Azure VNet peering causes high latency between regions for real-time analytics

Cloud Platforms Microsoft Azure
, , , , , , ,
1

We’ve set up VNet peering between our East US and West Europe regions to support our real-time analytics pipeline, but we’re experiencing unexpectedly high latency that’s impacting our SLAs.

Our architecture: Application servers in East US VNet need to query Azure SQL Database in West Europe VNet. VNet peering is configured and working, but query response times are 250-350ms when we expected around 100-120ms based on inter-region latency specs.

Test results from East US VM:


Test-NetConnection sqlserver-westeu.database.windows.net
PingSucceeded: True
PingReplyDetails: RoundtripTime: 285ms

The VNet peering status shows “Connected” in both directions. Is this expected latency for multi-region VNet peering, or are we missing some configuration that could optimize the routing? Our analytics queries need to complete in under 150ms to meet requirements.

2

Also consider whether you really need real-time queries across regions. For analytics workloads, you might get better performance with data replication using Azure Data Factory or SQL Data Sync to keep a read replica in East US. This would reduce your query latency to single-digit milliseconds instead of fighting cross-region physics.

3

Yes, that’s your problem! The 0.0.0.0/0 UDR is overriding the VNet peering routes. You need to add a more specific route for the West Europe VNet address space that uses “Virtual Network Peering” as the next hop type instead of “Virtual Appliance”. This way, inter-VNet traffic goes direct via peering, while internet traffic still goes through your firewall. Make sure the more specific route has higher priority.

4

Here’s a comprehensive solution addressing VNet peering optimization, latency reduction, and multi-region architecture:

1. VNet Peering Route Optimization:

Your UDR configuration is forcing traffic through Azure Firewall, bypassing the direct peering path. Fix this by creating specific routes:

In East US Route Table:


Route 1: West Europe VNet Traffic (Higher Priority)
Address Prefix: 10.2.0.0/16 (West Europe VNet CIDR)
Next Hop Type: Virtual Network Peering
Next Hop: westeurope-vnet-peer

Route 2: Internet Traffic (Lower Priority)
Address Prefix: 0.0.0.0/0
Next Hop Type: Virtual Appliance
Next Hop: 10.1.0.4 (Azure Firewall IP)

Azure evaluates routes by longest prefix match, so the /16 route will take precedence over /0 for West Europe traffic.

2. Latency Validation and Measurement:

After route changes, measure latency components separately:

Network latency test:


# TCP latency (should be ~100-110ms)
Test-NetConnection -ComputerName 10.2.1.5 -Port 1433

# Application latency test
Invoke-Sqlcmd -Query "SELECT 1" -ServerInstance sqlserver

Expected latency breakdown:

  • ICMP ping: 95-105ms (baseline network)
  • TCP handshake: 105-120ms (network + connection setup)
  • SQL query: 120-150ms (network + query execution)

3. Multi-Region Architecture Optimization:

For real-time analytics with <150ms requirements, implement these patterns:

Option A - Active Geo-Replication (Best for read-heavy):

  • Configure SQL Database active geo-replication to East US
  • Read queries hit local replica: <10ms latency
  • Writes still go to West Europe: 250-300ms (acceptable for analytics)
  • Cost: Additional database replica

Option B - Caching Layer (Best for repeated queries):

  • Deploy Azure Cache for Redis in East US
  • Cache query results with 5-15 minute TTL
  • Cache hits: <5ms, cache misses: 250ms
  • Cost: Redis instance ($)

Option C - Azure Front Door + Traffic Manager:

  • Deploy SQL read replicas in both regions
  • Route queries to nearest region automatically
  • Failover capability included
  • Cost: Front Door + replica

4. VNet Peering Performance Tuning:

Enable Azure Accelerated Networking: On both East US and West Europe VMs:


az vm update --resource-group myRG --name myVM \
  --set networkProfile.networkInterfaces[0].enableAcceleratedNetworking=true

This reduces latency by 20-30% through SR-IOV.

Optimize SQL Connection Pooling: In your application connection string:


Server=sqlserver-westeu.database.windows.net;
Database=analytics;
Connection Timeout=30;
Min Pool Size=10;
Max Pool Size=100;
MultipleActiveResultSets=true;

5. Monitoring and Validation:

Set up Network Watcher:

  • Enable Connection Monitor between regions
  • Track latency trends over time
  • Alert on latency >150ms

Application Insights:

  • Track end-to-end query duration
  • Identify slow queries vs network issues
  • Correlate latency with query complexity

6. Security Considerations:

Maintaining security while optimizing routes:

  • Keep Azure Firewall for internet egress
  • Use NSG rules for inter-VNet traffic control
  • Enable VNet peering traffic logs for audit
  • Consider Private Link for SQL Database instead of public endpoint

Recommended Solution: Implement route optimization (immediate fix) + active geo-replication (long-term solution). This gives you:

  • Direct peering path: 100-120ms for writes
  • Local reads: <10ms from East US replica
  • Maintained security: Firewall still protects internet traffic
  • Scalability: Can add more read replicas as needed

The route fix alone should bring your latency down to 120-150ms range, meeting your SLA. Adding geo-replication provides the best experience for read-heavy analytics workloads.

5

Found something interesting! We have a UDR on the East US subnet that routes all traffic (0.0.0.0/0) to an Azure Firewall for security scanning. I think this might be forcing our VNet peering traffic through the firewall instead of taking the direct peered connection. Would removing this UDR or creating a more specific route help? We still need firewall protection for internet-bound traffic though.

6

The latency you’re seeing is actually within expected range for cross-region traffic between East US and West Europe. Physical distance adds ~90-110ms baseline latency, and VNet peering adds minimal overhead (usually 5-10ms). Your 285ms includes the database query processing time, not just network latency. Have you measured pure network latency without the database query?

7

Good point - I ran pure ICMP ping tests and TCP connection tests separately. Pure ping shows 95-105ms, but TCP connection establishment to SQL port 1433 takes 180-220ms. That’s a huge difference! Could this be related to how VNet peering routes traffic or some security group inspection overhead? We have NSGs on both VNets but they’re configured to allow all traffic between the peered networks.

8

TCP handshake taking 180-220ms for ~100ms network latency is definitely abnormal. That’s nearly 2x what it should be. Check if you have any forced tunneling or user-defined routes (UDRs) that might be routing traffic through a firewall or NVA instead of taking the direct peered path. Also verify that your SQL Database isn’t configured with connection throttling or has firewall rules that add processing time.