Tutorial: Connect virtual networks with virtual network peering using the Azure portal

You can connect virtual networks to each other with virtual network peering. These virtual networks can be in the same region or different regions (also known as global virtual network peering). Once virtual networks are peered, resources in both virtual networks can communicate with each other over a low-latency, high-bandwidth connection using Microsoft backbone network.

Diagram of Azure resources created in tutorial.

In this tutorial, you learn how to:

  • Create virtual networks
  • Connect two virtual networks with a virtual network peering
  • Deploy a virtual machine (VM) into each virtual network
  • Communicate between VMs

Prerequisites

Sign in to Azure

Sign in to the Azure portal.

Create a virtual network and an Azure Bastion host

The following procedure creates a virtual network with a resource subnet, an Azure Bastion subnet, and a Bastion host:

  1. In the portal, search for and select Virtual networks.

  2. On the Virtual networks page, select + Create.

  3. On the Basics tab of Create virtual network, enter or select the following information:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select Create new.
    Enter test-rg for the name.
    Select OK.
    Instance details
    Name Enter vnet-1.
    Region Select East US 2.

    Screenshot of the Basics tab for creating a virtual network in the Azure portal.

  4. Select Next to proceed to the Security tab.

  5. In the Azure Bastion section, select Enable Bastion.

    Bastion uses your browser to connect to VMs in your virtual network over Secure Shell (SSH) or Remote Desktop Protocol (RDP) by using their private IP addresses. The VMs don't need public IP addresses, client software, or special configuration. For more information, see What is Azure Bastion?.

    Note

    Hourly pricing starts from the moment that Bastion is deployed, regardless of outbound data usage. For more information, see Pricing and SKUs. If you're deploying Bastion as part of a tutorial or test, we recommend that you delete this resource after you finish using it.

  6. In Azure Bastion, enter or select the following information:

    Setting Value
    Azure Bastion host name Enter bastion.
    Azure Bastion public IP address Select Create a public IP address.
    Enter public-ip-bastion in Name.
    Select OK.

    Screenshot of options for enabling an Azure Bastion host as part of creating a virtual network in the Azure portal.

  7. Select Next to proceed to the IP Addresses tab.

  8. In the address space box in Subnets, select the default subnet.

  9. In Edit subnet, enter or select the following information:

    Setting Value
    Subnet details
    Subnet template Leave the default of Default.
    Name Enter subnet-1.
    Starting address Leave the default of 10.0.0.0.
    Subnet size Leave the default of /24 (256 addresses).

    Screenshot of configuration details for a subnet.

  10. Select Save.

  11. Select Review + create at the bottom of the window. When validation passes, select Create.

Repeat the previous steps to create a second virtual network with the following values:

Note

The second virtual network can be in the same region as the first virtual network or in a different region. You can skip the Security tab and the Bastion deployment for the second virtual network. After the network peer, you can connect to both virtual machines with the same Bastion deployment.

Setting Value
Name vnet-2
Address space 10.1.0.0/16
Resource group test-rg
Subnet name subnet-1
Subnet address range 10.1.0.0/24

Create virtual network peer

Use the following steps to create a two way network peer between vnet1 and vnet2.

  1. In the search box at the top of the portal, enter Virtual network. Select Virtual networks in the search results.

  2. Select vnet-1.

  3. In Settings select Peerings.

  4. Select + Add.

  5. Enter or select the following information in Add peering:

    Setting Value
    This virtual network
    Peering link name Enter vnet-1-to-vnet-2.
    Allow 'vnet-1' to access 'vnet-2' Leave the default of selected.
    Allow 'vnet-1' to receive forwarded traffic from 'vnet-2' Select the checkbox.
    Allow gateway in 'vnet-1' to forward traffic to 'vnet-2' Leave the default of cleared.
    Enable 'vnet-1' to use 'vnet-2' remote gateway Leave the default of cleared.
    Remote virtual network
    Peering link name Enter vnet-2-to-vnet-1.
    Virtual network deployment model Leave the default of Resource Manager.
    Subscription Select your subscription.
    Virtual network Select vnet-2.
    Allow 'vnet-2' to access 'vnet-1' Leave the default of selected.
    Allow 'vnet-2' to receive forwarded traffic from 'vnet-1' Select the checkbox.
    Allow gateway in 'vnet-2' to forward traffic to 'vnet-1' Leave the default of cleared.
    Enable 'vnet-2' to use 'vnet-1's' remote gateway Leave the default of cleared.

    Screenshot of Add peering in the Azure portal.

  6. Select Add.

Create virtual machines

Create a virtual machine in each virtual network to test the communication between them.

Create test virtual machine

The following procedure creates a test virtual machine (VM) named vm-1 in the virtual network.

