Connect virtual networks with virtual network peering using the Azure CLI

You can connect virtual networks to each other with virtual network peering. Once virtual networks are peered, resources in both virtual networks are able to communicate with each other, with the same latency and bandwidth as if the resources were in the same virtual network. In this article, you learn how to:

  • Create two virtual networks
  • Connect two virtual networks with a virtual network peering
  • Deploy a virtual machine (VM) into each virtual network
  • Communicate between VMs

If you don't have an Azure subscription, create an Azure free account before you begin.

Prerequisites

  • This article requires version 2.0.28 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

Create virtual networks

Before creating a virtual network, you have to create a resource group for the virtual network, and all other resources created in this article. Create a resource group with az group create. The following example creates a resource group named myResourceGroup in the eastus location.

az group create --name myResourceGroup --location eastus

Create a virtual network with az network vnet create. The following example creates a virtual network named myVirtualNetwork1 with the address prefix 10.0.0.0/16.

az network vnet create \
  --name myVirtualNetwork1 \
  --resource-group myResourceGroup \
  --address-prefixes 10.0.0.0/16 \
  --subnet-name Subnet1 \
  --subnet-prefix 10.0.0.0/24

Create a virtual network named myVirtualNetwork2 with the address prefix 10.1.0.0/16:

az network vnet create \
  --name myVirtualNetwork2 \
  --resource-group myResourceGroup \
  --address-prefixes 10.1.0.0/16 \
  --subnet-name Subnet1 \
  --subnet-prefix 10.1.0.0/24

Peer virtual networks

Peerings are established between virtual network IDs, so you must first get the ID of each virtual network with az network vnet show and store the ID in a variable.

# Get the id for myVirtualNetwork1.
vNet1Id=$(az network vnet show \
  --resource-group myResourceGroup \
  --name myVirtualNetwork1 \
  --query id --out tsv)

# Get the id for myVirtualNetwork2.
vNet2Id=$(az network vnet show \
  --resource-group myResourceGroup \
  --name myVirtualNetwork2 \
  --query id \
  --out tsv)

Create a peering from myVirtualNetwork1 to myVirtualNetwork2 with az network vnet peering create. If the --allow-vnet-access parameter is not specified, a peering is established, but no communication can flow through it.

az network vnet peering create \
  --name myVirtualNetwork1-myVirtualNetwork2 \
  --resource-group myResourceGroup \
  --vnet-name myVirtualNetwork1 \
  --remote-vnet $vNet2Id \
  --allow-vnet-access

In the output returned after the previous command executes, you see that the peeringState is Initiated. The peering remains in the Initiated state until you create the peering from myVirtualNetwork2 to myVirtualNetwork1. Create a peering from myVirtualNetwork2 to myVirtualNetwork1.

az network vnet peering create \
  --name myVirtualNetwork2-myVirtualNetwork1 \
  --resource-group myResourceGroup \
  --vnet-name myVirtualNetwork2 \
  --remote-vnet $vNet1Id \
  --allow-vnet-access

In the output returned after the previous command executes, you see that the peeringState is Connected. Azure also changed the peering state of the myVirtualNetwork1-myVirtualNetwork2 peering to Connected. Confirm that the peering state for the myVirtualNetwork1-myVirtualNetwork2 peering changed to Connected with az network vnet peering show.

az network vnet peering show \
  --name myVirtualNetwork1-myVirtualNetwork2 \
  --resource-group myResourceGroup \
  --vnet-name myVirtualNetwork1 \
  --query peeringState

Resources in one virtual network cannot communicate with resources in the other virtual network until the peeringState for the peerings in both virtual networks is Connected.

Create virtual machines

Create a VM in each virtual network so that you can communicate between them in a later step.

Create the first VM

Create a VM with az vm create. The following example creates a VM named myVm1 in the myVirtualNetwork1 virtual network. If SSH keys do not already exist in a default key location, the command creates them. To use a specific set of keys, use the --ssh-key-value option. The --no-wait option creates the VM in the background, so you can continue to the next step.

az vm create \
  --resource-group myResourceGroup \
  --name myVm1 \
  --image UbuntuLTS \
  --vnet-name myVirtualNetwork1 \
  --subnet Subnet1 \
  --generate-ssh-keys \
  --no-wait

Create the second VM

Create a VM in the myVirtualNetwork2 virtual network.

az vm create \
  --resource-group myResourceGroup \
  --name myVm2 \
  --image UbuntuLTS \
  --vnet-name myVirtualNetwork2 \
  --subnet Subnet1 \
  --generate-ssh-keys

The VM takes a few minutes to create. After the VM is created, the Azure CLI shows information similar to the following example:

{
  "fqdns": "",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVm2",
  "location": "eastus",
  "macAddress": "00-0D-3A-23-9A-49",
  "powerState": "VM running",
  "privateIpAddress": "10.1.0.4",
  "publicIpAddress": "13.90.242.231",
  "resourceGroup": "myResourceGroup"
}

Take note of the publicIpAddress. This address is used to access the VM from the internet in a later step.

Note

Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the back-end pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.

The default outbound access IP is disabled when a public IP address is assigned to the VM, the VM is placed in the back-end pool of a standard load balancer, with or without outbound rules, or if an Azure Virtual Network NAT gateway resource is assigned to the subnet of the VM.

VMs that are created by virtual machine scale sets in flexible orchestration mode don't have default outbound access.

For more information about outbound connections in Azure, see Default outbound access in Azure and Use source network address translation (SNAT) for outbound connections.

Communicate between VMs

Use the following command to create an SSH session with the myVm2 VM. Replace <publicIpAddress> with the public IP address of your VM. In the previous example, the public IP address is 13.90.242.231.

ssh <publicIpAddress>

Ping the VM in myVirtualNetwork1.

ping 10.0.0.4 -c 4

You receive four replies.

Close the SSH session to the myVm2 VM.

Clean up resources

When no longer needed, use az group delete to remove the resource group and all of the resources it contains.

az group delete --name myResourceGroup --yes

Next steps

In this article, you learned how to connect two networks in the same Azure region, with virtual network peering. You can also peer virtual networks in different supported regions and in different Azure subscriptions, as well as create hub and spoke network designs with peering. To learn more about virtual network peering, see Virtual network peering overview and Manage virtual network peerings.

You can connect your own computer to a virtual network through a VPN, and interact with resources in a virtual network, or in peered virtual networks. For reusable scripts to complete many of the tasks covered in the virtual network articles, see script samples.