We have our application and database in different VNETs in different subscriptions.
We also have different environments (Pre-Production and Production).
Currently the databases for PROD and PRE-PROD are in different subnets of the same VNET.

I see we can have peering at VNET level.
We want the peering between the application and database at subnet level so that PRE-PROD application should not be able to connect to PROD database and vice-versa.

2 Answers


  1. From Microsoft documentation:

    Azure routes traffic between all subnets within a virtual network, by default. You can create your own routes to override Azure’s default routing.

    https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-portal

  2. You would want to look at network segmentation patterns. You can achieve basic microsegmentation by using Network Security Groups in Azure.
    Based on your question, I assume you want to allow traffic only from one subnet into another subnet (over a peered network though, but that does not matter much) – and maybe even only allow one database port to be accessed from your application subnet – and lock everything else down.

    This approach is described here: https://learn.microsoft.com/en-us/azure/architecture/framework/security/design-network-segmentation

    You would want to create one NSG per subnet, make a rule to block all inbound traffic and then allow only the traffic that is required. Note that NSGs are stateful, so you do not need to specify outbound rules for your traffic. Also make sure you apply the rules in the right order from top to bottom: the rule with the lowest priority number is applied first.

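The second answer's point about rule ordering is easy to get wrong, so here is an added example (not from the answer or from any Azure SDK) that models how an inbound NSG evaluates rules by priority and first match. The subnet prefixes, the SQL port and the rule priorities are constructed assumptions; the NSG on the PROD database subnet denies everything and then allows only port 1433 from the PROD application subnet, and a second rule set shows what happens when the deny is numbered below the allow.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NsgRule:
    priority: int   # custom rules use 100-4096; the lowest number is evaluated first
    access: str     # "Allow" or "Deny"
    source: str     # source CIDR, or "*" for any source
    dest_port: str  # destination port, or "*" for any port


def first_match(rules, src_ip, port):
    """Return the access of the first rule (by ascending priority) that matches the flow.

    Evaluation stops at the first match, which is why an explicit deny-all must sit
    at a higher number than the allow rules it is meant to be the fallback for.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        src_ok = rule.source == "*" or ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)
        port_ok = rule.dest_port == "*" or rule.dest_port == str(port)
        if src_ok and port_ok:
            return rule.access
    # Azure's built-in DenyAllInBound (65500) would catch anything left; mirror that here.
    return "Deny"


# Constructed subnet prefixes (assumed, not taken from the question).
PROD_APP = "10.1.1.0/24"
PREPROD_APP = "10.1.2.0/24"

# NSG for the PROD database subnet: explicit deny-all at a custom priority, because the
# built-in AllowVnetInBound (65000) also matches traffic arriving over VNet peering.
PROD_DB_NSG = [
    NsgRule(4000, "Deny", "*", "*"),
    NsgRule(100, "Allow", PROD_APP, "1433"),
]

# The same rules with the priorities swapped: the deny is now evaluated first and
# silently blocks the PROD application as well.
MISORDERED_NSG = [
    NsgRule(100, "Deny", "*", "*"),
    NsgRule(4000, "Allow", PROD_APP, "1433"),
]
```

Checking flows from both application subnets against `PROD_DB_NSG` shows PROD app to SQL allowed and PRE-PROD app (or any non-SQL port) denied, while `MISORDERED_NSG` denies everything.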