VNET Peering with ExpressRoute

Question

Hi, I have some questions.

1. Can I do a VNET peering between Tenants' VNET?
2. I have one Tenant-A with VNET-A which has already an ExpressRoute connection towards my on-premise DC. Then, I also have another Tenant-B with VNET-B and I plan to link them together because my objective is my VNET-B can reach the on-premise DC transiting through VNET-A. With this be possible?

Thank you so much for the help. I am very new in Azure.

Answer 1

Hi @FXE ,

yes, it's possible to create a vNet Peering between different Azure Tenants/Azure Subscriptions.

Please take a look here and you will find the requirements and a detailed description of the required steps: Create a virtual network peering - Resource Manager, different subscriptions and Microsoft Entra tenants

---

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten

Answer 2

Hello FXE,

Thanks for posting your question in the Microsoft Q&A forum.

Yes, you can establish VNet peering between VNets in different Azure tenants, and you can also enable connectivity from VNet-B to your on-premises datacenter through VNet-A.

An ExpressRoute circuit can be shared across multiple VNets, even if those VNets are in different subscriptions or tenants. This is done by creating ExpressRoute authorizations and using them to connect additional VNets to the same circuit

A common architecture is to have a "hub" VNet connected to ExpressRoute, and "spoke" VNets peered to the hub. In this model, spoke VNets can transit through the hub to reach on-premises resources via ExpressRoute

---

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful

Answer 3

Hello FXE

I understand that you're trying to grasp VNet peering and its compatibility with ExpressRoute across different Azure tenants. Here's a breakdown:

Yes, you can create a VNet peering between VNets in different Azure tenants, allowing a connection between Tenant-A's VNet-A and Tenant-B's VNet-B.

Document: Create a virtual network peering - Resource Manager, different subscriptions and Microsoft Entra tenants

You can use your existing ExpressRoute connection. If VNet-A in Tenant-A has an ExpressRoute connection to your on-premises data center, VNet-B in Tenant-B can access that connection by peering with VNet-A, forming a "hub-and-spoke" architecture where VNet-A is the hub.

To set this up, you need to:

• Create a VNet peering between VNet-A and VNet-B.
• Ensure the ExpressRoute setup allows connectivity across both VNets, which may involve sharing the circuit through ExpressRoute authorizations.

To separate the duty of managing the network belonging to each tenant, add the user from each tenant as a guest in the opposite tenant and assign them the Network Contributor role to the virtual network. This procedure applies if the virtual networks are in different subscriptions and Active Directory tenants.

To establish a network peering when you don't intend to separate the duty of managing the network belonging to each tenant, add the user from tenant A as a guest in the opposite tenant. Then, assign them the Network Contributor role to initiate and connect the network peering from each subscription. With these permissions, the user is able to establish the network peering from each subscription.

Each user must accept the guest user invitation from the opposite Microsoft Entra tenant.

Check the below public document: https://learn.microsoft.com/en-us/entra/external-id/add-users-administrator?toc=%2Fazure%2Fvirtual-network%2Ftoc.json#add-guest-users-to-the-directory

---

Hope the above answer helps! Please let us know do you have any further queries. Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.