This module is designed to manage Azure Virtual Network (VNet) peerings between two VNets. It allows fine-grained control over peering settings such as traffic forwarding, gateway transit, and network access, providing secure and scalable network connectivity across VNets.
- VNet Peering Management: Creates and manages peering connections between Azure virtual networks.
- Access Control: Supports configuration of virtual network access, forwarded traffic, and gateway transit.
- IPv6 Peering: Optionally enables IPv6 peering for dual-stack scenarios.
- Complete Network Peering: Allows peering of all subnets and networks across the virtual networks.
This example demonstrates how to configure a peering between two virtual networks:
resource "azurerm_resource_group" "vnetrg" {
name = "rg-vnet-example"
location = "germanywestcentral"
}
module "vnet-a" {
source = "CloudAstro/virtual-network/azurerm"
name = "vnet-a"
location = azurerm_resource_group.vnetrg.location
resource_group_name = azurerm_resource_group.vnetrg.name
address_space = ["10.10.0.0/24"]
subnet = {
snet_1 = {
name = "subnet-a-1"
address_prefixes = ["10.10.0.0/25"]
}
snet_2 = {
name = "subnet-a-2"
address_prefixes = ["10.10.0.128/25"]
}
}
}
module "vnet-b" {
source = "CloudAstro/virtual-network/azurerm"
name = "vnet-b"
location = azurerm_resource_group.vnetrg.location
resource_group_name = azurerm_resource_group.vnetrg.name
address_space = ["10.11.0.0/24"]
subnet = {
snet_1 = {
name = "subnet-b-1"
address_prefixes = ["10.11.0.0/25"]
}
snet_2 = {
name = "subnet-b-2"
address_prefixes = ["10.11.0.128/25"]
}
}
}
# In case you receive this error during apply:
# SubscriptionNotRegisteredForFeature: Subscription 00000000-0000-0000-0000-000000000000
# is not registered for feature Microsoft.Network/AllowMultiplePeeringLinksBetweenVnets
# required to carry out the requested operation.
#
# Please run the following CLI commands to register the feature:
# az feature register --namespace Microsoft.Network --name AllowMultiplePeeringLinksBetweenVnets
# az provider register --namespace Microsoft.Network
module "vnet-peering-a-to-b" {
source = "../../"
name = "vnet-a-to-vnet-b"
resource_group_name = azurerm_resource_group.vnetrg.name
virtual_network_name = module.vnet-a.virtual_network.name
remote_virtual_network_id = module.vnet-b.virtual_network.id
peer_complete_virtual_networks_enabled = false
local_subnet_names = ["subnet-a-1"]
remote_subnet_names = ["subnet-b-1"]
allow_virtual_network_access = true
allow_forwarded_traffic = false
allow_gateway_transit = false
use_remote_gateways = false
}
module "vnet-peering-b-to-a" {
source = "../../"
providers = {
azurerm = azurerm.peer
}
name = "vnet-b-to-vnet-a"
resource_group_name = azurerm_resource_group.vnetrg.name
virtual_network_name = module.vnet-b.virtual_network.name
remote_virtual_network_id = module.vnet-a.virtual_network.id
peer_complete_virtual_networks_enabled = false
local_subnet_names = ["subnet-b-1"]
remote_subnet_names = ["subnet-a-1"]
allow_virtual_network_access = true
allow_forwarded_traffic = false
allow_gateway_transit = false
use_remote_gateways = false
}| Name | Version |
|---|---|
| terraform | ~> 1.9.0 |
| azurerm | >= 4.0.0 |
| Name | Version |
|---|---|
| azurerm | >= 4.0.0 |
| Name | Type |
|---|---|
| azurerm_virtual_network_peering.vnet_peering | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| name | * name - (Required) The name of the virtual network peering. Changing this forces a new resource to be created.Example input: name = vpeering-to-dev |
string |
n/a | yes |
| remote_virtual_network_id | * remote_virtual_network_id - (Required) The full Azure resource ID of the remote virtual network. Changing this forces a new resource to be created.Example input: remote_virtual_network_id = azurerm_virtual_network.vnet-b.id |
string |
n/a | yes |
| resource_group_name | * resource_group_name - (Required) The name of the resource group in which to create the virtual network peering. Changing this forces a new resource to be created.Example input: resource_group_name = rg-vnet-hub |
string |
n/a | yes |
| virtual_network_name | * virtual_network_name - (Required) The name of the virtual network. Changing this forces a new resource to be created.Example input: virtual_network_name = vnet-hub |
string |
n/a | yes |
| allow_forwarded_traffic | * allow_forwarded_traffic - (Optional) Controls if forwarded traffic from VMs in the remote virtual network is allowed. Defaults to false.Example input: allow_forwarded_traffic = false |
bool |
false |
no |
| allow_gateway_transit | * allow_gateway_transit - (Optional) Controls gatewayLinks can be used in the remote virtual network’s link to the local virtual network. Defaults to false.Example input: allow_gateway_transit = false |
bool |
false |
no |
| allow_virtual_network_access | * allow_virtual_network_access - (Optional) Controls if the traffic from the local virtual network can reach the remote virtual network. Defaults to true.Example input: allow_virtual_network_access = true |
bool |
true |
no |
| local_subnet_names | * local_subnet_names - (Optional) A list of local Subnet names that are Subnet peered with remote Virtual Network.Example input: local_subnet_names = ["subnet1", "subnet2"] |
list(string) |
null |
no |
| only_ipv6_peering_enabled | * only_ipv6_peering_enabled - (Optional) Specifies whether only IPv6 address space is peered for Subnet peering. Changing this forces a new resource to be created.Example input: only_ipv6_peering_enabled = false |
bool |
null |
no |
| peer_complete_virtual_networks_enabled | * peer_complete_virtual_networks_enabled - (Optional) Specifies whether complete Virtual Network address space is peered. Defaults to true. Changing this forces a new resource to be created.Example input: peer_complete_virtual_networks_enabled = true |
bool |
true |
no |
| remote_subnet_names | * remote_subnet_names - (Optional) A list of remote Subnet names from remote Virtual Network that are Subnet peered.Example input: remote_subnet_names = ["subnet1", "subnet2"] |
list(string) |
null |
no |
| timeouts | The timeouts block allows you to specify timeouts for certain actions:* create - (Defaults to 30 minutes) Used when creating the Virtual Network Peering.* update - (Defaults to 30 minutes) Used when updating the Virtual Network Peering.* read - (Defaults to 5 minutes) Used when retrieving the Virtual Network Peering.* delete - (Defaults to 30 minutes) Used when deleting the Virtual Network Peering.## NoteVirtual Network peerings cannot be created, updated or deleted concurrently. |
object({ |
null |
no |
| triggers | * triggers - (Optional) A mapping of key values pairs that can be used to sync network routes from the remote virtual network to the local virtual network. See the trigger example for an example on how to set it up.Example input: triggers = { |
map(string) |
null |
no |
| use_remote_gateways | * use_remote_gateways - (Optional) Controls if remote gateways can be used on the local virtual network. If the flag is set to true, and allow_gateway_transit on the remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. Defaults to false.-> Note: use_remote_gateways must be set to false if using Global Virtual Network Peerings.Example input: use_remote_gateways = false |
bool |
false |
no |
| Name | Description |
|---|---|
| peering | * name - (Required) The name of this virtual network peering.* virtual_network_id - (Required) The resource ID of the virtual network. In addition to the Arguments listed above - the following Attributes are exported:* id - The ID of the virtual network peering.* allow_forwarded_traffic - Controls if forwarded traffic from VMs in the remote virtual network is allowed.* allow_gateway_transit - Controls gatewayLinks can be used in the remote virtual network’s link to the local virtual network.* allow_virtual_network_access - Controls if the traffic from the local virtual network can reach the remote virtual network.* only_ipv6_peering_enabled - Specifies whether only IPv6 address space is peered for Subnet peering.* peer_complete_virtual_networks_enabled - Specifies whether complete Virtual Network address space is peered.* remote_virtual_network_id - The full Azure resource ID of the remote virtual network.* use_remote_gateways - Controls if remote gateways can be used on the local virtual network.Example output: output "name" { |
No modules.
This module provides a flexible way to manage Azure Virtual Network peerings, enabling secure connectivity between VNets across subscriptions or regions. It supports advanced configuration options such as traffic forwarding, gateway transit, and IPv6 peering, making it suitable for both simple and complex network topologies.
- Terraform AzureRM Virtual Network Peering Resource
- Azure Virtual Network Peering Overview
- Azure Virtual Network Documentation
- Terraform AzureRM Provider
- Ensure both VNets are in the same or compatible regions if required.
- Peering links are non-transitive — peered VNets cannot automatically reach other peered VNets.
- Gateway transit and use of remote gateways must be planned carefully to avoid conflicts.
- Review Azure subscription limits for the number of allowed peerings per VNet.
This module is released under the Apache 2.0 License. See the LICENSE file for full details.