Architect's Insight: Why use Global VNet Peering instead of a VPN? Speed. VNet peering uses Microsoft's dedicated fiber backbone, offering lower latency and higher bandwidth than a VPN tunnel over the public internet. In this lab, we will simulate a multinational corporate network by connecting New York (East US) to Hong Kong (East Asia).
1. Setup: Resource Group Strategy
We start by creating a central resource container. While you can peer VNets in different resource groups, for this lab we will keep them together for easy cleanup.
- Resource Group Name: Global-Network-RG
- Region: East US
2. Creating Multi-Region Virtual Networks
10.0.0.0/16 with another 10.0.0.0/16 network.
2.1 VNet A (The US Hub)
- Name: EastUS-Vnet
- Region: East US
- Address Space: 10.0.0.0/16
- Subnet: default (10.0.1.0/24)
2.2 VNet B (The Asia Branch)
- Name: EastAsia-Vnet
- Region: East Asia
- Address Space: 192.168.0.0/16 (Distinct IP range)
- Subnet: default (192.168.1.0/24)
3. Establishing the Peering Link
Peering is a two-way street. You must link A to B, and B to A. Azure's portal now handles both directions in a single wizard.
- Link Name: US-to-Asia-Link
- Traffic to Remote: Allow (Default)
- Traffic forwarded from Remote: Allow (Default)
- Gateway Transit: None (We are not using a VPN Gateway here)
4. Deploying Test Virtual Machines
We deploy standard Windows Server VMs to verify the connection. Note that we are using Gen2 VMs for faster boot times.
| Feature | VM 1 (Source) | VM 2 (Destination) |
|---|---|---|
| Name | VM-US | VM-Asia |
| Region | East US | East Asia |
| Private IP | 10.0.1.4 | 192.168.1.4 |
5. The "Hidden" Step: Firewall Configuration
Most tutorials fail here. By default, Windows Server has its OS firewall turned on, which blocks inbound ICMP (ping) requests. Even if your Azure peering is perfect, the ping will time out.
The Fix:
- RDP into both VMs.
- Open PowerShell as Administrator.
- Run this command to allow Ping packets:
New-NetFirewallRule -DisplayName "Allow ICMPv4-In" -Protocol ICMPv4
(Alternatively, for a quick lab test, you can turn off the Windows Firewall entirely, but never do that in production.)
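A narrower alternative to the rule above, as an added example that is not part of the original lab: it allows only ICMPv4 echo requests (type 8) and only from the peered VNet's address space, rather than all ICMPv4 from any source. The rule name is a hypothetical choice, and the script assumes each VM's hostname matches its Azure VM name.

```powershell
# Added example, not from the original lab. Run in an elevated PowerShell on each VM.
# Address spaces come from section 2; the rule name is a hypothetical choice, and the
# script assumes each VM's hostname matches its Azure VM name (VM-US / VM-Asia).
$addressSpace = @{
    'VM-US'   = '10.0.0.0/16'      # EastUS-Vnet
    'VM-Asia' = '192.168.0.0/16'   # EastAsia-Vnet
}
$ruleName = 'Lab-ICMPv4-Echo-From-Peer'

# Hashtable lookups are case-insensitive, so VM-ASIA matches 'VM-Asia'.
$localSpace = $addressSpace[$env:COMPUTERNAME]
if (-not $localSpace) {
    throw "Unknown host '$env:COMPUTERNAME'; add it to `$addressSpace first."
}
# The peer is whichever lab address space this VM does not live in.
$peerSpace = @($addressSpace.Values | Where-Object { $_ -ne $localSpace })

# Remove the broad any-source rule if it was already created.
Get-NetFirewallRule -DisplayName 'Allow ICMPv4-In' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Create the scoped rule once; re-running the script leaves it unchanged.
if (-not (Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name $ruleName `
        -DisplayName 'Lab: ICMPv4 echo request from peered VNet' `
        -Direction Inbound -Action Allow `
        -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $peerSpace | Out-Null
}

# Show what was applied so the scope can be checked before running the ping test.
Get-NetFirewallRule -Name $ruleName | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        IcmpType      = ($_ | Get-NetFirewallPortFilter).IcmpType
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    }
}
```

Delete the rule with `Remove-NetFirewallRule -Name 'Lab-ICMPv4-Echo-From-Peer'` once the validation in the next section is done.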
6. Validation & Cost Analysis
The Ping Test
Now that the firewall is open, go to VM-US and run:
C:\> ping 192.168.1.4
If you see Reply from 192.168.1.4: bytes=32 time=240ms, congratulations! You are routing traffic halfway across the world privately.
Cost Warning (Real World)
Peering is not free. In Azure, Global Peering (across regions) charges for both Inbound and Outbound data transfer.
- Inbound Data: ~$0.035 per GB
- Outbound Data: ~$0.035 per GB
Always calculate your data volume before using Global Peering for high-traffic applications.