1.3 Design and Implement VNet Connectivity and Routing
📘Microsoft Azure Networking Solutions (AZ-700)
1. What is VNet Peering?
VNet Peering allows two or more Azure Virtual Networks (VNets) to connect directly with each other.
When VNets are peered:
- Resources in different VNets can communicate privately
- Traffic stays on the Microsoft backbone network
- No public internet is used
- Communication feels like the VNets are part of one large network
From an exam point of view, VNet Peering is the most common method to connect VNets in Azure.
2. Why Do We Use VNet Peering?
VNet peering is used when:
- Applications are split across multiple VNets
- Different teams manage different VNets
- Environments like production, test, and development are separated
- Central services (firewalls, DNS, monitoring) are in one VNet
- High-speed and low-latency communication is required
3. Types of VNet Peering
3.1 Regional VNet Peering
- VNets are in the same Azure region
- Traffic is very fast
- Lower latency
- Lower cost
3.2 Global VNet Peering
- VNets are in different Azure regions
- Traffic still stays on Microsoft’s backbone
- Slightly higher latency
- Higher cost than regional peering
⚠️ Exam Tip:
VNet peering works both within a region and across regions.
4. How VNet Peering Works (Important for Exam)
Once VNets are peered:
- They can communicate using private IP addresses
- No VPN gateway is required
- No NAT is required
- No public IPs are required
Each VNet:
- Keeps its own address space
- Does not merge with the other VNet
5. Address Space Requirements
Non-Overlapping IP Ranges (VERY IMPORTANT)
Peered VNets:
- Must NOT have overlapping IP address ranges
Example:
- VNet-A: 10.0.0.0/16
- VNet-B: 10.1.0.0/16 → ✅ Allowed
- VNet-B: 10.0.0.0/16 → ❌ Not allowed
⚠️ Exam Alert:
Overlapping IP addresses will prevent peering.
6. Peering Is NOT Transitive
VNet peering is not transitive by default.
Example:
- VNet-A is peered with VNet-B
- VNet-B is peered with VNet-C
- ❌ VNet-A cannot communicate with VNet-C automatically
To allow communication:
- Each VNet must be explicitly peered
⚠️ This is a very common exam question.
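The two rules above (no overlapping address ranges, and no transitive reachability) are easy to check before you click "Create peering". The following Python script is an added example written for these notes, not code from the AZ-700 course or from Microsoft; the VNet names, address spaces and peering list are constructed sample data. It uses the standard `ipaddress` module to find every pair of VNets whose ranges overlap, and models connectivity so that only an explicitly peered pair can talk, which is exactly why VNet-A cannot reach VNet-C through VNet-B.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory (assumption, not from the page): VNet name -> address spaces.
# VNet-D deliberately overlaps VNet-A so the overlap check has something to find.
VNETS = {
    "VNet-A": ["10.0.0.0/16"],
    "VNet-B": ["10.1.0.0/16"],
    "VNet-C": ["10.2.0.0/16"],
    "VNet-D": ["10.0.128.0/17"],
}

# Explicit peering links. Azure stores one peering object per direction; this model
# only needs to know which pairs have been peered.
PEERINGS = [("VNet-A", "VNet-B"), ("VNet-B", "VNet-C")]


def _networks(name, vnets=VNETS):
    """Parse a VNet's address spaces into ip_network objects (strict: no host bits set)."""
    return [ipaddress.ip_network(cidr, strict=True) for cidr in vnets[name]]


def overlapping_ranges(a, b, vnets=VNETS):
    """Return every (cidr_of_a, cidr_of_b) pair that overlaps between two VNets."""
    return [
        (str(na), str(nb))
        for na in _networks(a, vnets)
        for nb in _networks(b, vnets)
        if na.overlaps(nb)
    ]


def can_peer(a, b, vnets=VNETS):
    """Azure rejects the peering if any address range of one VNet overlaps the other."""
    return not overlapping_ranges(a, b, vnets)


def all_overlaps(vnets=VNETS):
    """Pairwise scan of the whole inventory; returns the VNet pairs that cannot be peered."""
    return sorted(
        (a, b) for a, b in combinations(sorted(vnets), 2) if not can_peer(a, b, vnets)
    )


def directly_peered(a, b, peerings=PEERINGS):
    """True only when an explicit peering exists between exactly these two VNets."""
    return (a, b) in peerings or (b, a) in peerings


def can_communicate(a, b, peerings=PEERINGS):
    """Peering is not transitive: reachability is the direct peering and nothing more.
    Deliberately no graph walk here; A-B plus B-C does not give A-C."""
    return directly_peered(a, b, peerings)


def missing_peerings_for_full_mesh(names, peerings=PEERINGS):
    """List the explicit peerings still needed so every VNet in `names` reaches every other."""
    return [
        (a, b)
        for a, b in combinations(sorted(names), 2)
        if not directly_peered(a, b, peerings)
    ]


if __name__ == "__main__":
    for a, b in all_overlaps():
        print(f"cannot peer {a} with {b}: overlapping ranges {overlapping_ranges(a, b)}")
    print("VNet-A -> VNet-B:", can_communicate("VNet-A", "VNet-B"))
    print("VNet-A -> VNet-C:", can_communicate("VNet-A", "VNet-C"))
    print("peerings still needed for a full mesh of A/B/C:",
          missing_peerings_for_full_mesh(["VNet-A", "VNet-B", "VNet-C"]))
```

Running the script reports that VNet-A and VNet-D cannot be peered (10.0.0.0/16 contains 10.0.128.0/17), that VNet-A reaches VNet-B but not VNet-C, and that one more explicit peering (VNet-A to VNet-C) is needed for A, B and C to form a full mesh.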
7. Traffic Flow and Performance
Performance Characteristics
- Low latency
- High bandwidth
- No bottleneck from gateways
- Uses Microsoft’s internal network
Supported Traffic
- TCP
- UDP
- ICMP (Ping)
- Application traffic (web apps, APIs, databases)
8. Security Behavior in VNet Peering
Network Security Groups (NSGs)
- NSGs still apply
- You must allow traffic between VNets if NSGs block it
Azure Firewall / NVA
- Peering does not bypass security
- User Defined Routes (UDRs) can force traffic through firewalls
⚠️ Exam Tip:
VNet peering allows connectivity, but NSGs and routes still control traffic.
9. Peering Configuration Options (VERY IMPORTANT)
When creating VNet peering, you see these options:
9.1 Allow Virtual Network Access
- Allows resources in both VNets to communicate
- Enabled by default
- If disabled → no communication
✅ Usually enabled
9.2 Allow Forwarded Traffic
- Allows traffic that is forwarded by:
  - Network Virtual Appliances (NVAs)
  - Firewalls
- Required when traffic passes through a firewall
✅ Needed for hub-and-spoke architectures
9.3 Allow Gateway Transit
- Allows one VNet to share its VPN or ExpressRoute gateway
- Used in hub-and-spoke designs
- Enabled on the hub VNet
9.4 Use Remote Gateways
- Enabled on the spoke VNet
- Allows the spoke to use the hub’s gateway
⚠️ Exam Rule:
- Hub: Allow gateway transit = ON
- Spoke: Use remote gateway = ON
10. VNet Peering and Routing
System Routes
- Azure automatically adds routes for peered VNets
- No manual route configuration needed for basic connectivity
User Defined Routes (UDRs)
- Can override default routes
- Used to:
  - Send traffic to firewalls
  - Control traffic inspection
  - Enforce security paths
11. Hub-and-Spoke Architecture with VNet Peering
Very important for AZ-700.
Hub VNet
- Contains:
  - Azure Firewall
  - VPN Gateway
  - ExpressRoute Gateway
  - Shared services
Spoke VNets
- Host workloads
- Connect to hub using VNet peering
- Do not connect directly to each other
Benefits:
- Centralized security
- Simplified management
- Cost-effective design
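The four peering options from section 9 only work in a hub-and-spoke design when they are set consistently on both directions of each peering. The following Python validator is an added example written for these notes, not Microsoft's code or tooling; the `Peering` class, the function names and the Hub-VNet / Spoke-1 / Spoke-2 sample data are constructed. It encodes the exam rule (hub: Allow gateway transit ON, spoke: Use remote gateways ON), the requirement that Allow forwarded traffic is enabled on the spoke side when a hub firewall or NVA forwards traffic, and two Azure constraints the notes do not spell out: a single peering cannot both share its own gateway and use the remote one, and a VNet can use the remote gateway of only one of its peerings. The `hub_has_nva` argument is a modelling assumption, not a real Azure property.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Peering:
    """One direction of a VNet peering with the four portal options (constructed model)."""
    local: str
    remote: str
    allow_vnet_access: bool = True        # "Allow virtual network access", on by default
    allow_forwarded_traffic: bool = False  # "Allow forwarded traffic"
    allow_gateway_transit: bool = False    # "Allow gateway transit" (hub side)
    use_remote_gateways: bool = False      # "Use remote gateways" (spoke side)


def find(peerings, local, remote):
    """Return the peering object for one direction, or None if it was never created."""
    return next((p for p in peerings if p.local == local and p.remote == remote), None)


def validate_hub_spoke(peerings, hub, spokes, hub_has_nva=True):
    """Return (scope, problem) findings; an empty list means the design is consistent."""
    findings = []

    # Rule: the same peering cannot both offer its gateway and consume the remote one.
    for p in peerings:
        if p.allow_gateway_transit and p.use_remote_gateways:
            findings.append((f"{p.local}->{p.remote}",
                             "Allow gateway transit and Use remote gateways cannot both be on"))

    for s in spokes:
        to_hub = find(peerings, s, hub)
        from_hub = find(peerings, hub, s)
        if to_hub is None or from_hub is None:
            findings.append((f"{s}<->{hub}", "peering must exist in both directions"))
            continue
        # Rule: disabling virtual network access on either side stops all traffic.
        if not (to_hub.allow_vnet_access and from_hub.allow_vnet_access):
            findings.append((f"{s}<->{hub}", "Allow virtual network access is off on one side"))
        # Exam rule: spoke uses the hub gateway only if the hub shares it.
        if to_hub.use_remote_gateways and not from_hub.allow_gateway_transit:
            findings.append((f"{s}->{hub}",
                             "Use remote gateways needs Allow gateway transit on the hub peering"))
        # Traffic forwarded by the hub NVA is dropped unless the spoke peering allows it.
        if hub_has_nva and not to_hub.allow_forwarded_traffic:
            findings.append((f"{s}->{hub}",
                             "enable Allow forwarded traffic so hub NVA/firewall traffic is accepted"))

    # Rule: a VNet may use the remote gateway of only one peering.
    users = {}
    for p in peerings:
        if p.use_remote_gateways:
            users.setdefault(p.local, []).append(p.remote)
    for local, remotes in users.items():
        if len(remotes) > 1:
            findings.append((local, f"Use remote gateways is set on {len(remotes)} peerings; only one allowed"))
    return findings


def spoke_to_spoke_via_hub(peerings, a, b, hub, hub_has_nva=True):
    """Spokes are not peered to each other and peering is not transitive, so spoke-to-spoke
    traffic only works through a hub NVA, with Allow forwarded traffic on both spoke peerings
    (and a UDR pointing the spokes at the NVA, which this model assumes is in place)."""
    pa, pb = find(peerings, a, hub), find(peerings, b, hub)
    return bool(hub_has_nva and pa and pb
                and pa.allow_forwarded_traffic and pb.allow_forwarded_traffic)


# Constructed sample designs (assumptions, not from the page).
GOOD = [
    Peering("Hub-VNet", "Spoke-1", allow_forwarded_traffic=True, allow_gateway_transit=True),
    Peering("Spoke-1", "Hub-VNet", allow_forwarded_traffic=True, use_remote_gateways=True),
    Peering("Hub-VNet", "Spoke-2", allow_forwarded_traffic=True, allow_gateway_transit=True),
    Peering("Spoke-2", "Hub-VNet", allow_forwarded_traffic=True, use_remote_gateways=True),
]
BAD = [
    Peering("Hub-VNet", "Spoke-1", allow_gateway_transit=True, use_remote_gateways=True),
    Peering("Spoke-1", "Hub-VNet", use_remote_gateways=True),
    Peering("Hub-VNet", "Spoke-2"),
    Peering("Spoke-2", "Hub-VNet", allow_forwarded_traffic=True, use_remote_gateways=True),
]

if __name__ == "__main__":
    for name, design in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate_hub_spoke(design, "Hub-VNet", ["Spoke-1", "Spoke-2"]) or "ok")
    print("Spoke-1 -> Spoke-2 via hub NVA:", spoke_to_spoke_via_hub(GOOD, "Spoke-1", "Spoke-2", "Hub-VNet"))
```

The `GOOD` design produces no findings; the `BAD` design yields three: the hub-to-Spoke-1 peering has both gateway flags on, Spoke-1 does not accept forwarded traffic from the hub NVA, and Spoke-2 asks to use a remote gateway that the hub never offers. Extending the model with an explicit UDR table is the natural next step if you want to check the routing side of section 10 as well.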
12. VNet Peering Limitations
Be aware of these limitations:
- No overlapping IP ranges
- Peering is one-to-one: each peering connects exactly two VNets, so every pair that must communicate needs its own peering
- Not transitive
- DNS resolution must be configured manually if using custom DNS
- Address space changes are rejected if they would overlap a peered VNet's range
13. VNet Peering vs VPN (Exam Comparison)
| Feature | VNet Peering | VPN |
|---|---|---|
| Uses Internet | No | Yes |
| Latency | Low | Higher |
| Encryption | Not needed | Required |
| Setup Complexity | Simple | More complex |
| Cost | Lower | Higher |
⚠️ Exam prefers VNet peering when VNets are in Azure.
14. DNS Considerations with VNet Peering
- Azure does not automatically share DNS
- Options:
  - Azure-provided DNS (works automatically)
  - Custom DNS servers (manual configuration required)
  - Azure Private DNS Zones
15. Key Exam Points to Remember
✔ VNet peering connects VNets privately
✔ Works within region and across regions
✔ IP address ranges must not overlap
✔ Peering is not transitive
✔ NSGs and UDRs still apply
✔ Gateway transit is used in hub-and-spoke
✔ No VPN gateway required
✔ Traffic stays on Microsoft backbone
16. Summary (Quick Revision)
VNet Peering is a fast, secure, and simple way to connect Azure VNets. It is widely used in enterprise architectures, especially hub-and-spoke designs. Understanding peering options, routing behavior, and security controls is critical for passing the AZ-700 exam.
