articles/virtual-network/virtual-network-manage-peering.md
Lines changed: 16 additions & 14 deletions
@@ -55,23 +55,25 @@ Before creating a peering, familiarize yourself with the [requirements and const
55
55
56
56
| Settings | Description |
57
57
| -------- | ----------- |
58
-
|**This virtual network**||
58
+
|**Remote virtual network summary**||
59
59
| Peering link name | The name of the peering from the local virtual network. The name must be unique within the virtual network. |
60
-
| Allow 'vnet-1' to access 'vnet-2' | By **default**, this option is selected. </br></br> - To enable communication between the two virtual networks through the default `VirtualNetwork` flow, select **Allow 'vnet-1' to access 'vnet-2' (default)**. This allows resources connected to either virtual network to communicate with each other over the Azure private network. The **VirtualNetwork** service tag for network security groups includes the virtual network and peered virtual network when this setting is selected. To learn more about service tags, see [Azure service tags](./service-tags-overview.md). |
61
-
| Allow 'vnet-1' to receive forwarded traffic from 'vnet-2' | This option **isn't selected by default.** </br></br> -To allow forwarded traffic from the peered virtual network, select **Allow 'vnet-1' to receive forwarded traffic from 'vnet-2'**. This setting can be selected if you want to allow traffic that doesn't originate from **vnet-2** to reach **vnet-1**. For example, if **vnet-2** has an NVA that receives traffic from outside of **vnet-2** that gets forwards to **vnet-1**, you can select this setting to allow that traffic to reach **vnet-1** from **vnet-2**. While enabling this capability allows the forwarded traffic through the peering, it doesn't create any user-defined routes or network virtual appliances. User-defined routes and network virtual appliances are created separately. Learn about [user-defined routes](virtual-networks-udr-overview.md#user-defined). </br></br> **NOTE:** *Not selecting the **Allow 'vnet-1' to receive forwarded traffic from 'vnet-2'** setting only changes the definition of the **VirtualNetwork** service tag. It *doesn't* fully prevent traffic flow across the peer connection, as explained in this setting description.* |
62
-
| Allow gateway in 'vnet-1' to forward traffic to 'vnet-2' | This option **isn't selected by default**. </br></br> - Select **Allow gateway in 'vnet-1' to forward traffic to 'vnet-2'** if you want **vnet-2** to receive traffic from **vnet-1**'s gateway/Route Server. **vnet-1** must contain a gateway in order for this option to be enabled. |
63
-
| Enable 'vnet-1' to use 'vnet-2' remote gateway | This option **isn't selected by default.** </br></br> - Select **Enable 'vnet-1' to use 'vnet-2' remote gateway** if you want **vnet-1** to use **vnet-2**'s gateway or Route Server. **vnet-1** can only use a remote gateway or Route Server from one peering connection. **vnet-2** has to have a gateway or Route Server in order for you to select this option. For example, the virtual network you're peering with has a VPN gateway that enables communication to an on-premises network. Selecting this setting allows traffic from this virtual network to flow through the VPN gateway in the peered virtual network. </br></br> You can also select this option, if you want this virtual network to use the remote Route Server to exchange routes, see [Azure Route Server](../route-server/overview.md). </br></br> **NOTE:** *You can't use remote gateways if you already have a gateway configured in your virtual network. To learn more about using a gateway for transit, see [Configure a VPN gateway for transit in a virtual network peering](../vpn-gateway/vpn-gateway-peering-gateway-transit.md)*.|
64
-
|**Remote virtual network**||
65
-
| Peering link name | The name of the peering from the remote virtual network. The name must be unique within the virtual network. |
66
60
| Virtual network deployment model | Select which deployment model the virtual network you want to peer with was deployed through. |
67
61
| I know my resource ID | If you have read access to the virtual network you want to peer with, leave this checkbox unchecked. If you don't have read access to the virtual network or subscription you want to peer with, select this checkbox. |
68
-
| Resource ID | This field appears when you check **I know my resource ID** checkbox. The resource ID you enter must be for a virtual network that exists in the same, or [supported different](#requirements-and-constraints) Azure [region](https://azure.microsoft.com/regions) as this virtual network. </br></br> The full resource ID looks similar to `/subscriptions/<Id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<virtual-network-name>`. </br></br> You can get the resource ID for a virtual network by viewing the properties for a virtual network. To learn how to view the properties for a virtual network, see [Manage virtual networks](manage-virtual-network.yml#view-virtual-networks-and-settings). User permissions must be assigned if the subscription is associated to a different Microsoft Entra tenant than the subscription with the virtual network you're peering. Add a user from each tenant as a [guest user](../active-directory/external-identities/add-users-administrator.md#add-guest-users-to-the-directory) in the opposite tenant.
69
-
| Subscription | Select the [subscription](../azure-glossary-cloud-terminology.md#subscription) of the virtual network you want to peer with. One or more subscriptions are listed, depending on how many subscriptions your account has read access to. If you checked the **I know my resource ID** checkbox, this setting isn't available. |
70
-
| Virtual network | Select the virtual network you want to peer with. You can select a virtual network created through either Azure deployment model. If you want to select a virtual network in a different region, you must select a virtual network in a [supported region](#cross-region). You must have read access to the virtual network for it to be visible in the list. If a virtual network is listed, but grayed out, it may be because the address space for the virtual network overlaps with the address space for this virtual network. If virtual network address spaces overlap, they can't be peered. If you checked the **I know my resource ID** checkbox, this setting isn't available. |
71
-
| Allow 'vnet-2' to access 'vnet-1' | By **default**, this option is selected. </br></br> - Select **Allow 'vnet-2' to access 'vnet-1'** if you want to enable communication between the two virtual networks through the default `VirtualNetwork` flow. Enabling communication between virtual networks allows resources that are connected to either virtual network to communicate with each other over the Azure private network. The **VirtualNetwork** service tag for network security groups encompasses the virtual network and peered virtual network when this setting is set to **Selected**. To learn more about service tags, see [Azure service tags](./service-tags-overview.md). |
72
-
| Allow 'vnet-2' to receive forwarded traffic from 'vnet-1' | This option **isn't selected by default**. </br></br> -To allow forwarded traffic from the peered virtual network, select **Allow 'vnet-2' to receive forwarded traffic from 'vnet-1'**. This setting can be selected if you want to allow traffic that doesn't originate from **vnet-1** to reach **vnet-2**. For example, if **vnet-1** has an NVA that receives traffic from outside of **vnet-1** that gets forwards to **vnet-2**, you can select this setting to allow that traffic to reach **vnet-2** from **vnet-1**. While enabling this capability allows the forwarded traffic through the peering, it doesn't create any user-defined routes or network virtual appliances. User-defined routes and network virtual appliances are created separately. Learn about [user-defined routes](virtual-networks-udr-overview.md#user-defined). </br></br> **NOTE:** *Not selecting the **Allow 'vnet-1' to receive forwarded traffic from 'vnet-2'** setting only changes the definition of the **VirtualNetwork** service tag. It *doesn't* fully prevent traffic flow across the peer connection, as explained in this setting description.* |
73
-
| Allow gateway in 'vnet-2' to forward traffic to 'vnet-1' | This option **isn't selected by default**. </br></br> - Select **Allow gateway in 'vnet-2' to forward traffic to 'vnet-1'** if you want **vnet-1** to receive traffic from **vnet-2**'s gateway/Route Server. **vnet-2** must contain a gateway in order for this option to be enabled. |
74
-
| Enable 'vnet-2' to use 'vnet-1's' remote gateway | This option **isn't selected by default.** </br></br> - Select **Enable 'vnet-2' to use 'vnet-1' remote gateway** if you want **vnet-2** to use **vnet-1**'s gateway or Route Server. **vnet-2** can only use a remote gateway or Route Server from one peering connection. **vnet-1** has to have a gateway or Route Server in order for you to select this option. For example, the virtual network you're peering with has a VPN gateway that enables communication to an on-premises network. Selecting this setting allows traffic from this virtual network to flow through the VPN gateway in the peered virtual network. </br></br> You can also select this option, if you want this virtual network to use the remote Route Server to exchange routes, see [Azure Route Server](../route-server/overview.md). </br></br> This scenario requires implementing user-defined routes that specify the virtual network gateway as the next hop type. Learn about [user-defined routes](virtual-networks-udr-overview.md#user-defined). You can only specify a VPN gateway as a next hop type in a user-defined route, you can't specify an ExpressRoute gateway as the next hop type in a user-defined route. </br></br> **NOTE:** *You can't use remote gateways if you already have a gateway configured in your virtual network. To learn more about using a gateway for transit, see [Configure a VPN gateway for transit in a virtual network peering](../vpn-gateway/vpn-gateway-peering-gateway-transit.md)*. |
62
+
| Resource ID | This field appears when you check **I know my resource ID** checkbox. The resource ID you enter must be for a virtual network that exists in the same, or [supported different](#requirements-and-constraints) Azure [region](https://azure.microsoft.com/regions) as this virtual network. </br></br> The full resource ID looks similar to `/subscriptions/<Id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<virtual-network-name>`. </br></br> You can get the resource ID for a virtual network by viewing the properties for a virtual network. To learn how to view the properties for a virtual network, see [Manage virtual networks](manage-virtual-network.yml#view-virtual-networks-and-settings). User permissions must be assigned if the subscription is associated to a different Microsoft Entra tenant than the subscription with the virtual network you're peering. Add a user from each tenant as a [guest user](../active-directory/external-identities/add-users-administrator.md#add-guest-users-to-the-directory) in the opposite tenant. |
63
+
| Subscription | Select the [subscription](../azure-glossary-cloud-terminology.md#subscription) of the virtual network you want to peer with. One or more subscriptions are listed, depending on how many subscriptions your account has read access to. |
64
+
| Virtual network | Select the remote virtual network. |
65
+
|**Remote virtual network peering settings**||
66
+
| Allow the peered virtual network to access 'vnet-1' | By **default**, this option is selected. </br></br> - Select this option to allow traffic from the peered virtual network to 'vnet-1'. This setting enables communication between hub and spoke in hub-spoke network topology and allows a VM in the peered virtual network to communicate with a VM in 'vnet-1'. The **VirtualNetwork** service tag for network security groups includes the virtual network and peered virtual network when this setting is selected. To learn more about service tags, see [Azure service tags](./service-tags-overview.md). |
67
+
| Allow the peered virtual network to receive forwarded traffic from 'vnet-1` | This option **isn't selected by default.** </br></br> - Enabling this option will allow the peered virtual network to receive traffic from virtual networks peered to 'vnet-1'. For example, if vnet-2 has an NVA that receives traffic from outside of vnet-2 that forwards to vnet-1, you can select this setting to allow that traffic to reach vnet-1 from vnet-2. While enabling this capability allows the forwarded traffic through the peering, it doesn't create any user-defined routes or network virtual appliances. User-defined routes and network virtual appliances are created separately. |
68
+
| Allow gateway or route server in the peered virtual network to forward traffic to 'vnet-1' | This option **isn't selected by default**. </br></br> - Enabling this setting will allow 'vnet-1' to receive traffic from the peered virtual networks' gateway or route server. In order for this option to be enabled, the peered virtual network must contain a gateway or route server. |
69
+
| Enable the peered virtual network to use 'vnet-1's' remote gateway or route server | This option **isn't selected by default.** </br></br> - This option can be enabled only if 'vnet-1' has a remote gateway or route server and 'vnet-1' enables "Allow gateway in 'vnet-1' to forward traffic to the peered virtual network". This option can be enabled in only one of the peered virtual networks' peerings. </br></br> You can also select this option, if you want this virtual network to use the remote Route Server to exchange routes, see [Azure Route Server](../route-server/overview.md). </br></br> **NOTE:***You can't use remote gateways if you already have a gateway configured in your virtual network. To learn more about using a gateway for transit, see [Configure a VPN gateway for transit in a virtual network peering](../vpn-gateway/vpn-gateway-peering-gateway-transit.md)*.|
70
+
|**Local virtual network summary**||
71
+
| Peering link name | The name of the peering from the remote virtual network. The name must be unique within the virtual network. |
72
+
|**Local virtual network peering settings**|
73
+
| Allow 'vnet-1' to access the peered virtual network | By **default**, this option is selected. </br></br> - Select this option to allow traffic from 'vnet-1' to the peered virtual network. This setting enables communication between hub and spoke in hub-spoke network topology and allows a VM in 'vnet-1' to communicate with a VM in the peered virtual network. |
74
+
| Allow 'vnet-1' to receive forwarded traffic from the peered virtual network | This option **isn't selected by default.** </br></br> - Enabling this option will allow 'vnet-1' to receive traffic from virtual networks peered to the peered virtual network. For example, if vnet-2 has an NVA that receives traffic from outside of vnet-2 that gets forwards to vnet-1, you can select this setting to allow that traffic to reach vnet-1 from vnet-2. While enabling this capability allows the forwarded traffic through the peering, it doesn't create any user-defined routes or network virtual appliances. User-defined routes and network virtual appliances are created separately. |
75
+
| Allow gateway or route server in 'vnet-1' to forward traffic to the peered virtual network | This option **isn't selected by default**. </br></br> - Enabling this setting will allow the peered virtual network to receive traffic from 'vnet-1's' gateway or route server. In order for this option to be enabled, 'vnet-1' must contain a gateway or route server. |
76
+
| Enable 'vnet-1' to use the peered virtual networks' remote gateway or route server | This option **isn't selected by default.** </br></br> - This option can be enabled only if the peered virtual network has a remote gateway or route server and the peered virtual network enables "Allow gateway in the peered virtual network to forward traffic to 'vnet-1'". This option can be enabled in only one of 'vnet-1's' peerings. |
75
77
76
78
:::image type="content" source="./media/virtual-network-manage-peering/add-peering.png" alt-text="Screenshot of peering configuration page.":::
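Review bot: the two peering link name descriptions end up swapped by the restructure: the unchanged row that now sits under the new **Remote virtual network summary** heading still reads "The name of the peering from the local virtual network", while the new row under **Local virtual network summary** reads "The name of the peering from the remote virtual network"; swap the two. The rewritten forwarded-traffic rows also drop the removed NOTE that not selecting the setting only changes the definition of the **VirtualNetwork** service tag and doesn't fully prevent traffic flow across the peering; that is the caveat a reader who leaves the box unchecked as a control needs, so carry it over. Likewise the old "use remote gateway" row's statement that the scenario requires user-defined routes with the virtual network gateway as next hop, and that an ExpressRoute gateway can't be a UDR next hop, is gone from both new rows, and the **Virtual network** row is cut to "Select the remote virtual network.", losing the explanation of grayed-out entries with overlapping address space and the "I know my resource ID" note that the **Subscription** row also lost. Smaller fixes in the added rows: "from 'vnet-1`" closes a single quote with a backtick; the example in both "receive forwarded traffic" rows runs against the setting's direction (the setting lets the peered virtual network receive traffic forwarded from vnet-1, but the example has vnet-2's NVA forwarding to vnet-1) and still says "gets forwards"; the heading row "|**Local virtual network peering settings**|" is missing the trailing "|" that the other heading rows have; "**NOTE:***You" needs a space after the colon; and in "Enable the peered virtual network to use 'vnet-1's' remote gateway or route server" the condition should be that 'vnet-1' has a gateway or route server, not a "remote gateway", and "'vnet-1's'" reads better as "the gateway or route server in 'vnet-1'".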