Explains how to configure Azure virtual network peering to enable private cross‑VNet connectivity, options, gateway sharing, permissions, and troubleshooting.
Enabling cross‑VNet connectivity

In this lesson we’ll learn how to connect Azure virtual networks (VNets) so they can communicate privately and securely. VNet peering creates a fast, low‑latency, private connection between VNets without routing traffic over the public internet.

Learning objectives
Understand how to connect virtual networks for high‑speed, private communication.
Learn the difference between regional peering and global peering.
Learn the steps and settings involved when creating a peering connection in Azure.
Understand permission requirements and important peering options such as traffic forwarding and gateway transit.
Learn how to share a single gateway across multiple VNets when needed.
What is VNet peering?

Azure VNet peering connects two virtual networks so resources in the VNets can communicate directly using private IPs. Peering behaves like a network-level link; it does not require routing through the public internet and provides the same network performance as intra-VNet traffic.

Regional vs global peering
Regional peering: connects VNets within the same Azure region.
Global peering: connects VNets across different Azure regions (including different geographies).
Choosing between regional and global peering depends on network topology, latency tolerance, and inter-region data transfer costs.

Comparison

Feature            | Regional Peering                  | Global Peering
-------------------|-----------------------------------|------------------------------------------------------
Scope              | Same Azure region                 | Different Azure regions
Latency            | Lowest within region              | Higher, region-dependent
Data transfer cost | Typically lower                   | Typically higher (inter-region rates)
Use cases          | Multi-subnet apps within a region | Multi-region apps, disaster recovery, global services
Peering configuration options

When creating a VNet peering you configure several options that control traffic flow and gateway usage:

Option                       | Description
-----------------------------|------------------------------------------------------------------------------------------------------------------
Allow virtual network access | Enables connectivity between the two VNets (required for basic peering)
Allow forwarded traffic      | Allows traffic that is forwarded by network virtual appliances (NVAs) to traverse the peering
Allow gateway transit        | Allows a peered VNet to use the other VNet’s gateway (useful for shared VPN/ExpressRoute gateways)
Use remote gateways          | Configures the VNet to use the peer’s gateway instead of creating its own (requires the peer to allow gateway transit)
High-level steps to create a VNet peering
Verify VNets have non-overlapping address spaces.
Ensure you have the required permissions on both VNets (see the Permissions section below).
Decide whether you need regional or global peering.
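The first of these checks, non-overlapping address spaces, can be automated before any peering is requested. The following Python script is an added example and not part of the lesson; the VNet names and prefixes are constructed sample data shaped like the addressPrefixes list of a VNet's address space, and the standard library's ipaddress module does the overlap test.

```python
# Added example (not part of the lesson): pre-flight check that VNets you
# intend to peer have non-overlapping address spaces. Azure rejects peerings
# between overlapping address spaces, so catching this early saves a failed
# deployment. All names and prefixes below are constructed sample data.
import ipaddress
from itertools import combinations

# Constructed sample input: VNet name -> list of address prefixes, the same
# shape as a VNet resource's addressSpace.addressPrefixes property.
VNETS = {
    "hub-vnet": ["10.0.0.0/16"],
    "spoke-east": ["10.1.0.0/16", "192.168.10.0/24"],
    "spoke-west": ["10.2.0.0/16"],
    "legacy-vnet": ["10.1.128.0/17"],   # sits inside spoke-east's 10.1.0.0/16
}


def find_overlaps(vnets):
    """Return (vnet_a, prefix_a, vnet_b, prefix_b) for every pair of prefixes
    in different VNets that overlap. An empty list means all VNets are
    mutually peerable as far as address space is concerned."""
    overlaps = []
    for (name_a, prefixes_a), (name_b, prefixes_b) in combinations(vnets.items(), 2):
        for pa in prefixes_a:
            # strict=True rejects prefixes with host bits set (e.g. 10.1.5.0/16),
            # which usually indicates a typo in the address space.
            net_a = ipaddress.ip_network(pa, strict=True)
            for pb in prefixes_b:
                net_b = ipaddress.ip_network(pb, strict=True)
                # IPv4 and IPv6 prefixes never overlap each other.
                if net_a.version == net_b.version and net_a.overlaps(net_b):
                    overlaps.append((name_a, pa, name_b, pb))
    return overlaps


def can_peer(vnets, a, b):
    """True if VNets a and b share no overlapping prefix."""
    return not find_overlaps({a: vnets[a], b: vnets[b]})


if __name__ == "__main__":
    for name_a, pa, name_b, pb in find_overlaps(VNETS):
        print(f"overlap: {name_a} {pa} <-> {name_b} {pb}")
    print("hub-vnet <-> spoke-east peerable:", can_peer(VNETS, "hub-vnet", "spoke-east"))
    print("spoke-east <-> legacy-vnet peerable:", can_peer(VNETS, "spoke-east", "legacy-vnet"))
```

Run it against the real address spaces (for example, the JSON output of an inventory query) before creating peerings; the one overlap in the sample, legacy-vnet inside spoke-east, is exactly the case Azure would reject.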
Permissions and roles

Creating or managing a VNet peering requires permissions scoped to the virtual network resource. Typical actions required include Microsoft.Network/virtualNetworks/* operations on the VNets involved. Common built-in roles that permit peering management include:

Role                | Scope
--------------------|----------------------------------------------------------------
Network Contributor | Resource group or subscription (can manage VNets and peerings)
Owner               | Subscription or resource group (full access)
If you encounter permission errors, ask your administrator to assign an appropriate role on the VNets or resource groups.

Using a single gateway across multiple VNets

You can share a single VPN or ExpressRoute gateway across peered VNets by configuring gateway transit and remote gateway options:
The VNet that hosts the gateway must have allowGatewayTransit enabled on its peering.
VNets that want to use that gateway enable useRemoteGateways on their peering.
Gateway sharing is useful to reduce cost and simplify on‑premises connectivity, but remember that performance and throughput limits of the gateway apply to all VNets using it.
Important constraints to keep in mind: VNet peering is non‑transitive (traffic does not automatically flow through a peered VNet to a third VNet), and peered VNets must not have overlapping address spaces.
Troubleshooting tips
If connectivity fails, check network security groups (NSGs), user-defined routes (UDRs), and NVA rules that might block traffic.
Confirm both sides of the peering exist and are in the Connected state.
Verify that allowForwardedTraffic, allowGatewayTransit, and useRemoteGateways flags are set as required for your topology.
For cross-region issues, confirm global peering is supported between the selected regions and check data transfer costs.
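The gateway-sharing rules above (allowGatewayTransit on the gateway side, useRemoteGateways on the other), the non-transitivity constraint, and the troubleshooting checks for both sides being Connected can all be verified mechanically. The Python script below is an added example, not the lesson's own tooling: it walks a set of peerings, reports the misconfigurations the troubleshooting tips list, and shows that two spokes peered to the same hub are not connected to each other. The peering dictionaries are constructed sample data whose keys mirror the property names of the Azure virtualNetworkPeerings resource, with remoteVirtualNetwork reduced to a plain VNet name for readability.

```python
# Added example (not part of the lesson): validate a set of VNet peerings for
# the problems the lesson's troubleshooting tips describe. PEERINGS is
# constructed sample data; its keys mirror the Azure virtualNetworkPeerings
# property names (peeringState, allowVirtualNetworkAccess, allowForwardedTraffic,
# allowGatewayTransit, useRemoteGateways).
CONNECTED = "Connected"

PEERINGS = {
    "hub-vnet": [
        {"name": "hub-to-spoke1", "remoteVirtualNetwork": "spoke1",
         "peeringState": "Connected", "allowVirtualNetworkAccess": True,
         "allowForwardedTraffic": True, "allowGatewayTransit": True,
         "useRemoteGateways": False},
        # The reverse peering on spoke2 was never created, so this side
        # never leaves the Initiated state.
        {"name": "hub-to-spoke2", "remoteVirtualNetwork": "spoke2",
         "peeringState": "Initiated", "allowVirtualNetworkAccess": True,
         "allowForwardedTraffic": True, "allowGatewayTransit": True,
         "useRemoteGateways": False},
    ],
    "spoke1": [
        {"name": "spoke1-to-hub", "remoteVirtualNetwork": "hub-vnet",
         "peeringState": "Connected", "allowVirtualNetworkAccess": True,
         "allowForwardedTraffic": False, "allowGatewayTransit": False,
         "useRemoteGateways": True},
        {"name": "spoke1-to-spoke3", "remoteVirtualNetwork": "spoke3",
         "peeringState": "Connected", "allowVirtualNetworkAccess": True,
         "allowForwardedTraffic": False, "allowGatewayTransit": False,
         "useRemoteGateways": False},
    ],
    "spoke2": [],
    "spoke3": [
        # Asks to use spoke1's gateway, but spoke1 does not allow gateway transit.
        {"name": "spoke3-to-spoke1", "remoteVirtualNetwork": "spoke1",
         "peeringState": "Connected", "allowVirtualNetworkAccess": True,
         "allowForwardedTraffic": False, "allowGatewayTransit": False,
         "useRemoteGateways": True},
    ],
}


def peering_to(peerings, local, remote):
    """Return local's peering object that points at remote, or None."""
    for p in peerings.get(local, []):
        if p["remoteVirtualNetwork"] == remote:
            return p
    return None


def validate_peerings(peerings):
    """Return human-readable findings: missing reverse peerings, peerings not
    Connected on both sides, and useRemoteGateways without matching
    allowGatewayTransit on the peer."""
    findings = []
    for local, entries in peerings.items():
        for p in entries:
            remote = p["remoteVirtualNetwork"]
            reverse = peering_to(peerings, remote, local)
            if reverse is None:
                findings.append(
                    f"{local} -> {remote}: no reverse peering on {remote} "
                    f"(local state: {p['peeringState']})")
                continue
            if p["peeringState"] != CONNECTED or reverse["peeringState"] != CONNECTED:
                findings.append(
                    f"{local} -> {remote}: peering not Connected on both sides "
                    f"({p['peeringState']} / {reverse['peeringState']})")
            if p["useRemoteGateways"] and not reverse["allowGatewayTransit"]:
                findings.append(
                    f"{local} -> {remote}: useRemoteGateways is set, but {remote}'s "
                    f"peering back does not set allowGatewayTransit")
    return findings


def directly_connected(peerings, a, b):
    """True only if a and b are Connected in both directions with virtual
    network access allowed. Peering is non-transitive: two spokes peered to
    the same hub are not connected by this check unless peered directly.
    (Hairpinning through an NVA with allowForwardedTraffic and user-defined
    routes is a separate design and is not modelled here.)"""
    p, r = peering_to(peerings, a, b), peering_to(peerings, b, a)
    return all(
        x is not None and x["peeringState"] == CONNECTED and x["allowVirtualNetworkAccess"]
        for x in (p, r))


if __name__ == "__main__":
    for f in validate_peerings(PEERINGS):
        print("FINDING:", f)
    print("spoke3 -> hub-vnet via spoke1?", directly_connected(PEERINGS, "spoke3", "hub-vnet"))
```

The two findings on the sample data correspond to the second and third troubleshooting tips (a one-sided peering stuck in Initiated, and useRemoteGateways without gateway transit on the peer), and the last line demonstrates the non-transitivity constraint: spoke3 is peered to spoke1, and spoke1 to the hub, yet spoke3 does not reach the hub. NSG, UDR and NVA rules (the first tip) are outside what peering state alone can tell you and still need to be checked separately.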