the other VNet's VPN/ExpressRoute gateway, you enable this on the peering link of the VNet that has the gateway. The other VNet then enables "Use remote gateways."
Use remote gateways: This setting is used when you want a VNet to use the remote VNet's gateway for outbound connectivity to on-premises or other VNets. It can only be enabled if the remote peering link has "Allow gateway transit" enabled.
Defaults and Timers
Peering is instantaneous after configuration (no provisioning delay).
There is no built-in timer for peering; it remains active until explicitly deleted or until one of the VNets is deleted.
For global VNet peering, traffic between regions incurs standard egress charges per GB (same as inter-region traffic).
There is no bandwidth limit on peering itself; throughput is limited by the VM's NIC and the underlying Azure infrastructure.
Verification Commands
You can verify peering status using Azure CLI:
az network vnet peering list --resource-group MyRG --vnet-name VNetA --output tableOutput example:
Name PeeringState PeeringSyncLevel RemoteAddressSpace
------------ ------------- ----------------- -------------------
VNetAtoB Connected InSync 10.1.0.0/16PowerShell:
Get-AzVirtualNetworkPeering -VirtualNetworkName VNetA -ResourceGroupName MyRGInteraction with Related Technologies
Azure DNS: VMs in peered VNets can resolve each other's private IP addresses only if DNS is configured appropriately (e.g., using Azure DNS private zones or custom DNS servers). By default, Azure's internal DNS does not resolve across peered VNets unless they are in the same virtual network or you configure DNS forwarding.
Network Security Groups (NSGs): NSGs in each VNet still apply. By default, all traffic within a VNet is allowed, but peering does not automatically allow all traffic between VNets. You must configure NSGs to permit desired traffic. For example, if VNet-A has an NSG that denies all inbound traffic from VNet-B, the peering will be established but communication will fail.
User-Defined Routes (UDRs): UDRs can override the default system routes for peered VNets. For instance, you can force traffic destined to the peer to go through an NVA for inspection.
Azure Firewall: You can deploy Azure Firewall in a hub VNet and use peering to connect spoke VNets. The firewall can then inspect traffic between spokes.
VPN Gateway: Peering does not require a VPN gateway. However, if you enable gateway transit, a VNet can use the remote VNet's VPN gateway to connect to on-premises networks.
Global VNet Peering
Global VNet peering extends the same functionality across Azure regions. For example, you can peer a VNet in East US with a VNet in West Europe. The traffic still stays on the Microsoft backbone, but it traverses inter-region links. There are two key differences from regular peering:
Latency: Higher than same-region peering due to geographic distance.
Cost: Inbound and outbound traffic incurs standard inter-region data transfer charges.
Service Chaining: Not supported with global peering. You cannot configure a UDR in one VNet to forward traffic to a virtual appliance in a globally peered VNet. The next hop must be local to the VNet.
Limitations and Constraints
Maximum peering connections per VNet: 500 (soft limit, can be increased by support).
Address overlap: VNets with overlapping or identical address spaces cannot be peered. You must ensure non-overlapping CIDR ranges.
Transitive peering: Not supported. If VNet-A is peered with VNet-B, and VNet-B is peered with VNet-C, VNet-A cannot directly communicate with VNet-C. You must create a direct peering between VNet-A and VNet-C, or use a hub-and-spoke topology with a network virtual appliance.
Gateway transit: Only one VNet in a peering relationship can have a gateway. You cannot have both VNets with active gateways and use gateway transit simultaneously.
Classic VNets: Can only be peered with Resource Manager VNets if the classic VNet is deployed via a specific configuration (not generally recommended).
Exam-Relevant Details
The AZ-104 exam often tests the difference between regular and global peering, especially regarding service chaining and cost.
You may be asked to identify why a peering connection fails (e.g., overlapping address spaces, missing peering link, incorrect DNS configuration).
Know that you must create two peering links for bidirectional communication.
Understand that peering is not transitive; you need a hub-and-spoke design with NVAs for transitive routing.
