Today I received a question if it was possible to do a cross subscription peering… with one big catch; that it was between the subscription of a service provider and their customer(s). So let’s see what is possible?
Update : Oct 2018
At Ignite 2018 it was announced that peering will also be able to work cross tenants.
Public Preview Announcement
When we take a look at the announcement, we see the following statement ;
Note that you can peer virtual networks that exist in two different subscriptions as long as a privileged user of both subscriptions authorizes the peering and the subscriptions are associated with the same Active Directory tenant.
Now the from this we can already see that it is possible to doe cross subscription peering. As a requirement, we need a user that is authorized on both subscriptions AND that the subscriptions are associated with the same AAD tenant.
The latter caused a bit of confusion on the requestor part, where the statement was made if a B2B invite would solve this issue. The answer to this is “no”. The B2B invite lies on the authorized user part, and is not related to the tenant of the subscription!
Let’s try it out?!?
Let’s play “doubting thomas” and try it out. 😉 We’ll kick off by creating three virtual networks ;
- VNET001-TA-S1 : linked to tenant “A” & subscription “1”
- VNET02-TA-S2 : linked to tenant “A” & subscription “2”
- VNET003-TB-S3 : linked to tenant “B” & subscription “3”
Now that this has been set up… Let’s start of in tenant “A” ;
And let’s create a peerings from VNET001-TA-S1 ;
First we’ll try peering to the same tenant (“A”) ;
To make it a bit more challenging, we’ll be working with the resource IDs. How to find those? The easiest thing is to browse to “resources.azure.com” and locate the resource ;
Now that we’ve find the resource ID, let’s use it ;
Wait for it…
That went smooth! Now let’s do the same for VNET003-TB-S3. So we’ll locate the resource ID ;
And add it, just like we did before ;
And now we are greeted with an error message stating that this is not possible!
Peerings is possible between subscriptions that are linked to the same AAD tenant. Yet again this stresses the importance of a sound identity management strategy. Though does this mean that you can’t link the VNETS? Nope, you can still link them! Though you’ll be needing a VPN or ExpressRoute connection to achieve this. But who knows… Cloud evolved fast! It might change in the (distant) future. 😉