This chapter covers Azure VNet Peering, a core networking feature that enables connectivity between virtual networks. For the AZ-900 exam, this topic falls under Domain 2: Azure Architecture Services, Objective 2.3: Describe Azure networking services. Networking questions typically make up about 15-20% of the exam, and VNet Peering is a common concept tested. By the end of this chapter, you will understand what VNet Peering is, how it works, when to use it, and how it differs from other connectivity options like VPN Gateway. We will also dive into exam-specific traps and real-world scenarios to solidify your knowledge.
Jump to a section
Imagine two separate corporate office buildings owned by the same company, each with its own private internal network of phone lines and data cables. These buildings are in different cities, but employees in Building A need to share files and databases with employees in Building B as if they were in the same building. Building a dedicated physical cable between the two buildings is expensive and slow to set up. Instead, the company installs a private, high-speed virtual bridge that connects the two internal networks directly. This bridge is not the public internet—it's a private link that only the two buildings can use. Data travels across this bridge without touching the public road system, so it's fast, secure, and doesn't incur per-byte tolls. The bridge can be extended to connect more buildings (hub-and-spoke) or even to link buildings across different cities (global peering). This is exactly how Azure VNet Peering works: it connects two Azure virtual networks privately, using Microsoft's backbone infrastructure, so resources in each VNet can communicate as if they were on the same network, with low latency and high bandwidth.
What is Azure VNet Peering and Why Does It Exist?
Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. It enables Azure resources, like virtual machines (VMs), to securely communicate with each other, the internet, and on-premises networks. However, by default, VNets are isolated from each other. This isolation is a security feature – it prevents unintended traffic between different workloads. But what if you need resources in separate VNets to talk to each other? For example, you might have a web application VNet and a database VNet, and you want the web servers to access the database servers directly, without going over the public internet. Or you might have multiple VNets in different regions that need to exchange data. This is where VNet Peering comes in.
VNet Peering is a networking feature that connects two Azure virtual networks, allowing resources in each VNet to communicate directly with resources in the other VNet. The traffic between peered VNets is routed through Microsoft's backbone network, not the public internet. This means the connection is private, secure, and offers low latency and high bandwidth. VNet Peering is a regional or global service: you can peer VNets within the same Azure region (regional peering) or across different Azure regions (global peering).
Step-by-Step Mechanism of VNet Peering
Initiation: You create a peering connection from VNet A to VNet B. This is an asymmetric operation – you must also create a peering connection from VNet B back to VNet A for bidirectional communication. (Technically, you can create a one-way peering, but that is rarely used.)
Configuration: When you set up the peering, you specify:
- The name of the peering (e.g., "web-to-db"). - The subscription and VNet of the remote VNet. - Whether to allow virtual network access (yes, for communication). - Whether to allow forwarded traffic (if you want the peered VNet to route traffic through a network virtual appliance in the other VNet). - Whether to allow gateway transit (if you want to use a VPN gateway in one VNet to connect to on-premises from the other VNet). 3. Validation: Azure validates that the VNets exist, that there are no overlapping IP address spaces (they must not overlap, or peering will fail), and that you have the necessary permissions (at least Network Contributor role on both VNets). 4. Route Update: After both peering connections are established, Azure updates the routing tables in both VNets. Each VNet learns the address space of the peered VNet, and traffic destined for that address space is sent directly via the Microsoft backbone. 5. Traffic Flow: When a VM in VNet A sends a packet to a VM in VNet B, the packet is routed within VNet A to the Microsoft edge, then over the backbone to the region of VNet B, and then into VNet B. The entire path is managed by Azure; you don't need to configure any additional routing unless you have custom routes.
Key Components and Tiers
Regional VNet Peering: Connects VNets in the same Azure region. Data transfer costs are lower than global peering.
Global VNet Peering: Connects VNets across different Azure regions. Data transfer costs are higher (egress charges apply).
