question

0 Votes
eg1995-5273 asked GitaraniSharmaMSFT-4262 edited

ExpressRoute with 2 VNets

Dears,

I have an on-premises datacenter and some IaaS VMs in one Azure tenant. ExpressRoute is configured between these 2 locations.

I have a second Azure AD tenant and it has some separate resources.

My scenario would be to allow users from the on-premises branch to connect to this second tenant using the ExpressRoute deployed on the first tenant.
From my findings, it is feasible to at least start and configure peering between 2 different Azure AD tenants.

However, the only concern now would be on how to use the ExpressRoute circuit to allow the traffic to pass from my on-premises branch to my second tenant by passing on the first tenant.

Any ideas would be very helpful.

Thank you.

azure-virtual-network azure-expressroute

0 Votes
sbairu answered sbairu edited


0 Votes
GitaraniSharmaMSFT-4262 answered GitaraniSharmaMSFT-4262 edited

Hello @eg1995-5273 ,

Apologies for the delay in response.

If you want to access 2 Vnets from your on-premises via a single ExpressRoute circuit, you have the below available options:

1) Configure a Vnet peering between the Hub Vnet (where the ExR gateway is deployed) & the spoke Vnet (2nd Vnet that you would like to access).
Refer: https://docs.microsoft.com/en-us/azure/virtual-network/create-peering-different-subscriptions
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli#virtual-network-peering

In this option, the 2nd Vnet will make use of the ExR gateway deployed in the Hub Vnet and hence your traffic will NOT bypass the first tenant Vnet.

2) Connect the 2nd Vnet directly to the ExpressRoute circuit by deploying an ExR gateway and using circuit authorization from the existing ExR circuit.
Refer: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-linkvnet-portal-resource-manager#connect-a-vnet-to-a-circuit---different-subscription

In this option, the traffic will bypass the first tenant Vnet since the 2nd Vnet will have its own ExR gateway which will connect directly to the ExR circuit and hence will have its own traffic route.

3) Enroll in ExpressRoute FastPath and virtual network peering feature (preview).
NOTE: We do not advise enabling this preview feature in production subscriptions.
Refer: https://docs.microsoft.com/en-us/azure/expressroute/about-fastpath#public-preview
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-linkvnet-arm#enroll-in-expressroute-fastpath-features-preview

With FastPath and virtual network peering, you can enable ExpressRoute connectivity directly to any VM deployed in a virtual network peered to the one connected to ExpressRoute, bypassing the ExpressRoute virtual network gateway.

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
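
Option 2 above (circuit authorization redeemed from a second tenant), sketched in Azure PowerShell as an added example that is not part of the original answer or Microsoft's own script. Every tenant ID, subscription ID, resource group and resource name is a placeholder, and it assumes the Az module is installed and an ExpressRoute gateway already exists in the second VNet.

```powershell
# Added example: all names and IDs below are placeholders (assumptions).
$ownerTenant = '<tenant-1-id>'; $ownerSub = '<subscription-1-id>'
$userTenant  = '<tenant-2-id>'; $userSub  = '<subscription-2-id>'

# 1. Circuit owner (first tenant): issue one named authorization per consumer,
#    so each can be audited and revoked independently.
Connect-AzAccount -Tenant $ownerTenant -Subscription $ownerSub
$circuit = Get-AzExpressRouteCircuit -Name 'MyCircuit' -ResourceGroupName 'HubRG'
Add-AzExpressRouteCircuitAuthorization -ExpressRouteCircuit $circuit -Name 'tenant2-spoke'
Set-AzExpressRouteCircuit -ExpressRouteCircuit $circuit   # persists the new authorization

$circuit = Get-AzExpressRouteCircuit -Name 'MyCircuit' -ResourceGroupName 'HubRG'
$auth    = Get-AzExpressRouteCircuitAuthorization -ExpressRouteCircuit $circuit -Name 'tenant2-spoke'
$peerId  = $circuit.Id               # circuit resource ID the second tenant links to
$authKey = $auth.AuthorizationKey    # a secret: share it out of band, not in tickets or chat

# 2. Circuit user (second tenant): redeem the key on the VNet's own ExR gateway.
Connect-AzAccount -Tenant $userTenant -Subscription $userSub
$gw = Get-AzVirtualNetworkGateway -Name 'SpokeErGw' -ResourceGroupName 'SpokeRG'
New-AzVirtualNetworkGatewayConnection -Name 'SpokeToCircuit' -ResourceGroupName 'SpokeRG' `
    -Location $gw.Location -VirtualNetworkGateway1 $gw -PeerId $peerId `
    -ConnectionType ExpressRoute -AuthorizationKey $authKey

# 3. Circuit owner: audit which authorizations exist and whether they were redeemed.
Connect-AzAccount -Tenant $ownerTenant -Subscription $ownerSub
$circuit = Get-AzExpressRouteCircuit -Name 'MyCircuit' -ResourceGroupName 'HubRG'
$circuit.Authorizations | Select-Object Name, AuthorizationUseStatus

# 4. Circuit owner: revoke when the second tenant should lose access.
#    Left commented out because removing the authorization drops the connection made with it.
# Remove-AzExpressRouteCircuitAuthorization -Name 'tenant2-spoke' -ExpressRouteCircuit $circuit
# Set-AzExpressRouteCircuit -ExpressRouteCircuit $circuit
```

An authorization that still shows as unused in step 3 is an unredeemed key that anyone holding it could use to attach a gateway to the circuit, so remove authorizations that were issued but never needed.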
