Azure virtual network peering – Part 1 – Connecting VNETs within same region

An Azure subscription may have multiple virtual networks, depending on how its services are organized and on how the organisation itself is structured. Azure virtual networks are a way to secure your Azure services by isolating them at the network and IP address level.

Traditionally, resources within an Azure Virtual Network could communicate with resources in another virtual network over the public internet, by addressing the public endpoint of the resource. If the data exchanged between the secured and isolated resources is sensitive, we wouldn't want that traffic to travel over the public internet. The other way was to exchange data privately through a VPN gateway, by establishing a VNET-to-VNET connection or a site-to-site VPN connection.

Both of these options still result in traffic being routed over the public internet, but it is tunnelled securely and encrypted by the gateway. The limiting factor then becomes the VPN gateway's bandwidth, which is capped according to the SKU of the gateway and the number of connections. Bandwidth becomes a factor when, for example, you have a database set up within a virtual network in one region and its write traffic is replicated to secondaries in another region. Depending on the size of the database records/documents/key-values/graphs/columns, the number of writes and the number of replicas that need syncing, you may run out of bandwidth and end up with the secondaries in the paired region lagging far behind the primary and playing catch-up.

The latest way to connect Azure virtual networks is Azure Virtual Network peering. This doesn't require a VPN gateway, and thereby eliminates the limiting factors that come with a gateway.

Azure Virtual Network peering comes with the following features:

  • Ability to connect VNETs within the same region without a VPN gateway
  • Ability to connect VNETs across regions (in preview at the time of writing and limited to certain regions)
  • Not restricted by gateway bandwidth (network limits of Azure virtual machines still apply)
  • Peered VNET traffic goes through Microsoft's backbone network and not through the public internet
  • Ability to connect VNETs across different subscriptions backed by the same AAD tenant
  • Ability to restrict access between resources within peered VNETs through NSGs
  • Ability to peer classic VNETs with ARM VNETs
  • ARM VNETs can be peered without causing downtime

Azure Virtual Network peering limitations:

  • Cannot peer two classic VNETs with each other
  • Cannot peer VNETs in different subscriptions backed by different AAD tenants
  • Adding or removing address spaces while VNETs are peered causes downtime
  • Just like a site-to-site VPN, when peering we need to make sure there aren't any overlapping IP address spaces
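The last limitation is the one most often hit in practice, so here is an added example (not code from the original post) that checks two VNETs' address spaces for overlap before you attempt a peering. The VNET names and prefixes are constructed sample values; a nested prefix (a /17 inside a /16) is deliberately included, since that is the overlap people tend to miss.

```python
"""Check two Azure VNET address spaces for overlap before peering.

Added example, not code from the original post. The VNET names and
prefixes below are constructed sample values.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample VNET definitions: name -> list of address-space prefixes,
# mirroring the "Address space" list shown on a VNET in the Azure portal.
VNETS: Dict[str, List[str]] = {
    "vnet-app-westeurope": ["10.1.0.0/16", "192.168.10.0/24"],
    "vnet-db-westeurope": ["10.2.0.0/16"],
    "vnet-shared-westeurope": ["10.1.128.0/17"],  # nested inside 10.1.0.0/16
}


def overlapping_prefixes(a: List[str], b: List[str]) -> List[Tuple[str, str]]:
    """Return every (prefix_from_a, prefix_from_b) pair whose ranges overlap.

    ip_network.overlaps() covers containment in either direction, so a /17
    nested inside a /16 is reported just like two identical prefixes.
    strict=True rejects prefixes with host bits set (e.g. 10.1.0.1/16).
    """
    nets_a = [ipaddress.ip_network(p, strict=True) for p in a]
    nets_b = [ipaddress.ip_network(p, strict=True) for p in b]
    return [
        (str(x), str(y))
        for x in nets_a
        for y in nets_b
        if x.version == y.version and x.overlaps(y)
    ]


def can_peer(vnets: Dict[str, List[str]], name_a: str, name_b: str) -> bool:
    """True when the two VNETs share no address space, the precondition
    Azure enforces before a peering between them can be created."""
    return not overlapping_prefixes(vnets[name_a], vnets[name_b])


if __name__ == "__main__":
    for a, b in [("vnet-app-westeurope", "vnet-db-westeurope"),
                 ("vnet-app-westeurope", "vnet-shared-westeurope")]:
        conflicts = overlapping_prefixes(VNETS[a], VNETS[b])
        status = "OK to peer" if not conflicts else f"conflict on {conflicts}"
        print(f"{a} <-> {b}: {status}")
```

Run this against the real address spaces of both VNETs (and of anything already peered with either of them) before creating the peering; any reported pair has to be renumbered first, since resizing an address space after peering is the downtime case listed above.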