This chapter covers VNet peering security considerations, a critical topic for the AZ-500 exam under domain 3.1 (Network Security). Understanding how to securely configure and manage VNet peering is essential for designing secure multi-tier and multi-region architectures. Approximately 10-15% of exam questions in the Network Security domain touch on VNet peering, its security implications, and related features like service chaining and gateway transit.
Jump to a section
Imagine two corporate office buildings on opposite sides of a street. Each building has its own private internal network with assigned cubicles (IP addresses), security guards (network security groups), and a main switchboard (virtual network gateway). Without a dedicated connection, if an employee in Building A wants to send a document to Building B, they must go through the public postal service (the internet) — slow, insecure, and subject to interception. VNet peering is like building a private, enclosed skybridge between the two buildings. This skybridge has doors that can be locked from either side (firewall rules), and it allows direct, high-speed communication without ever touching the public street. Crucially, the skybridge is built at the switchboard level, not at individual cubicles — meaning traffic flows between the entire buildings (virtual networks) without needing to exit through a public gateway. The skybridge can be configured to allow only certain types of traffic (like interoffice mail only, not personal packages) by applying traffic policies (route tables and NSGs). This analogy mirrors VNet peering: it creates a direct, private, low-latency connection between two Azure virtual networks using the Microsoft backbone, bypassing the internet, with traffic subject to the security rules of each network.
What is VNet Peering?
VNet peering is a networking feature that connects two Azure virtual networks (VNets) directly, enabling private IP address space communication between resources in different VNets. Traffic flows over the Microsoft backbone network, never traversing the public internet. This provides low latency, high bandwidth, and a secure connection. VNet peering is non-transitive by default, meaning if VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A cannot communicate with VNet C unless explicitly configured via a hub-and-spoke topology with gateway transit or additional peerings.
How VNet Peering Works
When you create a peering, Azure establishes a connection between the two VNets at the Azure networking layer. The peering is bidirectional, requiring two peering objects: one from VNet A to VNet B, and one from VNet B to VNet A. Once established, resources in both VNets can communicate using private IP addresses as if they were on the same network. The routing is handled by Azure's system routes, which add a route for the peered VNet's address space to each VNet's route table. No gateways are required for the peering itself; however, if you want to use a VPN gateway in one VNet to connect to on-premises (gateway transit), that requires additional configuration.
Key Components and Defaults
Peering State: Each peering has a state property. The state must be 'Connected' on both sides for communication to work. Common states: 'Initiated' (one side created, other not yet), 'Connected' (both sides created and linked), 'Disconnected' (one side deleted, other still exists).
Allow Virtual Network Access: This setting must be 'Enabled' on both sides for resources to communicate. Disabling it on one side blocks traffic from that side.
Allow Forwarded Traffic: When enabled, traffic originating from outside the peered VNet (e.g., from a spoke VNet through a hub) can be forwarded through the peering. This is critical for hub-and-spoke topologies with network virtual appliances (NVAs).
Allow Gateway Transit: When enabled on a VNet that has a VPN/ExpressRoute gateway, that gateway can be used by the peered VNet to connect to on-premises or other networks. This is only allowed on one side of the peering.
Use Remote Gateways: The peered VNet can use the remote VNet's gateway if 'Allow Gateway Transit' is enabled on the remote side. This is mutually exclusive with having a gateway in the local VNet.
Service Chaining: By using user-defined routes (UDRs), you can force traffic through an NVA in a peered VNet. For example, you can create a route in VNet A that sends traffic to a specific IP prefix via the IP address of an NVA in VNet B. This requires 'Allow Forwarded Traffic' to be enabled on the peering from VNet B to VNet A.
Security Considerations
1. Network Security Groups (NSGs): NSGs are fully supported across VNet peering. By default, NSGs in each VNet apply to traffic coming from the peered VNet. You can create rules to allow or deny specific traffic. Remember that NSGs are stateful: if you allow inbound traffic from the peered VNet, the return traffic is automatically allowed regardless of outbound rules.
2. Azure Firewall: Can be deployed in a hub VNet and used to inspect traffic between spokes. You must configure UDRs in each spoke to send traffic to the Azure Firewall's private IP. The peering must have 'Allow Forwarded Traffic' enabled on the hub side.
3. Private Link and Private Endpoints: These do not require VNet peering; they work across peered VNets as long as DNS resolution is configured correctly. However, peering can simplify connectivity.
