แก้ไข

แชร์ผ่าน


Connect virtual networks with virtual network peering using PowerShell

You can connect virtual networks to each other with virtual network peering. Once virtual networks are peered, resources in both virtual networks are able to communicate with each other, with the same latency and bandwidth as if the resources were in the same virtual network.

In this article, you learn how to:

  • Create two virtual networks

  • Connect two virtual networks with a virtual network peering

  • Deploy a virtual machine (VM) into each virtual network

  • Communicate between VMs

If you don't have an Azure subscription, create a free account before you begin.

Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article, without having to install anything on your local environment.

To start Azure Cloud Shell:

Option Example/Link
Select Try It in the upper-right corner of a code or command block. Selecting Try It doesn't automatically copy the code or command to Cloud Shell. Screenshot that shows an example of Try It for Azure Cloud Shell.
Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser. Button to launch Azure Cloud Shell.
Select the Cloud Shell button on the menu bar at the upper right in the Azure portal. Screenshot that shows the Cloud Shell button in the Azure portal

To use Azure Cloud Shell:

  1. Start Cloud Shell.

  2. Select the Copy button on a code block (or command block) to copy the code or command.

  3. Paste the code or command into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux, or by selecting Cmd+Shift+V on macOS.

  4. Select Enter to run the code or command.

If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 1.0.0 or later. Run Get-Module -ListAvailable Az to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.

Create virtual networks

Before creating a virtual network, you have to create a resource group for the virtual network, and all other resources created in this article. Create a resource group with New-AzResourceGroup. The following example creates a resource group named test-rg in the eastus location.

$resourceGroup = @{
    Name = "test-rg"
    Location = "EastUS"
}
New-AzResourceGroup @resourceGroup

Create a virtual network with New-AzVirtualNetwork. The following example creates a virtual network named vnet-1 with the address prefix 10.0.0.0/16.

$vnet1 = @{
    ResourceGroupName = "test-rg"
    Location = "EastUS"
    Name = "vnet-1"
    AddressPrefix = "10.0.0.0/16"
}
$virtualNetwork1 = New-AzVirtualNetwork @vnet1

Create a subnet configuration with Add-AzVirtualNetworkSubnetConfig. The following example creates a subnet configuration with a 10.0.0.0/24 address prefix:

$subConfig = @{
    Name = "subnet-1"
    AddressPrefix = "10.0.0.0/24"
    VirtualNetwork = $virtualNetwork1
}
$subnetConfig = Add-AzVirtualNetworkSubnetConfig @subConfig

Write the subnet configuration to the virtual network with Set-AzVirtualNetwork, which creates the subnet:

$virtualNetwork1 | Set-AzVirtualNetwork

Create a virtual network with a 10.1.0.0/16 address prefix and one subnet:

# Create the virtual network.
$vnet2 = @{
    ResourceGroupName = "test-rg"
    Location = "EastUS"
    Name = "vnet-2"
    AddressPrefix = "10.1.0.0/16"
}
$virtualNetwork2 = New-AzVirtualNetwork @vnet2

# Create the subnet configuration.
$subConfig = @{
    Name = "subnet-1"
    AddressPrefix = "10.1.0.0/24"
    VirtualNetwork = $virtualNetwork2
}
$subnetConfig = Add-AzVirtualNetworkSubnetConfig @subConfig

# Write the subnet configuration to the virtual network.
$virtualNetwork2 | Set-AzVirtualNetwork

Peer virtual networks

Create a peering with Add-AzVirtualNetworkPeering. The following example peers vnet-1 to vnet-2.

$peerConfig1 = @{
    Name = "vnet-1-to-vnet-2"
    VirtualNetwork = $virtualNetwork1
    RemoteVirtualNetworkId = $virtualNetwork2.Id
}
Add-AzVirtualNetworkPeering @peerConfig1

In the output returned after the previous command executes, you see that the PeeringState is Initiated. The peering remains in the Initiated state until you create the peering from vnet-2 to vnet-1. Create a peering from vnet-2 to vnet-1.

$peerConfig2 = @{
    Name = "vnet-2-to-vnet-1"
    VirtualNetwork = $virtualNetwork2
    RemoteVirtualNetworkId = $virtualNetwork1.Id
}
Add-AzVirtualNetworkPeering @peerConfig2

In the output returned after the previous command executes, you see that the PeeringState is Connected. Azure also changed the peering state of the vnet-1-to-vnet-2 peering to Connected. Confirm that the peering state for the vnet-1-to-vnet-2 peering changed to Connected with Get-AzVirtualNetworkPeering.