  1. In the portal, search for and select Virtual machines.

  2. In Virtual machines, select + Create, then Azure virtual machine.

  3. On the Basics tab of Create a virtual machine, enter or select the following information:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select test-rg.
    Instance details
    Virtual machine name Enter vm-1.
    Region Select East US 2.
    Availability options Select No infrastructure redundancy required.
    Security type Leave the default of Standard.
    Image Select Ubuntu Server 22.04 LTS - x64 Gen2.
    VM architecture Leave the default of x64.
    Size Select a size.
    Administrator account
    Authentication type Select Password.
    Username Enter azureuser.
    Password Enter a password.
    Confirm password Reenter the password.
    Inbound port rules
    Public inbound ports Select None.
  4. Select the Networking tab at the top of the page.

  5. Enter or select the following information in the Networking tab:

    Setting Value
    Network interface
    Virtual network Select vnet-1.
    Subnet Select subnet-1 (10.0.0.0/24).
    Public IP Select None.
    NIC network security group Select Advanced.
    Configure network security group Select Create new.
    Enter nsg-1 for the name.
    Leave the rest at the defaults and select OK.
  6. Leave the rest of the settings at the defaults and select Review + create.

  7. Review the settings and select Create.

Note

Virtual machines in a virtual network with a bastion host don't need public IP addresses. Bastion provides the public IP, and the VMs use private IPs to communicate within the network. You can remove the public IPs from any VMs in bastion hosted virtual networks. For more information, see Dissociate a public IP address from an Azure VM.

Note

Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the backend pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.

The default outbound access IP is disabled when one of the following events happens:

  • A public IP address is assigned to the VM.
  • The VM is placed in the backend pool of a standard load balancer, with or without outbound rules.
  • An Azure Virtual Network NAT gateway resource is assigned to the subnet of the VM.

VMs that you create by using virtual machine scale sets in flexible orchestration mode don't have default outbound access.

For more information about outbound connections in Azure, see Default outbound access in Azure and Use Source Network Address Translation (SNAT) for outbound connections.

Repeat the previous steps to create a second virtual machine in the second virtual network with the following values:

Setting Value
Virtual machine name vm-2
Region East US 2 or same region as vnet-2.
Virtual network Select vnet-2.
Subnet Select subnet-1 (10.1.0.0/24).
Public IP None
Network security group name nsg-2

Wait for the virtual machines to be created before continuing with the next steps.

Connect to a virtual machine

Use ping to test the communication between the virtual machines.

  1. In the portal, search for and select Virtual machines.

  2. On the Virtual machines page, select vm-1.

  3. In the Overview of vm-1, select Connect.

  4. In the Connect to virtual machine page, select the Bastion tab.

  5. Select Use Bastion.

  6. Enter the username and password you created when you created the VM, and then select Connect.

Communicate between VMs

  1. At the bash prompt for vm-1, enter ping -c 4 vm-2.

    You get a reply similar to the following message:

    azureuser@vm-1:~$ ping -c 4 vm-2
    PING vm-2.3bnkevn3313ujpr5l1kqop4n4d.cx.internal.cloudapp.net (10.1.0.4) 56(84) bytes of data.
    64 bytes from vm-2.internal.cloudapp.net (10.1.0.4): icmp_seq=1 ttl=64 time=1.83 ms
    64 bytes from vm-2.internal.cloudapp.net (10.1.0.4): icmp_seq=2 ttl=64 time=0.987 ms
    64 bytes from vm-2.internal.cloudapp.net (10.1.0.4): icmp_seq=3 ttl=64 time=0.864 ms
    64 bytes from vm-2.internal.cloudapp.net (10.1.0.4): icmp_seq=4 ttl=64 time=0.890 ms
    
  2. Close the Bastion connection to vm-1.

  3. Repeat the steps in Connect to a virtual machine to connect to vm-2.

  4. At the bash prompt for vm-2, enter ping -c 4 vm-1.

    You get a reply similar to the following message:

    azureuser@vm-2:~$ ping -c 4 vm-1
    PING vm-1.3bnkevn3313ujpr5l1kqop4n4d.cx.internal.cloudapp.net (10.0.0.4) 56(84) bytes of data.
    64 bytes from vm-1.internal.cloudapp.net (10.0.0.4): icmp_seq=1 ttl=64 time=0.695 ms
    64 bytes from vm-1.internal.cloudapp.net (10.0.0.4): icmp_seq=2 ttl=64 time=0.896 ms
    64 bytes from vm-1.internal.cloudapp.net (10.0.0.4): icmp_seq=3 ttl=64 time=3.43 ms
    64 bytes from vm-1.internal.cloudapp.net (10.0.0.4): icmp_seq=4 ttl=64 time=0.780 ms
    
  5. Close the Bastion connection to vm-2.

Clean up resources

When you finish using the resources that you created, you can delete the resource group and all its resources:

  1. In the Azure portal, search for and select Resource groups.

  2. On the Resource groups page, select the test-rg resource group.

  3. On the test-rg page, select Delete resource group.

  4. Enter test-rg in Enter resource group name to confirm deletion, and then select Delete.

Next steps

In this tutorial, you:

  • Created virtual network peering between two virtual networks.

  • Tested the communication between two virtual machines over the virtual network peering with ping.

To learn more about a virtual network peering: