Exercise - Configure virtual network peering connections by using Azure CLI commands
You created virtual networks and ran virtual machines (VMs) within them. However, the virtual networks have no connectivity, and none of these systems can communicate with each other.
To enable communication, you need to create peering connections for the virtual networks. To satisfy your company's requirements, you configure a hub and spoke topology and permit virtual network access when you create the peering connections.
Note
This exercise is optional. If you want to complete this exercise, you'll need to create an Azure subscription before you begin. If you don't have an Azure account or you don't want to create one at this time, you can read through the instructions so you understand the information that's being presented.
Note
Throughout this exercise, replace myResourceGroupName in the examples with the name of an existing resource group, or the name of the resource group that you created for this exercise.
Create virtual network peering connections
Follow these steps to create connections between the virtual networks and to configure the behavior of each connection.
In Cloud Shell, run the following command to create the peering connection between the SalesVNet and MarketingVNet virtual networks. This command also permits virtual network access across this peering connection.
az network vnet peering create \
    --name SalesVNet-To-MarketingVNet \
    --remote-vnet MarketingVNet \
    --resource-group "myResourceGroupName" \
    --vnet-name SalesVNet \
    --allow-vnet-access
Run the following command to create a reciprocal connection from MarketingVNet to SalesVNet. This step completes the connection between these virtual networks.
az network vnet peering create \
    --name MarketingVNet-To-SalesVNet \
    --remote-vnet SalesVNet \
    --resource-group "myResourceGroupName" \
    --vnet-name MarketingVNet \
    --allow-vnet-access
Now that you have connections between Sales and Marketing, create connections between Marketing and Research.
In Cloud Shell, run the following command to create the peering connection between the MarketingVNet and ResearchVNet virtual networks:
az network vnet peering create \
    --name MarketingVNet-To-ResearchVNet \
    --remote-vnet ResearchVNet \
    --resource-group "myResourceGroupName" \
    --vnet-name MarketingVNet \
    --allow-vnet-access
Run the following command to create the reciprocal connection between ResearchVNet and MarketingVNet:
az network vnet peering create \
    --name ResearchVNet-To-MarketingVNet \
    --remote-vnet MarketingVNet \
    --resource-group "myResourceGroupName" \
    --vnet-name ResearchVNet \
    --allow-vnet-access
Check the virtual network peering connections
Now that the peering connections between the virtual networks are created, make sure the connections work.
In Cloud Shell, run the following command to check the connection between SalesVNet and MarketingVNet:
az network vnet peering list \
    --resource-group "myResourceGroupName" \
    --vnet-name SalesVNet \
    --query "[].{Name:name, Resource:resourceGroup, PeeringState:peeringState, AllowVnetAccess:allowVirtualNetworkAccess}" \
    --output table
You created only one connection from SalesVNet, so you get only one result. In the PeeringState column, make sure the status is Connected.
Run the following command to check the peering connection between the ResearchVNet and MarketingVNet virtual networks:
az network vnet peering list \
    --resource-group "myResourceGroupName" \
    --vnet-name ResearchVNet \
    --query "[].{Name:name, Resource:resourceGroup, PeeringState:peeringState, AllowVnetAccess:allowVirtualNetworkAccess}" \
    --output table
Again, you created only one connection from ResearchVNet, so you get only one result. In the PeeringState column, make sure the status is Connected.
Run the following command to check the peering connections for the MarketingVNet virtual network.
az network vnet peering list \
    --resource-group "myResourceGroupName" \
    --vnet-name MarketingVNet \
    --query "[].{Name:name, Resource:resourceGroup, PeeringState:peeringState, AllowVnetAccess:allowVirtualNetworkAccess}" \
    --output table
Remember that you created connections from Marketing to Sales and from Marketing to Research, so you should get two connections. In the PeeringState column, make sure the status of both connections is Connected.
Your peering connections between the virtual networks should now look like this diagram:
Check effective routes
You can further check the peering connection by looking at the routes that apply to the network interfaces of the VMs.
Run the following command to look at the routes that apply to the SalesVM network interface:
az network nic show-effective-route-table \
    --resource-group "myResourceGroupName" \
    --name SalesVMVMNic \
    --output table
The output table shows the effective routes for the virtual machine's network interface. For SalesVMVMNic, you should have a route to 10.2.0.0/16 with a next hop type of VNetPeering. This network route is for the peering connection from SalesVNet to MarketingVNet.
Source    State    Address Prefix    Next Hop Type    Next Hop IP
--------  -------  ----------------  ---------------  -------------
Default   Active   10.1.0.0/16       VnetLocal
Default   Active   10.2.0.0/16       VNetPeering
Default   Active   0.0.0.0/0         Internet
Default   Active   10.0.0.0/8        None
Default   Active   100.64.0.0/10     None
Default   Active   192.168.0.0/16    None
Run the following command to look at the routes for MarketingVM:
az network nic show-effective-route-table \
    --resource-group "myResourceGroupName" \
    --name MarketingVMVMNic \
    --output table
The output table shows the effective routes for the virtual machine's network interface. For MarketingVMVMNic, you should have a route to 10.1.0.0/16 with a next hop type of VNetPeering and a route to 10.3.0.0/16 with a next hop type of VNetGlobalPeering. These network routes are for the peering connection from MarketingVNet to SalesVNet and from MarketingVNet to ResearchVNet.
Source    State    Address Prefix    Next Hop Type      Next Hop IP
--------  -------  ----------------  -----------------  -------------
Default   Active   10.2.0.0/16       VnetLocal
Default   Active   10.1.0.0/16       VNetPeering
Default   Active   0.0.0.0/0         Internet
Default   Active   10.0.0.0/8        None
Default   Active   100.64.0.0/10     None
Default   Active   192.168.0.0/16    None
Default   Active   10.3.0.0/16       VNetGlobalPeering
Run the following command to look at the routes for ResearchVM:
az network nic show-effective-route-table \
    --resource-group "myResourceGroupName" \
    --name ResearchVMVMNic \
    --output table
The output table shows the effective routes for the virtual machine's network interface. For ResearchVMVMNic, you should have a route to 10.2.0.0/16 with a next hop type of VNetGlobalPeering. This network route is for the peering connection from ResearchVNet to MarketingVNet.
Source    State    Address Prefix    Next Hop Type      Next Hop IP
--------  -------  ----------------  -----------------  -------------
Default   Active   10.3.0.0/16       VnetLocal
Default   Active   0.0.0.0/0         Internet
Default   Active   10.0.0.0/8        None
Default   Active   100.64.0.0/10     None
Default   Active   192.168.0.0/16    None
Default   Active   10.2.0.0/16       VNetGlobalPeering
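The route checks in this section can be scripted. The following is an added example, not part of the original exercise: a hypothetical check_peering_routes function reads the table output of az network nic show-effective-route-table and compares the active peering routes with the prefixes you expect, so a missing or unintended peering shows up as a failure. The first sample table is the SalesVMVMNic output from this exercise; the second is constructed.

```shell
#!/usr/bin/env bash
# Added example: check_peering_routes is a hypothetical helper, not an az command.
# Usage: <route table text> | check_peering_routes "prefix1,prefix2"
# Live use in Cloud Shell:
#   az network nic show-effective-route-table \
#       --resource-group "myResourceGroupName" --name SalesVMVMNic \
#       --output table | check_peering_routes "10.2.0.0/16"
check_peering_routes() {
    awk -v expected="$1" '
        BEGIN {
            n = split(expected, want, ",")
            for (i = 1; i <= n; i++) need[want[i]] = 1
        }
        # Data rows are: Source State AddressPrefix NextHopType [NextHopIP]
        $2 == "Active" && tolower($4) ~ /^vnet(global)?peering$/ {
            if ($3 in need) { seen[$3] = 1 }
            else { print "UNEXPECTED " $3 " via " $4; bad = 1 }
        }
        END {
            for (p in need) if (!(p in seen)) { print "MISSING " p; bad = 1 }
            if (!bad) print "OK"
            exit (bad ? 1 : 0)
        }'
}

# SalesVMVMNic table as shown in the exercise output.
sales_routes() {
    cat <<'EOF'
Source    State    Address Prefix    Next Hop Type    Next Hop IP
--------  -------  ----------------  ---------------  -------------
Default   Active   10.1.0.0/16       VnetLocal
Default   Active   10.2.0.0/16       VNetPeering
Default   Active   0.0.0.0/0         Internet
Default   Active   10.0.0.0/8        None
Default   Active   100.64.0.0/10     None
Default   Active   192.168.0.0/16    None
EOF
}

# Constructed sample: the same NIC with an extra peering route to 10.3.0.0/16.
drifted_routes() {
    sales_routes
    echo "Default   Active   10.3.0.0/16       VNetGlobalPeering"
}

sales_routes | check_peering_routes "10.2.0.0/16"    # prints OK
drifted_routes | check_peering_routes "10.2.0.0/16" || echo "peering routes differ from the expected set"
```

For MarketingVMVMNic the expected list would be "10.1.0.0/16,10.3.0.0/16", matching the two peering routes in its table.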
Now that your peering connections are configured, let's take a look at how these connections affect the communication between VMs.