Cross Tenant Network integration over Azure VWAN in same Azure region

Gopinath Rethinam 20

I have Two azure tenants in same azure region. In both the tenants I have a dedicated Azure VWAN with one hub in it. I am trying to connect this two hubs across tenant so resources under both hub's spoke can talk to each other. We found that Azure Virtual WAN doesn’t support direct cross tenant integration, in that case we are looking for a right solution to achieve this integration. Below are the options we are thinking, kindly give a detailed guidance to enable one of these solutions.

Option A(Preferred) : VM-A have to connect with VM-B over direct VWAN integration across tenant.

User's image

Option B: VM-A have to connect with VM-B over direct VWAN integration across tenant through VPN.

User's image

Option C: VM-A have to connect with VM-B using Cross tenant VWAN-to-Vnet integration, where we need clarity on routing requirements.

User's image

Sai Prasanna Sinde 2,680 Reputation points Microsoft Vendor

2024-11-18T07:45:08.36+00:00
Hi @Gopinath Rethinam,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.Option A: This is not supported.

Option B: VM-A have to connect with VM-B over direct VWAN integration across tenant through VPN. This is possible.

You can connect vHub in VWAN A to vHub in VWAN B using VPN gateway of the Virtual Hubs.

Please refer to this document for detailed explanation: https://learn.microsoft.com/en-us/azure/virtual-wan/connect-virtual-network-gateway-vwan

Option C: This is not supported but could you proceed with setting up the cross-tenant VNet peering? It should be feasible to accomplish.

Reference: https://learn.microsoft.com/en-us/azure/virtual-network/create-peering-different-subscriptions?tabs=create-peering-portal#cli

We recommend opting for option B because introducing multiple scopes or a multi-hub architecture can lead to confusion.

Kindly let us know if the above helps or you need further assistance on this issue.

Thanks,

Sai.
Gopinath Rethinam 20 Reputation points

2024-11-18T09:05:57.89+00:00

Hi @Sai Prasanna Sinde , If Option B is possible, I have few more query regarding the details you shared for Option B.

Which configuration do I need to refer instead of Configure VPN Gateway virtual network gateway as I have VWAN on both side? I am trying to connect VWAN over VPN not Vnet.

What will be the provider name, Private Address Space?, as both target and destination are Azure VWAN not any On Prem?
Sai Prasanna Sinde 2,680 Reputation points Microsoft Vendor

2024-11-19T10:28:15.3766667+00:00
Hi @Gopinath Rethinam,

Greetings!

Unfortunately, we do not have any additional documents for Cross-tenant network integration over Azure vWAN beyond the ones attached above. But to achieve this, please use the VPN gateway and execute the following commands with Azure CLI.

Virtual WAN supports VPN connectivity, allowing each Virtual WAN to function as a VPN site for one another.

If you have any previously configured Site to Site VPN and it will have a public IP address of your gateways and that is what you would use when defining the VPN sites. If you didn't configure any VPN, just configure a bogus destination IP in the first site, you will be able to change it later.

In Virtual WAN 1 you would define a VPN site to connect to hub2 in Virtual WAN 2 by using AZ CLI:

az network vpn-site create -n hub2-0 -g $rg -l $location1 --virtual-wan $vwan1 --ip-address $hub2_gw0_pip --address-prefixes $location2_summary --device-vendor microsoft --device-model vhub --link-speed 100

After having the site, you now connect it to the gateway:

az network vpn-gateway connection create -n hub2-0 --gateway-name hubvpn1 -g $rg --remote-vpn-site hub2-0 --enable-bgp false --protocol-type IKEv2 --shared-key "$password" --connection-bandwidth 100 --routing-weight 10 --internet-security true

And for the other direction (vwan2 to vwan1), the opposite commands:

az network vpn-site create -n hub1-0 -g $rg -l $location2 --virtual-wan $vwan2 --ip-address $hub1_gw0_pip --address-prefixes $location1_summary --device-vendor microsoft --device-model vhub --link-speed 100 az network vpn-gateway connection create -n hub1-0 --gateway-name hubvpn2 -g $rg --remote-vpn-site hub1-0 --enable-bgp false --protocol-type IKEv2 --shared-key "$password" --connection-bandwidth 100 --routing-weight 10 --internet-security true

We need to disable the BGP in the VPN connection as there is an existing limitation in Virtual WAN, you cannot change the ASN to anything other than 65,515. If you try to create a virtual Hub with some other ASN you will get an error message.

Please try the above CLI commands and try to establish the connection between vWANs.

