I need to create independent groups of 2-3 VMs. In each group there must be a network with a fixed, private CIDR (e.g. 192.168.1.0/24), which is used for inter-VM communication. The important thing is that the CIDR cannot be changed and needs to be the same in each of the VM groups.
In order to achieve that, I created a dedicated VNet for every VM group which contains the mentioned subnet. Everything works fine as long as it runs in isolation. Now, I have a separate, private VNet that must be accessible by the VM groups as well, as it contains some shared services. However, due to the overlapping network address ranges of the VM group VNets I cannot peer more than one group VNet with the shared services VNet, as I would usually do in a hub-spoke topology.
On other cloud platforms (VMware, OpenStack) this setup is not problematic as, for instance, I can connect each VM to multiple networks (as in VNet) at the same time. Unfortunately, from my understanding this cannot be done in Azure, as each VM can only be connected to multiple networks as long as those belong to the same VNet (please correct me if I'm wrong about that).
What other options do I have to connect the VMs to the shared services? The traffic must be internal (no routing through public networks) and, due to the expected number of VM groups (100+), I aim for a lightweight solution (establishing a VPN for each VM group seems to introduce a lot of overhead in terms of complexity and possibly reduced network performance).
A NAT-based solution would do, but it seemed to me that NAT gateways only work with public IP addresses.
I really hope I'm just overlooking a simple approach here, but right now I am stuck with the virtual networking restrictions in Azure.
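The following is an added example, not code from the original post, that puts the address-space conflict described above into a check you can run before planning peerings. The topology (one shared-services VNet at 10.100.0.0/16 plus three VM-group VNets that all reuse 192.168.1.0/24) is constructed for illustration. It relies on one documented Azure rule, that two VNets with overlapping address spaces cannot be peered, and on one assumption used as a model: that each peering makes the peer's address space a route in the hub, so a prefix that two spokes both advertise leaves the hub without an unambiguous next hop.

```python
from collections import defaultdict
from ipaddress import ip_network
from itertools import combinations

# Constructed sample topology (not from the original post): one shared-services
# VNet and three VM-group VNets that all reuse the fixed 192.168.1.0/24 range.
VNETS = {
    "shared-services": ["10.100.0.0/16"],
    "group-1": ["192.168.1.0/24"],
    "group-2": ["192.168.1.0/24"],
    "group-3": ["192.168.1.0/24"],
}


def _prefixes(vnets, name):
    """Parse the address space of one VNet into ip_network objects."""
    return [ip_network(p, strict=True) for p in vnets[name]]


def address_spaces_overlap(vnets, a, b):
    """True if any prefix of VNet a overlaps any prefix of VNet b."""
    return any(
        pa.overlaps(pb)
        for pa in _prefixes(vnets, a)
        for pb in _prefixes(vnets, b)
    )


def overlapping_pairs(vnets):
    """Every pair of VNets whose address spaces overlap.

    Azure refuses to peer two VNets with overlapping address spaces, so no
    pair returned here can be peered directly with each other.
    """
    return sorted(
        (a, b)
        for a, b in combinations(sorted(vnets), 2)
        if address_spaces_overlap(vnets, a, b)
    )


def hub_peering_report(vnets, hub, spokes):
    """Check a hub-and-spoke peering plan.

    direct_overlap:     spokes whose address space overlaps the hub itself;
                        Azure rejects those peerings outright.
    duplicate_prefixes: prefixes that more than one spoke would bring into the
                        hub. Assumption used as a model: each peering makes the
                        peer's address space a route in the hub, so a prefix
                        reachable via two spokes has no unambiguous next hop.
    """
    direct_overlap = [s for s in spokes if address_spaces_overlap(vnets, hub, s)]
    seen = defaultdict(list)
    for s in spokes:
        for p in _prefixes(vnets, s):
            seen[str(p)].append(s)
    duplicate_prefixes = {p: names for p, names in seen.items() if len(names) > 1}
    return {"direct_overlap": direct_overlap, "duplicate_prefixes": duplicate_prefixes}


if __name__ == "__main__":
    spokes = ["group-1", "group-2", "group-3"]
    print("pairs that cannot be peered:", overlapping_pairs(VNETS))
    print("hub plan:", hub_peering_report(VNETS, "shared-services", spokes))
```

For the constructed topology the hub does not overlap any single group VNet, so each individual peering would be accepted, but the report flags 192.168.1.0/24 as a prefix that all three spokes would inject into the shared-services VNet, which is exactly the conflict that makes plain hub-spoke peering unusable here; the same check passes as soon as the spokes carry distinct ranges.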