Enable Communication between two Virtual Networks

Question

Enable Communication between two Virtual Networks

Manoj Chauhan 20

Hi Team,

We are planning to have two virtual networks and we need to enable communication between the same. we tried to enable VNET Peering but it is not helping.

Regards.

Ganesh Patapati 9,005 Reputation points Microsoft External Staff Moderator

2025-08-25T14:34:18.8866667+00:00
Hello Manoj Chauhan

What specific errors or issues are you encountering when trying to communicate between the VMs? Can you please share screenshot with u.

Are there any firewall settings or NSGs applied to the virtual networks or VMs?

Have you confirmed that the IP address spaces for both virtual networks are non-overlapping?

Meantime,

Peering must be configured in both directions. That means you need to create a peering from VNet1 to VNet2 and another from VNet2 to VNet1. Each peering should have:

Allow virtual network access enabled.

Allow forwarded traffic enabled if you’re using routing or gateways.

Use remote gateway and Allow gateway transit configured correctly if using VPN gateways.

Virtual network peering has a few requirements and constraints:

Peered virtual networks must:

Have non-overlapping IP address spaces

Be managed by the same Network Controller

Once you peer a virtual network with another virtual network, you cannot add or delete address ranges in the address space.

NOTE: If you need to add address ranges:

Remove the peering.

Add the address space.

Add the peering again.

Double-check that you've set up the peering links properly and that they are in a 'Connected' state. Make sure both virtual networks are in the same Azure region if you're using default peering.

You can also refer to the following documentation:

Refer: Virtual network peering

Refer: How to Configure virtual network peering

Refer: How to Connect virtual networks with virtual network peering

I hope this was helpful!

If the above is unclear or you are unsure about something, please add a comment below.
Ganesh Patapati 9,005 Reputation points Microsoft External Staff Moderator

2025-08-26T12:40:08.7133333+00:00

Hello Manoj Chauhan

We haven't heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.

Please let us know if you have any questions or concerns. We are happy to assist you.
Manoj Chauhan 20 Reputation points

2025-08-28T04:36:48.0066667+00:00

Hi Ganesh,

Thanks for your prompt response.

I see that the peering is enabled from both directions and both show a connected status. Let me explain the scenario :

We have deployed AVD and a virtual firewall which is working fine. Now the problem is that the virtual firewall we were using, is EOL and has to be upgraded with a newer version. The address space we are using here is 172.20.0.0/16 and the networks are 172.20.0.0/24 - 172.20.6.0/24. While deploying the new firewall we have to create a new address space as it cannot be used in the existing one, here we have chosen the address space 172.21.0.0/16 and the firewall interfaces are auto configured with 172.21.0.0/24 and 172.21.1.0/24 ip addresses for LAN and WAN. Now the challenge here is that when i am trying to ping 172.21.1.4 from the servers in 172.20.4.0 and so on, i am unable to do so. I wanted this because once we decommission the old firewall, we want the entire traffic from 172.20.0.0/24 network to be forwarded to the 172.22.0.0. I am expecting that this can be done using a route table.

Can you please review the above situation and advise ?

Regards,

Manoj.
Ganesh Patapati 9,005 Reputation points Microsoft External Staff Moderator

2025-08-28T13:48:01.2433333+00:00

Hello Manoj Chauhan

Thanks for the reply!

I have Initiated a private message with you. Kindly provide the necessary details in the private chat.

1 answer

Your answer

Ganesh Patapati 9,005 Reputation points Microsoft External Staff Moderator

2025-08-25T14:34:18.8866667+00:00

Hello Manoj Chauhan

What specific errors or issues are you encountering when trying to communicate between the VMs? Can you please share screenshot with u.

Are there any firewall settings or NSGs applied to the virtual networks or VMs?

Have you confirmed that the IP address spaces for both virtual networks are non-overlapping?

Meantime,

Peering must be configured in both directions. That means you need to create a peering from VNet1 to VNet2 and another from VNet2 to VNet1. Each peering should have:

Allow virtual network access enabled.

Allow forwarded traffic enabled if you’re using routing or gateways.

Use remote gateway and Allow gateway transit configured correctly if using VPN gateways.

Virtual network peering has a few requirements and constraints:

Peered virtual networks must:

Have non-overlapping IP address spaces

Be managed by the same Network Controller

Once you peer a virtual network with another virtual network, you cannot add or delete address ranges in the address space.

NOTE: If you need to add address ranges:

Remove the peering.

Add the address space.

Add the peering again.

Double-check that you've set up the peering links properly and that they are in a 'Connected' state. Make sure both virtual networks are in the same Azure region if you're using default peering.

You can also refer to the following documentation:

Refer: Virtual network peering

Refer: How to Configure virtual network peering

Refer: How to Connect virtual networks with virtual network peering

I hope this was helpful!

