I’ve recently been reviewing VNet peering for Azure in detail and if you have VNet VPN gateways today, it’s time to switch to VNet peering if you have VNets connected together with the old method, especially now that it is in general availability. This is only a consideration for VNet’s connected in the same region as currently VNet peering is not available across Azure regions e.g. UK West and UK South.
VNet peering allows you to connect two or more Azure VNet’s together with a few simple steps vs the old method of provisioning gateway subnets and VPN Gateways. You also don’t have to provision a VPN gateway for VNet peering as the traffic travels through the Azure backbone and not through a site-to-site (S2S) IPSEC VPN tunnel. This obviously has numerous benefits, with Azure regional virtual networks that have provide the appropriate infrastructure for high bandwidth use. VNet-to-VNet connections always had limited connectivity based on the gateway type that was provisioned.
You can follow the Microsoft Azure article below if you have a need to provision VNet-to-VNet connections using VPN gateways, based on your requirements e.g. you need to connect two VNet’s together in different Azure regions.
Here’s my example of how to create two Azure VNet’s and peer them using PowerShell. I’ll wrap these into my custom Azure PowerShell module in a couple of functions, with the appropriate parameter input types, for future use.
# Login to Azure Login-AzureRmAccount # Use Select-AzureRmSubscription to select the subscription you want to create the VNets into # New resource group in the location where we will hold all the resources New-AzureRmResourceGroup -Name RG-VNETS -Location ukwest # Create Virtual Network A with a subnet in the UK West Region $NSGSubNetA = New-AzureRmNetworkSecurityGroup -Name NSG-SubNetA -ResourceGroupName RG-VNETS -Location ukwest $SubNetA = New-AzureRmVirtualNetworkSubnetConfig -Name SubnetA -AddressPrefix 10.1.1.0/24 -NetworkSecurityGroup $NSGSubNetA $VNetA = New-AzureRmVirtualNetwork -Name VNETA -ResourceGroupName RG-VNETS -Location ukwest -AddressPrefix 10.1.0.0/16 -Subnet $SubNetA # Create Virtual Network B with a subnet in the UK West Region $NSGSubNetB = New-AzureRmNetworkSecurityGroup -Name NSG-SubNetB -ResourceGroupName RG-VNETS -Location ukwest $SubNetB = New-AzureRmVirtualNetworkSubnetConfig -Name SubnetB -AddressPrefix 10.2.1.0/24 -NetworkSecurityGroup $NSGSubNetB $VNetB = New-AzureRmVirtualNetwork -Name VNETB -ResourceGroupName RG-VNETS -Location ukwest -AddressPrefix 10.2.0.0/16 -Subnet $SubNetB # Add peering VNETA to VNETB (this initiates the peering) Add-AzureRmVirtualNetworkPeering -Name Peering-VNETA-to-VNETB -VirtualNetwork $VNETA -RemoteVirtualNetworkId $VNETB.Id
Notice that the peering status is initiated.
We now need to create the peering from VNETB to VNETA.
# Add peering VNETB to VNETA (this completes the peering) Add-AzureRmVirtualNetworkPeering -Name Peering-VNETB-to-VNETA -VirtualNetwork $VNETB -RemoteVirtualNetworkId $VNETA.Id
The peering is now complete.
Be aware of the additional settings that are available to peering connections shown below.
You can enable or disable virtual network access from a peered VNet.
Allow forwarded traffic: Allows traffic from the peered network, not originating from the peered network, into the local VNet.
Allow gateway transit: allows the peered VNet to use the gateway in the local VNet. The peered network “use remote gateways option” must be enabled. It will only be available if the local VNet has a gateway configured.
Use Remote Gateways: The VNet will use the remote peered VNet gateway, but the remote VNet must have the “Allow gateway transit option enabled”.
You cannot daisy chain VNets and expect them all to act as one address space with routing between then, regardless of the number of options you specify above. Daisy chaining isn’t really the best networking practice to follow in any case. I recommended that a hub and spoke topology is implemented with the appropriate security controls. I also recommended that you have Network Virtual Appliances (NVAs) in the hub as that will provide you with the most flexibility for controlling your network traffic between the VNet’s and subnets. Managing lots of NSG’s can be very cumbersome, but this depends on your release mechanism and experience as you could still use ARM templates to manage updates to NSGs.
The most common NVAs are CheckPoint vSEC, Barracuda NextGen and Fortinet FortiGate. For further information see the Microsoft Azure Docs article below.
For further information on VNet Peering, you can review Microsoft Azure Docs overview article below.