4. Data Encryption: Traffic between peered VNets is private but not encrypted by default. For sensitive data, use application-level encryption (e.g., TLS) or deploy a VPN gateway in one VNet and use site-to-site VPN over the peering (though this adds complexity).
5. Gateway Transit Security: When using gateway transit, the spoke VNet's traffic to on-premises traverses the hub's gateway. The hub's NSGs and firewall rules apply. Ensure the hub is secured appropriately.
6. Peering Across Regions (Global VNet Peering): Global peering works across Azure regions. However, there are additional considerations: data may traverse the Azure backbone across regions, but it never leaves the Microsoft network. There is no charge for ingress/egress across regions, but there is a data transfer cost. Some services (like Basic internal load balancers) do not support global peering.
7. Subscription and Tenant Scoping: VNet peering can be between VNets in different subscriptions within the same Azure AD tenant. Cross-tenant peering is also possible, but requires consent from both tenants. Security implications: each subscription's administrator controls their own side of the peering. A misconfiguration in one subscription can affect the other.
8. Non-Transitivity: This is a key security feature. If VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A cannot talk to VNet C unless additional peerings or gateway transit is configured. This prevents unintended access.
9. Address Space Overlap: Peering requires non-overlapping address spaces. If there is overlap, the peering fails. Overlap can lead to routing issues and security holes if not caught early.
10. Traffic Monitoring and Logging: Use NSG flow logs, Traffic Analytics, or Network Watcher to monitor traffic between peered VNets. This helps detect anomalous patterns.
Configuration and Verification
To create a peering, you can use Azure Portal, Azure CLI, or PowerShell. Example CLI:
# Create peering from VNet1 to VNet2
az network vnet peering create \
--name VNet1-To-VNet2 \
--resource-group RG1 \
--vnet-name VNet1 \
--remote-vnet /subscriptions/.../resourceGroups/RG2/providers/Microsoft.Network/virtualNetworks/VNet2 \
--allow-vnet-access true \
--allow-forwarded-traffic false \
--allow-gateway-transit false
# Create peering from VNet2 to VNet1
az network vnet peering create \
--name VNet2-To-VNet1 \
--resource-group RG2 \
--vnet-name VNet2 \
--remote-vnet /subscriptions/.../resourceGroups/RG1/providers/Microsoft.Network/virtualNetworks/VNet1 \
--allow-vnet-access true \
--allow-forwarded-traffic false \
--use-remote-gateways falseTo verify peering state:
az network vnet peering list --resource-group RG1 --vnet-name VNet1 --output tableInteraction with Related Technologies
VPN Gateway: VNet peering does not require a VPN gateway. However, if you want to use a VPN gateway in one VNet to connect to on-premises from a peered VNet, you need gateway transit.
ExpressRoute: Similarly, gateway transit allows a peered VNet to use an ExpressRoute gateway in the hub.
Azure DNS: Private DNS zones can be linked to VNets across peerings, but resolution requires that the DNS zone is linked to the VNet or that the VNet is configured to use a custom DNS server.
Load Balancers: Standard Load Balancers support global peering; Basic Load Balancers do not. This affects high-availability designs across regions.
Virtual WAN: VNet peering is different from Virtual WAN connections. Virtual WAN uses a hub-and-spoke architecture with its own routing and security features.
Performance and Limits
Bandwidth: No additional bandwidth limits beyond the VM's NIC limits. Peering adds negligible latency (typically <2ms within region).
Maximum peerings per VNet: 500 (for VNets created after specific dates; older VNets may have lower limits).
Global peering latency: Higher than regional, but still low (e.g., US West to US East ~50-70ms).
Throughput: Up to 10 Gbps per peering, but practically limited by VM sizes.
Troubleshooting Common Issues
Peering state not 'Connected': Verify both peerings are created and that the remote VNet exists and has non-overlapping address space.
Cannot connect to resources: Check NSG rules on both sides. Ensure 'Allow Virtual Network Access' is enabled on both peerings.
Forwarded traffic not working: Enable 'Allow Forwarded Traffic' on the peering that receives the forwarded traffic. Verify UDRs are correctly configured.
Gateway transit not working: Enable 'Allow Gateway Transit' on the hub VNet peering and 'Use Remote Gateways' on the spoke VNet peering. Ensure the hub has a gateway configured.
Best Practices
Use hub-and-spoke topology with Azure Firewall for centralized inspection.
Enable 'Allow Forwarded Traffic' only when needed.
Use NSGs to restrict traffic between VNets.
Monitor peering health with Network Watcher.
Plan address spaces to avoid overlap.
