1. Vet Peering Concepts
All right, in this video and this section of the course, we're going to talk about a couple of different ways to implement VNet-to-VNet connectivity. We've seen previously that inside a VNet, within a subnet or across several subnets in the same VNet, there is no real issue in terms of connectivity; you actually have to specifically block it. We haven't talked about security yet, but we have seen that within a subnet two devices can communicate with each other unless there's something blocking it, and the same is true across two different subnets. But that's not true when you have multiple VNets. If we were to create a second virtual network and deploy a device into a subnet there, it would not be able to connect to our virtual machines by default. We would then have to set up what's called peering between the two networks in order for them to recognize each other.
Now there's another way to do this besides peering, and that's using a network gateway. There are pros and cons to using a network gateway versus peering. So in this video we're going to talk about the two, and then in subsequent videos we'll demonstrate how to set them both up. So let's talk about the two concepts here. Virtual network peering is basically a direct connection between two virtual networks that are either in the same region or, with a concept called global peering, across Azure regions. These are effectively direct connections, and all the traffic travels over Microsoft's private backbone, so you're using a very high speed infrastructure. The traffic never gets exposed to the public Internet; you're basically just transferring data between the two networks. Now, this is not free. Sending data between two VNets even in the same region has a cost. When we look at the diagram, this is between two different regions.
But imagine these were both in East US. You're paying for the outbound and you're paying for the inbound, so you basically need to add these two numbers together. It's two cents per gigabyte to send data between virtual networks in the same region. That could add up, right? And if you're talking about networks in different regions, then there's this zoning concept where you've got the North American and Western European regions, some of the farther out regions, and South America and South Africa and so on; you've even got the farthest regions. So for instance, if you took data leaving East US 2 at 3.5 cents per gigabyte and arriving in Japan, that is a total of 12.5 cents per gigabyte to send data from the US to Japan. That's an example of that. So that's the concept of peering: it's private, it's fast, and it uses the Microsoft backbone.
Now we can use the VPN gateway. We've seen earlier in this course that a VPN gateway can be used for connecting your site-to-site VPN, your point-to-site VPN, and even ExpressRoute. Well, the same kind of VPN gateways can be connected to each other. What that does is give you encrypted traffic between them, and it works over the public Internet. You'll have a VPN gateway on one subnet, another VPN gateway on another network, and you'll connect them both within Azure. It's encrypted, it's a bit slower, and the pricing is completely different because the VPN gateways themselves have a charge. The way it's charged is different because, remember, you're paying for the gateway: there's a price of $25, $100, or $300 a month for the gateway.
There are performance limits as we go down the tiers. Luckily, inbound data is free. So if you're sending data from the eastern United States into Japan, you're not paying for the data going into Japan, because that is counted as free. But you are paying for data leaving a region, at the normal Microsoft data transfer rate, right? So we can see the pricing is different. You're going to have to determine what the best option is from a pricing perspective for you. But you do get some advantages. Maybe you already have a virtual network gateway.
Maybe those networks that you're trying to connect already exist. So now you can just add an additional tunnel, and you're not incurring the additional hardware charge. Those are some of the decisions you have to make when deciding between VNet peering and VPN gateways. Peering is fast, with high bandwidth on the private network. Gateways have slower bandwidth, but they do offer encryption. Maybe you already have VPN gateways, and maybe the pricing will be more favorable to you. And finally, if you've got a VPN gateway that you're using for ExpressRoute or site-to-site VPN, you can actually have these networks peered with one another, or peered with your hub and spoke effectively, and use the network gateway to do some of these connections. So that is side-by-side peering and gateway coexistence, which is also possible.
2. Demo: Create a Peering Relationship Between Two Networks
We have our existing virtual network that we've been working with, AZ-700 Course, and I'm going to create another virtual network. So I go to Create a resource, type Virtual Network, and then I'm going to say Create. I can create this in the same resource group; there's no harm in that. And I'm going to call this AZ-700 Course 2. Now, this would be another VNet in the same region, because West US is what we're using for the existing one. We can see here that it is already choosing ten 10. Now, we added 100 10 to the other address space. This /16 is probably too many addresses, so we can make it a /24. Again, the subnet is called default. I'm going to give it the name frontend2, and we're only going to take up one quarter of the address range again and leave the rest. Then I can say Review and create. So we're creating a second virtual network in the same region with a different address space, not overlapping the other one, and a subnet that is just a fraction of it. I should point out that it shouldn't let me create an address space that already overlaps.
Actually, it would let me, but it's warning me that if I created this, I'm basically not going to be able to peer it with the other one. So it lets you, but it warns you. The subnet frontend2 somehow got disconnected: ten 100 /26, Add, Review and create, and Create. So now we're creating the second virtual network. Now, it's actually pretty straightforward. Once we've got this second VNet going, we can fairly easily say that resources attached to one virtual network cannot communicate with resources that are on another virtual network.
So I could create another virtual machine, and we could prove that the other virtual machine wouldn't have connectivity at all. Take that as given. What we want to do is create a peering. So this is a peering between two networks in the same region. I go into Peerings and say Add. I have to give it a name, so I'm going to call this VNet1-to-VNet2. It's actually going to add two links, right? So from one to two, and then we're going to add two to one. Traffic to remote virtual network: are we allowing traffic to go from VNet 1 to VNet 2? We say Allow by default. Are we allowing traffic to be forwarded? So if there's a VNet 3 that sends traffic to VNet 1, could it come through to VNet 2? We're going to leave the defaults. Right now we don't have this network gateway peering thing going on. So that is the first link. The second link is the opposite: it's two to one, it's a Resource Manager model, and we choose the other network, which is AZ-700 Course.
And do we allow traffic to travel the other way? We'll leave this, and now it's going to create two network peerings: one from two to one and one from one to two. So that was super simple to do. Now if there was a resource on VNet 2, it could talk to the resource on VNet 1 by its IP address, or we could associate the private DNS zone with this network and then they can refer to each other by name, so it all ties together. So creating a peering is actually quite simple, and like I said, there are a lot of benefits. You are being charged for the traffic in a very unique way, basically double charged for it, but it's fast and it's on Microsoft's private network. Microsoft does recommend that if you have sensitive data you do your own encryption; that's why the network gateway can do encryption in the device. But yeah, we just set up peering between two networks.
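The demo above does the same three things the portal wizard does: pick a second address space that does not overlap the first, carve a subnet out of it, and create the peering as two links, one per direction. The script below is an added example, not part of the course or of Azure's own tooling: it validates the address spaces with Python's standard `ipaddress` module before any peering is attempted (the check the portal only warns about), then assembles the two `az network vnet peering create` commands for both directions. The VNet names, resource group and CIDR ranges are constructed assumptions; the transcript does not state the exact prefixes used in the demo.

```python
import ipaddress
import shlex
from typing import Dict, List

# Constructed sample values (assumptions, not taken from the course):
# the two VNets from the demo with an address space and one subnet each.
VNET1: Dict = {"name": "AZ-700-Course", "rg": "az700-rg",
               "space": "10.0.0.0/16", "subnets": ["10.0.0.0/18"]}
VNET2: Dict = {"name": "AZ-700-Course-2", "rg": "az700-rg",
               "space": "10.100.0.0/24", "subnets": ["10.100.0.0/26"]}


def address_spaces_overlap(space_a: str, space_b: str) -> bool:
    """True if the two CIDR prefixes share any address.

    Peered VNets must have disjoint address spaces; the portal lets you
    create an overlapping VNet but warns that it cannot then be peered.
    """
    net_a = ipaddress.ip_network(space_a, strict=True)
    net_b = ipaddress.ip_network(space_b, strict=True)
    return net_a.overlaps(net_b)


def subnet_fits(vnet_space: str, subnet: str) -> bool:
    """True if the subnet prefix lies entirely inside the VNet address space."""
    return ipaddress.ip_network(subnet).subnet_of(ipaddress.ip_network(vnet_space))


def peering_link(local: Dict, remote: Dict, link_name: str,
                 allow_forwarded: bool = False) -> List[str]:
    """Build one direction of the peering as an az CLI argv list.

    --remote-vnet accepts a name when both VNets share a resource group;
    use the full resource ID for a VNet in another group or subscription.
    """
    cmd = ["az", "network", "vnet", "peering", "create",
           "--name", link_name,
           "--resource-group", local["rg"],
           "--vnet-name", local["name"],
           "--remote-vnet", remote["name"],
           "--allow-vnet-access"]          # the "allow traffic" default in the portal
    if allow_forwarded:
        cmd.append("--allow-forwarded-traffic")   # traffic relayed from a third VNet
    return cmd


def plan_peering(vnet_a: Dict, vnet_b: Dict,
                 allow_forwarded: bool = False) -> List[List[str]]:
    """Validate both VNets, then return the two peering commands (A->B, B->A)."""
    if address_spaces_overlap(vnet_a["space"], vnet_b["space"]):
        raise ValueError(f"{vnet_a['space']} overlaps {vnet_b['space']}: cannot peer")
    for vnet in (vnet_a, vnet_b):
        for subnet in vnet["subnets"]:
            if not subnet_fits(vnet["space"], subnet):
                raise ValueError(f"subnet {subnet} is outside {vnet['name']} ({vnet['space']})")
    # A peering is two links; each side is created from its own VNet.
    return [
        peering_link(vnet_a, vnet_b, f"{vnet_a['name']}-to-{vnet_b['name']}", allow_forwarded),
        peering_link(vnet_b, vnet_a, f"{vnet_b['name']}-to-{vnet_a['name']}", allow_forwarded),
    ]


if __name__ == "__main__":
    # Print the commands for copy-paste; nothing here talks to Azure.
    for command in plan_peering(VNET1, VNET2):
        print(shlex.join(command))
```

Run it with no arguments to print the two commands; pass `allow_forwarded=True` only if a third VNet is expected to relay traffic through one of the pair, since that flag widens what the remote side will accept. The overlap check is deliberately `strict=True` so a prefix with host bits set (a typo like `10.100.0.1/24`) is rejected instead of silently rounded.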