Remember that global peering does not support service chaining (UDR with next hop in remote VNet).
Create VNet-A peering link
Navigate to VNet-A in the Azure portal, select 'Peerings' under Settings, and click '+ Add'. Provide a name for the peering (e.g., 'VNetAtoB'). Select the Resource Manager deployment model and choose VNet-B from the same subscription or a different subscription. If cross-subscription, you need the Resource ID of VNet-B. Configure the settings: Allow virtual network access (Enabled), Allow forwarded traffic (as needed), Allow gateway transit (if VNet-A has a gateway), Use remote gateways (if VNet-B has a gateway). Click 'Add'. The peering state will initially show 'Initiated'.
Create VNet-B peering link
Now go to VNet-B and create a corresponding peering link back to VNet-A. This is mandatory; without it, communication is one-way. Use a name like 'VNetBtoA'. Ensure 'Allow virtual network access' is Enabled. The settings for forwarded traffic and gateway transit should match the intended topology. Once added, the peering state on both sides will change to 'Connected'. Verify using the portal or CLI.
Verify connectivity between VMs
Deploy a test VM in each VNet. Ensure NSGs allow ICMP or TCP traffic on the desired port (e.g., RDP 3389). From VM-A, ping the private IP of VM-B. If successful, peering is working. If not, check NSG rules, firewall settings, and confirm that both peering links show 'Connected'. Also verify that the VMs have the correct DNS settings to resolve each other's hostnames if needed.
Configure advanced routing if needed
If you require traffic inspection or filtering, deploy an NVA (like a firewall) in one VNet. Create a UDR in the other VNet that directs traffic destined to the peer's address space to the NVA's IP. Ensure the NVA has IP forwarding enabled. On the peering link from the NVA's VNet to the other VNet, enable 'Allow forwarded traffic'. This allows the NVA to forward packets between VNets. Test the path using traceroute or by checking the firewall logs.
Monitor and troubleshoot peering
Use Azure Monitor to track metrics like bytes in/out for the peering connection. If issues arise, check the peering state: 'Connected' means working, 'Initiated' means only one link is created, 'Disconnected' means one side was deleted. Common problems: overlapping address spaces (cannot peer), NSG blocking traffic, or DNS resolution failure. Use Network Watcher's 'Next Hop' tool to verify the routing path between VMs.
Enterprise Scenario 1: Hub-and-Spoke Network Topology
A large enterprise uses a hub-and-spoke design to centralize security and connectivity. The hub VNet contains Azure Firewall, VPN Gateway, and domain controllers. Each spoke VNet (e.g., for different departments) is peered to the hub. All spoke-to-spoke traffic must pass through the firewall for inspection. To achieve this, the enterprise creates a UDR in each spoke with a route for 0.0.0.0/0 and the spoke's own address range pointing to the firewall's private IP. The hub's peering link to each spoke has 'Allow forwarded traffic' enabled. The firewall is configured with appropriate rules to allow or deny traffic between spokes. This setup scales to dozens of spokes, each with its own peering link. Performance is excellent because traffic stays on the Azure backbone, but costs include firewall throughput and inter-region data transfer if spokes are in different regions.
Enterprise Scenario 2: Multi-Region Disaster Recovery
A financial services company has an active application in East US and a passive disaster recovery (DR) site in West US. The VNets in both regions are globally peered. The DR VNet is configured with identical address space (e.g., 10.0.0.0/16) but since they are in different regions, peering is possible only if address spaces don't overlap. To avoid overlap, the company uses different address spaces (e.g., 10.0.0.0/16 for East, 10.1.0.0/16 for West). Data replication between SQL databases in the two VNets uses private IPs over the global peering, avoiding internet exposure. During a failover, DNS records are updated to point to the West region. The global peering provides low-latency replication (though higher than same-region) and avoids VPN gateway costs. A common misconfiguration here is forgetting to update NSGs to allow replication traffic after peering is established.
