How to Set Up Windows Server 2016 Virtual Network Peering
Virtual network peering allows two separate virtual networks within a Windows Server 2016 SDN environment to communicate with each other as if they were a single network, without the need to route traffic through a gateway or external device. This is analogous to VNet peering in Azure and enables efficient east-west traffic flows within the datacenter fabric while maintaining administrative separation between tenant networks.
This tutorial covers how to configure virtual network peering between two tenant virtual networks managed by the Windows Server 2016 SDN Network Controller, including the required REST API calls, routing considerations, and verification steps.
Use Cases for Virtual Network Peering
Virtual network peering is useful in many scenarios. You might need to allow two business units with separate virtual networks to share a common service such as a database or a monitoring system. Alternatively, you may want to connect a production virtual network to a shared services network that provides DNS, Active Directory, or logging infrastructure without merging them into a single network. Peering provides the connectivity while preserving the independent lifecycle management of each virtual network.
Prerequisites
You need a running Windows Server 2016 SDN deployment with the Network Controller operational and at least two virtual networks already created. The virtual networks should have non-overlapping address prefixes if you want full bidirectional routing between them. Confirm the Network Controller is responding:
$uri = "https://nc.contoso.com"
Invoke-WebRequest -Uri "$uri/networking/v1/virtualNetworks" -UseDefaultCredentials
Step 1 — Review Existing Virtual Networks
Before configuring peering, confirm the resource IDs and address spaces of the two virtual networks you want to peer:
Invoke-RestMethod `
    -Uri "https://nc.contoso.com/networking/v1/virtualNetworks" `
    -Method Get `
    -UseDefaultCredentials | ConvertTo-Json -Depth 5
Note the resourceRef paths for both virtual networks, for example /virtualNetworks/Tenant1VNet and /virtualNetworks/Tenant2VNet.
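
The prerequisite of non-overlapping address prefixes can be checked before any peering is created. The script below is an added example, not part of the original tutorial. It assumes each virtual network exposes its CIDR prefixes under properties.addressSpace.addressPrefixes and runs against constructed sample data; the function names are hypothetical.

```powershell
# Constructed sample shaped like Network Controller virtualNetworks resources.
# Assumption: prefixes live under properties.addressSpace.addressPrefixes.
# Live data (assumes the collection is returned under .value):
#   $vnets = (Invoke-RestMethod -Uri "https://nc.contoso.com/networking/v1/virtualNetworks" -UseDefaultCredentials).value
$vnets = @(
    [pscustomobject]@{ resourceId = 'Tenant1VNet'; properties = [pscustomobject]@{
        addressSpace = [pscustomobject]@{ addressPrefixes = @('192.168.1.0/24', '10.10.0.0/16') } } }
    [pscustomobject]@{ resourceId = 'Tenant2VNet'; properties = [pscustomobject]@{
        addressSpace = [pscustomobject]@{ addressPrefixes = @('192.168.2.0/24', '10.10.8.0/21') } } }
)

function ConvertTo-PrefixRange {
    # Turn an IPv4 CIDR string into its first and last address as 64-bit integers.
    param([Parameter(Mandatory)][string]$Cidr)
    if ($Cidr -notmatch '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$') { throw "Not an IPv4 CIDR prefix: $Cidr" }
    $ip, $len = $Cidr -split '/'
    if ([int]$len -gt 32) { throw "Invalid prefix length in $Cidr" }
    [long]$addr = 0
    foreach ($b in [System.Net.IPAddress]::Parse($ip).GetAddressBytes()) { $addr = $addr * 256 + $b }
    [long]$size  = [math]::Pow(2, 32 - [int]$len)
    [long]$first = $addr - ($addr % $size)          # mask off any host bits
    [pscustomobject]@{ Cidr = $Cidr; First = $first; Last = $first + $size - 1 }
}

function Find-PrefixOverlap {
    # Compare every prefix of one virtual network with every prefix of the other.
    param($VNetA, $VNetB)
    foreach ($a in $VNetA.properties.addressSpace.addressPrefixes) {
        foreach ($b in $VNetB.properties.addressSpace.addressPrefixes) {
            $ra = ConvertTo-PrefixRange $a
            $rb = ConvertTo-PrefixRange $b
            # Two ranges overlap when each one starts before the other ends.
            if ($ra.First -le $rb.Last -and $rb.First -le $ra.Last) {
                [pscustomobject]@{ VNetA = $VNetA.resourceId; PrefixA = $a
                                   VNetB = $VNetB.resourceId; PrefixB = $b }
            }
        }
    }
}

$overlaps = @(Find-PrefixOverlap $vnets[0] $vnets[1])
if ($overlaps.Count -gt 0) {
    $overlaps | Format-Table -AutoSize
} else {
    'No overlapping prefixes found.'
}
```

With the constructed data, the only pair reported is 10.10.0.0/16 against 10.10.8.0/21.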
Step 2 — Create a Peering from Tenant1 to Tenant2
Virtual network peering is configured as a peering resource on each virtual network. First, add the peering configuration on Tenant1VNet pointing to Tenant2VNet:
$headers = @{ "Content-Type" = "application/json" }
$peering1Body = @{
    properties = @{
        remoteVirtualNetwork = @{
            resourceRef = "/virtualNetworks/Tenant2VNet"
        }
        allowVirtualNetworkAccess = $true
        allowForwardedTraffic = $false
        allowGatewayTransit = $false
        useRemoteGateways = $false
    }
} | ConvertTo-Json -Depth 5
Invoke-RestMethod `
    -Uri "https://nc.contoso.com/networking/v1/virtualNetworks/Tenant1VNet/virtualNetworkPeerings/Peer-T1-to-T2" `
    -Method Put `
    -Body $peering1Body `
    -Headers $headers `
    -UseDefaultCredentials
Step 3 — Create the Reciprocal Peering from Tenant2 to Tenant1
Virtual network peering in Windows Server 2016 SDN requires a peering resource on both virtual networks for traffic to flow bidirectionally. Add the reverse peering on Tenant2VNet:
$peering2Body = @{
    properties = @{
        remoteVirtualNetwork = @{
            resourceRef = "/virtualNetworks/Tenant1VNet"
        }
        allowVirtualNetworkAccess = $true
        allowForwardedTraffic = $false
        allowGatewayTransit = $false
        useRemoteGateways = $false
    }
} | ConvertTo-Json -Depth 5
Invoke-RestMethod `
    -Uri "https://nc.contoso.com/networking/v1/virtualNetworks/Tenant2VNet/virtualNetworkPeerings/Peer-T2-to-T1" `
    -Method Put `
    -Body $peering2Body `
    -Headers $headers `
    -UseDefaultCredentials
Step 4 — Verify Peering Status
Check the peering state on both virtual networks to confirm both sides are connected:
Invoke-RestMethod `
    -Uri "https://nc.contoso.com/networking/v1/virtualNetworks/Tenant1VNet/virtualNetworkPeerings" `
    -Method Get `
    -UseDefaultCredentials | ConvertTo-Json -Depth 5
Both peering resources should show a peeringState of Connected. If either shows Initiated, the other side has not yet been configured.
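
Because a peering joins two tenant networks that are otherwise kept separate, it is worth reviewing every peering for the conditions described in Steps 2 to 4 in one pass. The script below is an added example, not part of the original tutorial. It assumes peeringState and the allow/use flags sit under properties, runs against constructed sample data, and uses a hypothetical function name.

```powershell
# Constructed sample: peerings per virtual network, shaped like the bodies PUT in
# Steps 2 and 3 plus the peeringState reported in Step 4. For live data, GET
#   https://nc.contoso.com/networking/v1/virtualNetworks/<vnet>/virtualNetworkPeerings
$peerings = @{
    Tenant1VNet = @(
        [pscustomobject]@{ resourceId = 'Peer-T1-to-T2'; properties = [pscustomobject]@{
            remoteVirtualNetwork = [pscustomobject]@{ resourceRef = '/virtualNetworks/Tenant2VNet' }
            peeringState = 'Initiated'; allowVirtualNetworkAccess = $true
            allowForwardedTraffic = $true; allowGatewayTransit = $false; useRemoteGateways = $false } }
    )
    Tenant2VNet = @()   # reciprocal peering not created yet
}

function Get-PeeringFinding {
    # Emit one row per peering that deviates from the baseline used in this tutorial.
    param([Parameter(Mandatory)][hashtable]$PeeringsByVNet)
    foreach ($vnet in $PeeringsByVNet.Keys) {
        foreach ($p in $PeeringsByVNet[$vnet]) {
            $props  = $p.properties
            $remote = ($props.remoteVirtualNetwork.resourceRef -split '/')[-1]
            $issues = @()
            if ($props.peeringState -ne 'Connected') {
                $issues += "peeringState is $($props.peeringState)"
            }
            # A peering only carries traffic both ways if the remote side points back.
            $back = @($PeeringsByVNet[$remote]) | Where-Object {
                $_.properties.remoteVirtualNetwork.resourceRef -eq "/virtualNetworks/$vnet"
            }
            if (-not $back) { $issues += "no reciprocal peering on $remote" }
            # Flags the tutorial leaves at $false unless gateway transit is wanted.
            foreach ($flag in 'allowForwardedTraffic', 'allowGatewayTransit', 'useRemoteGateways') {
                if ($props.$flag) { $issues += "$flag is enabled" }
            }
            if ($issues.Count -gt 0) {
                [pscustomobject]@{ VNet = $vnet; Peering = $p.resourceId; Issues = $issues -join '; ' }
            }
        }
    }
}

Get-PeeringFinding -PeeringsByVNet $peerings | Format-Table -AutoSize -Wrap
```

With the constructed data, Peer-T1-to-T2 is reported for its Initiated state, the missing reciprocal peering on Tenant2VNet, and allowForwardedTraffic being enabled.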
Step 5 — Test Connectivity Between Peered Networks
From a VM in Tenant1VNet, test connectivity to a VM in Tenant2VNet using its CA-space IP address:
Test-NetConnection -ComputerName 192.168.2.10 -Port 80
If the firewall policies on both VMs permit the traffic, the connection should succeed. If it fails, check that the Access Control Lists (ACLs) applied to the virtual network interfaces do not block cross-network traffic.
Step 6 — Enable Gateway Transit (Optional)
If you want one of the peered virtual networks to use the other network’s connected gateway for external access, enable gateway transit on the peering that has the gateway and set useRemoteGateways on the peering without the gateway:
# Peering on the virtual network that has the gateway (Tenant1VNet here).
# The reciprocal peering (Peer-T2-to-T1) sets useRemoteGateways = $true instead.
$peeringUpdate = @{
    properties = @{
        remoteVirtualNetwork = @{ resourceRef = "/virtualNetworks/Tenant2VNet" }
        allowVirtualNetworkAccess = $true
        allowGatewayTransit = $true
        useRemoteGateways = $false
    }
} | ConvertTo-Json -Depth 5
Invoke-RestMethod `
    -Uri "https://nc.contoso.com/networking/v1/virtualNetworks/Tenant1VNet/virtualNetworkPeerings/Peer-T1-to-T2" `
    -Method Put `
    -Body $peeringUpdate `
    -Headers $headers `
    -UseDefaultCredentials
Step 7 — Remove a Peering
To remove a peering, delete the peering resource from both virtual networks. Traffic will immediately cease flowing between them once the deletion is processed:
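# Removes the Tenant1VNet side; repeat against
# Tenant2VNet/virtualNetworkPeerings/Peer-T2-to-T1 to remove the reciprocal peering.
Invoke-RestMethod `
    -Uri "https://nc.contoso.com/networking/v1/virtualNetworks/Tenant1VNet/virtualNetworkPeerings/Peer-T1-to-T2" `
    -Method Delete `
    -UseDefaultCredentials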
Conclusion
Virtual network peering in Windows Server 2016 SDN provides a straightforward and efficient mechanism for enabling connectivity between separate tenant virtual networks while maintaining administrative boundaries and independent policy control. By configuring reciprocal peering resources through the Network Controller API, you enable east-west traffic flows within the datacenter fabric without routing traffic through external gateways, reducing latency and simplifying the network architecture.