![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 6%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAE%3C/text%3E%3C/svg%3E)
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,776 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 38%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
One way to enable communication between Subscription Z (spoke) and Subscription X (in the third-party tenant A) is to leverage a hub-and-spoke network topology with Azure Firewall acting as the central traffic inspection point in the hub.
- Set up VNet Peering between Hub (Sub Y) and Spoke (Sub Z)
- Peer the hub VNet in Subscription Y (Tenant B) with the spoke VNet in Subscription Z (Tenant B).
- Ensure proper route propagation by configuring the spoke’s route tables to point to the hub's Azure Firewall (via a User Defined Route or UDR).
- Allow all necessary traffic from spoke to hub through the firewall rules.
- Set up VNet Peering between Hub (Sub Y) and Third-Party VNet (Sub X)
- Create VNet peering between the hub VNet (Sub Y in Tenant B) and the VNet in the third-party tenant (Sub X in Tenant A).
- This will allow traffic to flow between the two VNets. Ensure the correct permissions are granted, such as the "Network Contributor" role on the VNets being peered.
- On Tenant A’s side, configure the necessary route tables and ensure they allow traffic to the hub network in Sub Y.
- Configure User Defined Routes (UDR) for Cross-Communication
- In the spoke VNet (Sub Z), add UDRs with the next hop set to the Azure Firewall in the hub VNet.
- In the third-party VNet (Sub X), add UDRs directing traffic to the hub VNet (Sub Y), also with the next hop being the Azure Firewall.
- Enable Azure Firewall to Route Traffic Between VNets
- Since the Azure Firewall supports traffic inspection and forwarding between peered VNets, configure network rules and NAT rules to allow and route traffic between Sub X (tenant A) and Sub Z (tenant B).
- For example, create firewall policies that allow:
- Sub X ↔ Sub Z traffic.
- Sub Z ↔ Hub VNet communication.
Note that this is just one way to accomplish your objective. In general, this should work with any other method that can be used to provide transitivity between two non-directly peered VNets in a single-tenant scenario, including:
- Azure VPN Gateway
- You can set up a VPN Gateway in the hub network to enable communication between on-premises networks or VNets across different tenants.
- VNet-to-VNet (V2V) connections can be used between:
- Sub X (Tenant A) <-> Hub (Tenant B)
- Hub (Tenant B) <-> Spoke (Sub Z)
- All traffic will flow through the hub, using VPN Gateway as the transit point.
- Azure Route Server
- Azure Route Server allows you to dynamically exchange routes between the hub VNet and connected VNets or network appliances.
- This method works if you have network virtual appliances (NVAs) (such as routers or firewalls) deployed in the hub, allowing automatic route exchange to facilitate transitivity.
- Example: You can connect Tenant A’s VNet to the hub, and the Route Server will manage routing to other connected VNets (like Sub Z).
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin