Azure Subnet Peering

🔶 Introduction

Azure offers powerful networking capabilities to help organizations build scalable, secure, and high-performance architectures. One such feature is Virtual Network (VNet) Peering. While traditional VNet peering connects whole virtual networks, Subnet Peering (sometimes misused as a term) refers to the segregation and secure routing between subnets within or across peered VNets. This article explores the concept of Azure VNet Peering and how subnets interact in peered scenarios.

🔷 1. What is Azure VNet Peering?

Azure VNet Peering enables communication between two VNets as if they are part of the same network. It provides:

  • Low-latency, high-bandwidth connection

  • Private IP communication

  • No need for gateways or public internet

Types of peering:

  • Intra-region peering: Between VNets in the same region

  • Global peering: Between VNets across different Azure regions

💡 Important: Azure does not support direct subnet-to-subnet peering. Subnet communication happens through peered VNets.

🔷 2. Subnet Communication in Peered VNets

When two VNets are peered:

  • All subnets in both VNets can communicate with each other by default (if allowed by NSGs and route tables)

  • You can control subnet-level communication using:

    • Network Security Groups (NSGs)

    • User-Defined Routes (UDRs)

    • Firewall rules (e.g., Azure Firewall or NVA)

🔷 3. Practical Use Case of “Subnet Peering”

Imagine two departments (Dev and Prod) each have a VNet:

  • VNet-Dev with Subnet-Dev

  • VNet-Prod with Subnet-Prod

You peer the VNets and allow only Subnet-Dev to communicate with Subnet-Prod while blocking others.

Steps:

  1. Create VNets and subnets

  2. Configure VNet Peering

  3. Apply NSGs to restrict communication to only specific subnets

  4. Optionally use route tables to redirect traffic through a firewall

🔷 4. Security Considerations

  • By default, VNet peering allows all subnets to talk to each other

  • Always use NSGs and route tables to restrict communication

  • Use Service Tags (like VirtualNetwork) to simplify rules

  • Consider Azure Firewall for centralized policy control

🔷 5. Common Scenarios

ScenarioDescription
Shared ServicesCentralized services (DNS, AD, etc.) accessed via subnet-level control
Hub-Spoke TopologySpokes communicate with the Hub but not with each other
Multi-region DesignPeering VNets across regions with controlled access

🔷 6. Limitations and Best Practices

  • You cannot peer subnets individually—peering is VNet-level

  • Avoid overlapping IP ranges

  • Use BGP with VPN Gateway if advanced routing is needed

  • Use network watcher to monitor traffic flow

Conclusion

While Azure doesn't offer direct subnet peering, using VNet peering with subnet-level control allows you to securely design granular network access patterns. By combining NSGs, route tables, and firewalls, you can simulate subnet peering effectively and securely.

0
Subscribe to my newsletter

Read articles from Mostafa Elkattan directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Mostafa Elkattan
Mostafa Elkattan

Multi Cloud & AI Architect with 18+ years of experience Cloud Solution Architecture (AWS, Google, Azure), DevOps, Disaster Recovery. Forefront of driving cloud innovation. From architecting scalable infrastructures to optimizing. Providing solutions with a great customer experience.