1. Introduction to VNET Peering
It’s important that we understand how Azure implements the key across virtual networks. By default, a machine that is on one Virtual Network cannot communicate with a machine or database on any other Virtual Network. Especially if we’re dealing with storage accounts or Azure SQL database that don’t exist on virtual networks. That doesn’t apply because those are public services that require a key to access. But if you’ve associated your storage account to a private endpoint on a Virtual Network, then you will find Virtual Machine on another network cannot communicate with it. But that doesn’t stop the communication. We can actually set up what is called a peering relationship between the two. So if we go into one of the virtual networks and we go into peering, then we’ll be able to add the connect between those two networks.
So I’m going to say add. We do have to give the name of the peering connection from the one network to the other. And then we’re going to also name it the other back. So let’s call this new test one to two. Now, we’re using the Resource Manager model. Of course, we wanted to connect to networks that were across subscriptions. Then we could use the Resource ID model and this will allow us to connect with the Virtual Network that we don’t have access to or a subscription.
We’re going to connect this name here using our subscription. We’re going to connect to test two. So we are working on new test one and we want to connect new test two. Now, we do also have to create a name for the reverse connection. So this is called new test two to one. Now this is get to configure whether we allow traffic in both directions or we only want the traffic in one direction. So allow Virtual Network access from one to two enabled. Allow Virtual Network access from one also enabled. If I was to disable this, then all the devices on one connected devices on two but two would not be able to route traffic to one. Now there’s also the concept of forwarded traffic. Now forwarded traffic basically traffic that comes from another source that it wants to get to new test. So let’s say there’s another peering relationship between new test two and new test three. But traffic from three can get to one and then of course, the other way around as well to peer traffic that comes from other networks. To get to two. We also have this concept of a gateway transit. So if we want to set up a network gateway, then this will allow us to go across the VPN if we want to connect into the corporate network or express route.
So that’s it. We’ve set up a two way communication between new test one and new test two. We’ve enabled it in both directions. Right now we’re not allowing traffic from other locations. And so I can say okay. And so now it’s doing a dual deployment here. It’s deploying the peering relationship on the one side and also the peering relationship on the other. So that’s it. It basically set this up. We can see that the peerings now exist. If we were to go over to the new test two network into peerings we can see that that deploy exceeded as well. Now, setting up this peering is not the only determinant of whether these two networks can communicate. We’re also going to be dealing with things like network security groups which block traffic, certain types of traffic from traveling over the network and also firewalls and other settings that are basically going to shape traffic or user to find routes and other things. So just simply setting up these two networks allows them to understand the IP address range of the other network actually exists and how to get traffic there. But you still have security settings that could get in the way of stopping traffic from traveling or at least determining what kind of traffic can go over that network.
2. Configure Global Peering
So right now we have two virtual networks that are set up to talk to each other of hearing relationship. So new test one and new test two can communicate with each other and coincidentally they’re both in the same region. But what happens when we have a virtual network halfway around the world in Japan? Can we set up a peering relationship with Japan? So I’m going to go going to new test three which is in Japan. And I’m going to go down to peerings and I’m going to add a peering. Now we’re going to set this up to three to one. So we’re going to connect new test three to new test one. And I’m going to select the virtual network.
We can see new test one available drop down and this is going to be called new test one to three because it’s on the other end of the connection. For now we’re going to leave the default settings. So we’ll allow two Atrix and we won’t have forwarded traffic. I’m going to click OK again the deployment made into new test three and a new test one. Now new test two is not affected. Also important to notice nothing on the network is brought down that there’s no disruption the existing systems. We’re able to open up the communication but we’re not actually reflecting the VMs or anything like that. Okay, so now we have very easily connection between Japan and East US two.
So between three and one. Now notice three can talk to one and two can talk to one, but two cannot talk to three. Now what can we do? We can obviously set up a pairing relationship between three and two. So that’s one of the options is to make this into a triangle effectively where every virtual network has two peers. The other option we have is to set up a chaining relationship. So we already have three talking to one and looking to two. So why couldn’t three talk to two by traveling to go over one? Well, it certainly could when we were setting up our peering.
I’m going to go into new test one and into peerings. Let’s look at one to two. We actually did not allow forwarded traffic. So if we initiate a setting, this would be allowed traffic from two to one. In actual fact, we want traffic from one to two. So I guess I go into peerings. So enable forwarded traffic from one two. So any traffic from three that wants to travel to two, we can enable this in this section. Now we also do need to enable it in the reverse as well in order for you to talk to three. So I’m going to save that and we’re going to go back into one into peerings and we’re going to enable traffic to travel from I guess it’s from one to three. So we have to be very careful here with this the wording so allow for traffic from one to three. I can enable that. And now we have traffic traveling from two to three and from three to two with one in the middle. And that’s a chaining relationship. So also probably important to talk about the pricing, because although creating these virtual networks is free, so I created three virtual networks all for free, and every subscription is allowed up to 50 virtual networks in total, then we do have pricing for peering.
So just having the two East US two regions virtual networks connected to each other, that is one cent per gigabyte of traffic. That’s not that cheap, actually, because storage two cent per gigabyte for a whole month. And we’re talking about data being one cent per gigabyte in a case. So when you set up stuff in terms of peering, you’re actually introducing bandwidth charges. Also important to notice, it charges on both ends. So to use traffic from VNet One to VNet Two, VNet One incurs, $0. 01 from the outbound, and VNet Two incurs one cent on the inbound. So it’s actually two cent for a single burst of traffic from one network to another. Now we’re talking about global. So now we’re outside of the region, then pricing is different, and it’s also based on zones. So if we scroll down to the bottom, we can there’s a Frequently Asked Questions and it asks, what is the different zones? So we were dealing with East US two, and that was in zone one, and we were talking about Japan, and that’s in zone two.
So what we’re talking about is data that’s traveling between zone one and zone two. So if we scroll back up, we can see under global VNet peering that we have a data transfer coming into the United States at 0. 5 cents per gigabyte and traveling outbound at Japan. So we’re looking at something like 12. 5 cents in order for data to travel across those two zones. So it says if data is being transferred from zone one to zone two, which is our exact scenario, then you’re occurring outbound from zone one and inbound into two. So it’s about twelve cents a gigabyte, which is way more than the interregion pricing. So that’s something important to keep in mind when you’re talking about transferring data across a peering relationship. And that’s just the reality of it, I guess.
3. Azure-to-Azure Virtual Network Gateway
Now when it comes to allowing devices on these Virtual Network talk to each other, we’ve already seen how to set up a peering relationship. But there’s also a second do this that is using network gateways. So if we go into one of these virtual networks and we go into subnets, we can actually see that by default we only have the one subnet. We’ll talk in another part of this course about how to create other subnets for purposes. But there’s also this thing called a gateway subnet in which we can install a network gateway. Network gateway set up site to site VPNs between tubes. Now, normally this would be used as a VPN between your office and Azure. And so you can set up a VPN device, a physical device on premises, to connect to this network gateway and allow people on your network to talk to Azure and vice versa.
But we can use these same network gateways to set up effective site to site connection between two VNETs. We’re going to go and create a gateway subnet. Now actually, before we do that, we should note that I have intentionally left space on the VNet for these extra addresses. So the entire VNet is a 27, which has 32 IP addresses, but the subnet is a 28, which is only 16 addresses. And as you see, five of them are reserved. And so there’s only eleven. So we do have half of the address space available. So I’m going to create a gateway subnet. It’s given a name that we have no control over, and it’s automatically going to take the remaining eleven addresses for itself. We’re not going to set up any security, anything like that. We’re going to leave it as the default. So it’s going to create a second subnet called gateway subnet on this thing.
Now, in order to use this, we’re going to have to add a network gateway to this as a device. So I’m going to go back up to the resource group, say add, I’m going to type net gateway, and we can see Virtual Network gateway as a device. Now we have to give it a name. So VNet gateway is a good name. Now it is important to where we’re going to place it. We want this Virtual Network gateway to be east to us two, because that’s where our Virtual Network is. And then we’ll put one in Japan and we can set up those two. This is a VPN device. We’ll leave the defaults on that. And which Virtual Network are we going to add this to? We only have the network gateway on new test one right now.
Okay, so it’s already picked up the gateway address range. If I chosen new test two, then it would have created me that address range for me out. It’s smarter. Now, network does require a public IP. So call this new gateway one, new Gate One. I’m going to leave all these other defaults set, save, review and create and create. Now, while that’s doing, I’m going to switch over to the pricing screen. Now, as you’d expect, virtual networks are not free. And so we’re looking at basically getting a device like I think we chose the gateway one do, and so it is nineteen cents per hour. That does add up to about $140 a month in this sort of skew.