Enterprise Scenario 3: Merged Company Integration
After an acquisition, Company A (with VNet in North Europe) needs to connect to Company B's VNet in Southeast Asia. Both VNets are in different Azure tenants. Global VNet peering supports cross-tenant peering: Company A's admin creates a peering link using the resource ID of Company B's VNet, and Company B's admin accepts the request. This allows seamless integration without VPNs. However, the administrators must coordinate to ensure non-overlapping address spaces. In production, this peering handles terabytes of data transfer daily for application integration. The main challenge is managing cross-tenant permissions and ensuring that network security groups are updated correctly.
What Goes Wrong When Misconfigured
Missing return peering link: Traffic flows only one way, causing asymmetric routing and connection timeouts.
Overlapping address spaces: Peering creation fails with an error message. The only fix is to redesign address spaces.
Forgetting to allow forwarded traffic: Traffic from an NVA is dropped silently, leading to hours of troubleshooting.
Incorrect gateway transit settings: If both VNets have gateways and you enable gateway transit on one, the other must use remote gateways, else routing conflicts occur.
What AZ-104 Tests on VNet Peering
The AZ-104 exam objectives for Networking (4.1) specifically require you to: "Configure VNet peering" and "Configure global VNet peering." Exam questions will test your ability to design a peering topology, troubleshoot connectivity issues, and understand the differences between regular and global peering. You must know the configuration steps, the settings (Allow forwarded traffic, Allow gateway transit, Use remote gateways), and the limitations.
Common Wrong Answers and Why Candidates Choose Them
Mistake: Assuming VNet Peering works transitively – Correct rule: Peering is NOT transitive. You must create a direct peering between each pair of VNets, or route through a hub VNet with a network virtual appliance.
"Global VNet peering supports service chaining" — Candidates often think that because regular peering supports service chaining (UDR with next hop in peered VNet), global peering does too. The exam will test this exception: service chaining is NOT supported for global peering. If you need traffic to go through an NVA in a remote region, you must use a VPN gateway or ExpressRoute.
"You only need one peering link for bidirectional communication" — This is a common mistake. The exam will show a scenario where only one peering link is created, and the question asks why traffic is one-way. The answer: both peering links must be established.
"Peering works with overlapping address spaces" — Candidates may think that as long as the VNets are in different regions, overlapping is allowed. The exam will test that address spaces must be unique regardless of region. Overlap causes peering to fail.
Specific Numbers and Terms That Appear on the Exam
Maximum peering connections per VNet: 500.
Peering state: "Initiated" (one link created), "Connected" (both links created).
Gateway transit: Only one VNet in a peering can have a gateway. The other VNet uses "Use remote gateways."
Global peering cost: Standard inter-region data transfer rates apply.
Service chaining: Supported only for regular (same-region) peering.
Edge Cases and Exceptions
Cross-subscription peering: You can peer VNets in different subscriptions, even in different Azure AD tenants. You need the Resource ID of the remote VNet.
Classic VNets: Peering with classic VNets is possible but requires specific steps. The exam may ask about limitations.
Gateway transit with ExpressRoute: If a VNet has an ExpressRoute gateway, you can enable gateway transit so that peered VNets can access on-premises via ExpressRoute.
How to Eliminate Wrong Answers
If the question mentions three VNets and asks about connectivity, look for the word "transitive" — if the answer claims transitive peering, it's wrong.
If the scenario involves different regions and service chaining, the answer that allows it is wrong.
Always check the number of peering links: if only one is mentioned, connectivity is one-way.
For cost questions, remember that same-region peering has no data transfer charges, but global peering does.
VNet peering connects two VNets privately over the Microsoft backbone; no internet or VPN gateway required.
You must create two peering links (one from each VNet) for bidirectional communication.
Transitive peering is NOT supported; VNet-A cannot talk to VNet-C via VNet-B without a direct peering or NVA.
Global VNet peering works across regions but incurs data transfer costs and does not support service chaining.
Overlapping address spaces prevent peering; VNets must have unique CIDR ranges.
