Tutorial: Connect virtual networks with virtual network peering

You can connect virtual networks to each other with virtual network peering. These virtual networks can be in the same region or different regions (also known as global virtual network peering). Once virtual networks are peered, resources in both virtual networks can communicate with each other over a low-latency, high-bandwidth connection using Microsoft backbone network.

In this tutorial, you learn how to:

• Create virtual networks
• Connect two virtual networks with a virtual network peering
• Deploy a virtual machine (VM) into each virtual network
• Communicate between VMs

Prerequisites

Portal

• An Azure account with an active subscription. You can create an account for free.

PowerShell

• An Azure account with an active subscription. You can create an account for free.

Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article, without having to install anything on your local environment.

To start Azure Cloud Shell:

Option	Example/Link
Select Try It in the upper-right corner of a code or command block. Selecting Try It doesn't automatically copy the code or command to Cloud Shell.
Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser.
Select the Cloud Shell button on the menu bar at the upper right in the Azure portal.

To use Azure Cloud Shell:

1. Start Cloud Shell.

2. Select the Copy button on a code block (or command block) to copy the code or command.

3. Paste the code or command into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux, or by selecting Cmd+Shift+V on macOS.

4. Select Enter to run the code or command.

If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 1.0.0 or later. Run Get-Module -ListAvailable Az to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you're running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.

CLI

If you don't have an Azure subscription, create an Azure free account before you begin.

• Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.

  

• If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.

  • If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.

  • When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.

  • Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.

• This article requires version 2.0.28 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

Portal

Create a virtual network and an Azure Bastion host

The following procedure creates a virtual network with a resource subnet, an Azure Bastion subnet, and a Bastion host:

1. In the portal, search for and select Virtual networks.

2. On the Virtual networks page, select + Create.

3. On the Basics tab of Create virtual network, enter, or select the following information:

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select Create new. Enter test-rg for the name. Select OK.
   Instance details
   Name	Enter vnet-1.
   Region	Select East US 2.

   

4. Select Next to proceed to the Security tab.

5. In the Azure Bastion section, select Enable Azure Bastion.

   Bastion uses your browser to connect to VMs in your virtual network over Secure Shell (SSH) or Remote Desktop Protocol (RDP) by using their private IP addresses. The VMs don't need public IP addresses, client software, or special configuration. For more information, see What is Azure Bastion?.

   Note

   Hourly pricing starts from the moment that Bastion is deployed, regardless of outbound data usage. For more information, see Pricing and SKUs. If you're deploying Bastion as part of a tutorial or test, we recommend that you delete this resource after you finish using it.

6. In Azure Bastion, enter or select the following information:

   Setting	Value
   Azure Bastion host name	Enter bastion.
   Azure Bastion public IP address	Select Create a public IP address. Enter public-ip-bastion in Name. Select OK.

   

7. Select Next to proceed to the IP Addresses tab.

8. In the address space box in Subnets, select the default subnet.

9. In Edit subnet, enter or select the following information:

   Setting	Value
   Subnet purpose	Leave the default of Default.
   Name	Enter subnet-1.
   IPv4
   IPv4 address range	Leave the default of 10.0.0.0/16.
   Starting address	Leave the default of 10.0.0.0.
   Size	Leave the default of /24 (256 addresses).

   

10. Select Save.

11. Select Review + create at the bottom of the window. When validation passes, select Create.

Repeat the previous steps to create a second virtual network with the following values:

Note

The second virtual network can be in the same region as the first virtual network or in a different region. You can skip the Security tab and the Bastion deployment for the second virtual network. After the network peer, you can connect to both virtual machines with the same Bastion deployment.

Setting	Value
Name	vnet-2
Address space	10.1.0.0/16
Resource group	test-rg
Subnet name	subnet-1
Subnet address range	10.1.0.0/24

PowerShell

Before creating a virtual network, you have to create a resource group for the virtual network, and all other resources created in this article. Create a resource group with New-AzResourceGroup. The following example creates a resource group named test-rg in the eastus location.