Now, we get a dedicated set in with and we get up to 30 site to site tunnels that we can which will allow us to connect to other virtual networks or set up to our on premises. Now, the pricing for traffic is different and it’s actually cheaper to do this network gateway connection that is peering. But as you see, we’re paying for the device itself. We’ll be paying this is on both ends, but you do get free inbound. So you’re not paying on both sides, you’re only paying on one, and you’re paying the regional for outbound traffic. So if you have a lot of traffic going from East US two in Pan, you’re getting free inbound traffic in Japan and you’re only paying the 3. 5 cents per gigabyte, which is the low end price of traffic from East US two.
And so compared to the 12. 5 cents we were looking at for peering, 3. 5 cents is a lot cheaper. Now, you’re going to have to do the math and see if having paying $100 for a gateway on both ends times two is cheaper than what you’re actually in for the data transfer bandwidth. So there’s going to be a mathematiculation to see if this is a money saving method for you. Now, while we’re waiting, I actually deployed the Virtual Network gateway to the Japan network as well. And so we are in the process. Now. It doesn’t take a little while. So the Virtual Network gateway been deploying now to East US two for more than five minutes. And so it’s going to take five to ten minutes for this network gateway to get started and we’ll pause the video and come back when it is set up.
4. Adding a Network Gateway Connection
So it took 22 minutes to get a virtual network gate deployed into East US two, and 32 minutes to get that deployed into Japan. So now that those deployments are complete, we can take a look at them. So I’m going to go back up to the resource group level. Now, before I get into the gateways themselves, let’s look at the networks. So remember, we added the gateway subnet to those two networks, new test one and new test three. In my case, if we go into connected devices, we can see that the network gateway successfully connected to the gateway subnet in this network, go back up to the resource level, and I’m going to go into that gateway.
What we’re interested in is Nexions. Okay? Now there are no current connections. Now we could set up a point to site VPN or a site to site VPN, but in this case, we’re going to set up a Venet connection. So under connections, I’m going to say add. We do have to give it a name. I’m going to call this Talking to Japan. It is a net to VNet configuration as opposed to site to site or express route. So that is one of the VNet gateway configurations here. Now we know that the first gateway is the one that we’re in, which is the VNet gateway. The other gateway is the Japan gate. And we can choose this from the list here. So now we’re signaling that we want to connect these two gateway. We do have to create a shared key that both gates are going to have to be set up with in order to have this communication.
Now, if we have physical device, we could grab the key from that, but this is a VNet to VNet, so we do have to give it the password effectively. Now it’s not hidden in any way. So I’m going to put my shared key, going to leave all the rest of the defaults. We know what subscription we’re in, resource group we’re in. We know where this gateway has already been created. So I’m going to say, okay, we’ll give that a moment to get created. So it’s been about ten minutes since I created this connection and we can see that it’s in a state. If I go into it, we can click into it.
We can see a section and it’s connecting the new test one and new test three networks based on the two gateways. Remember, this is in East US two and this one’s in Japan. And so we can go into the log and we can actually see that there are activities going on. 13 minutes ago I started this connection and now we’re into some other stuff. So we can actually look at the deployment as it’s going. Now it’s exceeded. So now we have, as we were clicking around, two virtual networks that are connected over a network gateway. So remember, we’ve got peering that can be local or global with one pricing structure. Or we’ve got this network gateway which can also be local or global.
Now, the advantage of a network gateway over the other option in terms of peering is that network gateways are actually symbol. So if you have a lot of traffic being sent, you can actually get up to a higher if we go into the configuration, we can see that gateway one, but we can go into gateway two and a gateway three if we wish. We could also set up an active to active configuration which would allow even redundancy in case so that this thing would even be higher availability. Gateways have sort of an enterprise greater than not saying that peering is unreliable in any way either. So we can also set up a configuration where you have your corporate network using a site to site VPN to get into Azure using a gateway and then being able to then further connect onto other networks there through a peering relationship. Now, we did set up a gateway on both ends, but that’s not even required in a peers and ship. Remember when we were looking at the peering? I go into this one and into peering. We basically could have enabled a network. We can enable new test two to use the VPN device on new test one or the gateway device or new test one. And so this concept of remote gateways is a way of having one VPN device and then having remote gateways that are using that to communicate onto the corporate network. So lots of settings will need to set up peering between different networks.