|
| 1 | +--- |
| 2 | +title: How to configure subnet peering - Preview |
| 3 | +titleSuffix: Azure Virtual Network |
| 4 | +description: Learn how to configure subnet peering for an Azure virtual network. |
| 5 | +author: amit916new |
| 6 | +ms.author: amitmishra |
| 7 | +ms.service: azure-virtual-network |
| 8 | +ms.topic: how-to |
| 9 | +ms.date: 12/03/2024 |
| 10 | + |
| 11 | +#customer intent: As a network administrator, I want to configure subnet peering between two virtual networks in azure |
| 12 | + |
| 13 | +--- |
| 14 | + |
| 15 | +# How to configure subnet peering - Preview |
| 16 | + |
| 17 | + |
| 18 | +<!-- descriptive text here. Search engine optimization crawls the first few sentences. You'll want to make this first area something that will help a customer find this article in Google search.--> |
| 19 | + |
| 20 | +Subnet peering refers to a method of connecting two Virtual Networks (VNets) by linking only the subnet address spaces rather than the entire VNet address spaces. It lets users specify which subnets are supposed to participate in the peering across the local and remote VNet. |
| 21 | + |
| 22 | +It is an added flexibility built on top of VNet peering, where users get an option to choose specific subnets that need to be peered across VNets. User can select or is prompted to enter the list of subnets across the VNets that they want to peer. In contrast, in the case of regular VNet peering, entire address space/subnets across the VNets get peered. |
| 23 | + |
| 24 | +> [!IMPORTANT] |
| 25 | +> Subnet peering is currently in public preview. |
| 26 | +> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. |
| 27 | +> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). |
| 28 | +
|
| 29 | +The following limitations apply during the public preview: |
| 30 | + |
| 31 | +- Subscription whitelisitng: To use this feature, you must have the subscription on which you want to configure subnet peering be whitelisted. |
| 32 | + |
| 33 | +- Availability: The feature is available in all regions, however, it can be configured via TF, PS, API, CLI and ARM only. Portal experience will be made available soon in future. |
| 34 | + |
| 35 | +## Prerequisites |
| 36 | + |
| 37 | +- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). |
| 38 | + |
| 39 | + |
| 40 | +## Configure subnet peering |
| 41 | + |
| 42 | +<update this for your feature.> |
| 43 | + |
| 44 | +- The how-to article requires version 2.31.0 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed. |
| 45 | + |
| 46 | +- To access the subnet peering preview feature you'll need to register it in your Azure subscription. For more information about registering preview features in your subscription, see [Set up preview features in Azure subscription](/azure/azure-resource-manager/management/preview-features). |
| 47 | + |
| 48 | + - Azure Feature Exposure Control (AFEC) is available through the Microsoft.Features namespace. For this feature, below AFEC flag will need to be registered in your subscription: |
| 49 | + |
| 50 | + - **Microsoft.Features/providers/Microsoft.Network/features/AllowMultiplePeeringLinksBetweenVnets** |
| 51 | + |
| 52 | + - To register the feature, use the following commands: |
| 53 | + |
| 54 | + ```azurecli |
| 55 | + az feature register --namespace Microsoft.Network --name AllowMultiplePeeringLinksBetweenVnets |
| 56 | +
|
| 57 | + az feature show --name AllowMultiplePeeringLinksBetweenVnets --namespace Microsoft.Network --query 'properties.state' -o tsv |
| 58 | +
|
| 59 | +It would show ‘registering’ |
| 60 | +
|
| 61 | +Check again till it shows “Registered” |
| 62 | +
|
| 63 | +Subnet peering allows you to control system routes programmed in the NIC. For instance, you can restrict communication between the VNet and specific subnets. |
| 64 | +
|
| 65 | +In the existing Vnet peering create process, few new optional parameters are introduced. Below is the description/reference of each: |
| 66 | +
|
| 67 | +New Optional Parameters: |
| 68 | +
|
| 69 | +A. |
| 70 | +--peer-complete-vnet |
| 71 | +This parameter would let user exercise and option to select subnet peering. By default the value for this parameter is set to true, which means entire Vnets are peered (all address spaces/subnets). To use subnet peering, this parameter needs to be set to false. |
| 72 | +
|
| 73 | +Accepted values: 0, 1, f, false, n, no, t, true, y, yes |
| 74 | +Default value: True |
| 75 | +
|
| 76 | +B. |
| 77 | + --local-subnet-names |
| 78 | +This parameter lets user enter local subnet names they want to peer with the remote subnets, in case subnet peering is enabled by setting “peer-complete-vnet’ parameter as 0 |
| 79 | +
|
| 80 | +C. |
| 81 | + --remote-subnet-names |
| 82 | +This parameter would let user enter remote subnet names they want to peer with the remote subnets in case subnet peering is enabled by setting “peer-complete-vnet’ parameter as 0 |
| 83 | +
|
| 84 | +D. |
| 85 | +--is-ipv6-only-peering |
| 86 | +This parameter would let user exercise an option to select subnet peering with only IPv6 peering functionality. By default, the value for this parameter is set to false, which means peering would be done over IPv4 addresses by default. If set to true, peering would be done over IPv6 in case of dual stack subnets |
| 87 | +
|
| 88 | +Accepted values: 0, 1, f, false, n, no, t, true, y, yes |
| 89 | +
|
| 90 | +```azurecli |
| 91 | +az network vnet peering create --name |
| 92 | + --remote-vnet |
| 93 | + --resource-group |
| 94 | + --vnet-name |
| 95 | + [--allow-forwarded-traffic {0, 1, f, false, n, no, t, true, y, yes}] |
| 96 | + [--allow-gateway-transit {0, 1, f, false, n, no, t, true, y, yes}] |
| 97 | + [--allow-vnet-access {0, 1, f, false, n, no, t, true, y, yes}] |
| 98 | + [--no-wait {0, 1, f, false, n, no, t, true, y, yes}] |
| 99 | + [--use-remote-gateways {0, 1, f, false, n, no, t, true, y, yes}] |
| 100 | + [--peer-complete-vnet {0, 1(default), f, false, n, no, t, true, y, yes}] |
| 101 | + [--is-ipv6-only-peering {0(default), 1, f, false, n, no, t, true, y, yes}] |
| 102 | + [--local-subnet-names] |
| 103 | + [--remote-subnet-names] |
| 104 | +
|
| 105 | +``` |
| 106 | + |
| 107 | +1. Use [az group create](/cli/azure/group#az_group_create) to create a resource group named **test-rg** in the **eastus2** location. |
| 108 | + |
| 109 | + ```azurecli |
| 110 | + az group create \ |
| 111 | + --name test-rg \ |
| 112 | + --location eastus2 |
| 113 | + ``` |
| 114 | +
|
| 115 | +1. Use [az network vnet create](/cli/azure/network/vnet#az_network_vnet_create) to create two virtual networks vnet-1 and vnet-2. |
| 116 | +
|
| 117 | + ```azurecli |
| 118 | + az network vnet create \ |
| 119 | + --name vnet-1 \ |
| 120 | + --resource-group test-rg \ |
| 121 | + --location eastus2 \ |
| 122 | + --address-prefix 10.0.0.0/16 && \ |
| 123 | + az network vnet create \ |
| 124 | + --name vnet-2 \ |
| 125 | + --resource-group test-rg \ |
| 126 | + --location eastus2 \ |
| 127 | + --address-prefix 10.1.0.0/16 |
| 128 | + ``` |
| 129 | +
|
| 130 | +1. Use [az network vnet subnet create](/cli/azure/network/vnet/subnet#az_network_vnet_subnet_create) to create a subnet with multiple prefixes. |
| 131 | +
|
| 132 | + ```azurecli |
| 133 | + az network vnet subnet create \ |
| 134 | + --name subnet-1 \ |
| 135 | + --resource-group test-rg \ |
| 136 | + --vnet-name vnet-1 \ |
| 137 | + --address-prefix 10.0.1.0/24 && \ |
| 138 | + az network vnet subnet create \ |
| 139 | + --name subnet-2 \ |
| 140 | + --resource-group test-rg \ |
| 141 | + --vnet-name vnet-1 \ |
| 142 | + --address-prefix 10.0.2.0/24 && \ |
| 143 | + az network vnet subnet create \ |
| 144 | + --name subnet-3 \ |
| 145 | + --resource-group test-rg \ |
| 146 | + --vnet-name vnet-2 \ |
| 147 | + --address-prefix 10.1.1.0/24 && \ |
| 148 | + az network vnet subnet create \ |
| 149 | + --name subnet-4 \ |
| 150 | + --resource-group test-rg \ |
| 151 | + --vnet-name vnet-2 \ |
| 152 | + --address-prefix 10.1.2.0/24 |
| 153 | + ``` |
| 154 | +
|
| 155 | +1. After creating the required subnets, let's say we want to connect only subnet-1 from vnet-1 and subnet-3 from vnet-2, instead of peering the entire vnet. For this we use the optional parameters described above to achieve this. |
| 156 | +
|
| 157 | +For this we run the vnet peering create command with the optional parameters. |
| 158 | +
|
| 159 | +```azurecli |
| 160 | +az network vnet peering create -n vnet-1_to_vnet-2 |
| 161 | + -g test-rg |
| 162 | + -o none |
| 163 | + --allow-forwarded-traffic |
| 164 | + --allow-gateway-transit |
| 165 | + --allow-vnet-access |
| 166 | + --peer-complete-vnet fasle |
| 167 | + --local-subnet-names subnet-1 |
| 168 | + --remote-subnet-names subnet-3 |
| 169 | +
|
| 170 | +``` |
| 171 | +## Next steps |
| 172 | + |
| 173 | +Subnet peering helps you have better conservation of IPv4 space, by letting you re-use address spaces across subnets that need not be peered. It also prevents unnecessary exposure of entire VNet address space through gatways to On-prem environments. With IPv6 only peering, you can further configure peering pver IPv6 only for dual-stack subnets or IPv6 only subnets. Explore these capabilities and let us know if you have feedback and suggestions here. Your feedback on the overall feature would help us make Azure netowrking more powerful and enabling! |
| 174 | + |
| 175 | +To learn more about subnet peering, see [Virtual network peering](/azure/virtual-network/virtual-network-peering-overview.md). |
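Review bot: The final `az network vnet peering create` example (new-file lines 160-168) cannot run as written. `--peer-complete-vnet fasle` is not one of the accepted values listed at line 73, the command omits `--vnet-name` and `--remote-vnet`, which the syntax block at lines 91-94 shows without brackets (that is, as required), and the lines have no trailing `\` continuations, unlike the earlier steps. Suggest `--peer-complete-vnet false`, adding `--vnet-name vnet-1` and `--remote-vnet vnet-2`, and ending each continued line with a backslash. The same example passes `--allow-forwarded-traffic` and `--allow-gateway-transit` although the stated goal at line 155 is to connect only subnet-1 and subnet-3. Either drop them or say why the scenario needs them, so readers do not copy a broader setting than the article intends. Other points in this hunk: the `azurecli` fence opened at line 54 is never closed before the prose at line 59, so the text that follows will not render as prose. The template leftovers at line 18 (the HTML comment) and line 42 (`<update this for your feature.>`) should be removed. The `--remote-subnet-names` description at line 82 says the remote subnets are peered "with the remote subnets", which reads as copied from the local parameter. Step 3 at line 130 says "a subnet with multiple prefixes" but creates four subnets with one prefix each. The link at line 175 ends in `.md` while the other site-relative links in the file do not. Typos to fix: "whitelisitng" (line 31), "exercise and option" (line 71), and "gatways", "pver" and "netowrking" (line 173).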