Azure PowerShell

$resourceGroup = @{
    Name = "test-rg"
    Location = "EastUS2"
}
New-AzResourceGroup @resourceGroup

Create a virtual network with New-AzVirtualNetwork. The following example creates a virtual network named vnet-1 with the address prefix 10.0.0.0/16.

Azure PowerShell

$vnet1 = @{
    ResourceGroupName = "test-rg"
    Location = "EastUS2"
    Name = "vnet-1"
    AddressPrefix = "10.0.0.0/16"
}
$virtualNetwork1 = New-AzVirtualNetwork @vnet1

Create a subnet configuration with Add-AzVirtualNetworkSubnetConfig. The following example creates a subnet configuration with a 10.0.0.0/24 address prefix:

Azure PowerShell

$subConfig = @{
    Name = "subnet-1"
    AddressPrefix = "10.0.0.0/24"
    VirtualNetwork = $virtualNetwork1
}
$subnetConfig1 = Add-AzVirtualNetworkSubnetConfig @subConfig

Create a subnet configuration for Azure Bastion with Add-AzVirtualNetworkSubnetConfig. The following example creates a subnet configuration with a 10.0.1.0/24 address prefix:

Azure PowerShell

$subBConfig = @{
    Name = "AzureBastionSubnet"
    AddressPrefix = "10.0.1.0/24"
    VirtualNetwork = $virtualNetwork1
}
$subnetConfig2 = Add-AzVirtualNetworkSubnetConfig @subBConfig

Write the subnet configuration to the virtual network with Set-AzVirtualNetwork, which creates the subnet:

Azure PowerShell

$virtualNetwork1 | Set-AzVirtualNetwork

Create Azure Bastion

Create a public IP address for the Azure Bastion host with New-AzPublicIpAddress. The following example creates a public IP address named public-ip-bastion in the vnet-1 virtual network.

Azure PowerShell

$publicIpParams = @{
    ResourceGroupName = "test-rg"
    Name = "public-ip-bastion"
    Location = "EastUS2"
    AllocationMethod = "Static"
    Sku = "Standard"
}
New-AzPublicIpAddress @publicIpParams

Create an Azure Bastion host with New-AzBastion. The following example creates an Azure Bastion host named bastion in the AzureBastionSubnet subnet of the vnet-1 virtual network. Azure Bastion is used to securely connect Azure virtual machines without exposing them to the public internet.

Azure PowerShell

$bastionParams = @{
    ResourceGroupName = "test-rg"
    Name = "bastion"
    VirtualNetworkName = "vnet-1"
    PublicIpAddressName = "public-ip-bastion"
    PublicIpAddressRgName = "test-rg"
    VirtualNetworkRgName = "test-rg"
}
New-AzBastion @bastionParams -AsJob

Create a second virtual network

Create a second virtual network with New-AzVirtualNetwork. The following example creates a virtual network named vnet-2 with the address prefix 10.1.0.0/16.

Note

The second virtual network can be in the same region as the first virtual network or in a different region. You don't need a Bastion deployment for the second virtual network. After the network peer, you can connect to both virtual machines with the same Bastion deployment.

Azure PowerShell

$vnet2 = @{
    ResourceGroupName = "test-rg"
    Location = "EastUS2"
    Name = "vnet-2"
    AddressPrefix = "10.1.0.0/16"
}
$virtualNetwork2 = New-AzVirtualNetwork @vnet2

Create a subnet configuration with Add-AzVirtualNetworkSubnetConfig. The following example creates a subnet configuration with a 10.1.0.0/24 address prefix:

Azure PowerShell

$subConfig = @{
    Name = "subnet-1"
    AddressPrefix = "10.1.0.0/24"
    VirtualNetwork = $virtualNetwork2
}
$subnetConfig = Add-AzVirtualNetworkSubnetConfig @subConfig

Write the subnet configuration to the virtual network with Set-AzVirtualNetwork, which creates the subnet:

Azure PowerShell

$virtualNetwork2 | Set-AzVirtualNetwork

CLI

Before creating a virtual network, you have to create a resource group for the virtual network, and all other resources created in this article. Create a resource group with az group create. The following example creates a resource group named test-rg in the eastus location.