Hub-and-Spoke Topology: A common pattern where a central hub VNet (e.g., containing shared services like firewalls or Active Directory) is peered to multiple spoke VNets. This reduces the number of peering connections needed (each spoke peers only with the hub, not with each other).
Transitive Peering: VNet Peering is NOT transitive by default. If VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A cannot directly communicate with VNet C. You must create a direct peering between A and C, or use a hub VNet with routing capabilities (like a network virtual appliance) to enable transit.
Pricing Model
VNet Peering itself does not incur a setup fee. You pay for the data transfer between peered VNets. For regional peering, ingress/egress rates are lower; for global peering, egress rates are higher (similar to standard data transfer pricing). There is no per-peering charge, only data transfer costs.
Comparison to On-Premises Equivalent
In a traditional on-premises data center, connecting two separate networks (e.g., two different subnets or VLANs) typically requires a router or a Layer 3 switch with appropriate routing protocols (like OSPF or BGP). The configuration is complex and requires manual IP address management. Azure VNet Peering abstracts all of this: Azure handles the routing automatically, as long as IP address spaces don't overlap. It's like having a virtual router that instantly connects the two networks without any hardware or complex configuration.
Azure Portal and CLI Touchpoints
You can create VNet Peering via the Azure portal, Azure CLI, PowerShell, or ARM templates.
Azure Portal: 1. Navigate to your VNet (e.g., VNet-A). 2. Under Settings, click "Peerings". 3. Click "+ Add" to create a new peering. 4. Fill in the details: peering name, subscription, remote VNet, and access settings. 5. Repeat on the remote VNet to create the reverse peering.
Azure CLI:
# Create peering from VNet-A to VNet-B
ez network vnet peering create \
--name peering-A-to-B \
--resource-group RG-A \
--vnet-name VNet-A \
--remote-vnet /subscriptions/{sub-id}/resourceGroups/RG-B/providers/Microsoft.Network/virtualNetworks/VNet-B \
--allow-vnet-access
# Create peering from VNet-B to VNet-A
ez network vnet peering create \
--name peering-B-to-A \
--resource-group RG-B \
--vnet-name VNet-B \
--remote-vnet /subscriptions/{sub-id}/resourceGroups/RG-A/providers/Microsoft.Network/virtualNetworks/VNet-A \
--allow-vnet-accessPowerShell:
# Create peering from VNet-A to VNet-B
$vnetA = Get-AzVirtualNetwork -ResourceGroupName RG-A -Name VNet-A
$vnetB = Get-AzVirtualNetwork -ResourceGroupName RG-B -Name VNet-B
Add-AzVirtualNetworkPeering -Name peering-A-to-B -VirtualNetwork $vnetA -RemoteVirtualNetworkId $vnetB.Id
Add-AzVirtualNetworkPeering -Name peering-B-to-A -VirtualNetwork $vnetB -RemoteVirtualNetworkId $vnetA.IdBusiness Scenarios
Multi-tier applications: You can isolate web servers in one VNet and database servers in another VNet, then peer them for secure, low-latency communication.
Merger and acquisition: When two companies with separate Azure environments need to connect, VNet Peering allows them to link their VNets without redeploying resources.
Shared services: A central IT team manages a VNet with common services (like Active Directory, DNS, or firewalls) and peers it to multiple application VNets owned by different teams.
Plan IP Address Spaces
Before creating a peering, ensure that the VNets you want to connect have non-overlapping IP address ranges. If they overlap, peering will fail. For example, if VNet-A uses 10.0.0.0/16 and VNet-B uses 10.0.0.0/16, they conflict. You must redesign one VNet's address space (e.g., VNet-B uses 10.1.0.0/16). This is a critical design step because overlapping ranges cannot be changed after resources are deployed without redeploying them. Azure does not perform Network Address Translation (NAT) for peered VNets, so overlapping addresses would cause routing conflicts.
