
VNet-to-VNet connectivity in Azure - Commands & Configuration

Introduction
Sometimes you want two separate private networks in Azure to talk to each other securely. VNet-to-VNet connectivity lets you connect these networks so resources in one can reach resources in the other without going over the public internet.
  • When you have two different teams managing separate networks but want their apps to communicate.
  • When you want to connect a test network with a production network safely.
  • When you need to share data between two Azure regions privately.
  • When you want to connect a network for a web app with another network hosting a database.
  • When you want to extend your on-premises network through Azure VNets.
Config File - vnet-to-vnet-peering.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vnet1Name": {
      "type": "string",
      "defaultValue": "vnet-eastus"
    },
    "vnet2Name": {
      "type": "string",
      "defaultValue": "vnet-westus"
    },
    "resourceGroup": {
      "type": "string",
      "defaultValue": "example-rg"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
      "apiVersion": "2021-05-01",
      "name": "[concat(parameters('vnet1Name'), '/peer-to-westus')]",
      "properties": {
        "remoteVirtualNetwork": {
          "id": "[resourceId(parameters('resourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnet2Name'))]"
        },
        "allowVirtualNetworkAccess": true,
        "allowForwardedTraffic": false,
        "allowGatewayTransit": false,
        "useRemoteGateways": false
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
      "apiVersion": "2021-05-01",
      "name": "[concat(parameters('vnet2Name'), '/peer-to-eastus')]",
      "properties": {
        "remoteVirtualNetwork": {
          "id": "[resourceId(parameters('resourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnet1Name'))]"
        },
        "allowVirtualNetworkAccess": true,
        "allowForwardedTraffic": false,
        "allowGatewayTransit": false,
        "useRemoteGateways": false
      }
    }
  ]
}

This JSON is an Azure Resource Manager (ARM) template that creates peering connections between two VNets.

  • vnet1Name and vnet2Name: Names of the two VNets to connect.
  • virtualNetworkPeerings: Resources that define the peering from each VNet to the other.
  • allowVirtualNetworkAccess: Enables traffic between the VNets.

Deploying this template sets up a private peering connection between the two VNets so their resources can communicate securely.

Commands
This command creates a peering from the eastus VNet to the westus VNet, allowing them to communicate privately.
Terminal
az network vnet peering create --name peer-to-westus --resource-group example-rg --vnet-name vnet-eastus --remote-vnet vnet-westus --allow-vnet-access
Expected Output
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Network/virtualNetworks/vnet-eastus/virtualNetworkPeerings/peer-to-westus",
  "name": "peer-to-westus",
  "properties": {
    "allowVirtualNetworkAccess": true,
    "peeringState": "Initiated",
    "remoteVirtualNetwork": {
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Network/virtualNetworks/vnet-westus"
    }
  },
  "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
}
--allow-vnet-access - Allows traffic between the two VNets
This command creates the peering from the westus VNet back to the eastus VNet, completing the two-way connection.
Terminal
az network vnet peering create --name peer-to-eastus --resource-group example-rg --vnet-name vnet-westus --remote-vnet vnet-eastus --allow-vnet-access
Expected Output
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Network/virtualNetworks/vnet-westus/virtualNetworkPeerings/peer-to-eastus",
  "name": "peer-to-eastus",
  "properties": {
    "allowVirtualNetworkAccess": true,
    "peeringState": "Initiated",
    "remoteVirtualNetwork": {
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Network/virtualNetworks/vnet-eastus"
    }
  },
  "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
}
--allow-vnet-access - Allows traffic between the two VNets
This command lists all peerings for the eastus VNet to verify the peering status.
Terminal
az network vnet peering list --resource-group example-rg --vnet-name vnet-eastus
Expected Output
[ { "name": "peer-to-westus", "peeringState": "Connected", "allowVirtualNetworkAccess": true } ]
This command lists all peerings for the westus VNet to verify the peering status from the other side.
Terminal
az network vnet peering list --resource-group example-rg --vnet-name vnet-westus
Expected Output
[ { "name": "peer-to-eastus", "peeringState": "Connected", "allowVirtualNetworkAccess": true } ]
Key Concept

If you remember nothing else from this pattern, remember: VNet peering creates a private, secure link between two Azure VNets so their resources can communicate as if on the same network.

Common Mistakes

  • Mistake: Creating the peering only from one VNet to the other but not the reverse.
    Why it fails: Traffic will not flow in both directions, so resources cannot communicate properly.
    Fix: Always create the peering from both VNets to each other to enable two-way communication.

  • Mistake: Not enabling the --allow-vnet-access flag during peering creation.
    Why it fails: Without this flag, the VNets cannot send traffic to each other even if peered.
    Fix: Use --allow-vnet-access to allow traffic between the VNets.

  • Mistake: Trying to peer VNets with overlapping IP address ranges.
    Why it fails: Azure does not allow peering if IP ranges overlap, so the peering fails.
    Fix: Ensure the VNets have unique, non-overlapping IP address spaces before peering.

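A pre-flight check for the three mistakes above, as an added Python example (not part of the original page or of Azure tooling). The address prefixes, the flat peering record shape with remoteVirtualNetwork.id, and all function names are assumptions.

```python
import ipaddress

def overlapping_prefixes(prefixes_a, prefixes_b):
    """Return (a, b) CIDR pairs that overlap; any hit means peering will be refused."""
    nets_a = [ipaddress.ip_network(p) for p in prefixes_a]
    nets_b = [ipaddress.ip_network(p) for p in prefixes_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b
            if a.version == b.version and a.overlaps(b)]

def find_peering(peerings, local, remote):
    """Return the peering on `local` whose remote VNet resource ID names `remote`."""
    suffix = "/virtualnetworks/" + remote.lower()
    for p in peerings.get(local, []):
        if p["remoteVirtualNetwork"]["id"].lower().endswith(suffix):
            return p
    return None

def check_pair(a, b, address_spaces, peerings):
    """List findings for the three mistakes: overlap, one-way peering, access not allowed."""
    findings = [f"overlap: {a} {x} overlaps {b} {y}"
                for x, y in overlapping_prefixes(address_spaces[a], address_spaces[b])]
    for local, remote in ((a, b), (b, a)):
        p = find_peering(peerings, local, remote)
        if p is None:
            findings.append(f"missing: no peering from {local} to {remote}")
            continue
        if not p.get("allowVirtualNetworkAccess"):
            findings.append(f"blocked: {local} -> {remote} does not allow VNet access")
        if p.get("peeringState") != "Connected":
            findings.append(f"state: {local} -> {remote} is {p.get('peeringState')}")
    return findings

# Constructed sample data: the address prefixes are assumed; the peering fields
# follow the names used in the `az network vnet peering` output on this page.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg"
SPACES = {"vnet-eastus": ["10.0.0.0/16"], "vnet-westus": ["10.1.0.0/16"]}
ONE_WAY = {"vnet-eastus": [{
    "name": "peer-to-westus", "peeringState": "Initiated",
    "allowVirtualNetworkAccess": True,
    "remoteVirtualNetwork": {
        "id": SUB + "/providers/Microsoft.Network/virtualNetworks/vnet-westus"},
}]}

if __name__ == "__main__":
    for finding in check_pair("vnet-eastus", "vnet-westus", SPACES, ONE_WAY):
        print(finding)
```

An empty result means both directions exist, both allow VNet access, both report Connected, and no prefixes collide.
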
Summary
  • Create a VNet peering from the first VNet to the second with traffic allowed.
  • Create a VNet peering from the second VNet back to the first to complete the connection.
  • Verify the peering status with the listing commands to ensure the VNets are connected.