- If you wish to have multiple subscriptions and/or use multiple regions you will have multiple virtual networks
- In the past we could connect virtual networks using S2S VPN or by connecting both to the same ExpressRoute circuit, but both approaches have problems
- VNet Peering enables VNets to be connected via the Microsoft backbone in the same or different regions (global peering)
- There is a small ingress and egress charge for traffic via network peering
- IP address spaces CANNOT overlap
VNet Peering
- Best option
- Can span subscriptions and tenants
- Not transitive, i.e. VNET1 cannot talk to VNET3 through VNET2 / A peering relationship must be created directly between them
- Without peering, I could add Azure Firewall or Network virtual appliance in Hub network (VNET2) and tell:
- VNET3 if you want to talk to VNET1, next hop is IP of that forwarder
- VNET1 if you want to talk to VNET3, next hop is IP of that forwarder
- The above is a user-defined route (UDR)
- There is also Border Gateway Protocol (BGP) for learning routes dynamically
flowchart LR
VNET1 --> |Peer| VNET2 --> |Peer| VNET3
VNET1 --- |NotTransitive|VNET3
Express Route
- Bad idea because of latency
- Traffic goes from VNET1 to the ExpressRoute MeetME location and then from there to VNET2
flowchart LR
VNET1 --> ExpressRoute --> VNET2
ExpressRoute --> MeetME --> ExpressRoute
S2S VPN
- A VPN basically encrypts traffic in transit
- Bad idea because of bad throughput and bandwidth
flowchart LR
VNET1 <--> |S2SVPN| VNET2
Priority
- The more specific (longest) prefix is chosen
- Between 10.0.0.0/16 and 10.0.0.0/24, the /24 route will be chosen
Between different route types for the same prefix:
- User-defined routes
- BGP routes
- System routes
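The UDR hub-and-spoke setup above and the route priority rules can be checked with a small route-selection model. This is an added example, not code from the original notes; the VNet address spaces, the NVA address 10.2.0.4 and the route entries are constructed, and the selection logic models the two rules from the notes (longest prefix first, then user-defined over BGP over system).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Tie-break order when several routes share the same prefix length:
# user-defined routes beat BGP routes, which beat system routes.
SOURCE_RANK = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str                 # e.g. "10.3.0.0/16"
    source: str                 # "User" | "BGP" | "System"
    next_hop_type: str          # "VirtualNetwork" | "VNetPeering" | "VirtualAppliance" | "Internet"
    next_hop_ip: Optional[str] = None


def select_route(routes, destination):
    """Return the route chosen for `destination`: longest prefix match first,
    then the source rank for routes with equal prefix length (None if no match)."""
    dst = ip_address(destination)
    candidates = [r for r in routes if dst in ip_network(r.prefix)]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (-ip_network(r.prefix).prefixlen, SOURCE_RANK[r.source]),
    )


# Constructed topology from the notes: VNET1 (10.1.0.0/16) is peered with hub
# VNET2 (10.2.0.0/16), which hosts a forwarder at 10.2.0.4 (assumed address)
# and is itself peered with VNET3 (10.3.0.0/16). Peering is not transitive,
# so VNET1 only gets a peering route for VNET2, never for VNET3.
VNET1_SYSTEM_ROUTES = [
    Route("10.1.0.0/16", "System", "VirtualNetwork"),   # own address space
    Route("10.2.0.0/16", "System", "VNetPeering"),      # created by the peering
    Route("0.0.0.0/0", "System", "Internet"),           # default route
]

# The UDR from the notes: "VNET1, if you want to talk to VNET3, next hop is the forwarder".
UDR_TO_VNET3 = Route("10.3.0.0/16", "User", "VirtualAppliance", "10.2.0.4")


def vnet1_next_hop(destination, with_udr):
    """Effective next hop from VNET1, with or without the hub-forwarding UDR applied."""
    routes = VNET1_SYSTEM_ROUTES + ([UDR_TO_VNET3] if with_udr else [])
    chosen = select_route(routes, destination)
    return (chosen.next_hop_type, chosen.next_hop_ip)
```

Without the UDR, a VNET3 address in VNET1 only matches the 0.0.0.0/0 default route, which is the non-transitive case from the notes; with it, the /16 UDR wins on prefix length and sends the traffic to the forwarder.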