Azure CLI

az group create \
    --name test-rg \
    --location eastus2

Create a virtual network with az network vnet create. The following example creates a virtual network named vnet-1 with the address prefix 10.0.0.0/16.

Azure CLI

az network vnet create \
    --name vnet-1 \
    --resource-group test-rg \
    --address-prefixes 10.0.0.0/16 \
    --subnet-name subnet-1 \
    --subnet-prefix 10.0.0.0/24

Create the Bastion subnet with az network vnet subnet create.

Azure CLI

# Create a bastion subnet.
az network vnet subnet create \
    --vnet-name vnet-1 \
    --resource-group test-rg \
    --name AzureBastionSubnet \
    --address-prefix 10.0.1.0/24

Create Azure Bastion

Create a public IP address for the Azure Bastion host with az network public-ip create. The following example creates a public IP address named public-ip-bastion in the vnet-1 virtual network.

Azure CLI

az network public-ip create \
    --resource-group test-rg \
    --name public-ip-bastion \
    --location eastus2 \
    --allocation-method Static \
    --sku Standard

Create an Azure Bastion host with az network bastion create. The following example creates an Azure Bastion host named bastion in the AzureBastionSubnet subnet of the vnet-1 virtual network. Azure Bastion is used to securely connect Azure virtual machines without exposing them to the public internet.

Azure CLI

az network bastion create \
    --resource-group test-rg \
    --name bastion \
    --vnet-name vnet-1 \
    --public-ip-address public-ip-bastion \
    --location eastus2 \
    --no-wait

Create a second virtual network

Create a second virtual network with az network vnet create. The following example creates a virtual network named vnet-2 with the address prefix 10.1.0.0/16.

Note

The second virtual network can be in the same region as the first virtual network or in a different region. You don't need a Bastion deployment for the second virtual network. After the network peer, you can connect to both virtual machines with the same Bastion deployment.

Azure CLI

az network vnet create \
    --name vnet-2 \
    --resource-group test-rg \
    --address-prefixes 10.1.0.0/16 \
    --subnet-name subnet-1 \
    --subnet-prefix 10.1.0.0/24

Portal

Create virtual network peer

Use the following steps to create a two way network peer between vnet1 and vnet2.

1. In the search box at the top of the portal, enter Virtual network. Select Virtual networks in the search results.

2. Select vnet-1.

3. In Settings select Peerings.

4. Select + Add.

5. Enter or select the following information in Add peering:

   Setting	Value
   Remote virtual network summary
   Peering link name	Enter vnet-2-to-vnet-1.
   Virtual network deployment model	Leave the default of Resource Manager.
   Subscription	Select your subscription.
   Virtual network	Select vnet-2.
   Remote virtual network peering settings
   Allow 'vnet-2' to access 'vnet-1'	Leave the default of selected.
   Allow 'vnet-2' to receive forwarded traffic from 'vnet-1'	Select the checkbox.
   Allow gateway or route server in 'vnet-2' to forward traffic to 'vnet-1'	Leave the default of cleared.
   Enable 'vnet-2' to use 'vnet-1's' remote gateway or route server	Leave the default of cleared.
   Local virtual network peering summary
   Peering link name	Enter vnet-1-to-vnet-2.
   Local virtual network peering settings
   Allow 'vnet-1' to access 'vnet-2'	Leave the default of selected.
   Allow 'vnet-1' to receive forwarded traffic from 'vnet-2'	Select the checkbox.
   Allow gateway or route server in 'vnet-1' to forward traffic to 'vnet-2'	Leave the default of cleared.
   Enable 'vnet-1' to use 'vnet-2's' remote gateway or route server	Leave the default of cleared.