$peeringState = @{
    ResourceGroupName = "test-rg"
    VirtualNetworkName = "vnet-1"
}
Get-AzVirtualNetworkPeering @peeringState | Select PeeringState

Resources in one virtual network cannot communicate with resources in the other virtual network until the PeeringState for the peerings in both virtual networks is Connected.

Create virtual machines

Create a VM in each virtual network so that you can communicate between them in a later step.

Create the first VM

Create a VM with New-AzVM. The following example creates a VM named vm-1 in the vnet-1 virtual network. The -AsJob option creates the VM in the background, so you can continue to the next step. When prompted, enter the user name and password for the virtual machine.

$vm1 = @{
    ResourceGroupName = "test-rg"
    Location = "EastUS"
    VirtualNetworkName = "vnet-1"
    SubnetName = "subnet-1"
    ImageName = "Win2019Datacenter"
    Name = "vm-1"
}
New-AzVm @vm1 -AsJob

Create the second VM

$vm2 = @{
    ResourceGroupName = "test-rg"
    Location = "EastUS"
    VirtualNetworkName = "vnet-2"
    SubnetName = "subnet-1"
    ImageName = "Win2019Datacenter"
    Name = "vm-2"
}
New-AzVm @vm2

The VM takes a few minutes to create. Don't continue with the later steps until Azure creates vm-2 and returns output to PowerShell.

Note

Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the backend pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.

The default outbound access IP is disabled when one of the following events happens:

  • A public IP address is assigned to the VM.
  • The VM is placed in the backend pool of a standard load balancer, with or without outbound rules.
  • An Azure NAT Gateway resource is assigned to the subnet of the VM.

VMs that you create by using virtual machine scale sets in flexible orchestration mode don't have default outbound access.

For more information about outbound connections in Azure, see Default outbound access in Azure and Use Source Network Address Translation (SNAT) for outbound connections.

Communicate between VMs

You can connect to a VM's public IP address from the internet. Use Get-AzPublicIpAddress to return the public IP address of a VM. The following example returns the public IP address of the vm-1 VM:

$ipAddress = @{
    ResourceGroupName = "test-rg"
    Name = "vm-1"
}
Get-AzPublicIpAddress @ipAddress | Select IpAddress

Use the following command to create a remote desktop session with the vm-1 VM from your local computer. Replace <publicIpAddress> with the IP address returned from the previous command.

mstsc /v:<publicIpAddress>

A Remote Desktop Protocol (.rdp) file is created and opened. Enter the user name and password (you may need to select More choices, then Use a different account, to specify the credentials you entered when you created the VM), and then click OK. You may receive a certificate warning during the sign-in process. Click Yes or Continue to proceed with the connection.

On vm-1, enable the Internet Control Message Protocol (ICMP) through the Windows Firewall so you can ping this VM from vm-2 in a later step, using PowerShell:

New-NetFirewallRule –DisplayName "Allow ICMPv4-In" –Protocol ICMPv4

Though ping is used to communicate between VMs in this article, allowing ICMP through the Windows Firewall for production deployments is not recommended.

To connect to vm-2, enter the following command from a command prompt on vm-1:

mstsc /v:10.1.0.4

You enabled ping on vm-1. You can now ping vm-1 by IP address from a command prompt on vm-2.

ping 10.0.0.4

You receive four replies. Disconnect your RDP sessions to both vm-1 and vm-2.

Clean up resources

When no longer needed, use Remove-AzResourcegroup to remove the resource group and all of the resources it contains.

Remove-AzResourceGroup -Name test-rg -Force

Next steps

In this article, you learned how to connect two networks in the same Azure region, with virtual network peering. You can also peer virtual networks in different supported regions and in different Azure subscriptions, as well as create hub and spoke network designs with peering. To learn more about virtual network peering, see Virtual network peering overview and Manage virtual network peerings.

You can connect your own computer to a virtual network through a VPN, and interact with resources in a virtual network, or in peered virtual networks. For reusable scripts to complete many of the tasks covered in the virtual network articles, see script samples.