When discussing “peering” in Azure, it’s important to clarify the context. Usually this refers to VNet Peering (connecting virtual networks) or to “Direct Peering,” a term people use loosely for two different things: internet peering with Microsoft’s edge network (the model behind Azure Peering Service for optimized internet paths) and ExpressRoute Direct (dedicated private fiber into Microsoft’s edge at 10 or 100 Gbps). Section 2 below covers the ExpressRoute Direct meaning.
Here is what you need to consider for each to ensure a secure and performant design.
1. VNet Peering (Connecting VNets)
VNet Peering is the primary way to connect two Azure Virtual Networks. Traffic between peered VNets uses private IP addresses and stays on the Microsoft backbone, so the workloads see one network; however, each VNet keeps its own NSGs, route tables and RBAC boundaries, and peering itself adds no traffic filtering.
🔑 Key Considerations:
- Address Space Overlap: CRITICAL. You cannot peer VNets if their IP address spaces (CIDR blocks) overlap. Plan your IP schema early; fixing an overlap later means re-addressing one side (removing peerings, changing the address space and re-peering, or recreating the VNet), which is disruptive.
- Transitivity: VNet peering is not transitive. If VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A cannot talk to VNet C.
- Solution: Use a Hub-and-Spoke model with an Azure Firewall/NVA in the hub and UDRs in the spokes that send spoke-to-spoke traffic through it, or use Azure Virtual WAN, which provides transitive any-to-any routing.
- Gateway Transit: If VNet A has a VPN/ExpressRoute gateway, you can allow VNet B to use it.
- Check: Enable “Allow gateway transit” on VNet A and “Use remote gateways” on VNet B. A VNet that uses a remote gateway cannot have a gateway of its own, and it can use a remote gateway through only one of its peerings.
- Cost: Local peering (same region) is cheaper than Global peering (different regions). Both inbound and outbound data transfer are charged, on both sides of the peering.
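Two of the checks above (no overlapping address spaces, and no reliance on transitive reachability) are cheap to automate before you create peerings. The following is an added example, not code from the original answer or from Microsoft; the VNet inventory and peering set in it are constructed sample data, and the function names are my own.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory (not real VNets): name -> list of address spaces.
VNETS = {
    "hub":    ["10.0.0.0/16"],
    "spoke1": ["10.1.0.0/16"],
    "spoke2": ["10.2.0.0/16"],
    "spoke3": ["10.1.128.0/17"],   # sits inside spoke1's /16: cannot be peered with spoke1
}

# Constructed peerings: hub-and-spoke, no spoke-to-spoke peering.
PEERINGS = {("hub", "spoke1"), ("hub", "spoke2")}


def find_overlaps(vnets):
    """Return (vnet_a, vnet_b, prefix_a, prefix_b) for every pair whose address spaces overlap."""
    conflicts = []
    for (a, spaces_a), (b, spaces_b) in combinations(vnets.items(), 2):
        for pa in spaces_a:
            for pb in spaces_b:
                if ipaddress.ip_network(pa).overlaps(ipaddress.ip_network(pb)):
                    conflicts.append((a, b, pa, pb))
    return conflicts


def can_peer(vnets, a, b):
    """Azure rejects a peering between VNets whose address spaces overlap."""
    return not any({a, b} == {x, y} for x, y, _, _ in find_overlaps(vnets))


def directly_peered(peerings, a, b):
    return (a, b) in peerings or (b, a) in peerings


def reachable_via_peering(peerings, src, dst):
    """Peering is not transitive: only a direct peering carries traffic between two VNets."""
    return directly_peered(peerings, src, dst)


def reachable_via_hub(peerings, hub, src, dst):
    """With an NVA/Azure Firewall in the hub and spoke UDRs pointing at it,
    two spokes can reach each other as long as each is peered with the hub."""
    return directly_peered(peerings, src, hub) and directly_peered(peerings, hub, dst)


if __name__ == "__main__":
    for a, b, pa, pb in find_overlaps(VNETS):
        print(f"overlap: {a} {pa} vs {b} {pb}")
    print("spoke1 -> spoke2 via peering only:", reachable_via_peering(PEERINGS, "spoke1", "spoke2"))
    print("spoke1 -> spoke2 via hub NVA:     ", reachable_via_hub(PEERINGS, "hub", "spoke1", "spoke2"))
```

Run this against an exported inventory before you submit peering requests; the same overlap test applies to on-prem prefixes you plan to advertise over a gateway, since those collide with VNet address spaces just as peered VNets do.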
2. Direct Peering (ExpressRoute Direct & Peering Service)
In this sense, “Direct Peering” refers to ExpressRoute Direct, where you connect your own routers to Microsoft’s edge at a peering location over a pair of 10 Gbps or 100 Gbps ports, instead of going through a connectivity provider.
🔑 Key Considerations:
- Physical Connectivity: You are responsible for the “Last Mile” fiber from your data center to the Microsoft Peering Location.
- SKU Selection:
- Local: Access to Azure regions in or near the same metro as the peering location; no data egress charge (cheapest).
- Standard: Access to all Azure regions in the same geopolitical region.
- Premium: Required for global connectivity across geopolitical regions, and raises limits (more VNet links per circuit and more BGP route prefixes).
- Microsoft Peering vs. Private Peering:
- Private Peering: Connects your on-prem network to your Azure VNets (internal traffic).
- Microsoft Peering: Connects your on-prem network to Microsoft 365, Dynamics 365, and Azure public PaaS endpoints (Storage, SQL) over the circuit using public IP addresses (this is not Azure Private Link). Route filters control which service prefixes you receive, and Microsoft 365 over ExpressRoute requires Microsoft approval.
3. Comparison Summary
| Consideration | VNet Peering | Direct Peering (ExpressRoute Direct) |
|---|---|---|
| Primary Use | Cloud-to-Cloud connectivity. | On-Prem-to-Cloud (High Bandwidth). |
| Medium | Microsoft Global Backbone. | Dedicated Physical Fiber + Backbone. |
| Bandwidth | Limited by the VM SKU’s network bandwidth (and by the gateway SKU when using gateway transit). | Up to 100 Gbps per port. |
| Complexity | Low (Point-and-click). | High (Requires physical fiber/BGP). |
| Security | Private traffic on the Azure backbone; not encrypted by default, and NSGs/firewalls still have to be applied. | Private, dedicated physical path; not encrypted by default, but MACsec is supported on ExpressRoute Direct ports and IPsec can be run over the circuit. |
🚦 Common Pitfall: Asymmetric Routing
If two VNets are peered to each other and both also connect to the same ExpressRoute circuit, the circuit re-advertises each VNet’s prefix to the other’s gateway over BGP. A subnet can then hold two routes for the same prefix: a System route via the peering and a BGP route via the ExpressRoute gateway. If one side picks the gateway and the other side picks the peering, traffic goes out one path and returns on the other, which stateful firewalls and NVAs will drop.
The Fix: Make both sides choose the same path. Azure does not prefer peering by default: after longest prefix match, routes with the same prefix are chosen in the order User-defined (UDR), then BGP-learned, then System (VNet peering routes are System routes), so an ExpressRoute-learned route wins over the peering for an identical prefix. Either stop advertising the VNet prefixes over the circuit, or add a UDR on the side that would otherwise use the peering (for example, next hop “Virtual network gateway”) so the return path matches the outbound path, and verify with the effective routes of a NIC on each side (`az network nic show-effective-route-table`).
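The route-selection order is easy to get backwards, so here it is as a small simulator of Azure’s effective-route choice (longest prefix match, then UDR over BGP over System) applied to both directions of a flow. This is an added example, not code from the original answer or from Microsoft; the two route tables are constructed to reproduce the pitfall and are not exported from a real subscription, and the function names are my own.

```python
import ipaddress

# Azure picks an effective route by longest prefix match; among routes with the same
# prefix length it prefers User-defined (UDR), then BGP-learned, then System routes.
# VNet peering routes are System routes. Lower number wins here.
SOURCE_PRIORITY = {"User": 0, "BGP": 1, "System": 2}


def select_route(routes, dest_ip):
    """Return the effective route a subnet would use for dest_ip, or None if nothing matches."""
    ip = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r["prefix"])]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen, SOURCE_PRIORITY[r["source"]]),
    )


def path_symmetric(routes_a, ip_a, routes_b, ip_b):
    """Compare the forward (A->B) and return (B->A) next-hop types; True when they match."""
    fwd = select_route(routes_a, ip_b)["next_hop"]
    ret = select_route(routes_b, ip_a)["next_hop"]
    return fwd == ret, fwd, ret


# Constructed effective routes for a subnet in VNet A (10.1.0.0/16). A learns VNet B's
# prefix twice: from the peering (System) and from the ExpressRoute circuit (BGP).
ROUTES_A = [
    {"prefix": "10.1.0.0/16", "source": "System", "next_hop": "VirtualNetwork"},
    {"prefix": "10.2.0.0/16", "source": "System", "next_hop": "VNetPeering"},
    {"prefix": "10.2.0.0/16", "source": "BGP", "next_hop": "VirtualNetworkGateway"},
    {"prefix": "0.0.0.0/0", "source": "System", "next_hop": "Internet"},
]

# Constructed effective routes for a subnet in VNet B (10.2.0.0/16): only the peering route back to A.
ROUTES_B = [
    {"prefix": "10.2.0.0/16", "source": "System", "next_hop": "VirtualNetwork"},
    {"prefix": "10.1.0.0/16", "source": "System", "next_hop": "VNetPeering"},
    {"prefix": "0.0.0.0/0", "source": "System", "next_hop": "Internet"},
]


def fixed_routes_b():
    """The fix: a UDR in B steers A's prefix to the ExpressRoute gateway, matching A's choice."""
    return ROUTES_B + [{"prefix": "10.1.0.0/16", "source": "User", "next_hop": "VirtualNetworkGateway"}]


if __name__ == "__main__":
    print("before:", path_symmetric(ROUTES_A, "10.1.0.4", ROUTES_B, "10.2.0.4"))
    print("after: ", path_symmetric(ROUTES_A, "10.1.0.4", fixed_routes_b(), "10.2.0.4"))
```

The forward path from A goes out the ExpressRoute gateway because the BGP route beats the peering’s System route for the identical /16, while B answers over the peering; only after the UDR on B do both directions use the gateway. Feed it the output of `az network nic show-effective-route-table` for a NIC on each side to check a real deployment.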