   

6. Select Add.

PowerShell

Peer virtual networks

Create a peering with Add-AzVirtualNetworkPeering. The following example peers vnet-1 to vnet-2.

Azure PowerShell

$peerConfig1 = @{
    Name = "vnet-1-to-vnet-2"
    VirtualNetwork = $virtualNetwork1
    RemoteVirtualNetworkId = $virtualNetwork2.Id
}
Add-AzVirtualNetworkPeering @peerConfig1

In the output returned after the previous command executes, you see that the PeeringState is Initiated. The peering remains in the Initiated state until you create the peering from vnet-2 to vnet-1. Create a peering from vnet-2 to vnet-1.

Azure PowerShell

$peerConfig2 = @{
    Name = "vnet-2-to-vnet-1"
    VirtualNetwork = $virtualNetwork2
    RemoteVirtualNetworkId = $virtualNetwork1.Id
}
Add-AzVirtualNetworkPeering @peerConfig2

In the output returned after the previous command executes, you see that the PeeringState is Connected. Azure also changed the peering state of the vnet-1-to-vnet-2 peering to Connected. Confirm that the peering state for the vnet-1-to-vnet-2 peering changed to Connected with Get-AzVirtualNetworkPeering.

Azure PowerShell

$peeringState = @{
    ResourceGroupName = "test-rg"
    VirtualNetworkName = "vnet-1"
}
Get-AzVirtualNetworkPeering @peeringState | Select PeeringState

Resources in one virtual network can't communicate with resources in the other virtual network until the PeeringState for the peerings in both virtual networks is Connected.

CLI

Peer virtual networks

Peerings are established between virtual network IDs. Obtain the ID of each virtual network with az network vnet show and store the ID in a variable.

Azure CLI

# Get the id for vnet-1.
vNet1Id=$(az network vnet show \
  --resource-group test-rg \
  --name vnet-1 \
  --query id --out tsv)

# Get the id for vnet-2.
vNet2Id=$(az network vnet show \
  --resource-group test-rg \
  --name vnet-2 \
  --query id \
  --out tsv)

Create a peering from vnet-1 to vnet-2 with az network vnet peering create. If the --allow-vnet-access parameter isn't specified, a peering is established, but no communication can flow through it.

Azure CLI

az network vnet peering create \
  --name vnet-1-to-vnet-2 \
  --resource-group test-rg \
  --vnet-name vnet-1 \
  --remote-vnet $vNet2Id \
  --allow-vnet-access

In the output returned after the previous command executes, you see that the peeringState is Initiated. The peering remains in the Initiated state until you create the peering from vnet-2 to vnet-1. Create a peering from vnet-2 to vnet-1.

Azure CLI

az network vnet peering create \
  --name vnet-2-to-vnet-1 \
  --resource-group test-rg \
  --vnet-name vnet-2 \
  --remote-vnet $vNet1Id \
  --allow-vnet-access

In the output returned after the previous command executes, you see that the peeringState is Connected. Azure also changed the peering state of the vnet-1-to-vnet-2 peering to Connected. Confirm that the peering state for the vnet-1-to-vnet-2 peering changed to Connected with az network vnet peering show.

Azure CLI

az network vnet peering show \
  --name vnet-1-to-vnet-2 \
  --resource-group test-rg \
  --vnet-name vnet-1 \
  --query peeringState

Resources in one virtual network can't communicate with resources in the other virtual network until the peeringState for the peerings in both virtual networks is Connected.

Create virtual machines

Test the communication between the virtual machines by creating a virtual machine in each virtual network. The virtual machines can communicate with each other over the virtual network peering.

Portal

Create test virtual machine

The following procedure creates a test virtual machine (VM) named vm-1 in the virtual network.

