Introduction Azure VNet peering allows direct connectivity between virtual networks. When peering enters a Failed or Disconnected state, resources in peered VNets cannot communicate, breaking cross-VNet access to databases, APIs, and shared services.
Symptoms - Azure Portal shows peering status as "Failed" or "Disconnected" - Resources in peered VNet unreachable (timeout, connection refused) - Peering shows "Initiated" but never reaches "Connected" - Route propagation from peered VNet not appearing in route tables
Common Causes - Overlapping address spaces between peered VNets - One of the peered VNets was deleted - Subscription containing one VNet was suspended - Route table UDR overriding peered routes - NSG rules blocking peered traffic
Step-by-Step Fix 1. **Check peering status**: ```bash az network vnet peering list --vnet-name vnet-a --resource-group rg-a \ --query "[].{Name:name,PeeringState:peeringState}" ```
- 1.Verify address spaces do not overlap:
- 2.```bash
- 3.az network vnet show --name vnet-a --resource-group rg-a --query addressSpace.addressPrefixes
- 4.az network vnet show --name vnet-b --resource-group rg-b --query addressSpace.addressPrefixes
- 5.
` - 6.If overlap exists, you must delete and recreate peering after fixing address spaces.
- 7.Recreate broken peering:
- 8.```bash
- 9.az network vnet peering delete --name vnet-a-to-vnet-b \
- 10.--vnet-name vnet-a --resource-group rg-a
- 11.az network vnet peering create --name vnet-a-to-vnet-b \
- 12.--vnet-name vnet-a --resource-group rg-a \
- 13.--remote-vnet <vnet-b-resource-id> \
- 14.--allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit
- 15.
` - 16.Test connectivity with Network Watcher:
- 17.```bash
- 18.az network watcher test-connectivity --resource-group rg-a \
- 19.--source-resource vm-a --dest-address <vnet-b-resource-ip> --dest-port 443
- 20.
`