Cross-tenant VNET connection with vWAN does not work as expected

Question

Hi All,

We are trying to configure Connect cross-tenant virtual networks to a Virtual WAN hub based on the official guide:

https://learn.microsoft.com/en-us/azure/virtual-wan/cross-tenant-vnet

The connection provisioning succeeds, the peering status changes to "Connected" however communication won't establish. Based on Wireshark troubleshooting, the traffic works in one direction (does not work from remote). We noticed that the "Traffic forwarded from remote virtual network" option is set to Block, even though Allow should be the default. When we try to change this to Allow we receive attached error message that this operation fails. The subscription id which is presented in this error message is not the other tenant we are using in this test. We are using Terraform to configure this connection, but we change the Allow option manually in the GUI.

Any idea what might cause this issue? Thank you

Answer 1

Hi,

You will need to change that option via the terraform script. The reason is when you execuit the script, the script has a service principal which has access to both the tenant and hence the config goes through.

If you do it from the portal, looks like you don't have access to other tenant subscription and hence you are getting that error.

Regards,
Karthik Srinivas

Answer 2

Hello Karthik,

Many thanks for your support.

Normally, we use the "azurerm" provider which currently does not support changing this option. However, the "azapi" provider (which we don't normally use) seems to support it. We tried that one as well as a test and the only difference is that when using the latter, we receive the error message via Terraform not directly on the Azure portal. Hence I don't think it has anything to do with Terraform or how we execute this.

"looks like you don't have access to other tenant subscription and hence you are getting that error"

Assuming that we control both subscription, could you give us a hint how to provide this access/permission via the Azure portal? If we could make it work via the portal, then at least we would know that it's a Terraform issue...

Answer 3

Make sure that the user who is modifying these changes have the permission mentioned here on both subscription: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#permissions

Answer 4

Hi,

user used for provisioning has access to both subscriptions and we tested it also with contributor and even owner role on both subscriptions, results is the same.
Regards to resource, we are using: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_hub_connection, and azure provider config:

provider "azurerm" {
features {}
auxiliary_tenant_ids = ["xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"] # <= tennat_id 2 where vNet to be connected to the vHub is deployed

tenant_id => where vHub is deloyed

subscription_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
tenant_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
client_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
client_secret = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
}

Regards to azapi provider, seems there is not support for auxiliary_tenant_ids, but we can configure more options:

type = "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections@2022-01-01"
name = format("vnet-con-%s", lookup(each.value, "vnet_name", null))
parent_id = var.virtual_wan_hub_id
body = jsonencode({
properties = {
allowHubToRemoteVnetTransit = true
allowRemoteVnetToUseHubVnetGateways = true
enableInternetSecurity = false
remoteVirtualNetwork = {
id = data.azurerm_virtual_network.this[each.key].id
}
routingConfiguration = {
associatedRouteTable = {
id = "string"
}
propagatedRouteTables = {
ids = [
{
id = "string"
}
]
labels = [
"string"
]
}
vnetRoutes = {
staticRoutes = [
{
addressPrefixes = [
"string"
]
name = "string"
nextHopIpAddress = "string"
}
]
}
}
}
})
}