Cross-tenant VNET connection with vWAN does not work as expected

snadhazi_ng 106 Reputation points
2022-11-03T14:57:53.207+00:00

Hi All,

We are trying to configure "Connect cross-tenant virtual networks to a Virtual WAN hub" based on the official guide:

https://learn.microsoft.com/en-us/azure/virtual-wan/cross-tenant-vnet

The connection provisioning succeeds and the peering status changes to "Connected", however communication won't establish. Based on Wireshark troubleshooting, the traffic works in one direction only (it does not work from the remote side). We noticed that the "Traffic forwarded from remote virtual network" option is set to Block, even though Allow should be the default. When we try to change this to Allow we receive the attached error message saying that this operation fails. The subscription id presented in this error message is not the other tenant we are using in this test. We are using Terraform to configure this connection, but we change the Allow option manually in the GUI.

Any idea what might cause this issue? Thank you

Azure Virtual WAN
Azure Virtual Network

4 answers

  1. msrini-MSFT 9,271 Reputation points Microsoft Employee
    2022-11-03T17:32:43.247+00:00

    Hi,

    You will need to change that option via the Terraform script. The reason is that when you execute the script, the script uses a service principal which has access to both tenants, and hence the config goes through.

    If you do it from the portal, it looks like you don't have access to the other tenant's subscription, and hence you are getting that error.

    Regards,
    Karthik Srinivas


  2. snadhazi_ng 106 Reputation points
    2022-11-03T18:59:01.06+00:00

    Hello Karthik,

    Many thanks for your support.

    Normally, we use the "azurerm" provider which currently does not support changing this option. However, the "azapi" provider (which we don't normally use) seems to support it. We tried that one as well as a test and the only difference is that when using the latter, we receive the error message via Terraform not directly on the Azure portal. Hence I don't think it has anything to do with Terraform or how we execute this.

    "looks like you don't have access to other tenant subscription and hence you are getting that error"

    Assuming that we control both subscriptions, could you give us a hint on how to provide this access/permission via the Azure portal? If we could make it work via the portal, then at least we would know that it's a Terraform issue...


  3. msrini-MSFT 9,271 Reputation points Microsoft Employee
    2022-11-04T03:56:21.683+00:00

    Make sure that the user who is making these changes has the permissions mentioned here on both subscriptions: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#permissions


  4. Marek Tarnoci 1 Reputation point
    2022-11-04T08:49:45.73+00:00

    Hi,

    The user used for provisioning has access to both subscriptions, and we tested it also with the Contributor and even the Owner role on both subscriptions; the result is the same.
    Regarding the resource, we are using: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_hub_connection, and the Azure provider config:

    provider "azurerm" {
      features {}

      # tenant 2, where the VNet to be connected to the vHub is deployed
      auxiliary_tenant_ids = ["xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"]

      # tenant 1, where the vHub is deployed
      subscription_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
      tenant_id       = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
      client_id       = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
      client_secret   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
    }

    Regarding the azapi provider, there seems to be no support for auxiliary_tenant_ids, but we can configure more options:

    # Resource header assumed (the posted snippet starts at "type"); the body
    # references each.key / each.value, so a for_each over a map of VNets is implied.
    resource "azapi_resource" "vnet_connection" {
      for_each  = var.vnets   # assumed: map of VNet definitions with a "vnet_name" key

      type      = "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections@2022-01-01"
      name      = format("vnet-con-%s", lookup(each.value, "vnet_name", null))
      parent_id = var.virtual_wan_hub_id

      body = jsonencode({
        properties = {
          # transit / internet-security options not exposed by azurerm at the time
          allowHubToRemoteVnetTransit         = true
          allowRemoteVnetToUseHubVnetGateways = true
          enableInternetSecurity              = false
          remoteVirtualNetwork = {
            id = data.azurerm_virtual_network.this[each.key].id
          }
          # "string" values below are placeholders as posted, copied from the API schema
          routingConfiguration = {
            associatedRouteTable = {
              id = "string"
            }
            propagatedRouteTables = {
              ids = [
                {
                  id = "string"
                }
              ]
              labels = [
                "string"
              ]
            }
            vnetRoutes = {
              staticRoutes = [
                {
                  addressPrefixes = [
                    "string"
                  ]
                  name             = "string"
                  nextHopIpAddress = "string"
                }
              ]
            }
          }
        }
      })
    }

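The two-tenant pattern Karthik describes (one service principal with access to both tenants) written out as a full azurerm configuration; this is an added example, not code from the thread or from the azurerm project, and all variable names, the provider aliases and the resource names are assumed.

```hcl
# Added illustration: one aliased azurerm provider per tenant, both
# authenticated as the same service principal (assumed: a multi-tenant app
# registration consented in both tenants). All var.* values are assumed
# to be declared elsewhere; none of the ids are real.

provider "azurerm" {
  alias                = "hub"                      # tenant 1: the vWAN hub lives here
  features {}
  subscription_id      = var.hub_subscription_id
  tenant_id            = var.hub_tenant_id
  auxiliary_tenant_ids = [var.spoke_tenant_id]      # lets hub-side ARM calls reference tenant 2 resources
  client_id            = var.client_id
  client_secret        = var.client_secret
}

provider "azurerm" {
  alias           = "spoke"                         # tenant 2: the VNet to attach
  features {}
  subscription_id = var.spoke_subscription_id
  tenant_id       = var.spoke_tenant_id
  client_id       = var.client_id                   # same SP, read-only use here
  client_secret   = var.client_secret
}

# Resolve the remote VNet id through the spoke-tenant provider
data "azurerm_virtual_network" "spoke" {
  provider            = azurerm.spoke
  name                = var.spoke_vnet_name
  resource_group_name = var.spoke_vnet_rg
}

# Create the hub connection in tenant 1; only the remote VNet id crosses the tenant boundary
resource "azurerm_virtual_hub_connection" "spoke" {
  provider                  = azurerm.hub
  name                      = "vnet-con-${data.azurerm_virtual_network.spoke.name}"
  virtual_hub_id            = var.virtual_wan_hub_id
  remote_virtual_network_id = data.azurerm_virtual_network.spoke.id
  internet_security_enabled = false
}
```

Because both providers authenticate as the same principal, the identity that creates the connection is also the one that must hold the peering permissions on both subscriptions, which is the check Karthik's third answer points at.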