Create Peering from VNet-A to VNet-B
In the Azure portal, navigate to VNet-A, go to Peerings, and click Add. Provide a name for the peering (e.g., 'A-to-B'), select the subscription and VNet-B. Set 'Allow virtual network access' to Enabled. You can also configure 'Allow forwarded traffic' and 'Allow gateway transit' as needed. Click OK. This creates a peering object on VNet-A. At this point, VNet-A can send traffic to VNet-B, but VNet-B cannot reply because the reverse peering does not exist yet. The peering status will show 'Initiated'.
Create Peering from VNet-B to VNet-A
Repeat the process on VNet-B: navigate to VNet-B's Peerings, add a new peering named 'B-to-A', select VNet-A. Again, enable virtual network access. After this step, both peering objects exist. Azure will automatically update the routing tables in both VNets. The peering status will change to 'Connected'. Now, resources in VNet-A can communicate with resources in VNet-B using private IP addresses. Note that the peering names do not need to match, but it's a best practice to use descriptive names.
Verify Connectivity
After both peerings are connected, you should verify that resources can communicate. You can use tools like ping (if ICMP is allowed) or test-NetConnection in PowerShell. For example, from a VM in VNet-A, ping the private IP of a VM in VNet-B. If the ping succeeds, peering is working. Also check that the VM in VNet-B can ping back. If not, verify that Network Security Groups (NSGs) on the VMs or subnets allow inbound/outbound traffic. Remember that VNet Peering does not override NSG rules; you must explicitly allow traffic between the VNets.
Manage Peering Lifecycle
Once peering is established, you can modify settings (e.g., enable gateway transit) or delete the peering. To delete, you must remove both peering objects. If you delete one side, the other side's status changes to 'Disconnected' and communication stops. Also be aware that if you delete a VNet that has peerings, the peerings are automatically removed. For global peering, additional data transfer costs apply. You can monitor peering health and metrics in Azure Monitor. For exam purposes, remember that peering is not transitive and that you cannot peer VNets with overlapping address spaces.
Real-World Scenario 1: Multi-Region Disaster Recovery
A global e-commerce company runs its primary application in the East US region and wants a disaster recovery (DR) site in West US. They have two VNets: 'app-east' (10.1.0.0/16) and 'app-west' (10.2.0.0/16). They use global VNet Peering to connect these VNets. During normal operations, traffic is minimal (just database replication). If East US goes down, they fail over to West US, and the peering ensures that any remaining resources in East US can still communicate with West US. The team configures the peering with 'Allow forwarded traffic' disabled and 'Allow gateway transit' disabled. They monitor data transfer costs, which are higher for global peering. A common mistake is forgetting to create the reverse peering, which would break bidirectional communication. In this scenario, the company saves costs compared to using a VPN Gateway because peering is faster and does not require a separate gateway instance.
Real-World Scenario 2: Hub-and-Spoke Shared Services
A large enterprise has multiple application teams, each deploying their own VNets. To centralize security and management, the networking team creates a hub VNet containing a firewall (Azure Firewall) and a DNS server. Each application VNet (spoke) is peered to the hub. The spokes do not need to communicate with each other directly; all traffic goes through the hub firewall for inspection. The team configures 'Allow forwarded traffic' on the hub peering and 'Use remote gateways' on the spoke peerings. This allows the spokes to use the VPN gateway in the hub to connect to on-premises. The challenge is ensuring that IP address spaces do not overlap across all VNets. If a new spoke uses an overlapping range, peering fails. Also, because peering is not transitive, the spokes cannot talk to each other without routing through the hub. This topology scales well but requires careful planning of address spaces.
Real-World Scenario 3: SaaS Provider Isolation
A SaaS provider hosts customer environments in separate VNets for isolation. Customer A's VNet needs to access a shared database VNet. The provider peers Customer A's VNet with the database VNet. When Customer B needs similar access, they peer Customer B's VNet with the same database VNet. The database VNet becomes a hub. The provider must ensure that Customer A cannot access Customer B's VNet. Because peering is not transitive, this is automatically enforced – unless the provider explicitly creates a peering between A and B. However, if the database VNet has a route that forwards traffic between A and B (e.g., via a network virtual appliance), that could break isolation. So the provider disables 'Allow forwarded traffic' on both peerings. This scenario highlights the importance of understanding transitive behavior and the 'Allow forwarded traffic' setting.
