Create a virtual network peering - Resource Manager, different subscriptions and Azure Active Directory tenants

In this tutorial, you learn to create a virtual network peering between virtual networks created through Resource Manager. The virtual networks exist in different subscriptions that may belong to different Azure Active Directory (Azure AD) tenants. Peering two virtual networks enables resources in different virtual networks to communicate with each other with the same bandwidth and latency as though the resources were in the same virtual network. Learn more about Virtual network peering.

Depending on whether the virtual networks are in the same or different subscriptions, the steps to create a virtual network peering differ. The steps to peer networks created with the classic deployment model are also different. For more information about deployment models, see Azure deployment model.

Learn how to create a virtual network peering in other scenarios by selecting the scenario from the following table:

Azure deployment model               Azure subscription
Both Resource Manager                Same
One Resource Manager, one classic    Same
One Resource Manager, one classic    Different

A virtual network peering can't be created between two virtual networks deployed through the classic deployment model. If you need to connect virtual networks that were both created through the classic deployment model, you can use an Azure VPN Gateway to connect the virtual networks.

This tutorial peers virtual networks in the same region. You can also peer virtual networks in different supported regions. It's recommended that you familiarize yourself with the peering requirements and constraints before peering virtual networks.

Prerequisites

  • One or more Azure accounts with two active subscriptions. Create an account for free.

  • An Azure account with permissions in both subscriptions or an account in each subscription with the proper permissions to create a virtual network peering. For a list of permissions, see Virtual network peering permissions.

    • If the virtual networks are in different subscriptions and Active Directory tenants, add the user from each tenant as a guest in the opposite tenant. For more information about guest users, see Add Azure Active Directory B2B collaboration users in the Azure portal.

    • Each user must accept the guest user invitation from the opposite Azure Active Directory tenant.

  • This how-to article requires version 2.31.0 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

  • Azure PowerShell installed locally or Azure Cloud Shell.

  • Sign in to Azure PowerShell and ensure you've selected the subscription with which you want to use this feature. For more information, see Sign in with Azure PowerShell.

  • Ensure your Az.Network module is 4.3.0 or later. To verify the installed module, use the command Get-InstalledModule -Name "Az.Network". If the module requires an update, use the command Update-Module -Name Az.Network.

If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. Run Get-Module -ListAvailable Az to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you're running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.

In the following steps, you'll learn how to peer virtual networks in different subscriptions and Azure Active Directory tenants.

You can use the same account that has permissions in both subscriptions or you can use separate accounts for each subscription to set up the peering. An account with permissions in both subscriptions can complete all of the steps without signing out and signing in to portal and assigning permissions.

The following resources and account examples are used in the steps in this article:

User account   Resource group     Subscription    Virtual network
UserA          myResourceGroupA   SubscriptionA   myVNetA
UserB          myResourceGroupB   SubscriptionB   myVNetB

Create virtual network - myVNetA

Note

If you are using a single account to complete the steps, you can skip the steps for logging out of the portal and assigning another user permissions to the virtual networks.

  1. Sign in to the Azure portal as UserA.

  2. In the search box at the top of the portal, enter Virtual network. Select Virtual networks in the search results.

  3. Select + Create.

  4. In the Basics tab of Create virtual network, enter or select the following information:

    Setting            Value
    Project details
    Subscription       Select your SubscriptionA.
    Resource group     Select Create new.
                       Enter myResourceGroupA in Name.
                       Select OK.
    Instance details
    Name               Enter myVNetA.
    Region             Select a region.

  5. Select Next: IP Addresses.

  6. In IPv4 address space, enter 10.1.0.0/16.

  7. Select + Add subnet.

  8. Enter or select the following information:

    Setting                 Value
    Subnet name             Enter mySubnet.
    Subnet address range    Enter 10.1.0.0/24.

  9. Select Add.

  10. Select Review + create.

  11. Select Create.

Assign permissions for UserB

A user account in the other subscription that you want to peer with must be added to the network you previously created. If you're using a single account for both subscriptions, you can skip this section.

  1. Remain signed in to the portal as UserA.

  2. In the search box at the top of the portal, enter Virtual network. Select Virtual networks in the search results.

  3. Select myVNetA.

  4. Select Access control (IAM).

  5. Select + Add -> Add role assignment.

  6. In Add role assignment in the Role tab, select Network Contributor.

  7. Select Next.

  8. In the Members tab, select + Select members.

  9. In Select members in the search box, enter UserB.

  10. Select Select.

  11. Select Review + assign.

  12. Select Review + assign.

Obtain resource ID of myVNetA

  1. Remain signed in to the portal as UserA.

  2. In the search box at the top of the portal, enter Virtual network. Select Virtual networks in the search results.

  3. Select myVNetA.

  4. In Settings, select Properties.

  5. Copy the information in the Resource ID field and save it for the later steps. The resource ID is similar to the following example: /subscriptions/<Subscription Id>/resourceGroups/myResourceGroupA/providers/Microsoft.Network/virtualNetworks/myVNetA.

  6. Sign out of the portal as UserA.

Create virtual network - myVNetB

In this section, you'll sign in as UserB and create a virtual network for the peering connection to myVNetA.

  1. Sign in to the portal as UserB. If you're using one account for both subscriptions, change to SubscriptionB in the portal.

  2. In the search box at the top of the portal, enter Virtual network. Select Virtual networks in the search results.

  3. Select + Create.

  4. In the Basics tab of Create virtual network, enter or select the following information:

    Setting            Value
    Project details
    Subscription       Select your SubscriptionB.
    Resource group     Select Create new.
                       Enter myResourceGroupB in Name.
                       Select OK.
    Instance details
    Name               Enter myVNetB.
    Region             Select a region.

  5. Select Next: IP Addresses.

  6. In IPv4 address space, enter 10.2.0.0/16.

  7. Select + Add subnet.

  8. Enter or select the following information:

    Setting                 Value
    Subnet name             Enter mySubnet.
    Subnet address range    Enter 10.2.0.0/24.

  9. Select Add.

  10. Select Review + create.

  11. Select Create.

Assign permissions for UserA

A user account in the other subscription that you want to peer with must be added to the network you previously created. If you're using a single account for both subscriptions, you can skip this section.

  1. Remain signed in to the portal as UserB.

  2. In the search box at the top of the portal, enter Virtual network. Select Virtual networks in the search results.

  3. Select myVNetB.

  4. Select Access control (IAM).

  5. Select + Add -> Add role assignment.

  6. In Add role assignment in the Role tab, select Network Contributor.

  7. Select Next.

  8. In the Members tab, select + Select members.

  9. In Select members in the search box, enter UserA.

  10. Select Select.

  11. Select Review + assign.

  12. Select Review + assign.

Obtain resource ID of myVNetB

The resource ID of myVNetB is required to set up the peering connection from myVNetA to myVNetB. Use the following steps to obtain the resource ID of myVNetB.

  1. Remain signed in to the portal as UserB.

  2. In the search box at the top of the portal, enter Virtual network. Select Virtual networks in the search results.

  3. Select myVNetB.

  4. In Settings, select Properties.

  5. Copy the information in the Resource ID field and save it for the later steps. The resource ID is similar to the following example: /subscriptions/<Subscription Id>/resourceGroups/myResourceGroupB/providers/Microsoft.Network/virtualNetworks/myVNetB.

  6. Sign out of the portal as UserB.

Create peering connection - myVNetA to myVNetB

You'll need the Resource ID for myVNetB from the previous steps to set up the peering connection.

  1. Sign in to the Azure portal as UserA. If you're using one account for both subscriptions, change to SubscriptionA in the portal.

  2. In the search box at the top of the portal, enter Virtual network. Select Virtual networks in the search results.

  3. Select myVNetA.

  4. Select Peerings.

  5. Select + Add.

  6. Enter or select the following information in Add peering:

    Setting                                          Value
    This virtual network
    Peering link name                                Enter myVNetAToMyVNetB.
    Traffic to remote virtual network                Leave the default of Allow (default).
    Traffic forwarded from remote virtual network    Leave the default of Allow (default).
    Virtual network gateway or Route Server          Leave the default of None (default).
    Remote virtual network
    Peering link name                                Leave blank.
    Virtual network deployment model                 Select Resource manager.
                                                     Select the box for I know my resource ID.
    Resource ID                                      Enter or paste the Resource ID for myVNetB.

  7. In the pull-down box, select the Directory that corresponds with myVNetB and UserB.

  8. Select Authenticate.

  9. Select Add.

  10. Sign out of the portal as UserA.

The peering connection will show in Peerings in an Initiated state. To complete the peering, a corresponding connection must be set up in myVNetB.

Create peering connection - myVNetB to myVNetA

You'll need the Resource ID for myVNetA from the previous steps to set up the peering connection.

  1. Sign in to the Azure portal as UserB. If you're using one account for both subscriptions, change to SubscriptionB in the portal.

  2. In the search box at the top of the portal, enter Virtual network. Select Virtual networks in the search results.

  3. Select myVNetB.

  4. Select Peerings.

  5. Select + Add.

  6. Enter or select the following information in Add peering:

    Setting                                          Value
    This virtual network
    Peering link name                                Enter myVNetBToMyVNetA.
    Traffic to remote virtual network                Leave the default of Allow (default).
    Traffic forwarded from remote virtual network    Leave the default of Allow (default).
    Virtual network gateway or Route Server          Leave the default of None (default).
    Remote virtual network
    Peering link name                                Leave blank.
    Virtual network deployment model                 Select Resource manager.
                                                     Select the box for I know my resource ID.
    Resource ID                                      Enter or paste the Resource ID for myVNetA.

  7. In the pull-down box, select the Directory that corresponds with myVNetA and UserA.

  8. Select Authenticate.

  9. Select Add.

The peering is successfully established after you see Connected in the Peering status column for both virtual networks in the peering. Any Azure resources you create in either virtual network are now able to communicate with each other through their IP addresses. If you're using default Azure name resolution for the virtual networks, the resources in the virtual networks aren't able to resolve names across the virtual networks. If you want to resolve names across virtual networks in a peering, you must create your own DNS server or use Azure DNS.
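The portal procedure above, from creating the two virtual networks through the second peering link and the Connected check, carried out with Azure PowerShell as an added example that is not part of the original article. It assumes the Az module and the guest-user prerequisites listed earlier; the tenant and subscription IDs, the region and the two sign-in addresses are placeholders, and looking each guest up by the mail attribute is an assumption about how the guests were invited.

```powershell
# Added example, not from the original article: the cross-tenant peering driven
# from Azure PowerShell (Az module) instead of the portal. Assumes the guest-user
# prerequisites are done. Tenant/subscription IDs, region and sign-in addresses
# are placeholders; Get-AzADUser -Mail assumes the guests' mail attribute is set.
$tenantA = '<TenantA-Id>'; $subA = '<SubscriptionA-Id>'; $userA = 'userA@tenantA.example'
$tenantB = '<TenantB-Id>'; $subB = '<SubscriptionB-Id>'; $userB = 'userB@tenantB.example'
$region  = 'eastus'

# --- As UserA in tenant A: create myVNetA, then grant UserB on that VNet only ---
Connect-AzAccount -Tenant $tenantA -Subscription $subA
New-AzResourceGroup -Name myResourceGroupA -Location $region
$subnetA = New-AzVirtualNetworkSubnetConfig -Name mySubnet -AddressPrefix 10.1.0.0/24
$vnetA = New-AzVirtualNetwork -Name myVNetA -ResourceGroupName myResourceGroupA `
    -Location $region -AddressPrefix 10.1.0.0/16 -Subnet $subnetA
# Scope the role to the VNet resource ID, as the portal IAM steps do, not to the subscription.
$guestB = Get-AzADUser -Mail $userB          # UserB's guest object in tenant A
New-AzRoleAssignment -ObjectId $guestB.Id -RoleDefinitionName 'Network Contributor' -Scope $vnetA.Id

# --- As UserB in tenant B: create myVNetB, then grant UserA on that VNet only ---
Connect-AzAccount -Tenant $tenantB -Subscription $subB
New-AzResourceGroup -Name myResourceGroupB -Location $region
$subnetB = New-AzVirtualNetworkSubnetConfig -Name mySubnet -AddressPrefix 10.2.0.0/24
$vnetB = New-AzVirtualNetwork -Name myVNetB -ResourceGroupName myResourceGroupB `
    -Location $region -AddressPrefix 10.2.0.0/16 -Subnet $subnetB
$guestA = Get-AzADUser -Mail $userA          # UserA's guest object in tenant B
New-AzRoleAssignment -ObjectId $guestA.Id -RoleDefinitionName 'Network Contributor' -Scope $vnetB.Id

# --- myVNetA -> myVNetB, as UserA. Sign in to the remote tenant first so the
# session also holds a token for tenant B (the portal's Authenticate step). ---
Connect-AzAccount -Tenant $tenantB -Subscription $subB   # UserA as guest in tenant B
Connect-AzAccount -Tenant $tenantA -Subscription $subA
Add-AzVirtualNetworkPeering -Name myVNetAToMyVNetB -VirtualNetwork $vnetA -RemoteVirtualNetworkId $vnetB.Id
# This link stays Initiated until the reverse link exists.

# --- myVNetB -> myVNetA, as UserB ---
Connect-AzAccount -Tenant $tenantA -Subscription $subA   # UserB as guest in tenant A
Connect-AzAccount -Tenant $tenantB -Subscription $subB
Add-AzVirtualNetworkPeering -Name myVNetBToMyVNetA -VirtualNetwork $vnetB -RemoteVirtualNetworkId $vnetA.Id

# Verify: both links must report Connected before traffic flows between the VNets.
Get-AzVirtualNetworkPeering -VirtualNetworkName myVNetB -ResourceGroupName myResourceGroupB |
    Select-Object Name, PeeringState
```

Run the same Get-AzVirtualNetworkPeering check against myVNetA in SubscriptionA to confirm the other side of the peering.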

For more information about using your own DNS for name resolution, see Name resolution using your own DNS server.

For more information about Azure DNS, see What is Azure DNS?.

Next steps