VNet Peering between different Azure Active Directory Tenants
In this post I want to show how to peer two VNets from different Azure Active Directory tenants.
Here I will peer the following two VNets:
- VNet-braincourt.de (production tenant braincourt.de)
- VNet-braintesting.de (lab tenant braintesting.de)
The peering has to be set up in each tenant; therefore the user we use to set up the peering in each tenant also needs to be a guest user in the corresponding remote (foreign) tenant.
We also need to assign the Network Contributor role to that guest user in the remote (foreign) tenant, so that it has the required permissions to perform the peering with the corresponding remote VNet.
In my case I had a test user named John Doe in both tenants; in my production tenant the user principal name (UPN) is email@example.com and in my lab environment the UPN is firstname.lastname@example.org.
So I need to invite each of them into the corresponding remote (foreign) tenant: John Doe from the production tenant (email@example.com) I need to invite into the lab tenant braintesting.de, and John Doe from the lab tenant (firstname.lastname@example.org) I need to invite into the production tenant braincourt.de.
Then I need to assign the Network Contributor role to each guest user on the VNet it wants to peer with from its own tenant.
The peering itself has to be set up from each tenant, using of course the John Doe user that is homed in that tenant.
So first I will invite John Doe (email@example.com) from the production tenant into my lab tenant.
In my lab tenant, within Azure AD under All users, I will click on New user –> Invite external user.
Here I will enter the user principal name (UPN) to invite him into my lab tenant.
I then have to accept the invitation as my test user John Doe from my production tenant braincourt.de.
From now on the user John Doe from my production tenant is a guest user in my lab tenant.
So that John Doe from my production tenant can set up the peering with the VNet from my lab environment, as mentioned I also need to assign him the Network Contributor role for my lab VNet, as shown below.
Within my lab VNet we need to click on Access control (IAM) and Add –> Add role assignment.
For the role we need to select Network Contributor.
Under Assign access to we select User, group, or service principal and select John Doe from the production tenant, which is our guest user in the lab tenant.
Finally we click on Assign.
Below you can see the role assignments for my lab tenant VNet; here both John Does (production tenant and lab tenant) are listed. Because John Doe from the lab tenant has the Owner role assigned on the subscription in which the VNet was created, he already has full access to the VNet and I didn't need to assign the Network Contributor role to him as well.
We now need to do the same on the production tenant: invite John Doe from the lab tenant (firstname.lastname@example.org) into the production tenant and assign him the Network Contributor role for the production tenant VNet.
I will skip the separate steps as they are the same as above for the lab tenant; finally the Access control (IAM) role assignments on the production tenant look like this.
So now both users I will use to set up the peering in each tenant have the required permissions on the corresponding remote (foreign) VNet in the foreign tenant.
It doesn't matter from which tenant you start to set up the peering; we need to do the steps in each tenant. I will start in my lab environment.
Within my lab VNet I will click on Peerings and Add.
Here I have to enter a name for the peering link of my lab VNet and one for the peering link of my remote VNet from the production tenant. The deployment model is Resource manager by default.
Under Virtual network we need to select the VNet we want to peer, so I need to select the VNet from my production tenant.
Here you will only find the virtual networks from your own tenant.
Therefore we need to check I know my resource ID, in order to be able to enter the resource ID of the VNet in our remote (foreign) tenant we want to peer with.
The resource ID you will find in the properties of the VNet you want to peer with.
Now I can enter the resource ID of the VNet in my production tenant that I want to peer with the VNet in my lab tenant.
As shown above, the portal detects that the resource ID belongs to a different directory (tenant), so we also need to select the directory the resource ID (VNet) belongs to.
In my case this is the production tenant.
Finally click on Authenticate and Add.
Looking good, but the peering status is still Initiated, as we also need to set up the peering in the production tenant.
I will skip the steps to set up the peering in the production tenant as they will be the same as shown above for the lab tenant.
After setting up the peering in the production tenant as well, the peering status changed to Connected, as shown below for both tenants.
VNet Peering on the production tenant
VNet Peering on the lab tenant
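The whole procedure above (guest invitation, VNet-scoped Network Contributor assignment, and the peering created from both sides by resource ID) scripted with the Azure CLI, as an added example; this is not the post's own code, which used the portal only. The tenant IDs, subscription IDs, resource group names, the redirect URL and the RUN_AZURE_PEERING switch are assumptions; the two UPNs and the VNet names are the ones from the post. The is_vnet_scope guard is the check a practitioner wants here: it refuses to hand a guest from another tenant Network Contributor at anything wider than the single VNet being peered.

```shell
#!/bin/sh
# Added example, not part of the original post: the cross-tenant peering driven
# with the Azure CLI. Tenant/subscription IDs, resource groups and the redirect
# URL are placeholders (assumptions); UPNs and VNet names are from the post.
set -e

PROD_TENANT="<production-tenant-id>"; PROD_SUB="11111111-1111-1111-1111-111111111111"
LAB_TENANT="<lab-tenant-id>";         LAB_SUB="22222222-2222-2222-2222-222222222222"
PROD_RG="rg-network"; PROD_VNET="VNet-braincourt.de"
LAB_RG="rg-network";  LAB_VNET="VNet-braintesting.de"

# ARM resource ID of a VNet: the value the portal asks for under "I know my resource ID".
vnet_scope() {  # vnet_scope <subscription> <resource-group> <vnet>
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s' "$1" "$2" "$3"
}

# Least-privilege guard: accept only a scope that is exactly one VNet, never a
# subscription, a resource group or a child resource such as a subnet.
is_vnet_scope() {  # is_vnet_scope <scope>; exit status 0 = acceptable
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.Network/virtualNetworks/*) ;;
    *) return 1 ;;
  esac
  vnet_name="${1##*/providers/Microsoft.Network/virtualNetworks/}"
  case "$vnet_name" in
    ""|*/*) return 1 ;;   # empty name, or something below the VNet (e.g. /subnets/...)
  esac
  return 0
}

# Peering link name in the post's style: <local VNet>-to-<remote VNet>.
peering_name() { printf '%s-to-%s' "$1" "$2"; }

# Invite a user from the other tenant as a B2B guest via Microsoft Graph and print
# the object ID of the new guest account (caller needs e.g. the Guest Inviter role).
invite_guest() {  # invite_guest <email>
  az rest --method post --url "https://graph.microsoft.com/v1.0/invitations" \
    --body "{\"invitedUserEmailAddress\":\"$1\",\"inviteRedirectUrl\":\"https://portal.azure.com\"}" \
    --query invitedUser.id -o tsv
}

# Network Contributor for the guest, scoped to one VNet and nothing wider.
grant_network_contributor() {  # grant_network_contributor <object-id> <vnet-scope>
  is_vnet_scope "$2" || { echo "refusing non-VNet scope: $2" >&2; return 1; }
  az role assignment create --assignee-object-id "$1" --assignee-principal-type User \
    --role "Network Contributor" --scope "$2" -o none
}

# One direction of the peering. The remote side has to be a resource ID because
# the CLI, like the portal, only resolves VNet names in the current tenant.
create_peering() {  # create_peering <rg> <local-vnet> <remote-vnet-id>
  az network vnet peering create --resource-group "$1" --vnet-name "$2" \
    --name "$(peering_name "$2" "${3##*/}")" --remote-vnet "$3" --allow-vnet-access -o none
}

peering_state() {  # peering_state <rg> <local-vnet> <peering-name> -> Initiated | Connected
  az network vnet peering show --resource-group "$1" --vnet-name "$2" --name "$3" \
    --query peeringState -o tsv
}

PROD_VNET_ID=$(vnet_scope "$PROD_SUB" "$PROD_RG" "$PROD_VNET")
LAB_VNET_ID=$(vnet_scope "$LAB_SUB" "$LAB_RG" "$LAB_VNET")

run_cross_tenant_peering() {
  # Phase 1, as John Doe homed in the lab tenant: invite the production user and
  # grant it Network Contributor on the lab VNet only.
  az account clear; az login --tenant "$LAB_TENANT" -o none
  az account set --subscription "$LAB_SUB"
  grant_network_contributor "$(invite_guest "email@example.com")" "$LAB_VNET_ID"

  # Phase 2, as John Doe homed in the production tenant: the mirror image, then
  # also sign in to the lab tenant as guest (the portal's "Authenticate" step) so
  # the CLI holds a token for the remote side, and create production -> lab.
  az account clear; az login --tenant "$PROD_TENANT" -o none
  az account set --subscription "$PROD_SUB"
  grant_network_contributor "$(invite_guest "firstname.lastname@example.org")" "$PROD_VNET_ID"
  az login --tenant "$LAB_TENANT" -o none
  az account set --subscription "$PROD_SUB"
  create_peering "$PROD_RG" "$PROD_VNET" "$LAB_VNET_ID"   # state on this side: Initiated

  # Phase 3, back as the lab-homed user with a guest token for production:
  # create lab -> production; both sides then report Connected.
  az account clear; az login --tenant "$LAB_TENANT" -o none
  az login --tenant "$PROD_TENANT" -o none
  az account set --subscription "$LAB_SUB"
  create_peering "$LAB_RG" "$LAB_VNET" "$PROD_VNET_ID"
  peering_state "$LAB_RG" "$LAB_VNET" "$(peering_name "$LAB_VNET" "$PROD_VNET")"
}

# Only touch Azure when explicitly asked; sourcing the file just defines the helpers.
if [ "${RUN_AZURE_PEERING:-0}" = "1" ]; then run_cross_tenant_peering; fi
```

Run it with `RUN_AZURE_PEERING=1 sh peer.sh`; each `az login` prompts interactively, so pick the John Doe account that is homed in the tenant named in the comment for that phase. Network Contributor is more than the peering needs: the Azure documentation lists `Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write` on the local VNet and `Microsoft.Network/virtualNetworks/peer/action` on the remote VNet as the required actions, so a custom role with just those two, assigned at VNet scope, is the tighter choice for a guest from a foreign tenant.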
Virtual network peering