express route with 2 vnets

Question

dears,

i have an on premises datacenter and some iaas vms in one azure tenant. Express route is configured between these 2 locations.

i have a second azure ad tenant and it has some separate resources.

my scenario would be to allow users from the onpremises branch to connect to this second tenant using the express route deployed on the first tenant.
from my findings, it is feasible to at least start and configure peering between 2 different azure ad tenants.

however, the only concern now would be on how to use the expressroute circuit to allow the traffic to pass from my onpremises branch to my second tenant by passing on the first tenant

any ideas would be very helpful

thank you

Answer 1

Hi @eg1995 ,

I would suggest to use Express route Authorization across different tenants. Check the below links for more info

https://learn.microsoft.com/en-us/azure/expressroute/expressroute-faqs#i-have-multiple-azure-subscriptions-associated-to-different-azure-active-directory-tenants-or-enterprise-agreement-enrollments-can-i-connect-virtual-networks-that-are-in-separate-tenants-and-enrollments-to-a-single-expressroute-circuit-not-in-the-same-tenant-or-enrollment

https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-linkvnet-arm

If there are any constraints then follow the peering config described in the below article
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit?toc=/azure/virtual-network/toc.json#to-add-a-peering-and-enable-transit

Sorce from my Azure Watt group

Please "Accept as answer" wherever the information provided helps you to help others in the community.
Thanks & Regards,
Sarat

Answer 2

Hello @eg1995 ,

Apologies for the delay in response.

If you want to access 2 Vnets from your on-premises via a single ExpressRoute circuit, you have the below available options:

1) Configure a Vnet peering between the Hub Vnet (where the ExR gateway is deployed) & the spoke Vnet (2nd Vnet that you would like to access).
Refer : https://learn.microsoft.com/en-us/azure/virtual-network/create-peering-different-subscriptions
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli#virtual-network-peering

In this option, the 2nd Vnet will make use of the ExR gateway deployed in the Hub Vnet and hence your traffic will NOT bypass the first tenant Vnet.

2) Connect the 2nd Vnet directly to the ExpressRoute circuit by deploying an ExR gateway and using circuit authorization from the existing ExR circuit.
Refer : https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-linkvnet-portal-resource-manager#connect-a-vnet-to-a-circuit---different-subscription

In this option, the traffic will bypass the first tenant Vnet since the 2nd Vnet will have it's own ExR gateway which will connect directly to the ExR circuit and hence will have it's own traffic route.

3) Enroll in ExpressRoute FastPath and virtual network peering feature (preview).
NOTE : We do not advise enabling this preview feature in production subscriptions.

Refer : https://learn.microsoft.com/en-us/azure/expressroute/about-fastpath#public-preview
https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-linkvnet-arm#enroll-in-expressroute-fastpath-features-preview

With FastPath and virtual network peering, you can enable ExpressRoute connectivity directly to any VM deployed in a virtual network peered to the one connected to ExpressRoute, bypassing the ExpressRoute virtual network gateway.

Kindly let us know if the above helps or you need further assistance on this issue.

---

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.