1. In the portal, search for and select Virtual machines.

2. In Virtual machines, select + Create, then Azure virtual machine.

3. On the Basics tab of Create a virtual machine, enter or select the following information:

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select test-rg.
   Instance details
   Virtual machine name	Enter vm-1.
   Region	Select East US 2.
   Availability options	Select No infrastructure redundancy required.
   Security type	Leave the default of Standard.
   Image	Select Ubuntu Server 22.04 LTS - x64 Gen2.
   VM architecture	Leave the default of x64.
   Size	Select a size.
   Administrator account
   Authentication type	Select Password.
   Username	Enter azureuser.
   Password	Enter a password.
   Confirm password	Reenter the password.
   Inbound port rules
   Public inbound ports	Select None.

4. Select the Networking tab at the top of the page.

5. Enter or select the following information in the Networking tab:

   Setting	Value
   Network interface
   Virtual network	Select vnet-1.
   Subnet	Select subnet-1 (10.0.0.0/24).
   Public IP	Select None.
   NIC network security group	Select Advanced.
   Configure network security group	Select Create new. Enter nsg-1 for the name. Leave the rest at the defaults and select OK.

6. Leave the rest of the settings at the defaults and select Review + create.

7. Review the settings and select Create.

Note

Virtual machines in a virtual network with a bastion host don't need public IP addresses. Bastion provides the public IP, and the VMs use private IPs to communicate within the network. You can remove the public IPs from any VMs in bastion hosted virtual networks. For more information, see Dissociate a public IP address from an Azure VM.

Note

Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the backend pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.

The default outbound access IP is disabled when one of the following events happens:

• A public IP address is assigned to the VM.
• The VM is placed in the backend pool of a standard load balancer, with or without outbound rules.
• An Azure NAT Gateway resource is assigned to the subnet of the VM.

VMs that you create by using virtual machine scale sets in flexible orchestration mode don't have default outbound access.

For more information about outbound connections in Azure, see Default outbound access in Azure and Use Source Network Address Translation (SNAT) for outbound connections.

Repeat the previous steps to create a second virtual machine in the second virtual network with the following values:

Setting	Value
Virtual machine name	vm-2
Region	East US 2 or same region as vnet-2.
Virtual network	Select vnet-2.
Subnet	Select subnet-1 (10.1.0.0/24).
Public IP	None
Network security group name	nsg-2

PowerShell

Create the first virtual machine

Create a VM with New-AzVM. The following example creates a VM named vm-1 in the vnet-1 virtual network. When prompted, enter the username and password for the virtual machine.

Azure PowerShell

# Create a credential object
$cred = Get-Credential

# Define the VM parameters
$vmParams = @{
    ResourceGroupName = "test-rg"
    Location = "EastUS2"
    Name = "vm-1"
    ImageName = "Canonical:ubuntu-24_04-lts:server-gen1:latest"
    Size = "Standard_DS1_v2"
    Credential = $cred
    VirtualNetworkName = "vnet-1"
    SubnetName = "subnet-1"
    PublicIpAddressName = $null  # No public IP address
}

# Create the VM
New-AzVM @vmParams

Create the second VM

Azure PowerShell

# Create a credential object
$cred = Get-Credential

# Define the VM parameters
$vmParams = @{
    ResourceGroupName = "test-rg"
    Location = "EastUS2"
    Name = "vm-2"
    ImageName = "Canonical:ubuntu-24_04-lts:server-gen1:latest"
    Size = "Standard_DS1_v2"
    Credential = $cred
    VirtualNetworkName = "vnet-2"
    SubnetName = "subnet-1"
    PublicIpAddressName = $null  # No public IP address
}

# Create the VM
New-AzVM @vmParams

CLI

Create the first VM

Create a VM with az vm create. The following example creates a VM named vm-1 in the vnet-1 virtual network. If SSH keys don't already exist in a default key location, the command creates them. The --no-wait option creates the VM in the background, so you can continue to the next step.

