
VNet peering for connectivity in Azure - Commands & Configuration

Introduction
Sometimes you have two separate private networks in the cloud and want them to talk to each other securely and fast. VNet peering connects these networks so resources in one can reach resources in the other without going over the public internet.
When you have two different apps in separate virtual networks that need to share data quickly.
When you want to connect a test environment network to a production network for monitoring.
When you run services in different regions and want them to communicate privately.
When you want to avoid exposing your network traffic to the internet for security reasons.
When you want to simplify network architecture by linking multiple VNets.
Config File - vnet-peering-template.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vnet1Name": {
      "type": "string",
      "defaultValue": "vnet-eastus"
    },
    "vnet2Name": {
      "type": "string",
      "defaultValue": "vnet-westus"
    },
    "resourceGroup": {
      "type": "string",
      "defaultValue": "example-rg"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
      "apiVersion": "2021-05-01",
      "name": "[concat(parameters('vnet1Name'), '/peer-to-vnet2')]",
      "properties": {
        "remoteVirtualNetwork": {
          "id": "[resourceId(parameters('resourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnet2Name'))]"
        },
        "allowVirtualNetworkAccess": true,
        "allowForwardedTraffic": false,
        "allowGatewayTransit": false,
        "useRemoteGateways": false
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
      "apiVersion": "2021-05-01",
      "name": "[concat(parameters('vnet2Name'), '/peer-to-vnet1')]",
      "properties": {
        "remoteVirtualNetwork": {
          "id": "[resourceId(parameters('resourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnet1Name'))]"
        },
        "allowVirtualNetworkAccess": true,
        "allowForwardedTraffic": false,
        "allowGatewayTransit": false,
        "useRemoteGateways": false
      }
    }
  ]
}

This JSON template creates a peering connection between two Azure virtual networks named vnet-eastus and vnet-westus in the resource group example-rg.

Each virtualNetworkPeerings resource defines one side of the peering, allowing both VNets to communicate.

Setting allowVirtualNetworkAccess to true is what actually permits traffic between the two VNets; a peering with it set to false exists but carries no traffic.

The other flags, allowForwardedTraffic, allowGatewayTransit, and useRemoteGateways, are left at false, which gives a plain peering: no forwarded traffic from outside the remote VNet and no sharing of a VPN or ExpressRoute gateway.

Commands
This command creates a peering from the 'vnet-eastus' virtual network to the 'vnet-westus' virtual network, allowing them to communicate privately.
Terminal
az network vnet peering create --name peer-to-vnet2 --resource-group example-rg --vnet-name vnet-eastus --remote-vnet vnet-westus --allow-vnet-access
Expected Output
{ "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Network/virtualNetworks/vnet-eastus/virtualNetworkPeerings/peer-to-vnet2", "name": "peer-to-vnet2", "properties": { "allowVirtualNetworkAccess": true, "allowForwardedTraffic": false, "allowGatewayTransit": false, "remoteVirtualNetwork": { "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Network/virtualNetworks/vnet-westus" }, "peeringState": "Initiated" }, "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings" }
--allow-vnet-access - Allows traffic between the two virtual networks.
This command creates the peering from 'vnet-westus' back to 'vnet-eastus' to complete the two-way connection.
Terminal
az network vnet peering create --name peer-to-vnet1 --resource-group example-rg --vnet-name vnet-westus --remote-vnet vnet-eastus --allow-vnet-access
Expected Output
{ "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Network/virtualNetworks/vnet-westus/virtualNetworkPeerings/peer-to-vnet1", "name": "peer-to-vnet1", "properties": { "allowVirtualNetworkAccess": true, "allowForwardedTraffic": false, "allowGatewayTransit": false, "remoteVirtualNetwork": { "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Network/virtualNetworks/vnet-eastus" }, "peeringState": "Initiated" }, "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings" }
--allow-vnet-access - Allows traffic between the two virtual networks.
This command lists all peering connections for 'vnet-eastus' so you can verify the peering is active.
Terminal
az network vnet peering list --resource-group example-rg --vnet-name vnet-eastus
Expected Output
[ { "name": "peer-to-vnet2", "properties": { "peeringState": "Connected", "allowVirtualNetworkAccess": true } } ]
This command lists all peering connections for 'vnet-westus' to confirm the two-way peering is established.
Terminal
az network vnet peering list --resource-group example-rg --vnet-name vnet-westus
Expected Output
[ { "name": "peer-to-vnet1", "properties": { "peeringState": "Connected", "allowVirtualNetworkAccess": true } } ]
Key Concept

If you remember nothing else from this pattern, remember: VNet peering connects two virtual networks so they can communicate privately and directly without using the internet.

Common Mistakes
Creating peering only from one VNet to another but not the reverse.
Peering must be created in both directions to allow two-way communication.
Always create peering from VNet A to VNet B and from VNet B to VNet A.
Not setting the --allow-vnet-access flag when creating peering.
Without this flag, the VNets cannot send traffic to each other even if peering exists.
Include --allow-vnet-access to enable traffic flow between the VNets.
Trying to peer VNets in different subscriptions without proper permissions.
Peering across subscriptions requires permissions on both sides and correct resource IDs.
Ensure you have access to both subscriptions and use full resource IDs when peering.
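The following script is an added example, not part of the original page or of Azure CLI itself. It takes the JSON that the two 'az network vnet peering list' commands above print and checks for the first two Common Mistakes (a missing reverse peering and a peering without VNet access), that both sides report peeringState Connected, and that none of the flags the template keeps false has been turned on. The sample lists it runs on are constructed to match the page's placeholder subscription and VNet names; the VNET_ID_PREFIX constant and the sample_list helper are assumptions for the demo.

```python
import json

# Flags the page's template keeps false. Turning any of them on lets traffic that did
# not originate inside the remote VNet (or a remote gateway) cross the peering.
WIDENING_FLAGS = ("allowForwardedTraffic", "allowGatewayTransit", "useRemoteGateways")


def check_side(vnet, remote, peerings):
    """Findings for one VNet's `az network vnet peering list` output ([] = OK)."""
    suffix = "/virtualNetworks/" + remote
    side = [p for p in peerings
            if p["properties"].get("remoteVirtualNetwork", {}).get("id", "").endswith(suffix)]
    if not side:
        return [f"{vnet}: no peering to {remote} (peering must be created in both directions)"]
    props = side[0]["properties"]
    out = []
    if props.get("peeringState") != "Connected":
        out.append(f"{vnet}: peering to {remote} is {props.get('peeringState')!r}, not Connected")
    if not props.get("allowVirtualNetworkAccess"):
        out.append(f"{vnet}: allowVirtualNetworkAccess is false, so traffic to {remote} is blocked")
    for flag in WIDENING_FLAGS:
        if props.get(flag):
            out.append(f"{vnet}: {flag} is true, wider than the template's baseline")
    return out


def verify_two_way(vnet_a, vnet_b, list_a_json, list_b_json):
    """Check both directions of the pair; returns [] when everything is healthy."""
    return (check_side(vnet_a, vnet_b, json.loads(list_a_json))
            + check_side(vnet_b, vnet_a, json.loads(list_b_json)))


# Constructed sample output (not captured from a real subscription), shaped like the
# `az network vnet peering list` result once both sides exist; placeholder subscription id.
VNET_ID_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                  "example-rg/providers/Microsoft.Network/virtualNetworks/")


def sample_list(name, remote, state="Connected", **flags):
    props = {"peeringState": state, "allowVirtualNetworkAccess": True,
             "allowForwardedTraffic": False, "allowGatewayTransit": False,
             "useRemoteGateways": False,
             "remoteVirtualNetwork": {"id": VNET_ID_PREFIX + remote}}
    props.update(flags)  # override a flag to simulate a misconfiguration
    return json.dumps([{"name": name, "properties": props}])


EASTUS_LIST = sample_list("peer-to-vnet2", "vnet-westus")
WESTUS_LIST = sample_list("peer-to-vnet1", "vnet-eastus")

if __name__ == "__main__":
    findings = verify_two_way("vnet-eastus", "vnet-westus", EASTUS_LIST, WESTUS_LIST)
    print("\n".join(findings) or "OK: two-way peering Connected with baseline flags")
```

On a real subscription, feed it the output of the two list commands instead of the constructed samples; a non-empty result is the thing to fix before relying on the link.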
Summary
Use 'az network vnet peering create' to connect two VNets in both directions.
Verify peering status with 'az network vnet peering list' to ensure connectivity.
Set '--allow-vnet-access' flag to enable traffic between the VNets.