If the above is unclear or you are unsure about something, please add a comment below.
Ganesh Patapati 9,005 Reputation points Microsoft External Staff Moderator

2025-08-26T12:40:08.7133333+00:00

Hello Manoj Chauhan

We haven't heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.

Please let us know if you have any questions or concerns. We are happy to assist you.
Manoj Chauhan 20 Reputation points

2025-08-28T04:36:48.0066667+00:00

Hi Ganesh,

Thanks for your prompt response.

I see that the peering is enabled from both directions and both show a connected status. Let me explain the scenario :

We have deployed AVD and a virtual firewall which is working fine. Now the problem is that the virtual firewall we were using, is EOL and has to be upgraded with a newer version. The address space we are using here is 172.20.0.0/16 and the networks are 172.20.0.0/24 - 172.20.6.0/24. While deploying the new firewall we have to create a new address space as it cannot be used in the existing one, here we have chosen the address space 172.21.0.0/16 and the firewall interfaces are auto configured with 172.21.0.0/24 and 172.21.1.0/24 ip addresses for LAN and WAN. Now the challenge here is that when i am trying to ping 172.21.1.4 from the servers in 172.20.4.0 and so on, i am unable to do so. I wanted this because once we decommission the old firewall, we want the entire traffic from 172.20.0.0/24 network to be forwarded to the 172.22.0.0. I am expecting that this can be done using a route table.

Can you please review the above situation and advise ?

Regards,

Manoj.
Ganesh Patapati 9,005 Reputation points Microsoft External Staff Moderator

2025-08-28T13:48:01.2433333+00:00

Hello Manoj Chauhan

Thanks for the reply!

I have Initiated a private message with you. Kindly provide the necessary details in the private chat.

Answer 1

Hi, quick checklist to make two VNets talk (and why peering “does nothing” when one item is off): 1) No overlapping ranges: confirm the two VNets/subnets don’t overlap (e.g., 10.0.0.0/16 and 10.1.0.0/16). 2) Two peering links, “Connected”: VNetA→VNetB and VNetB→VNetA must both exist; in each link keep Allow virtual network access = On (default). 3) NSGs: on both subnets/NICs allow the needed traffic (e.g., TCP 22/3389/443); outbound is usually allowed, inbound often blocked—fix that or use an ASG rule. 4) UDRs/Firewalls: if you added route tables, make sure there’s no 0.0.0.0/0 (or specific remote VNet prefix) sending traffic to a dead next hop; if using Azure Firewall/NVA, enable IP forwarding on it and add correct UDRs both ways. 5) Windows/Linux host firewall: allow inbound on the ports you test (ICMP ping often fails by design, test with Test-NetConnection <IP> -Port 3389 or nc -zv <IP> 22). 6) DNS: peering doesn’t give name resolution; either use IPs or set a common DNS (Azure DNS Private Resolver, custom DNS, or host files) so vmA.corp.local resolves to the remote VNet’s private IP. 7) Gateway transit (only if needed): if you want VNetB to use VNetA’s VPN/ER gateway, on the peering set Allow gateway transit on the gateway VNet and Use remote gateway on the other; don’t enable “Use remote gateway” on both sides. 8) Effective routes view: on a VM NIC → Effective routes/Effective security rules to see exactly what’s blocking. If you still get nowhere: verify peering status is Connected, try from a fresh test VM in each VNet with no NSG, and you’ll know if the issue is NSG/UDR/DNS, not peering. If you require encryption or have overlapping ranges, skip peering and use VNet-to-VNet VPN instead.

Manoj Chauhan 20 Reputation points

2025-08-28T04:37:25.5566667+00:00

Hi Michele Ariis,

Thanks for your prompt response.

I see that the peering is enabled from both directions and both show a connected status. Let me explain the scenario :

We have deployed AVD and a virtual firewall which is working fine. Now the problem is that the virtual firewall we were using, is EOL and has to be upgraded with a newer version. The address space we are using here is 172.20.0.0/16 and the networks are 172.20.0.0/24 - 172.20.6.0/24. While deploying the new firewall we have to create a new address space as it cannot be used in the existing one, here we have chosen the address space 172.21.0.0/16 and the firewall interfaces are auto configured with 172.21.0.0/24 and 172.21.1.0/24 ip addresses for LAN and WAN. Now the challenge here is that when i am trying to ping 172.21.1.4 from the servers in 172.20.4.0 and so on, i am unable to do so. I wanted this because once we decommission the old firewall, we want the entire traffic from 172.20.0.0/24 network to be forwarded to the 172.22.0.0. I am expecting that this can be done using a route table.

Can you please review the above situation and advise ?

Regards,

Manoj.

Share via

Enable Communication between two Virtual Networks

1 answer

Your answer