For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
      • AstroFully-managed data operations, powered by Apache Airflow.
      • Astro Private CloudRun Airflow-as-a-service in your environment.
      • Professional ServicesExpert Airflow services for your enterprise's success.
    • Tools
      • Cosmos
      • Orbiter
      • CLI
      • AI SDK
      • Agents
      • Blueprint
      • UpdatesThe State of Airflow 2026See the insights from over 5,800 data practitioners in the full report. Download Now ➔
  • Customers
  • Docs
    • Insights
      • Blog
      • Webinars
      • Resource Library
      • Events
    • Education
      • Academy
      • What is Airflow?
  • Pricing
Get Started Free
    • Overview
        • Connect to data services
          • AWS
          • Azure
            • Access a public Azure endpoint
              • Azure VNet Peering
              • Azure VHub Peering
              • Azure VPN
              • Azure Privatelink
              • Azure Hostname Resolutions
          • GCP
      • Billing
    • Book Office Hours

Product

  • Platform Overview
  • Astro
  • Astro Observe
  • Astro Private Cloud
  • Security & Trust
  • Pricing

Tools & Services

  • Cosmos
  • Docs
  • Professional Services
  • Product Updates

Use Cases

  • AI Ops
  • Data Observability
  • ETL/ELT
  • ML Ops
  • Operational Analytics
  • All Use Cases

Industries

  • Financial Services
  • Gaming
  • Retail
  • Manufacturing
  • Healthcare
  • All Industries

Resources

  • Academy
  • eBooks & Guides
  • Blog
  • Webinars
  • Events
  • The Data Flowcast Podcast
  • All Resources

Airflow

  • What is Airflow
  • Airflow on Astro
  • Airflow 3.0
  • Airflow Upgrades
  • Airflow Use Cases
  • Airflow 2.x End of Life

Company

  • Our Story
  • Customers
  • Newsroom
  • Careers
  • Contact

Support

  • Knowledge Base
  • Status
  • Contact Support
GitHubYouTubeLinkedInx
  • Legal
  • Privacy
  • Terms of Service
  • Consent Preferences

  • Do Not Sell or Share My Personal information
  • Limit the Use Of My Sensitive Personal Information

Apache Airflow®, Airflow, and the Airflow logo are trademarks of the Apache Software Foundation. Copyright © Astronomer 2026. All rights reserved.

LogoLogo
AdministrationNetworkingConnect to data servicesAzureAzure Private Networking Options

Azure Networking: VHub Peering

Edit this page
Built with
This connection option is only available for dedicated Astro clusters.

To set up a private connection between an Astro Virtual Network (VNet) and an Azure VHub, you can create a VHub peering connection. VHub peering ensures private and secure connectivity, reduces network transit costs, and attaches the Astro environment to a centralized managed network.

  1. Retrieve the following information from the target Azure environment that you want to connect with:

    • Azure Tenant ID and Subscription ID.
    • VHub name.
    • Resource Group name.
    • Optional. Firewall IP address if you use any on the VHub side.

  2. Prepare a astro-vhub-peering-creator-role.json JSON file with the following permissions. Replace {customer-subscription-id} with your value:

    1{
    2    "Name": "Astro VHub Peering Contributor",
    3    "IsCustom": true,
    4    "Description": "Can create VNET peering with Astro.",
    5    "Actions": [
    6        "Microsoft.Resources/subscriptions/resourceGroups/read",
    7        "Microsoft.Resources/subscriptions/read",
    8        "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/write",
    9        "Microsoft.Network/virtualHubs/read",
    10        "Microsoft.Network/virtualWans/virtualHubs/read",
    11        "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/read"
    12    ],
    13    "NotActions": [
    14
    15    ],
    16    "AssignableScopes": [
    17      "/subscriptions/{customer-subscription-id}"
    18    ]
    19}

  3. Run the following Azure CLI commands to give Astronomer Support temporary permissions to establish a VHub peering connection:

    1# Add Astronomer Service Principal
    2az ad sp create --id a67e6057-7138-4f78-bbaf-fd9db7b8aab0
    3
    4# Create a Custom role with permissions prepared in previous step
    5az role definition create --role-definition ~/astro-vhub-peering-creator-role.json
    6
    7# Assign Custom role to the Astronomer Service Principal ({customer-subscription-id} has to be replaced with your value)
    8az role assignment create \
    9--assignee a67e6057-7138-4f78-bbaf-fd9db7b8aab0 \
    10--role "Astro VHub Peering Contributor" \
    11--scope "/subscriptions/{customer-subscription-id}"
    12
    13# Verify an assignment
    14az role assignment list --assignee a67e6057-7138-4f78-bbaf-fd9db7b8aab0 --all -o table

  4. Contact Astronomer support to tell them that you granted them permissions to the Astronomer Service Principal. In addition, provide the following details in your request:

    • Astro Cluster ID
    • Azure Tenant ID and Subscription ID with a VHub
    • Resource group name
    • VHub name and preferable name for the peering
    • (Optional) Firewall IP address if you use any on the VHub side.

After receiving your request, Astronomer support creates a VHub peering connection to Astro VNet. No other actions are required from you. Astronomer support will notify you when the connection is ready to use.

When the network connection is confirmed, you can delete the temporary roles you created using the following command. Replace {customer-subscription-id} with your value:

1az role assignment delete --assignee a67e6057-7138-4f78-bbaf-fd9db7b8aab0 --role "Astro VHub Peering Contributor" --scope "/subscriptions/{customer-subscription-id}"