VNet Peering

🎯 Lab Objective

In this hands-on lab, you will learn how to:

• Understand Azure VNet Peering and its connectivity benefits
• Create bidirectional VNet peering connections between virtual networks
• Configure peering settings for different scenarios (gateway transit, forwarded traffic)
• Test connectivity across peered virtual networks
• Troubleshoot peering issues and validate configuration
• Implement hub-and-spoke network topologies using VNet peering

Goal: Establish secure, high-performance connectivity between virtual networks using VNet peering to enable resource communication across network boundaries.

---

🏗️ Pre-Provisioned Environment

The following Azure resources have been pre-deployed in your environment:

Resource Overview

Resource Type	Resource Name	Configuration	Purpose
Resource Group	VNetPeering-Lab-RG	Contains all lab resources	Logical container
Hub Virtual Network	HubVNet	Address space: 10.0.0.0/16	Central hub network
Spoke Virtual Network	SpokeVNet	Address space: 10.1.0.0/16	Spoke network
Hub Subnet	HubSubnet	Range: 10.0.1.0/24	Hub resources
Spoke Subnet	SpokeSubnet	Range: 10.1.1.0/24	Spoke resources
Hub VM	HubVM	Windows Server 2019	Hub network server
Spoke VM	SpokeVM	Ubuntu 20.04 LTS	Spoke network server

Network Architecture

Before Peering:
┌─ HubVNet (10.0.0.0/16) ─┐    ┌─ SpokeVNet (10.1.0.0/16) ─┐
│  └── HubSubnet           │    │  └── SpokeSubnet          │
│      └── HubVM           │ ❌ │      └── SpokeVM           │
│          (10.0.1.4)      │    │          (10.1.1.4)       │
└──────────────────────────┘    └───────────────────────────┘

After Peering:
┌─ HubVNet (10.0.0.0/16) ─┐    ┌─ SpokeVNet (10.1.0.0/16) ─┐
│  └── HubSubnet           │    │  └── SpokeSubnet          │
│      └── HubVM           │ ✅ │      └── SpokeVM           │
│          (10.0.1.4)      │◄──►│          (10.1.1.4)       │
└──────────────────────────┘    └───────────────────────────┘

VM Details

VM	Private IP	Operating System	Purpose
HubVM	10.0.1.4	Windows Server 2019	Hub network testing
SpokeVM	10.1.1.4	Ubuntu 20.04 LTS	Spoke network testing

---

🚀 Lab Exercises

Part 1: Verify Initial Connectivity (Before Peering)

Step 1: Connect to Hub VM

1. Navigate to VNetPeering-Lab-RG resource group
2. Click on HubVM
3. Click Connect → RDP
4. Use credentials:
   • Username: azureuser
   • Password: LabPassword123!

Step 2: Test Cross-VNet Connectivity

From HubVM, open Command Prompt and test:

# Test connectivity to SpokeVM (should fail)
ping 10.1.1.4

# Test with extended timeout
ping -t 10.1.1.4

# Test port connectivity
telnet 10.1.1.4 22

Expected Results:

• ❌ Ping to SpokeVM should fail (no route)
• ❌ All cross-VNet connectivity should be blocked

Step 3: Connect to Spoke VM

1. Navigate to SpokeVM
2. Click Connect → SSH
3. Use Azure Cloud Shell or SSH client:

ssh azureuser@[SpokeVM-Public-IP]
# Password: LabPassword123!

Step 4: Test Reverse Connectivity

From SpokeVM, test connectivity to HubVM:

# Test connectivity to HubVM (should fail)
ping 10.0.1.4

# Test with count limit
ping -c 4 10.0.1.4

# Check routing table
ip route show

Expected Results:

• ❌ Ping to HubVM should fail
• ❌ No routes exist for the other VNet

---

Part 2: Create VNet Peering (Hub to Spoke)

Step 1: Navigate to Hub VNet

1. Go to VNetPeering-Lab-RG
2. Click on HubVNet
3. In the left menu, select Peerings
4. Click + Add

Step 2: Configure Hub-to-Spoke Peering

Configure the peering connection:

Setting	Value	Purpose
Peering link name	HubToSpoke	Connection identifier
Traffic to remote virtual network	Allow	Enable traffic flow
Traffic forwarded from remote virtual network	Allow	Enable forwarded traffic
Virtual network gateway or Route Server	None	No gateway transit

Step 3: Configure Remote VNet Settings

Setting	Value	Purpose
Virtual network	SpokeVNet	Target VNet
Peering link name	SpokeToHub	Remote connection name
Traffic to remote virtual network	Allow	Enable bidirectional traffic
Traffic forwarded from remote virtual network	Allow	Enable forwarded traffic
Virtual network gateway or Route Server	None	No gateway configuration

4. Important: Check “Configure remote virtual network peering settings”
5. Click Add

⏱️ Creation Time: Peering typically establishes within 2-3 minutes.

---

Part 3: Verify Peering Status

Step 1: Check Peering Status in Hub VNet

1. In HubVNet, go to Peerings
2. Verify status: HubToSpoke should show Connected

Step 2: Check Peering Status in Spoke VNet

1. Navigate to SpokeVNet
2. Go to Peerings
3. Verify status: SpokeToHub should show Connected

Step 3: Understand Peering States

Status	Meaning	Action Required
Connected	Peering active and working	None
Initiated	Peering created, waiting for remote	Configure remote peering
Disconnected	Peering exists but not functional	Check configuration

---

Part 4: Test Cross-VNet Connectivity

Step 1: Test from Hub VM

Return to HubVM RDP session and test:

# Test connectivity to SpokeVM (should now succeed)
ping 10.1.1.4

# Test sustained connectivity
ping -t 10.1.1.4

# Test SSH port (if accessible)
telnet 10.1.1.4 22

# Check routing table
route print

Expected Results:

• ✅ Ping to SpokeVM should succeed
• ✅ Low latency (typically less than 1ms within region)
• ✅ Consistent connectivity

Step 2: Test from Spoke VM

From SpokeVM SSH session:

# Test connectivity to HubVM (should now succeed)
ping 10.0.1.4

# Test with statistics
ping -c 10 10.0.1.4

# Test RDP port
nc -zv 10.0.1.4 3389

# Verify routing
ip route show | grep 10.0

Expected Results:

• ✅ Ping to HubVM should succeed
• ✅ Bidirectional connectivity established
• ✅ Azure routes automatically created

---

Part 5: Advanced Peering Configuration

Step 1: Test Name Resolution

From HubVM, test hostname resolution:

# Test NetBIOS name resolution (may not work)
ping SpokeVM

# Use nslookup for DNS testing
nslookup SpokeVM

# Test reverse DNS
nslookup 10.1.1.4

Step 2: Configure Custom DNS (Optional)

1. Go to HubVNet → DNS servers
2. Configure custom DNS if needed:
   • Custom: Enter DNS server IP
   • Default (Azure-provided): Use Azure DNS

Step 3: Test Performance

From either VM, test network performance:

# Windows (HubVM) - Test with pathping
pathping 10.1.1.4

# Check network utilization
netstat -e

# Linux (SpokeVM) - Test with mtr
sudo apt update && sudo apt install -y mtr-tiny
mtr -c 10 10.0.1.4

# Test bandwidth (if iperf available)
iperf3 -c 10.0.1.4 -t 10

---

Part 6: Explore Peering Options

Step 1: Modify Peering Settings

1. Navigate to HubVNet → Peerings
2. Click on HubToSpoke
3. Experiment with settings:

Setting	Options	Impact
Allow traffic	Allow/Block	Controls basic connectivity
Allow forwarded traffic	Allow/Block	Controls transit routing
Allow gateway transit	Allow/Block	Enables gateway sharing
Use remote gateways	Allow/Block	Uses remote VNet gateway

Step 2: Test Setting Changes

1. Temporarily block traffic:

   • Set “Traffic to remote virtual network” to Block
   • Click Save
   • Test connectivity (should fail)

2. Re-enable traffic:

   • Set back to Allow
   • Click Save
   • Test connectivity (should succeed)

---

🔧 Troubleshooting Guide

Common Peering Issues and Solutions

Issue	Symptoms	Possible Cause	Solution
Peering shows “Initiated”	One-way connectivity only	Remote peering not configured	Create bidirectional peering
No connectivity despite “Connected”	Ping fails	NSG blocking traffic	Check NSG rules
Partial connectivity	Some ports work, others don’t	Port-specific blocking	Review NSG port rules
High latency	Slow response times	Cross-region peering	Consider region proximity
Peering creation fails	Cannot create peering	Address space overlap	Ensure non-overlapping CIDR blocks

Peering Validation Checklist

Component	Check	Expected Result
Peering Status	Both VNets show “Connected”	✅ Bidirectional connection
Address Spaces	No CIDR overlap	✅ Unique IP ranges
NSG Rules	Allow required traffic	✅ Appropriate rules
Route Tables	No conflicting UDRs	✅ Proper routing
Effective Routes	Peering routes present	✅ Auto-generated routes

---

🧪 Additional Experiments

Try these optional exercises to deepen your understanding:

1. Hub-and-Spoke Topology: Add a third VNet and create spoke-to-spoke connectivity
2. Cross-Region Peering: Peer VNets in different Azure regions
3. Service Chaining: Use peering with network virtual appliances
4. Gateway Transit: Configure VPN gateway sharing via peering
5. Global VNet Peering: Test performance across global regions

---

🎓 Key Takeaways

After completing this lab, you should understand:

• VNet Peering enables private connectivity between Azure virtual networks
• Bidirectional configuration requires peering setup in both VNets
• Non-overlapping address spaces are required for successful peering
• Azure automatically creates routes for peered VNet address spaces
• NSG rules still apply and can block peered traffic
• Low latency and high bandwidth connectivity within the same region
• Global VNet Peering enables cross-region connectivity

---

📊 VNet Peering vs Alternatives

VNet Peering vs VPN Gateway

Feature	VNet Peering	VPN Gateway
Performance	High bandwidth, low latency	Lower bandwidth, higher latency
Cost	Data transfer charges only	Gateway + data transfer charges
Encryption	No (private Azure backbone)	Yes (IPSec encryption)
Setup Complexity	Simple	More complex
Cross-premises	No	Yes

When to Use VNet Peering

• ✅ High-performance Azure-to-Azure connectivity needed
• ✅ Cost-effective solution for VNet communication
• ✅ Simple setup and management preferred
• ✅ Same tenant connectivity requirements
• ❌ Not suitable for on-premises connectivity

---

📚 Additional Resources

• VNet Peering Overview
• Create VNet Peering
• Hub-and-Spoke Network Topology
• Global VNet Peering