Tenants Peering

immm 20 Reputation points
2025-01-27T10:56:25.7566667+00:00

Hello,

I would like to ask several questions regarding Tenants Peering:

Is it possible to create peering between Tenant A and Tenant B if they have the same IP addresses?
Tenant A has a VNet with 10.0.0.0/16 and Tenant B also has a VNet with 10.0.0.0/16. We can't change the IP address range. If yes, which solution should I use? Azure Firewall, a BGP gateway, or something else?

Will it be possible to add some temporary routes in an Azure route table, for example for the 10.0.1.0/24 subnet of this big 10.0.0.0/16 network, from Tenant A to Tenant B?


2 answers

  1. Praveen Bandaru 425 Reputation points Microsoft Vendor
    2025-01-29T01:08:49.89+00:00

    Hello immm

    Greetings!

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    Yes, it is possible with a VPN gateway. Kindly check the information below:

    To connect these two VNets with overlapping IP addresses, consider the following alternatives:

    a. Azure Firewall or Network Virtual Appliance (NVA)

    • Azure Firewall: Deploy an Azure Firewall in one of the VNets (e.g., Tenant A) and configure it to route traffic to the other VNet (Tenant B). The Azure Firewall can handle overlapping IP addresses using NAT (Network Address Translation) to translate the IP addresses of the traffic.
    • Network Virtual Appliance (NVA): Similar to Azure Firewall, a third-party NVA that supports NAT can be used to manage traffic between the two VNets, allowing you to route traffic while avoiding IP address conflicts.

    b. VPN Gateway with BGP

    • Site-to-Site VPN: Establish a Site-to-Site VPN connection between the two VNets using VPN Gateways. This can involve using BGP (Border Gateway Protocol) to manage routing. However, challenges with overlapping IP addresses may persist, requiring NAT implementation on one side to avoid conflicts.

    c. Routing with Hub-and-Spoke Architecture

    • You can add a route to a specific host with a /32 mask in the route table of the VNet in Tenant A. For instance, if there is a host at 10.0.0.1 in Tenant A, you can create a route directing traffic for 10.0.0.1/32 to the VPN Gateway connecting to Tenant B.
    • Note that if Tenant A and Tenant B have overlapping address spaces (e.g., both using 10.0.0.0/24), NAT (Network Address Translation) on the VPN Gateway or a Network Virtual Appliance (NVA) is necessary to avoid routing conflicts.

    d. Default Route (0.0.0.0/0)

    Providing Internet Access:

    • You can add a default route (0.0.0.0/0) in the route table of Tenant A pointing to the VPN Gateway connected to Tenant B. This allows servers in Tenant A to route internet-bound traffic through Tenant B.
    • Ensure that Tenant B has the necessary configurations for outbound internet access (e.g., through a NAT Gateway or Azure Firewall).

    Azure Private Link does not support routing traffic between overlapping IP address spaces directly. Here’s an explanation of how Azure Private Link operates and its implications for your scenario:

    Azure Private Link Overview

    • Azure Private Link enables access to Azure services (such as Azure Storage, Azure SQL Database, etc.) via a private endpoint in your virtual network, ensuring that the traffic between your VNet and the Azure service stays on the Microsoft backbone network, rather than the public internet.
    • Private Link is mainly intended for secure and private access to Azure services, not for routing traffic between VNets with overlapping address spaces.

    Overlapping IP Address Spaces

    In your case, both Tenant A and Tenant B have VNets with the same address space of 10.0.0.0/16. Due to this overlap:

    • You cannot establish a Private Link connection to route traffic from 10.0.1.0/24 in Tenant A to 10.0.0.0/16 in Tenant B. The overlapping address spaces would cause routing ambiguity, as Azure would not be able to determine the correct VNet for the traffic.

    Unfortunately, creating a cross-tenant VNET peering is not possible due to address overlapping. However, if the addresses do not overlap and you have the necessary permissions in both tenants, cross-tenant VNET peering can be established.

    Given the overlapping address issue, we recommend proceeding with a VPN Gateway.


    I hope this has been helpful!

    Your feedback is important so please take a moment to accept answers. If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

    1 person found this answer helpful.
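
The NAT approach described in the answer above, worked through as an added example (not part of the original answer and not Microsoft's code): it checks a 1:1 static NAT plan for two sites that share 10.0.0.0/16 and shows how a host address is presented to the peer. The tenant labels, the function names, and the translated ranges 100.64.0.0/16 and 100.65.0.0/16 are constructed for illustration.

```python
import ipaddress


def validate_nat_plan(plan):
    """Check a 1:1 static NAT plan of the form {site: (internal_cidr, external_cidr)}.

    Returns a list of problems; an empty list means each site can reach the
    other through its translated (external) range without routing ambiguity.
    """
    nets = {site: (ipaddress.ip_network(i), ipaddress.ip_network(e))
            for site, (i, e) in plan.items()}
    problems = []
    for site, (internal, external) in nets.items():
        # A 1:1 mapping only works when both ranges hold the same number of hosts.
        if internal.num_addresses != external.num_addresses:
            problems.append(f"{site}: {internal} and {external} differ in size")
    sites = list(nets)
    for idx, a in enumerate(sites):
        for b in sites[idx + 1:]:
            if nets[a][1].overlaps(nets[b][1]):
                problems.append(f"{a}/{b}: translated ranges overlap")
            # A site's translated range must not collide with what the peer uses locally.
            for x, y in ((a, b), (b, a)):
                if nets[x][1].overlaps(nets[y][0]):
                    problems.append(f"{x}: translated range overlaps {y} internal range")
    return problems


def translate(addr, internal_cidr, external_cidr):
    """Map one host address from the internal range to the external range,
    preserving its offset inside the block (static 1:1 NAT)."""
    internal = ipaddress.ip_network(internal_cidr)
    external = ipaddress.ip_network(external_cidr)
    ip = ipaddress.ip_address(addr)
    if ip not in internal:
        raise ValueError(f"{addr} is not inside {internal}")
    offset = int(ip) - int(internal.network_address)
    return str(external.network_address + offset)


# Constructed sample: both tenants use 10.0.0.0/16, as in the question.
NO_NAT = {"TenantA": ("10.0.0.0/16", "10.0.0.0/16"),
          "TenantB": ("10.0.0.0/16", "10.0.0.0/16")}
WITH_NAT = {"TenantA": ("10.0.0.0/16", "100.64.0.0/16"),
            "TenantB": ("10.0.0.0/16", "100.65.0.0/16")}

if __name__ == "__main__":
    print(validate_nat_plan(NO_NAT))      # three overlap problems
    print(validate_nat_plan(WITH_NAT))    # []
    print(translate("10.0.1.25", *WITH_NAT["TenantA"]))
```

With a valid plan, route tables and firewall rules on each side refer to the peer's translated range, never to 10.0.0.0/16.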

  2. Adharsh Santhanam 5,785 Reputation points
    2025-01-27T12:32:21.0933333+00:00

    Hello immm, creating peering between Tenant A and Tenant B when both have the same IP address range (10.0.0.0/16) is indeed challenging, but here are some solutions you can consider:

    • Azure Private Link - This service can be used to enable private connectivity between tenants, even with overlapping IP address spaces. It allows you to access services privately without exposing them to the public internet
    • Hub-Spoke architecture with VPN gateway - You can use a hub-spoke architecture where each tenant has its own hub and spoke setup. The hubs can be connected via a VPN gateway with site-to-site connections. This setup can help route traffic between the tenants while managing overlapping IP addresses

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