Use tags and naming conventions for peerings.
Implement Azure Policy to enforce peering settings (e.g., require 'Allow Forwarded Traffic' to be disabled unless approved).
Plan Address Spaces
Before creating a VNet peering, ensure the address spaces of the VNets do not overlap. Overlapping address spaces cause the peering to fail. Use private IP address ranges (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or Azure reserved ranges. Verify that no subnet within the VNet overlaps with the remote VNet's address space. This step is critical because overlapping addresses lead to routing conflicts and traffic black-holing. Use Azure's 'Check IP address availability' tool in the portal or PowerShell to validate.
Create the First Peering
In the Azure Portal, navigate to VNet A and select 'Peerings' under Settings. Click 'Add' and configure the peering: give it a name (e.g., 'VNetA-to-VNetB'), select the resource manager deployment model (typically Resource Manager), select the subscription and VNet B. Enable 'Allow virtual network access' to permit communication. Disable 'Allow forwarded traffic' and 'Allow gateway transit' unless needed. Click 'OK'. This creates a peering object in VNet A with state 'Initiated'.
Create the Second Peering
Navigate to VNet B and create a peering to VNet A. Use the same settings as the first peering, but note that 'Allow gateway transit' and 'Use remote gateways' are mutually exclusive with having a gateway in VNet B. Also, if you enabled 'Allow gateway transit' on VNet A, you can enable 'Use remote gateways' on VNet B. Once created, the peering state on both sides becomes 'Connected'. Verify this in the portal or CLI.
Configure NSGs and Firewalls
By default, NSGs allow all traffic within a VNet and between peered VNets. To restrict traffic, create NSG rules on each subnet or NIC. For example, allow only TCP port 443 from VNet B to VNet A. Remember that NSGs are stateful: if you allow inbound from the peer, return traffic is automatically allowed. If you use Azure Firewall, configure UDRs in each spoke to send traffic to the firewall's private IP, and enable 'Allow forwarded traffic' on the hub-side peering.
Test Connectivity
Deploy test VMs in each VNet. Use tools like ping (if ICMP is allowed), Test-NetConnection in PowerShell, or Azure Network Watcher's 'Connection troubleshoot' to verify communication. Check that the peering state is 'Connected' and that NSGs are not blocking traffic. If connectivity fails, check effective routes on the VM's NIC to ensure the route to the peered VNet exists. Also verify that the VMs have proper firewall rules within the OS.
Monitor and Audit
Use Network Watcher's 'Connection monitor' to track latency and packet loss between peered VNets. Enable NSG flow logs and Traffic Analytics to analyze traffic patterns. Set up alerts for peering state changes (e.g., if peering becomes disconnected). Regularly review peering configurations to ensure they align with security policies. Use Azure Policy to audit peering settings, such as requiring 'Allow forwarded traffic' to be disabled.
Enterprise Scenario 1: Hub-and-Spoke with Azure Firewall
A multinational corporation deploys a hub-and-spoke topology across multiple Azure regions. The hub VNet contains shared services like Azure Firewall, Active Directory Domain Controllers, and a VPN gateway for on-premises connectivity. Each spoke VNet hosts application tiers (web, app, data) in different subscriptions. VNet peering connects each spoke to the hub. To enforce security, the hub's Azure Firewall inspects all traffic between spokes and to on-premises. UDRs in each spoke route all traffic (0.0.0.0/0) to the firewall's private IP. The hub VNet peering has 'Allow forwarded traffic' enabled to accept traffic from spokes destined elsewhere. The spokes do not have direct peerings between each other, preventing lateral movement. This design centralizes security policy management and reduces the attack surface. Common issues: misconfigured UDRs that bypass the firewall, or enabling 'Allow forwarded traffic' on the spoke side, which could allow unintended forwarding.
Enterprise Scenario 2: Multi-Tier Application Across Regions
A SaaS provider runs a multi-tier application with web servers in East US and database servers in West US for disaster recovery. They use global VNet peering to connect the two VNets. NSGs on the database subnet only allow inbound traffic from the web subnet's IP range over port 1433. The peering is configured with 'Allow virtual network access' enabled, but 'Allow forwarded traffic' disabled because no NVAs are used. The application uses TLS for encryption between tiers. Performance is critical: global peering adds ~60ms latency, which is acceptable for database queries. The challenge is ensuring that DNS resolution works across regions; they use Azure Private DNS zones linked to both VNets. Misconfiguration: if the database VNet's NSG accidentally allows all inbound traffic, the database could be exposed.
Enterprise Scenario 3: Mergers and Acquisitions
After an acquisition, Company A needs to connect its Azure VNet to Company B's VNet, which resides in a different Azure AD tenant. They use cross-tenant VNet peering. Company A's administrator initiates the peering from their subscription, and Company B's administrator accepts it from their side. To maintain security, both sides apply restrictive NSGs. They also set up Azure Policy to deny any peering that allows forwarded traffic or gateway transit. This ensures that the peering is used only for direct resource communication, not for routing traffic to third parties. Common pitfalls: one side may accidentally enable 'Allow forwarded traffic', creating a backdoor. Regular audits are essential.
Performance and Scale Considerations
In production, a single VNet can have up to 500 peerings. For large-scale hub-and-spoke designs with hundreds of spokes, consider using Virtual WAN instead, which simplifies routing and security. Bandwidth is not a limitation of peering itself, but VM sizes and NICs determine throughput. For high-throughput scenarios, use accelerated networking on VMs. Global peering charges apply for data transfer (ingress/egress), which can be significant for large volumes. Always monitor costs.
What Goes Wrong When Misconfigured
Accidental Overlap: If address spaces overlap, peering fails. This can cause deployment delays.
Missing Second Peering: If only one side is created, state remains 'Initiated' and no traffic flows.
NSG Blocks: Overly restrictive NSGs can block legitimate traffic. Common mistake: blocking ICMP and then assuming the peering is broken.
Forgotten 'Allow Forwarded Traffic': In hub-and-spoke, if this is not enabled on the hub side, traffic from spoke to on-premises via the hub's gateway fails.
Gateway Transit Misconfiguration: Enabling 'Allow gateway transit' on both sides causes an error. It must be on only one side.
DNS Resolution Failure: Without proper DNS configuration, resources cannot resolve each other's names across peerings.
AZ-500 Exam Focus on VNet Peering Security
The AZ-500 exam tests your ability to secure VNet peering in the context of Network Security (Objective 3.1). Specific sub-objectives include: - Configure and manage VNet peering settings: You must know the effects of each setting (Allow Virtual Network Access, Allow Forwarded Traffic, Allow Gateway Transit, Use Remote Gateways). - Implement network segmentation: Understand how peering fits into hub-and-spoke and zero-trust architectures. - Secure traffic between VNets: Use NSGs, Azure Firewall, and UDRs. - Monitor and troubleshoot peering: Use Network Watcher, NSG flow logs.
Common Wrong Answers and Traps
'VNet peering encrypts all traffic by default.' This is false. Traffic is private but not encrypted. The exam may show a scenario requiring encryption; the correct answer is to use application-level encryption or VPN gateway, not rely on peering.
'VNet Peering is NOT transitive.' This is a classic trap. Peering is non-transitive. A question might describe VNet A to B to C and ask if A can talk to C. The answer is no without additional configuration.
'You need a VPN gateway for VNet peering.' False. Peering works without any gateway. Gateways are only needed for on-premises connectivity via gateway transit.
'Global VNet peering supports Basic Load Balancers.' False. Basic Load Balancers are not supported across global peering. The exam may present a scenario with Basic LB and global peering; the correct answer is to upgrade to Standard LB.
'Allow Forwarded Traffic must be enabled on both sides.' Not necessarily. It only needs to be enabled on the side that receives forwarded traffic. For example, in hub-and-spoke, enable it on the hub side only.
Specific Numbers and Terms
Maximum peerings per VNet: 500 (for most VNets).
Peering states: Initiated, Connected, Disconnected.
Gateway transit: Only one side can have 'Allow Gateway Transit' enabled.
Non-overlapping address spaces: Required for peering.
Cross-tenant peering: Requires consent from both tenants.
Edge Cases and Exceptions
Classic VNets: Can peer with Resource Manager VNets but with limitations (e.g., no gateway transit).
Basic Load Balancers: Not supported across global peering.
Azure Bastion: Does not require peering; it works across peered VNets if the Bastion is in the same VNet as the target VM.
Service Endpoints: Work across peered VNets, but Private Endpoints require DNS configuration.
How to Eliminate Wrong Answers
If a question mentions 'transitive' peering, it's likely wrong.
If it mentions 'encryption' as a built-in feature of peering, it's wrong.
If it suggests using a VPN gateway for peering, it's wrong.
If it claims that NSGs are not supported across peering, it's wrong.
Look for keywords: 'non-transitive', 'private', 'Microsoft backbone', 'no encryption'. These are correct.
For scenario-based questions, identify the topology: if it's hub-and-spoke, the answer likely involves 'Allow Forwarded Traffic' and UDRs.
If the scenario involves on-premises connectivity, look for 'gateway transit' or 'VPN gateway'.
VNet peering is non-transitive; you must create explicit peerings for each VNet pair.
Traffic between peered VNets stays on the Microsoft backbone and is not encrypted by default.
Gateway transit allows a peered VNet to use a VPN/ExpressRoute gateway in the hub VNet.
Allow Forwarded Traffic must be enabled on the hub side for service chaining through an NVA.
Global VNet peering supports Standard Load Balancers but not Basic Load Balancers.
Maximum of 500 peerings per VNet for most VNets.
Address spaces must not overlap; overlapping causes peering failure.
NSGs are fully supported across peering; they are stateful.
Cross-tenant peering requires consent from both Azure AD tenants.
Use Network Watcher to monitor peering health and connectivity.
These come up on the exam all the time. Here's how to tell them apart.
VNet Peering
Direct connection over Microsoft backbone; no internet exposure.
No gateway required; lower cost and complexity.
Supports up to 500 peerings per VNet.
Latency <2ms within region; higher for global peering.
Non-transitive; requires explicit peerings for each pair.
VPN Gateway
Encrypted tunnel over the internet or ExpressRoute.
Requires a VPN gateway in each VNet; higher cost.
Limited by gateway throughput (e.g., 1.25 Gbps for VpnGw1).
Latency depends on internet routing; typically higher.
Transitive if using VNet-to-VNet VPN; gateway transit enables transitive routing.
Mistake
VNet peering encrypts all traffic between VNets by default.
Correct
Traffic is private and stays on the Microsoft backbone, but it is not encrypted. Encryption must be implemented at the application layer (e.g., TLS) or by using a VPN gateway over the peering.
Mistake
VNet peering is transitive.
Correct
VNet peering is non-transitive by design. If VNet A is peered with B, and B with C, A cannot communicate with C unless additional peerings or gateway transit is configured.
Mistake
You need a VPN gateway to establish VNet peering.
Correct
No gateway is required for VNet peering. Gateways are only needed for gateway transit scenarios to connect to on-premises networks.
Mistake
Global VNet peering supports all Azure load balancers.
Correct
Global VNet peering supports Standard Load Balancers but not Basic Load Balancers. Basic Load Balancers are scoped to a single availability set or zone within a region.
Mistake
Allow Forwarded Traffic must be enabled on both sides of a peering for service chaining to work.
Correct
Allow Forwarded Traffic only needs to be enabled on the side that receives forwarded traffic. In a hub-and-spoke topology, it is enabled on the hub side, not on the spoke side.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Yes, this is called global VNet peering. It connects VNets across Azure regions, allowing resources to communicate over the Microsoft backbone. There are no additional restrictions beyond the standard peering requirements, but some services like Basic Load Balancers are not supported. Global peering incurs data transfer charges based on the source and destination regions.
No, VNet peering does not require any gateway. It is a direct connection between VNets at the Azure networking layer. Gateways are only needed if you want to use gateway transit to connect to on-premises networks or other VNets via VPN/ExpressRoute.
You can use Network Security Groups (NSGs) on subnets or NICs to filter traffic. For centralized inspection, deploy Azure Firewall in a hub VNet and configure user-defined routes (UDRs) in spoke VNets to send traffic through the firewall. Additionally, enable application-level encryption (TLS) for sensitive data.
'Allow Forwarded Traffic' enables the VNet to receive traffic that is not destined to it, typically for network virtual appliances (NVAs) in a hub-and-spoke topology. 'Allow Gateway Transit' allows a peered VNet to use the VPN/ExpressRoute gateway in the hub VNet. They are independent settings.
Yes, VNet peering supports cross-subscription peering within the same Azure AD tenant. You can also peer VNets across different tenants (cross-tenant peering) with consent from both administrators. Ensure that the address spaces do not overlap.
This means that only one side of the peering has been created. You need to create the peering from the remote VNet as well. Once both peerings are created, the state will change to 'Connected'. Also verify that the remote VNet exists and that the address spaces do not overlap.
No, VNet peering does not provide encryption. Traffic is private and stays on the Microsoft backbone, but it is not encrypted. To encrypt traffic, you must use application-layer encryption (e.g., TLS) or deploy a VPN gateway over the peering.
You've just covered VNet Peering Security Considerations — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?