Kindly let us know if the above helps or you need further assistance on this issue.

Regards,

Sai Prasanna.
Sai Prasanna Sinde 2,680 Reputation points Microsoft Vendor

2024-11-20T08:59:44.7133333+00:00

Hi @Gopinath Rethinam,

Hope you are having a great day.

Just checking in to see if you have got a chance to see my response to your question in resolving the issue.

If you are still facing any further issues, please let us know. We are happy to assist you.

Regards,

Sai.
Sai Prasanna Sinde 2,680 Reputation points Microsoft Vendor

2024-11-21T08:55:36.64+00:00

Hi @Gopinath Rethinam,

Greetings!

Just checking in to see if you have got a chance to see my response to your question in resolving the issue.

If you are still facing any further issues, please let us know. We are happy to assist you.

Regards,

Sai.
Gopinath Rethinam 20 Reputation points

2024-11-21T09:11:56.57+00:00

Hi @Sai Prasanna Sinde , I am working with both parties who mange their respective tenants, to do these changes ,hope this issue will be fixed. Will get back to you soon. Thanks for the support.

retards,

Gopi
Sai Prasanna Sinde 2,680 Reputation points Microsoft Vendor

2024-11-25T02:37:28.0433333+00:00

Hi @Gopinath Rethinam,

Greetings!

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know in the comments below.

Thanks,

Sai Prasanna.
Gopinath Rethinam 20 Reputation points

2024-11-25T09:13:24.39+00:00

Hi @Sai Prasanna Sinde ,

Thanks for all the support, below is the solution created by @erjosito , which is working perfectly fine. As of now I have implemented Option B based on below link and I hope soon MS implement Option A as it is a better solution.

https://blog.cloudtrooper.net/author/erjosito/
https://github.com/erjosito/azcli/blob/master/vwan2vwan.azcli

regards,

Gopi

Accepted answer

Sai Prasanna Sinde 2,680 Reputation points Microsoft Vendor

2024-11-25T09:22:15.8933333+00:00

Hi @Gopinath Rethinam,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.

Issue: Cross Tenant Network integration over Azure VWAN in same Azure region

Solution: Below is the solution created by @erjosito , which is working perfectly fine. As of now I have implemented Option B based on below link and I hope soon MS implement Option A as it is a better solution.

https://github.com/erjosito/azcli/blob/master/vwan2vwan.azcli

For Option A,

If you wish, you may also leave your feedback in the below forum requesting this feature. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure. https://feedback.azure.com/d365community/forum/8ae9bf04-8326-ec11-b6e6-000d3a4f0789

If you have any other questions or are still running into more issues, please let us know. Thank you again for your time and patience throughout this issue.

Please remember to "Accept Answer" to close this thread, so that others in the community facing similar issues can easily find the solution.

Thanks,

Sai Prasanna.
Please sign in to rate this answer.
Sai Prasanna Sinde 2,680 Reputation points Microsoft Vendor

2024-11-26T00:53:39.8566667+00:00

Hi @Gopinath Rethinam,

Greetings!

Please click "Accept Answer" to close this thread, so that others in the community facing similar issues can easily find the solution.

Kindly let us know in the comments below if you have any other queries.

Thanks,

Sai.

Sai Prasanna Sinde 2,680 Reputation points Microsoft Vendor

2024-11-27T06:27:53.1633333+00:00

Hi @Gopinath Rethinam,

Hope you are having a great day!

Please click "Accept Answer" to close this thread, so that others in the community facing similar issues can easily find the solution.

Kindly let us know in the comments below if you have any other queries.

Thanks,

Sai.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

1 additional answer

Silvia Wibowo 4,256 Reputation points Microsoft Employee

2024-11-18T05:19:05.0533333+00:00
hi @Gopinath Rethinam , I understand that you have a requirement to connect 2 VWANs from different tenant.

Option A is not supported.

Option B can work.

Option C is not supported. One vnet can only peer to one Virtual Hub. If your vnet in Tenant B connects to Virtual Hub (Tenant A), it can't connect to Virtual Hub (Tenant B).

I'd suggest investigate further of your current landscape:

Which vnet in Tenant B need to communicate to which vnet in Tenant A?

Is it better to do VPN for cross-tenant VWAN communication, or migrate specific vnets from Tenant B to Tenant A (or vice versa)?

Can Azure Private Link (Extend to your own services) help?

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Cross Tenant Network integration over Azure VWAN in same Azure region

1 additional answer

Your answer