Azure CLI

az vm create \
    --resource-group test-rg \
    --name vm-1 \
    --image Ubuntu2204 \
    --vnet-name vnet-1 \
    --subnet subnet-1 \
    --admin-username azureuser \
    --authentication-type password \
    --no-wait

Create the second VM

Create a VM in the vnet-2 virtual network.

Azure CLI

az vm create \
    --resource-group test-rg \
    --name vm-2 \
    --image Ubuntu2204 \
    --vnet-name vnet-2 \
    --subnet subnet-1 \
    --admin-username azureuser \
    --authentication-type password

The VM takes a few minutes to create.

Wait for the virtual machines to be created before continuing with the next steps.

Connect to a virtual machine

Use ping to test the communication between the virtual machines. Sign-in to the Azure portal to complete the following steps.

1. In the portal, search for and select Virtual machines.

2. On the Virtual machines page, select vm-1.

3. In the Overview of vm-1, select Connect.

4. In the Connect to virtual machine page, select the Bastion tab.

5. Select Use Bastion.

6. Enter the username and password you created when you created the VM, and then select Connect.

Communicate between VMs

1. At the bash prompt for vm-1, enter ping -c 4 10.1.0.4.

   You get a reply similar to the following message:

   Output

   azureuser@vm-1:~$ ping -c 4 10.1.0.4
   PING 10.1.0.4 (10.1.0.4) 56(84) bytes of data.
   64 bytes from 10.1.0.4: icmp_seq=1 ttl=64 time=2.29 ms
   64 bytes from 10.1.0.4: icmp_seq=2 ttl=64 time=1.06 ms
   64 bytes from 10.1.0.4: icmp_seq=3 ttl=64 time=1.30 ms
   64 bytes from 10.1.0.4: icmp_seq=4 ttl=64 time=0.998 ms
   
   --- 10.1.0.4 ping statistics ---
   4 packets transmitted, 4 received, 0% packet loss, time 3004ms
   rtt min/avg/max/mdev = 0.998/1.411/2.292/0.520 ms
   

2. Close the Bastion connection to vm-1.

3. Repeat the steps in Connect to a virtual machine to connect to vm-2.

4. At the bash prompt for vm-2, enter ping -c 4 10.0.0.4.

   You get a reply similar to the following message:

   Output

   azureuser@vm-2:~$ ping -c 4 10.0.0.4
   PING 10.0.0.4 (10.0.0.4) 56(84) bytes of data.
   64 bytes from 10.0.0.4: icmp_seq=1 ttl=64 time=1.81 ms
   64 bytes from 10.0.0.4: icmp_seq=2 ttl=64 time=3.35 ms
   64 bytes from 10.0.0.4: icmp_seq=3 ttl=64 time=0.811 ms
   64 bytes from 10.0.0.4: icmp_seq=4 ttl=64 time=1.28 ms
   

5. Close the Bastion connection to vm-2.

Portal

When you finish using the resources that you created, you can delete the resource group and all its resources.

1. In the Azure portal, search for and select Resource groups.

2. On the Resource groups page, select the test-rg resource group.

3. On the test-rg page, select Delete resource group.

4. Enter test-rg in Enter resource group name to confirm deletion, and then select Delete.

PowerShell

When no longer needed, use Remove-AzResourcegroup to remove the resource group and all of the resources it contains.

Azure PowerShell

$rgParams = @{
    Name = "test-rg"
}
Remove-AzResourceGroup @rgParams -Force

CLI

When no longer needed, use az group delete to remove the resource group and all of the resources it contains.

Azure CLI

az group delete \
    --name test-rg \
    --yes \
    --no-wait

Next steps

In this tutorial, you:

• Created virtual network peering between two virtual networks.

• Tested the communication between two virtual machines over the virtual network peering with ping.

To learn more about a virtual network peering:

Virtual network peering