What AZ-900 Tests on VNet Peering (Objective 2.3)
The AZ-900 exam covers VNet Peering under "Describe Azure networking services." You are expected to understand:
The purpose of VNet Peering (connecting VNets privately).
The difference between regional and global peering.
That peering is not transitive.
That IP address spaces must not overlap.
That traffic uses Microsoft's backbone, not the internet.
Basic pricing (data transfer costs, no setup fee).
Common Wrong Answers and Why Candidates Choose Them
Mistake: Assuming VNet Peering works transitively – This is the #1 exam trap. Candidates think that if A is peered to B and B to C, then A can reach C automatically. Correct rule: Peering is NOT transitive. You must create a direct peering between A and C, or route traffic through a hub VNet with a network virtual appliance.
"VNet Peering requires a VPN gateway." – No. VNet Peering is a direct connection and does not use a VPN gateway. A VPN Gateway is used for site-to-site or point-to-site connections to on-premises. Candidates confuse peering with VPN.
"You can peer VNets with overlapping address spaces." – This is false. Overlapping IP ranges cause routing conflicts and peering fails. Candidates might think Azure handles NAT, but it does not.
"Global peering is not supported." – Global VNet Peering is supported across Azure regions. Some candidates think peering is only regional because of older documentation. The exam includes global peering.
Specific Terms and Values on the Exam
"Microsoft backbone" – the private network used for peering traffic.
"Not transitive" – exact phrase used in questions.
"Non-overlapping IP address spaces" – a prerequisite.
"Regional vs. Global" – know the difference.
"Data transfer costs" – you pay for egress; no setup fee.
Edge Cases and Tricky Distinctions
Gateway transit: If you enable gateway transit on a peering, a spoke VNet can use the hub's VPN gateway to connect to on-premises. This is a common exam scenario.
Allow forwarded traffic: If you have a network virtual appliance in the hub that routes traffic between spokes, you must enable this setting. Otherwise, the appliance cannot forward traffic.
Peering across subscriptions: Supported as long as both subscriptions are within the same Azure AD tenant. The exam may test that you need appropriate RBAC permissions.
Peering deletion: If you delete one side, the other side becomes disconnected. The exam may ask about the impact.
Memory Trick / Decision Tree
To decide if VNet Peering is the right solution, ask: 1. Do I need to connect two VNets? If yes, consider peering. 2. Do I need transitive connectivity? If yes, use hub-and-spoke with a network virtual appliance or multiple peerings. 3. Do I need to connect to on-premises? If yes, use VPN Gateway or ExpressRoute, not peering alone. 4. Are the IP ranges overlapping? If yes, you cannot use peering; redesign the VNets.
Remember the acronym PEN: Peering is Private (Microsoft backbone), not transitive (Explicit), and requires Non-overlapping IPs.
VNet Peering connects two Azure virtual networks privately over the Microsoft backbone.
Peering is not transitive; each VNet pair requires a direct peering connection.
IP address spaces of peered VNets must not overlap.
Global VNet Peering connects VNets across different Azure regions; regional peering is within the same region.
You pay only for data transfer between peered VNets; no setup or hourly fees.
Traffic between peered VNets never traverses the public internet.
To enable a spoke VNet to use a hub's VPN gateway, enable 'Allow gateway transit' on the hub peering and 'Use remote gateways' on the spoke peering.
These come up on the exam all the time. Here's how to tell them apart.
VNet Peering
Connects two Azure VNets directly using Microsoft backbone.
No gateway required; lower latency and higher bandwidth.
Not transitive; requires direct peering for each pair.
Supports global peering across regions.
