
Is virtual network peering across azure tenants possible?

I'm trying to use the new Azure Virtual Network public preview of the peering feature to join two networks I have on two different subscriptions, i.e. different tenants. Is this possible? I've not seen anything to say otherwise, but when I try to peer them in PowerShell I get the following error.

The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope '/subscriptions/{Guid2}/resourceGroups/Default-Sydney/providers/Microsoft.Network/virtualNetworks/SYDVN/virtualNetworkPeerings/LinkToSYDVN', however the linked subscription '{Guid1}' is not in current tenant '{Guid3}'.

Full error and command

PS C:\Windows\system32> Add-AzureRmVirtualNetworkPeering -name LinkToSYDVN -VirtualNetwork $SYDVN -RemoteVirtualNetworkId "/subscriptions/{Guid1}/resourceGroups/Default-Sydney/providers/Microsoft.Network/virtualNetworks/SYDVN1" -BlockVirtualNetworkAccess
WARNING: The output object type of this cmdlet will be modified in a future release.
Add-AzureRmVirtualNetworkPeering : The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope '/subscriptions/{Guid2}/resourceGroups/Default-Sydney/providers/Microsoft.Network/virtualNetworks/SYDVN/virtualNetworkPeerings/LinkToSYDVN', however the linked subscription '{Guid1}' is not in current tenant '{Guid3}'.
StatusCode: 403
ReasonPhrase: Forbidden
OperationID : '{Guid4}'
At line:1 char:1
+ Add-AzureRmVirtualNetworkPeering -name LinkToSYDVN -VirtualNetwork $S ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Add-AzureRmVirtualNetworkPeering], NetworkCloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Network.AddAzureVirtualNetworkPeeringCommand

Any help will be much appreciated.

UPDATE

From a MS tech Loydon

"VNet peering relies on ARM RBAC for authorization. However, ARM RBAC does not support cross tenant linked access checks. So both subscriptions must belong to the same Azure Active Directory tenant. Therefore currently VNet peering is limited to customer's subscriptions in the same Azure Active Directory domain. This gives them the same Tenant stamp which allows the peering to occur. We offer no support for linking VNETs across subscriptions in different AAD tenants."

https://social.msdn.microsoft.com/Forums/en-US/824aaf76-71df-4235-9190-5816976dbd30/is-virtual-network-peering-across-azure-tenants-possible?forum=WAVirtualMachinesVirtualNetwork

This is now supported; from the Azure virtual network peering documentation, requirements section:

The virtual networks can be in the same, or different subscriptions. When you peer virtual networks in different subscriptions, both subscriptions can be associated to the same or different Azure Active Directory tenant.

You cannot use the portal.

We have enabled this. VNet Peering and Global VNet Peering is supported across Azure active directory tenants.

https://docs.microsoft.com/en-us/azure/virtual-network/create-peering-different-subscriptions#portal

https://azure.microsoft.com/en-us/updates/cross-aad-vnet-peering/

VNet peering across different tenants is now supported: https://azure.microsoft.com/en-us/updates/cross-aad-vnet-peering/

-- Anavi [MSFT]
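Worked example of the procedure the two answers above point at (cross-tenant peering, driven from PowerShell rather than the portal). This is an added example, not code from the question or from either answer. It uses the current Az module instead of the legacy AzureRm cmdlet in the question. Every tenant ID, subscription ID, resource group, VNet name, role name and guest UPN below is a placeholder reusing the question's names ({Guid1}, {Guid2}, {Guid3}, Default-Sydney, SYDVN, SYDVN1) or invented for illustration; {Guid-TenantB} is assumed for the second tenant. The one fact the page itself establishes is the permission the peering check evaluates, 'Microsoft.Network/virtualNetworks/peer/action', which is why the grant step builds a custom role around it instead of handing out Network Contributor.

```powershell
# Added example (not from the original post). Cross-tenant VNet peering with Az PowerShell.
# Placeholders (assumptions): tenant A = {Guid3} owns subscription {Guid2} / RG Default-Sydney / VNet SYDVN;
# tenant B = {Guid-TenantB} owns subscription {Guid1} / RG Default-Sydney / VNet SYDVN1.
# Prerequisite: each side's operator has been invited as a guest (B2B) into the other tenant.
$tenantA = '{Guid3}';        $subA = '{Guid2}'; $rgA = 'Default-Sydney'; $vnetNameA = 'SYDVN'
$tenantB = '{Guid-TenantB}'; $subB = '{Guid1}'; $rgB = 'Default-Sydney'; $vnetNameB = 'SYDVN1'

# ---- Step 1 (tenant B admin): least-privilege grant on the remote VNet ----
# Network Contributor is enough but broad. The 403 in the question names the exact action the
# peering authorization checks, so a custom role carrying only read + peer/action, assignable
# only inside subscription B and assigned only on VNet B, is the tighter choice.
Connect-AzAccount -TenantId $tenantB
Set-AzContext -Subscription $subB
$vnetB = Get-AzVirtualNetwork -Name $vnetNameB -ResourceGroupName $rgB

$role = Get-AzRoleDefinition -Name 'Reader'   # used only as a template object to clone
$role.Id = $null
$role.Name = 'VNet Peer Only (custom)'        # assumed role name
$role.Description = 'Read one VNet and create a peering to it; nothing else.'
$role.Actions.Clear()
$role.Actions.Add('Microsoft.Network/virtualNetworks/read')
$role.Actions.Add('Microsoft.Network/virtualNetworks/peer/action')
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subB")
New-AzRoleDefinition -Role $role

# Assumed UPN of the tenant-A operator as a guest in tenant B (B2B external-user format).
$guestFromA = 'operator_tenanta.example.com#EXT#@tenantb.onmicrosoft.com'
New-AzRoleAssignment -SignInName $guestFromA -RoleDefinitionName $role.Name -Scope $vnetB.Id
# Tenant A's admin does the mirror image: same custom role in subscription A, assigned on
# VNet A to the tenant-B operator's guest account. Omitted here; identical with A/B swapped.

# ---- Step 2 (tenant A operator): sign in to BOTH tenants in one session, then peer A -> B ----
# The second sign-in is what the question's session lacked: ARM needs a token for the tenant
# that owns the remote subscription, otherwise it answers "linked subscription ... is not in
# current tenant".
Connect-AzAccount -TenantId $tenantA
Connect-AzAccount -TenantId $tenantB
Set-AzContext -Subscription $subA
$vnetA     = Get-AzVirtualNetwork -Name $vnetNameA -ResourceGroupName $rgA
$remoteIdB = "/subscriptions/$subB/resourceGroups/$rgB/providers/Microsoft.Network/virtualNetworks/$vnetNameB"
Add-AzVirtualNetworkPeering -Name 'LinkToSYDVN1' -VirtualNetwork $vnetA -RemoteVirtualNetworkId $remoteIdB

# ---- Step 3 (tenant B operator, own session): sign in to both tenants, then peer B -> A ----
Connect-AzAccount -TenantId $tenantB
Connect-AzAccount -TenantId $tenantA
Set-AzContext -Subscription $subB
$vnetB     = Get-AzVirtualNetwork -Name $vnetNameB -ResourceGroupName $rgB
$remoteIdA = "/subscriptions/$subA/resourceGroups/$rgA/providers/Microsoft.Network/virtualNetworks/$vnetNameA"
Add-AzVirtualNetworkPeering -Name 'LinkToSYDVN' -VirtualNetwork $vnetB -RemoteVirtualNetworkId $remoteIdA

# ---- Step 4: verify from either side. After one side only: 'Initiated'. After both: 'Connected'. ----
Set-AzContext -Subscription $subB
(Get-AzVirtualNetworkPeering -VirtualNetworkName $vnetNameB -ResourceGroupName $rgB -Name 'LinkToSYDVN').PeeringState
```

If a peering stays in 'Initiated', the other side's link has not been created yet (or was created against a different remote resource ID); if the 403 from the question comes back, the session is missing the Connect-AzAccount for the remote tenant, or the guest account was not granted peer/action on the remote VNet. The grant on the remote VNet is the only permission each side needs in the foreign tenant; nothing in this procedure requires Owner or subscription-wide roles there.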

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
