VNet-to-VNet Connections
As well as connecting an on-premises network to an Azure VNet by using a VPN, you can also use a VPN to connect two or more Azure VNets. Such connections are termed VNet-to-VNet VPNs. The connected VNets can be in different regions and even in different Azure subscriptions.
Comparing Site-to-Site and VNet-to-VNet VPNs
Functionally and conceptually, a VNet-to-VNet connection is the same as a Site-to-Site connection except that both ends of the connection are VNets. VMs and cloud service components in each VNet can communicate as if they were on the same VNet. However, the configuration of a VNet can be a confusing process because you must complete similar tasks at both ends of the connection.
To understand the configuration, first consider a Site-to-Site VPN. You must configure:
- An IP addressing scheme in the VNet.
- The range of IP addresses that are available on the local, on-premises subnet.
- A gateway in the local subnet.
- A virtual gateway in the VNet.
Because the virtual gateway is configured with the IP addresses in the VNet and the IP addresses in the local network, it can route packets from Azure to the local network.
Now consider a VNet-to-VNet VPN that connects a VNet in the West US region to a VNet in the North Europe region. You must configure:
- An IP addressing scheme in the West US VNet.
- An IP addressing scheme in the North Europe VNet.
- A virtual gateway in the West US VNet.
- A virtual gateway in the North Europe VNet.
When you configure the virtual gateway in West US, the IP address range that you provide for the “Local Network” is actually the range for North Europe VNet. Similarly for the virtual gateway in North Europe, the IP address range that you provide for the “Local Network” is actually the range for West US VNet. This can confuse administrators because neither “Local Network” is in fact an on-premises network.
Mai Ali's Technical Blog 