Pricing based on data transfer; no hourly gateway cost.
VPN Gateway
Connects on-premises networks to Azure VNets via encrypted tunnels.
Requires a VPN gateway instance in the VNet; incurs hourly cost.
Supports transitive routing with BGP (if configured).
Typically used for site-to-site (S2S) or point-to-site (P2S) VPNs.
Pricing includes gateway hours and data transfer out.
Mistake
VNet Peering is transitive, so if VNet A is peered with VNet B and VNet B with VNet C, then VNet A can communicate with VNet C.
Correct
VNet Peering is NOT transitive. You must create a direct peering between VNet A and VNet C for them to communicate. This is a critical exam point.
Mistake
VNet Peering requires a VPN Gateway or ExpressRoute circuit to work.
Correct
No. VNet Peering is a direct connection using Azure's backbone. VPN Gateway is used for hybrid connectivity to on-premises networks. Peering is simpler and does not involve gateways.
Mistake
You can peer VNets even if their IP address spaces overlap; Azure will handle the conflict.
Correct
Overlapping IP address spaces are not allowed. Azure will reject the peering creation. You must ensure the VNets have unique, non-overlapping address ranges.
Mistake
Global VNet Peering is not available in all regions and is more expensive than regional peering but still uses the public internet.
Correct
Global VNet Peering is available in all Azure regions. It uses Microsoft's backbone network, not the public internet. It is more expensive than regional peering due to higher data transfer costs.
Mistake
Once a peering is established, all resources in both VNets can communicate without any additional configuration.
Correct
While peering enables connectivity, Network Security Groups (NSGs) and firewall rules still apply. You must explicitly allow traffic between the VNets in NSGs if they block by default.
Azure VNet Peering is a service that connects two virtual networks, allowing resources in each to communicate directly using private IP addresses. It works by creating a peering connection from each VNet to the other. Azure updates the routing tables so traffic is sent over the Microsoft backbone. No gateways are needed. Exam tip: Remember that peering is not transitive and requires non-overlapping IP spaces.
Yes, you can peer VNets in different subscriptions, as long as both subscriptions are within the same Azure Active Directory tenant. You need appropriate permissions (e.g., Network Contributor) on both VNets. The peering setup is the same as within a single subscription. Exam tip: This is a common scenario for enterprises with multiple subscriptions.
No, VNet Peering is not free. While there is no charge to create a peering, you pay for data transfer between the peered VNets. Regional peering has lower rates; global peering has higher rates (similar to standard egress charges). Exam tip: Know that there are data transfer costs, not a flat fee.
VNet Peering connects two Azure VNets directly without a gateway, using Microsoft's backbone. VPN Gateway connects on-premises networks to Azure VNets via encrypted tunnels over the internet. VNet Peering is faster, lower latency, and simpler for VNet-to-VNet connectivity. VPN Gateway is for hybrid connectivity. Exam tip: Use peering for VNet-to-VNet, VPN Gateway for on-premises connections.
No, VNet Peering only connects Azure VNets to each other. To connect an Azure VNet to an on-premises network, you need a site-to-site VPN (using VPN Gateway) or ExpressRoute. However, you can use VNet Peering to allow a spoke VNet to access an on-premises network through a hub VNet that has a VPN gateway (gateway transit). Exam tip: Peering itself does not provide hybrid connectivity.
If you delete the peering on one VNet, the peering on the other VNet will show a status of 'Disconnected' and communication stops. You must delete both peerings to fully remove the connection. Exam tip: Deleting one side breaks connectivity; you cannot have a one-way peering for communication.
No, VNet Peering does not support transitive routing by default. If VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A cannot communicate with VNet C unless you create a direct peering between A and C. For transitive routing, you need a network virtual appliance (NVA) or use Azure Virtual WAN. Exam tip: This is a frequently tested concept.
You've just covered Azure VNet Peering — now see how well it sticks with free AZ-900 practice questions. Full explanations included, no account needed.
Done with this chapter?