Gateway transit allows a VNet to use another VNet's VPN/ExpressRoute gateway; only one gateway per peering relationship.
NSGs and UDRs still apply; peering does not bypass security rules.
Cross-subscription and cross-tenant peering are supported using Resource IDs.
Default Azure DNS does not resolve across peered VNets; configure custom DNS or Azure DNS private zones.
Maximum of 500 peering connections per VNet (soft limit).
These come up on the exam all the time. Here's how to tell them apart.
VNet Peering (Same Region)
No data transfer charges for traffic crossing the peering.
Supports service chaining (UDR with next hop in peered VNet).
Lower latency because VNets are in the same region.
Maximum peering connections per VNet: 500.
Gateway transit is supported.
Global VNet Peering
Incurs standard inter-region data transfer charges.
Does NOT support service chaining (UDR cannot point to remote VNet).
Higher latency due to geographic distance.
Same limit of 500 peering connections per VNet.
Gateway transit is supported (same as regular).
Mistake
VNet peering encrypts traffic between VNets.
Correct
VNet peering does not encrypt traffic. Traffic stays on the Microsoft backbone, which is physically secure, but no additional encryption is applied. For encryption, use IPSec over VPN gateway or application-level encryption.
Mistake
You can peer VNets with overlapping address spaces as long as they are in different regions.
Correct
Overlapping address spaces are never allowed for peering, regardless of region. Azure will reject the peering request with an error. You must use non-overlapping CIDR ranges.
Mistake
Global VNet peering is free.
Correct
Global VNet peering incurs standard egress charges for data transfer between regions. Same-region peering has no data transfer charges. The exam often tests this distinction.
Mistake
Peering automatically enables DNS resolution between VNets.
Correct
Azure's default DNS does not resolve hostnames across peered VNets. You must configure custom DNS servers or use Azure DNS private zones with appropriate virtual network links.
Mistake
You can use a VPN gateway in both peered VNets simultaneously.
Correct
Only one VNet in a peering relationship can have a gateway if you use gateway transit. Both VNets can have gateways, but you cannot use gateway transit on both sides simultaneously. Each VNet can have its own gateway for independent connectivity.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
To create a VNet peering, navigate to VNet-A in the Azure portal, go to 'Peerings', click '+ Add', and configure the peering to VNet-B. Then repeat the process from VNet-B back to VNet-A. Both peering links must show 'Connected' for bidirectional communication. You can also use Azure CLI: 'az network vnet peering create' for each direction.
Yes, you can peer VNets across different subscriptions, even if they are in different Azure AD tenants. When creating the peering, select the Resource Manager deployment model and choose 'Another subscription'. You will need the Resource ID of the remote VNet. The admin of the remote subscription must then accept the peering request.
The 'Initiated' state means only one side of the peering link has been created. For the peering to become 'Connected', you must create the corresponding peering link from the other VNet. Once both links are established, the state will change to 'Connected' on both sides.
No, VNet peering does not support overlapping address spaces. If the VNets have overlapping CIDR ranges (e.g., both use 10.0.0.0/16), the peering creation will fail. You must redesign the address spaces to be non-overlapping before peering.
Yes, you can deploy Azure Firewall in a hub VNet and peer spoke VNets to the hub. Configure user-defined routes (UDRs) in the spoke VNets to send traffic to the firewall's private IP. On the hub's peering link, enable 'Allow forwarded traffic' to permit the firewall to forward packets between spokes.
VNet peering provides a direct, low-latency connection between VNets over the Microsoft backbone, with no bandwidth limit and no gateway required. VPN gateway uses IPSec tunnels over the internet, has bandwidth limits (depending on SKU), and incurs gateway costs. Peering is preferred for connecting VNets within Azure; VPN gateway is used for connecting on-premises networks.
No, global VNet peering does not support service chaining. You cannot configure a user-defined route (UDR) in one VNet with a next hop pointing to a virtual appliance in a globally peered VNet. This is only supported for same-region peering.
You've just covered VNet Peering and Global VNet Peering — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?