Azure VNET to VNET connectivity options

We all know the Azure Vnet connectivity options: Point-to-Site VPN, Site-to-Site VPN, Multi-Site VPN and ExpressRoute.

In this article we will discuss the Vnet connectivity scenario below, where a set of Vnets is deployed in multiple regions and you need them connected. Can VNET 1 talk to VNET 2 and VNET 3? Let us find out.

However, complex multi-region Azure deployments require connectivity between Vnets using peering or gateways, without creating a complex Vnet peering mesh that is difficult to manage. This article lists some of the limitations of Azure Vnet peering and gateway-based VPNs.

First of all, let us remember the BIG RULES of Vnet peering –

  • VNET peering / VPN connections can’t have overlapping IP address spaces
  • Transitive peering is not allowed in VNET peering, which means that if VNET-B is peered with VNET-A and VNET-C, then VNET-A and VNET-C can’t communicate with each other via VNET-B
  • VNET peering traffic is internal to the Azure data center and doesn’t incur ingress or egress bandwidth charges for traffic between them
  • A Vnet can allow transitive routing for traffic that is routed through its gateway, but not through peering. Confused? I will explain it later in this article.
  • Peering helps with routing traffic, such as Internet traffic, to a network appliance deployed in another Vnet
  • One of the peered Vnets needs to be in Resource Manager and in the same subscription

Below are the Azure VNET Connectivity options –

| Source | Target | Connectivity Option |
|---|---|---|
| Vnet A – Region 1 | Vnet B – Region 1 | Vnet peering |
| Vnet A – Region 1 | Vnet B – Region 2 | Gateway VPN |
| Vnet A – Region 1 | Vnet B – Region 1 (another AD Tenant) | Gateway VPN |
| Vnet A – Region 1 | Vnet B – Region 2 (another AD Tenant) | Gateway VPN |


Peer Core 1 with Vnet 1 and Vnet 2

Peer Core 2 with Vnet 3 and Vnet 4, as shown in the diagram above.

What are the configuration options?

Allow forwarded traffic – When configured on a Vnet, this setting allows traffic into the Vnet that did not originate from the peered Vnet. In our example, if Vnet 3 is to accept traffic from Vnet 1 via the Core Vnets, then this setting needs to be turned ON on Vnet 3. Alternatively, all Vnets can have this setting turned ON.

Allow Gateway transit – This setting allows a peered Vnet to use the Gateway deployed in the current Vnet. In our example, the Core Vnets will have this setting turned ON to allow the other Vnets to use their Gateway for transit.

Use remote gateways – This setting tells the Vnet to send traffic to the remote gateways. It needs to be turned ON on the other Vnets but not on the Core Vnet.
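
The peering rules and the three settings above can be checked against a planned topology before anything is deployed. The Python script below is an added example, not part of the original article; the Vnet names, address spaces and plan layout are constructed assumptions, and the sample plan contains two deliberate mistakes for the checks to find.

```python
import ipaddress

# Constructed sample plan: names, address spaces and this dict layout are assumptions.
VNETS = {
    "core1": {"prefixes": ["10.0.0.0/16"], "has_gateway": True},
    "vnet1": {"prefixes": ["10.1.0.0/16"], "has_gateway": False},
    "vnet2": {"prefixes": ["10.2.0.0/16", "10.0.200.0/24"], "has_gateway": False},
}
# One entry per peering link: (local, remote) -> settings configured on the local side.
PEERINGS = {
    ("core1", "vnet1"): {"allow_gateway_transit": True},
    ("vnet1", "core1"): {"use_remote_gateways": True, "allow_forwarded_traffic": True},
    ("core1", "vnet2"): {"allow_gateway_transit": False},  # deliberate mistake
    ("vnet2", "core1"): {"use_remote_gateways": True, "allow_forwarded_traffic": True},
}

def directly_peered(a, b, peerings=PEERINGS):
    """Peering is not transitive: a and b are peers only if both links exist."""
    return (a, b) in peerings and (b, a) in peerings

def overlapping_peers(vnets=VNETS, peerings=PEERINGS):
    """Return the peered pairs whose address spaces overlap."""
    found = set()
    for local, remote in peerings:
        nets_l = [ipaddress.ip_network(p) for p in vnets[local]["prefixes"]]
        nets_r = [ipaddress.ip_network(p) for p in vnets[remote]["prefixes"]]
        if any(x.overlaps(y) for x in nets_l for y in nets_r):
            found.add(tuple(sorted((local, remote))))
    return sorted(found)

def gateway_flag_errors(vnets=VNETS, peerings=PEERINGS):
    """Check every 'use remote gateways' link against the settings described above."""
    errors = []
    for (local, remote), cfg in peerings.items():
        if not cfg.get("use_remote_gateways"):
            continue
        if vnets[local]["has_gateway"]:
            errors.append(f"{local}: hosts a gateway, so it must not use remote gateways")
        if not vnets[remote]["has_gateway"]:
            errors.append(f"{local}->{remote}: {remote} has no gateway")
        if not peerings.get((remote, local), {}).get("allow_gateway_transit"):
            errors.append(f"{remote}->{local}: allow gateway transit is off")
    return errors

if __name__ == "__main__":
    print("vnet1 <-> vnet2 peered:", directly_peered("vnet1", "vnet2"))
    print("overlapping peers:", overlapping_peers())
    print("gateway flag errors:", gateway_flag_errors())
```

Both spokes are peered with core1 but not with each other, so the script reports them as not directly peered, which is the non-transitive rule from the list of big rules.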

Once Vnet peering is done, create the Gateway in the gateway subnet of the Core Vnet.

Please note that the Core Vnet has two subnets: one for VMs and the other for the Gateway.

To create the gateway, go to Virtual network gateway and create a VPN gateway with the default steps –


