Cross-Region VNet Peering and VM Communication & how I overcome this challenge at work.
VNet Peering and VM Communication

"My personal experience and challenges while at work. I had this project at work where I was asked to create two separate Virtual Networks in different regions and create virtual machines in each Virtual Network, and my challenge was to get the Virtual Machines in both Virtual Networks to communicate. How do I establish secure, scalable communication with these VMs?"

To enable secure and scalable communication between virtual machines (VMs) in two separate Virtual Networks (VNets) across different regions in Azure, you have a few options:

Solution 1: VNet Peering (Recommended for Low Latency & Simplicity)

  • Create VNet Peering
  • Update Network Security Groups (NSG)
  • DNS Resolution
  • Testing Connectivity

Solution 2: VPN Gateway (For Cross-Region Communication with Encryption)

  • Deploy a Virtual Network Gateway in Each VNet
  • Establish a VPN Connection
  • Update NSGs & Route Tables

Solution 3: Azure Virtual WAN (For Large-Scale Scenarios)

  • If you need multiple VNets across regions, Azure Virtual WAN can manage the connectivity dynamically with automated routing.

Which One to Choose?

  • VNet Peering → Best for low-latency, simple connections.
  • VPN Gateway → Better for encrypted traffic between regions.
  • Azure Virtual WAN → Scalable and best for large environments.


Solution: VNet Peering

Step-by-Step Guide

This method enables secure, low-latency communication between VMs in different VNets across regions.

Step 1: Create Two Virtual Networks (VNets)

  • Go to Azure Portal → Search for Virtual Networks.
  • Click + Create to create the first VNet:
      • Name: VNet1
      • Region: choose a region (e.g., East US)
      • Address Space: 10.0.0.0/16
      • Subnet: create a subnet (e.g., 10.0.1.0/24)
      • Click Review + Create, then Create.
  • Repeat the same process for the second VNet:
      • Name: VNet2
      • Region: choose a different region (e.g., West US)
      • Address Space: 10.1.0.0/16
      • Subnet: create a subnet (e.g., 10.1.1.0/24)
      • Click Review + Create, then Create.


Step 2: Create Virtual Machines in Each VNet

  • Go to Azure Portal → Search for Virtual Machines.
  • Click + Create VM, then configure:
      • VM Name: VM1
      • Region: same as VNet1
      • VNet: select VNet1
      • Subnet: choose 10.0.1.0/24
      • Choose a Windows/Linux image, configure credentials, then Create.
  • Repeat the same for VM2, ensuring:
      • Region: same as VNet2
      • VNet: select VNet2
      • Subnet: choose 10.1.1.0/24
      • Configure VM settings and create.


Step 3: Set Up VNet Peering

  • Go to Azure Portal → Search for Virtual Networks.
  • Click on VNet1 → Go to Peerings (left panel).
  • Click + Add Peering:
      • Peering Name: VNet1-to-VNet2
      • Peer VNet: select VNet2
      • Enable: Allow Virtual Network Access, Allow Forwarded Traffic, and Allow Gateway Transit (only if using VPN later)
      • Click OK.
  • Repeat the process for VNet2:
      • Peering Name: VNet2-to-VNet1
      • Select VNet1 as the peer.
      • Enable the same settings. Click OK.


Step 4: Configure Network Security Groups (NSG)

  • Go to Azure Portal → Search for Network Security Groups.
  • Select the NSG attached to VNet1.
  • Under Inbound Rules, click + Add Rule:
      • Source: Virtual Network
      • Destination: Virtual Network
      • Protocol: Any
      • Action: Allow
      • Priority: 100
      • Click Add.
  • Repeat for the NSG in VNet2 with the same rule.

Note: the VirtualNetwork service tag already covers peered VNets and the default AllowVnetInBound rule permits this traffic, so the explicit rule only changes anything if a higher-priority rule denies it.


Step 5: Test Connectivity

  • Connect to VM1 via RDP (Windows) or SSH (Linux).
  • Run a ping test to VM2:

ping 10.1.1.4 (Replace with VM2's private IP)

  • If ping is blocked (common for Windows), try: Test-NetConnection -ComputerName 10.1.1.4 -Port 3389 (for RDP)

Success! Now both VMs in different VNets and regions can communicate.
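Azure rejects a peering between VNets whose address spaces overlap, so the check below runs before Step 3. This is an added example and not the article's own script: cidr_overlap is pure shell and needs no Azure CLI, while peer_vnets wraps the az commands and assumes the article's resource group and VNet names (MyResourceGroup, VNet1, VNet2) and an existing az login.

```shell
#!/usr/bin/env bash
# Added example, not the article's code: check for overlapping address spaces,
# then create the peering in both directions. Assumes MyResourceGroup, VNet1, VNet2.
set -eu

# Dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  local a=${1%%.*} r=${1#*.}
  local b=${r%%.*}; r=${r#*.}
  local c=${r%%.*} d=${r#*.}
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Exit status 0 if the two CIDRs overlap, 1 if they are disjoint.
cidr_overlap() {
  local n1 n2 len1=${1#*/} len2=${2#*/} short mask
  n1=$(ip_to_int "${1%/*}"); n2=$(ip_to_int "${2%/*}")
  # Two networks overlap exactly when they agree under the shorter prefix mask.
  short=$(( len1 < len2 ? len1 : len2 ))
  mask=$(( short == 0 ? 0 : (4294967295 << (32 - short)) & 4294967295 ))
  [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

# Create the peering in both directions, but only when the address spaces are disjoint.
peer_vnets() {
  local rg=$1 vnet1=$2 prefix1=$3 vnet2=$4 prefix2=$5
  if cidr_overlap "$prefix1" "$prefix2"; then
    echo "refusing to peer: $prefix1 overlaps $prefix2" >&2
    return 1
  fi
  az network vnet peering create --name "$vnet1-to-$vnet2" --resource-group "$rg" \
    --vnet-name "$vnet1" --remote-vnet "$vnet2" --allow-vnet-access --allow-forwarded-traffic
  az network vnet peering create --name "$vnet2-to-$vnet1" --resource-group "$rg" \
    --vnet-name "$vnet2" --remote-vnet "$vnet1" --allow-vnet-access --allow-forwarded-traffic
}

# Only touch Azure when run as: ./peer.sh --apply
if [ "${1:-}" = "--apply" ]; then
  peer_vnets MyResourceGroup VNet1 10.0.0.0/16 VNet2 10.1.0.0/16
fi
```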


Here are the Optional Steps!

  • Use Azure Private DNS for hostname resolution.
  • Deploy VPN Gateway for additional security.

Solution: VNet-to-VNet VPN Gateway (Step-by-Step Guide)

This solution establishes secure, encrypted connectivity between virtual networks in different regions using an IPsec/IKE VPN tunnel.

Step 1: Create Two Virtual Networks

If you already have VNets (VNet1 and VNet2), you can skip this step.

  • Go to Azure Portal → Search for Virtual Networks.
  • Click + Create to create VNet1:
      • Name: VNet1
      • Region: (e.g., East US)
      • Address Space: 10.0.0.0/16
      • Subnet: 10.0.1.0/24
      • Click Next: Security, then Create.
  • Repeat the process for VNet2:
      • Region: (e.g., West US)
      • Address Space: 10.1.0.0/16
      • Subnet: 10.1.1.0/24
      • Click Create.


Step 2: Create a Gateway Subnet in Each VNet

Azure VPN Gateways require a dedicated gateway subnet.

  • Go to VNet1 → Click Subnets.
  • Click + Gateway Subnet:
      • Subnet Address Range: 10.0.255.0/27
      • Click Save.
  • Repeat the process for VNet2:
      • Subnet Address Range: 10.1.255.0/27
      • Click Save.


Step 3: Create VPN Gateways for Both VNets

  • Go to Azure Portal → Search for Virtual Network Gateways.
  • Click + Create → Fill in the details:
  • Repeat the same process for VNet2:

Wait 30-45 minutes for both gateways to be deployed.


Step 4: Obtain Public IP Addresses of the VPN Gateways

  • Go to Virtual Network Gateway → Select VNet1-Gateway.
  • Copy the Public IP Address.
  • Repeat the same for VNet2-Gateway.

Note: you will use these IPs in the next step.


Step 5: Configure VNet-to-VNet Connection

  • Go to Virtual Network Gateways → Select VNet1-Gateway.
  • Click Connections → + Add Connection.
  • Configure:
  • Repeat the process for VNet2-Gateway:

Wait 10-15 minutes for the connection to establish.


Step 6: Configure Network Security Groups (NSGs)

  • Go to Azure Portal → Network Security Groups (NSG).
  • Select the NSG for VNet1 → Click Inbound Security Rules → + Add Rule:
      • Source: VirtualNetwork
      • Destination: VirtualNetwork
      • Protocol: Any
      • Action: Allow
      • Click Save.
  • Repeat for NSG of VNet2.


Step 7: Verify Connectivity

  • Go to VMs and note the private IPs of both VMs (VM1 in VNet1, VM2 in VNet2).
  • Connect to VM1 via RDP (Windows) or SSH (Linux).
  • Run a ping test to VM2's private IP: ping 10.1.1.4
  • If ping is blocked (common for Windows), use: Test-NetConnection -ComputerName 10.1.1.4 -Port 3389 (for RDP)

Success! Both VMs in separate VNets and regions are securely connected via VPN!


Virtual Peering vs. VPN Gateway

Next Steps

  • If you need scalable multi-region networking, consider Azure Virtual WAN.
  • Enable Private DNS for hostname resolution.

Below is an automated approach using Azure CLI and Terraform to set up a VNet-to-VNet VPN Gateway in Azure.


Option 1: Automating with Azure CLI

You can run these commands in Azure Cloud Shell or your local terminal with the Azure CLI installed.

Step 1: Set Up Environment Variables

Modify these values based on your setup using bash:

# Define variables
RESOURCE_GROUP="MyResourceGroup"
LOCATION1="EastUS"
LOCATION2="WestUS"
VNET1_NAME="VNet1"
VNET2_NAME="VNet2"
VNET1_PREFIX="10.0.0.0/16"
VNET2_PREFIX="10.1.0.0/16"
SUBNET1_PREFIX="10.0.1.0/24"
SUBNET2_PREFIX="10.1.1.0/24"
GATEWAY_SUBNET1="10.0.255.0/27"
GATEWAY_SUBNET2="10.1.255.0/27"
VPNGW1="VNet1-Gateway"
VPNGW2="VNet2-Gateway"
VPNGW_SKU="VpnGw1"
# Placeholder only: use a long random key (e.g. from openssl rand -base64 32)
# and keep it out of scripts and shell history.
SHARED_KEY="MySecretKey123"


Step 2: Create Resource Group

az group create --name $RESOURCE_GROUP --location $LOCATION1


Step 3: Create VNets & Subnets

# VNets with their workload subnets (SUBNET1_PREFIX / SUBNET2_PREFIX)
az network vnet create --name $VNET1_NAME --resource-group $RESOURCE_GROUP --location $LOCATION1 \
  --address-prefix $VNET1_PREFIX --subnet-name Subnet1 --subnet-prefixes $SUBNET1_PREFIX

# Dedicated gateway subnet; the name must be exactly GatewaySubnet
az network vnet subnet create --resource-group $RESOURCE_GROUP --vnet-name $VNET1_NAME --name GatewaySubnet --address-prefix $GATEWAY_SUBNET1

az network vnet create --name $VNET2_NAME --resource-group $RESOURCE_GROUP --location $LOCATION2 \
  --address-prefix $VNET2_PREFIX --subnet-name Subnet2 --subnet-prefixes $SUBNET2_PREFIX

az network vnet subnet create --resource-group $RESOURCE_GROUP --vnet-name $VNET2_NAME --name GatewaySubnet --address-prefix $GATEWAY_SUBNET2


Step 4: Create VPN Gateways

# Public IPs
az network public-ip create --name "$VPNGW1-PIP" --resource-group $RESOURCE_GROUP --allocation-method Dynamic
az network public-ip create --name "$VPNGW2-PIP" --resource-group $RESOURCE_GROUP --allocation-method Dynamic

# Create VPN Gateways
az network vnet-gateway create --name $VPNGW1 --resource-group $RESOURCE_GROUP --location $LOCATION1 \
  --vnet $VNET1_NAME --public-ip-address "$VPNGW1-PIP" --gateway-type Vpn --vpn-type RouteBased --sku $VPNGW_SKU

az network vnet-gateway create --name $VPNGW2 --resource-group $RESOURCE_GROUP --location $LOCATION2 \
  --vnet $VNET2_NAME --public-ip-address "$VPNGW2-PIP" --gateway-type Vpn --vpn-type RouteBased --sku $VPNGW_SKU

Wait 30-45 minutes for the gateways to be created.


Step 5: Retrieve Public IPs

# Not needed by the same-subscription connection commands in Step 6; kept for reference and troubleshooting
GW1_IP=$(az network public-ip show --name "$VPNGW1-PIP" --resource-group $RESOURCE_GROUP --query "ipAddress" --output tsv)
GW2_IP=$(az network public-ip show --name "$VPNGW2-PIP" --resource-group $RESOURCE_GROUP --query "ipAddress" --output tsv)


Step 6: Create VPN Connections

# A VNet-to-VNet connection must be created in both directions
az network vpn-connection create --name "VNet1-to-VNet2" --resource-group $RESOURCE_GROUP \
  --vnet-gateway1 $VPNGW1 --vnet-gateway2 $VPNGW2 --shared-key $SHARED_KEY

az network vpn-connection create --name "VNet2-to-VNet1" --resource-group $RESOURCE_GROUP \
  --vnet-gateway1 $VPNGW2 --vnet-gateway2 $VPNGW1 --shared-key $SHARED_KEY

Completed! The VPN connection is now established.
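The CLI script above carries its pre-shared key as a literal. The added example below (not the article's code) generates a random key, checks it against a local policy, and keeps it in Azure Key Vault for the two connection commands. psk_is_strong runs without az; the policy it enforces (32 to 128 printable ASCII characters, no spaces) and the vault name MyVpnVault are assumptions, and the gateway and resource group names are the article's.

```shell
#!/usr/bin/env bash
# Added example, not the article's code: generate, validate and store the VPN
# pre-shared key in Key Vault. Assumes vault MyVpnVault and an existing az login.
set -eu

# 32 random bytes, base64-encoded: 44 printable characters with no spaces.
generate_psk() {
  openssl rand -base64 32
}

# Exit status 0 if the key meets the (assumed) policy, 1 otherwise.
psk_is_strong() {
  local key=$1
  [ ${#key} -ge 32 ] && [ ${#key} -le 128 ] || return 1
  # Reject any byte outside the printable ASCII range 0x21-0x7E (this also rejects spaces).
  if printf '%s' "$key" | LC_ALL=C grep -q '[^!-~]'; then
    return 1
  fi
  return 0
}

# Store the key in Key Vault so it never lives in a script or in shell history.
store_psk() {
  local vault=$1 name=$2 key=$3
  psk_is_strong "$key" || { echo "pre-shared key rejected by policy" >&2; return 1; }
  az keyvault secret set --vault-name "$vault" --name "$name" --value "$key" --output none
}

# Create both directions of the VNet-to-VNet connection with the key read from Key Vault.
create_connections() {
  local rg=$1 gw1=$2 gw2=$3 vault=$4 name=$5 key
  key=$(az keyvault secret show --vault-name "$vault" --name "$name" --query value -o tsv)
  az network vpn-connection create --name "$gw1-to-$gw2" --resource-group "$rg" \
    --vnet-gateway1 "$gw1" --vnet-gateway2 "$gw2" --shared-key "$key" --output none
  az network vpn-connection create --name "$gw2-to-$gw1" --resource-group "$rg" \
    --vnet-gateway1 "$gw2" --vnet-gateway2 "$gw1" --shared-key "$key" --output none
}

# Only touch Azure when run as: ./vpn-psk.sh --apply
if [ "${1:-}" = "--apply" ]; then
  store_psk MyVpnVault vnet-vpn-psk "$(generate_psk)"
  create_connections MyResourceGroup VNet1-Gateway VNet2-Gateway MyVpnVault vnet-vpn-psk
fi
```

The article's MySecretKey123 fails psk_is_strong on length alone; a base64 key from generate_psk passes.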


Option 2: Automating with Terraform

If you prefer Infrastructure as Code, here’s a Terraform script:

Step 1: Create a Terraform File (vpn.tf)

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "rg" {
  name     = "MyResourceGroup"
  location = "East US"
}

resource "azurerm_virtual_network" "vnet1" {
  name                = "VNet1"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  address_space       = ["10.0.0.0/16"]
}

resource "azurerm_virtual_network" "vnet2" {
  name                = "VNet2"
  location            = "West US"
  resource_group_name = azurerm_resource_group.rg.name
  address_space       = ["10.1.0.0/16"]
}

# Azure VPN gateways require a subnet named exactly "GatewaySubnet".
resource "azurerm_subnet" "gw_subnet1" {
  name                 = "GatewaySubnet"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet1.name
  address_prefixes     = ["10.0.255.0/27"]
}

resource "azurerm_subnet" "gw_subnet2" {
  name                 = "GatewaySubnet"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet2.name
  address_prefixes     = ["10.1.255.0/27"]
}

resource "azurerm_public_ip" "pip1" {
  name                = "vpn1-pip"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  allocation_method   = "Dynamic"
}

resource "azurerm_public_ip" "pip2" {
  name                = "vpn2-pip"
  resource_group_name = azurerm_resource_group.rg.name
  location            = "West US"
  allocation_method   = "Dynamic"
}

resource "azurerm_virtual_network_gateway" "gateway1" {
  name                = "VNet1-Gateway"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  type                = "Vpn"
  vpn_type            = "RouteBased"
  active_active       = false
  enable_bgp          = false
  sku                 = "VpnGw1"

  ip_configuration {
    name                          = "default"
    public_ip_address_id          = azurerm_public_ip.pip1.id
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = azurerm_subnet.gw_subnet1.id
  }
}

resource "azurerm_virtual_network_gateway" "gateway2" {
  name                = "VNet2-Gateway"
  location            = "West US"
  resource_group_name = azurerm_resource_group.rg.name
  type                = "Vpn"
  vpn_type            = "RouteBased"
  active_active       = false
  enable_bgp          = false
  sku                 = "VpnGw1"

  ip_configuration {
    name                          = "default"
    public_ip_address_id          = azurerm_public_ip.pip2.id
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = azurerm_subnet.gw_subnet2.id
  }
}

# A VNet-to-VNet connection has to exist in both directions (as in the CLI
# version above); each connection is created in its own gateway's region.
resource "azurerm_virtual_network_gateway_connection" "vpn_connection" {
  name                            = "VNet-to-VNet"
  location                        = azurerm_resource_group.rg.location
  resource_group_name             = azurerm_resource_group.rg.name
  type                            = "Vnet2Vnet"
  virtual_network_gateway_id      = azurerm_virtual_network_gateway.gateway1.id
  peer_virtual_network_gateway_id = azurerm_virtual_network_gateway.gateway2.id
  shared_key                      = "MySecretKey123" # Placeholder; use a generated key in practice
}

resource "azurerm_virtual_network_gateway_connection" "vpn_connection_reverse" {
  name                            = "VNet-to-VNet-reverse"
  location                        = "West US"
  resource_group_name             = azurerm_resource_group.rg.name
  type                            = "Vnet2Vnet"
  virtual_network_gateway_id      = azurerm_virtual_network_gateway.gateway2.id
  peer_virtual_network_gateway_id = azurerm_virtual_network_gateway.gateway1.id
  shared_key                      = "MySecretKey123" # Must match the other direction
}


Step 2: Deploy Using Terraform

terraform init
terraform apply -auto-approve

Success! Terraform will create and manage the VPN Gateway automatically.


Which One Should You Use?

  • Azure CLI: Best for quick deployments.
  • Terraform: Best for repeatable Infrastructure as Code (IaC).


Extend with BGP Routing

Why BGP?

  • Allows automatic route updates instead of manual static routes.
  • Required for highly available VPN and multi-region networking.
  • Supports ExpressRoute & Azure Virtual WAN integration.


Steps to Enable BGP Routing

To enable BGP, each VPN gateway needs:

  • ASN (Autonomous System Number)
  • BGP Peer IP (Inside Address)

Step 1: Modify Terraform for BGP

Modify the existing Terraform file (vpn.tf) to include BGP settings:

resource "azurerm_virtual_network_gateway" "gateway1" {
  name                = "VNet1-Gateway"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  type                = "Vpn"
  vpn_type            = "RouteBased"
  active_active       = false
  enable_bgp          = true     # Enable BGP
  sku                 = "VpnGw2" # Any non-Basic SKU supports BGP; VpnGw2 adds throughput

  bgp_settings {
    asn = 65010 # Unique private ASN for VNet1
    # Azure assigns the BGP peer (inside) address from the GatewaySubnet itself
    # and it cannot be set here: the original's 10.0.255.254 is outside the
    # 10.0.255.0/27 gateway subnet, and the azurerm peering_addresses block only
    # accepts custom APIPA addresses. Read the assigned address from the gateway
    # after apply.
  }

  ip_configuration {
    name                          = "default"
    public_ip_address_id          = azurerm_public_ip.pip1.id
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = azurerm_subnet.gw_subnet1.id
  }
}

resource "azurerm_virtual_network_gateway" "gateway2" {
  name                = "VNet2-Gateway"
  location            = "West US"
  resource_group_name = azurerm_resource_group.rg.name
  type                = "Vpn"
  vpn_type            = "RouteBased"
  active_active       = false
  enable_bgp          = true # Enable BGP
  sku                 = "VpnGw2"

  bgp_settings {
    asn = 65020 # Unique private ASN for VNet2 (inside address assigned by Azure, see above)
  }

  ip_configuration {
    name                          = "default"
    public_ip_address_id          = azurerm_public_ip.pip2.id
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = azurerm_subnet.gw_subnet2.id
  }
}

# Routes are only exchanged over a tunnel whose connection has BGP enabled, so
# also set enable_bgp = true on each azurerm_virtual_network_gateway_connection.


Step 2: Update Terraform

terraform apply -auto-approve

Success! BGP will now handle route updates dynamically.


Extend with Azure Monitor

Why Azure Monitor?

  • Tracks VPN connection health, bandwidth, and latency.
  • Detects VPN outages and alerts administrators.
  • Provides logs and metrics for troubleshooting.


Steps to Enable Azure Monitor for VPN Gateway

Step 1: Enable Azure Monitor Diagnostics for VPN Gateway

Run this Azure CLI command to send logs to Log Analytics:

az monitor diagnostic-settings create \
  --name "VPNDiagnostics" \
  --resource-group MyResourceGroup \
  --resource "/subscriptions/{subscriptionID}/resourceGroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/VNet1-Gateway" \
  --logs '[{"category": "GatewayDiagnosticLog", "enabled": true},{"category": "TunnelDiagnosticLog", "enabled": true}]' \
  --metrics '[{"category": "AllMetrics", "enabled": true}]' \
  --workspace /subscriptions/{subscriptionID}/resourceGroups/MyResourceGroup/providers/Microsoft.OperationalInsights/workspaces/MyLogAnalyticsWorkspace


Step 2: Create an Alert for VPN Downtime

  • Go to Azure Portal → Monitor → Alerts.
  • Click + Create Alert Rule.
  • Select Virtual Network Gateway (VNet1-Gateway).
  • Choose Signal Name → VPN Connection Health.
  • Set Condition → Less than 1 (to trigger on failure).
  • Configure Email/Teams Notifications.
  • Click Create.

Completed! Now, you will receive alerts if the VPN connection drops.







More articles by Patience Opara - Active Public Trust Security Clearance
