Azure Subnet Peering
Mostafa Elkattan
🔶 Introduction
Azure offers powerful networking capabilities to help organizations build scalable, secure, and high-performance architectures. One such feature is Virtual Network (VNet) Peering. While traditional VNet peering connects whole virtual networks, Subnet Peering (sometimes misused as a term) refers to the segregation and secure routing between subnets within or across peered VNets. This article explores the concept of Azure VNet Peering and how subnets interact in peered scenarios.
🔷 1. What is Azure VNet Peering?
Azure VNet Peering enables communication between two VNets as if they are part of the same network. It provides:
Low-latency, high-bandwidth connection
Private IP communication
No need for gateways or public internet
Types of peering:
Intra-region peering: Between VNets in the same region
Global peering: Between VNets across different Azure regions
💡 Important: Azure does not support direct subnet-to-subnet peering. Subnet communication happens through peered VNets.
🔷 2. Subnet Communication in Peered VNets
When two VNets are peered:
All subnets in both VNets can communicate with each other by default (if allowed by NSGs and route tables)
You can control subnet-level communication using:
Network Security Groups (NSGs)
User-Defined Routes (UDRs)
Firewall rules (e.g., Azure Firewall or NVA)
🔷 3. Practical Use Case of “Subnet Peering”
Imagine two departments (Dev and Prod) each have a VNet:
VNet-DevwithSubnet-DevVNet-ProdwithSubnet-Prod
You peer the VNets and allow only Subnet-Dev to communicate with Subnet-Prod while blocking others.
Steps:
Create VNets and subnets
Configure VNet Peering
Apply NSGs to restrict communication to only specific subnets
Optionally use route tables to redirect traffic through a firewall
🔷 4. Security Considerations
By default, VNet peering allows all subnets to talk to each other
Always use NSGs and route tables to restrict communication
Use Service Tags (like
VirtualNetwork) to simplify rulesConsider Azure Firewall for centralized policy control
🔷 5. Common Scenarios
| Scenario | Description |
| Shared Services | Centralized services (DNS, AD, etc.) accessed via subnet-level control |
| Hub-Spoke Topology | Spokes communicate with the Hub but not with each other |
| Multi-region Design | Peering VNets across regions with controlled access |
🔷 6. Limitations and Best Practices
You cannot peer subnets individually—peering is VNet-level
Avoid overlapping IP ranges
Use BGP with VPN Gateway if advanced routing is needed
Use network watcher to monitor traffic flow
✅ Conclusion
While Azure doesn't offer direct subnet peering, using VNet peering with subnet-level control allows you to securely design granular network access patterns. By combining NSGs, route tables, and firewalls, you can simulate subnet peering effectively and securely.
Subscribe to my newsletter
Read articles from Mostafa Elkattan directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
Mostafa Elkattan
Mostafa Elkattan
Multi Cloud & AI Architect with 18+ years of experience Cloud Solution Architecture (AWS, Google, Azure), DevOps, Disaster Recovery. Forefront of driving cloud innovation. From architecting scalable infrastructures to optimizing. Providing solutions with a great customer experience.