How to create a VNet peering in Azure?

  1. In the search box at the top of the Azure portal, enter virtual networks in the search box. When Virtual networks appear in the search results, select it. Do not select Virtual networks (classic) if it appears in the list, as you cannot create a peering from a virtual network deployed through the classic deployment model.
  2. Select the virtual network in the list that you want to create a peering for.
  3. Under SETTINGS, select Peerings.
  4. Select + Add.
  5. Enter or select values for the following settings:
  • Name: The name for the peering must be unique within the virtual network.
  • Virtual network deployment model: Select which deployment model the virtual network you want to peer with was deployed through.
  • I know my resource ID: If you have read access to the virtual network you want to peer with, leave this checkbox unchecked. If you don’t have read access to the virtual network or subscription you want to peer with, check this box. Enter the full resource ID of the virtual network you want to peer with in the Resource ID box that appeared when you checked the box. The resource ID you enter must be for a virtual network that exists in the same, or supported different Azure region as this virtual network. The full resource ID looks similar to /subscriptions/<Id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<virtual-network-name>. You can get the resource ID for a virtual network by viewing the properties for a virtual network. To learn how to view the properties for a virtual network, see Manage virtual networks. If the subscription is associated to a different Azure Active Directory tenant than the subscription with the virtual network you’re creating the peering from, first add a user from each tenant as a guest user in the opposite tenant.
  • Subscription: Select the subscription of the virtual network you want to peer with. One or more subscriptions are listed, depending on how many subscriptions your account has read access to. If you checked the Resource ID checkbox, this setting isn’t available.
  • Virtual network: Select the virtual network you want to peer with. You can select a virtual network created through either Azure deployment model. If you want to select a virtual network in a different region, you must select a virtual network in a supported region. You must have read access to the virtual network for it to be visible in the list. If a virtual network is listed, but grayed out, it may be because the address space for the virtual network overlaps with the address space for this virtual network. If virtual network address spaces overlap, they cannot be peered. If you checked the Resource ID checkbox, this setting isn’t available.
  • Allow virtual network access: Select Enabled (default) if you want to enable communication between the two virtual networks through the default VirtualNetwork flow. Enabling communication between virtual networks allows resources connected to either virtual network to communicate with each other with the same bandwidth and latency as if they were connected to the same virtual network. All communication between resources in the two virtual networks is over the Azure private network. The VirtualNetwork service tag for network security groups encompasses the virtual network and peered virtual network when this setting is Enabled. (To learn more about network security group service tags, see Network security groups overview.) Select Disabled if you don’t want traffic to flow to the peered virtual network by default. You might select Disabled if you’ve peered a virtual network with another virtual network, but occasionally want to disable default traffic flow between the two virtual networks. You may find enabling/disabling is more convenient than deleting and re-creating peerings. When this setting is disabled, traffic doesn’t flow between the peered virtual networks by default; however, traffic may still flow if explicitly allowed through a network security group rule that includes the appropriate IP addresses or application security groups.
  • Allow forwarded traffic: Check this box to allow traffic forwarded by a network virtual appliance in a virtual network (that didn’t originate from the virtual network) to flow to this virtual network through a peering. For example, consider three virtual networks named Spoke1, Spoke2, and Hub. A peering exists between each spoke virtual network and the Hub virtual network, but peerings don’t exist between the spoke virtual networks. A network virtual appliance is deployed in the Hub virtual network, and user-defined routes are applied to each spoke virtual network that route traffic between the subnets through the network virtual appliance. If this checkbox is not checked for the peering between each spoke virtual network and the hub virtual network, traffic doesn’t flow between the spoke virtual networks because the hub is not forwarding the traffic between the virtual networks. While enabling this capability allows the forwarded traffic through the peering, it does not create any user-defined routes or network virtual appliances. User-defined routes and network virtual appliances are created separately. Learn about user-defined routes. You don’t need to check this setting if traffic is forwarded between virtual networks through an Azure VPN Gateway.
  • Allow gateway transit: Check this box if you have a virtual network gateway attached to this virtual network and want to allow traffic from the peered virtual network to flow through the gateway. For example, this virtual network may be attached to an on-premises network through a virtual network gateway. The gateway can be an ExpressRoute or VPN gateway. Checking this box allows traffic from the peered virtual network to flow through the gateway attached to this virtual network to the on-premises network. If you check this box, the peered virtual network cannot have a gateway configured. The peered virtual network must have the Use remote gateways checkbox checked when setting up the peering from the other virtual network to this virtual network. If you leave this box unchecked (default), traffic from the peered virtual network still flows to this virtual network, but cannot flow through a virtual network gateway attached to this virtual network. If the peering is between a virtual network (Resource Manager) and a virtual network (classic), the gateway must be in the virtual network (Resource Manager).In addition to forwarding traffic to an on-premises network, a VPN gateway can forward network traffic between virtual networks that are peered with the virtual network the gateway
  • is in, without the virtual networks needing to be peered with each other. Using a VPN gateway to forward traffic is useful when you want to use a VPN gateway in a hub (see the hub and spoke example described for Allow forwarded traffic) virtual network to route traffic between spoke virtual networks that aren’t peered with each other. To learn more about allowing use of a gateway for transit, see Configure a VPN gateway for transit in a virtual network peering. This scenario requires implementing user-defined routes that specify the virtual network gateway as the next hop type. Learn about user-defined routes. You can only specify a VPN gateway as a next hop type in a user-defined route, you cannot specify an ExpressRoute gateway as the next hop type in a user-defined route.
  • Use remote gateways: Check this box to allow traffic from this virtual network to flow through a virtual network gateway attached to the virtual network you’re peering with. For example, the virtual network you’re peering with has a VPN gateway attached that enables communication to an on-premises network. Checking this box allows traffic from this virtual network to flow through the VPN gateway attached to the peered virtual network. If you check this box, the peered virtual network must have a virtual network gateway attached to it and must have the Allow gateway transit checkbox checked. If you leave this box unchecked (default), traffic from the peered virtual network can still flow to this virtual network, but cannot flow through a virtual network gateway attached to this virtual network.Only one peering for this virtual network can have this setting enabled.You can’t use remote gateways if you already have a gateway configured in your virtual network. To learn more about using a gateway for transit, see Configure a VPN gateway for transit in a virtual network peering
  • Select OK to add the peering to the virtual network you selected.

Add Comment