Share via

MultiTenant VNet Peering using (ASO) and Managed Identity

Gupta, Varun 25 Reputation points
2025-01-30T21:19:20.99+00:00

Question:

  1. How can I set up virtual network (VNet) peering between Tenant A and Tenant B using Azure Service Operator (ASO) and ASO using Managed Identity (via workload identity) ?
  2. How can we do vnet link to ER Circuit running on different tenant using Azure Service Operator (ASO) and ASO using Managed Identity (via workload identity) ?

https://azure.github.io/azure-service-operator/guide/authentication/credential-format/#azure-workload-identity

Seemslike:
https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#can-i-use-a-managed-identity-to-access-a-resource-in-a-different-directorytenant

Managed identities don't currently support cross-directory scenarios.

Problem:
The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope '/subscriptions/a2xx32/resourceGroups/rg-A/providers/Microsoft.Network/virtualNetworks/vnet-A/virtualNetworkPeerings/peering-AB', however the current tenant '84xx7c' is not authorized to access linked subscription '2cxx08

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,628 questions
Azure ExpressRoute
Azure ExpressRoute
An Azure service that provides private connections between Azure datacenters and infrastructure, either on premises or in a colocation environment.
411 questions
Microsoft Entra Private Access
Microsoft Entra Private Access
Microsoft Entra Private Access provides secure and deep identity-aware, Zero Trust network access to all private apps and resources.
79 questions
Accepted answer
  1. Sina Salam 17,176 Reputation points
    2025-01-31T14:02:07.1733333+00:00

    Hello Gupta, Varun,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that your request is about Multitenant VNet Peering using (ASO) and Managed Identity.

    Regarding your questions and observations, managed Identity is not suitable for cross-tenant authentication, necessitating the use of an alternative method like workload identity with a federated service principal. ASO authentication with workload identity must be explicitly configured using a service principal from the other tenant. The solution should be scalable and automated, avoiding the manual addition of guest users. Additionally, security considerations, such as key rotation for service principal credentials, must be addressed.

    The below is my best practice steps on how you can set up Cross-Tenant VNet Peering using ASO and workload Identity:

    Step 1: Enable Cross-Tenant Access in Azure AD

    • In Tenant A (VNet A owner):
      • Go to Microsoft Entra ID (Azure AD) > External Identities > Cross-Tenant Access Settings.
      • Add Tenant B and allow inbound/outbound B2B collaboration for necessary permissions.
    • In **Tenant B (VNet B owner):
      • Similarly, allow cross-tenant collaboration with Tenant A.

    Step 2: Create a Service Principal in Tenant A

    • Create a service principal in Tenant A and grant it Microsoft.Network/virtualNetworks/peer/action permission on VNet A.
    • Assign Contributor or Network Contributor roles at the appropriate scope (Subscription, Resource Group, or VNet).

    Step 3: Configure ASO with Workload Identity in Tenant B

    • In Tenant B, use Azure Workload Identity (AKS-managed identity) for ASO authentication.
    • Add federated credentials for ASO-managed identity to assume the service principal from Tenant A.
    • Use ASO Custom Resource Definitions (CRDs) to establish peering.

    Step 4: Deploy ASO Configuration in Tenant B

    Define VNet peering CRDs in ASO YAML to reference the service principal in Tenant A. It should look similar to the below: 

    apiVersion: network.azure.com/v1api20220201
kind: VirtualNetworkPeering
metadata:
  name: peering-ab
spec:
  location: eastus
  owner:
    name: vnet-a
    resourceGroup: rg-A
    subscriptionId: a2xx32
  remoteVirtualNetwork:
    name: vnet-b
    resourceGroup: rg-B
    subscriptionId: 2cxx08
  allowForwardedTraffic: true
  allowVirtualNetworkAccess: true
  allowGatewayTransit: false

    Secondly, about linking a VNet to an ExpressRoute Circuit in a Different Tenant Using ASO, you can follow these steps:

    Step 1: Configure Cross-Tenant Identity Permissions

    • Follow the same Azure AD B2B steps as above to allow authentication between Tenant A (ExpressRoute Owner) and Tenant B (VNet Owner).

    Step 2: Grant Permissions for ExpressRoute Linking**

    • In Tenant A (ExpressRoute Owner):
    • Assign Microsoft.Network/expressRouteCircuits/join/action to the federated service principal in Tenant B.

    Step 3: Configure ASO Workload Identity in Tenant B

    • Use the same ASO-managed identity setup from VNet Peering.

    Step 4: Deploy ASO Configuration for ExpressRoute using YAML similar to the below example:

    apiVersion: network.azure.com/v1api20220201
kind: ExpressRouteCircuitAuthorization
metadata:
  name: er-link
spec:
  location: eastus
  owner:
    name: er-circuit
    resourceGroup: rg-ER
    subscriptionId: a2xx32
  peer:
    name: vnet-b
    resourceGroup: rg-B
    subscriptionId: 2cxx08

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.