Sharing Azure ExpressRoute Connection Across Multiple Azure Tenants

Ali Md
2023-10-17T15:21:28.9+00:00

Hello Azure Community,

I'm currently working on a project where I need to share an Azure ExpressRoute connection across different Azure tenants. The setup involves a hub-and-spoke architecture, with one Azure account owning the ExpressRoute circuit (hub) and multiple Azure accounts (spokes) needing to connect to it.

I've already gone through some general guidelines on setting up ExpressRoute and cross-tenant connectivity, but I'm looking for more specific details and best practices. Can anyone provide insights, references, or documentation related to this scenario?

Specifically, I'd appreciate information on:

  1. Configuration steps for setting up ExpressRoute across different Azure tenants.
  2. Recommended networking and security practices.
  3. Any changes in Azure that may affect this setup.

Any references, links, or personal experiences would be greatly appreciated. Thank you in advance for your assistance!

Azure ExpressRoute: An Azure service that provides private connections between Azure datacenters and infrastructure, either on premises or in a colocation environment.

Accepted answer
msrini-MSFT (Microsoft Employee)
2023-10-18T00:32:04.5166667+00:00

    Hi,

    You can deploy your ER circuit in a subscription and provision it. Once the ER circuit is provisioned, you will need to create an ER gateway to connect to the ER circuit.

    1. Based on your description, you are planning to have one hub where you will deploy the ER gateway, and the other Azure tenants will peer with the hub to reach on-premises.

    There is another way to do it. You can deploy multiple ER gateways, one per tenant, and connect them to the ER circuit.

    If all Azure tenant VNets belong to the same customer, you are good. If you don't want traffic from one VNet to transit to another VNet via the ER circuit, you will need to implement this via NSGs or other options. This is because when you connect VNets to the same ER circuit, all the VNets can communicate with each other by default.

    Regards,

    Karthik Srinivas


1 additional answer

ChaitanyaNaykodi-MSFT (Microsoft Employee)
2023-10-18T01:10:50.49+00:00

    @Ali Md

    Thank you for reaching out.

    Based on my understanding from your question above

    You are working on a project where you need to share an Azure ExpressRoute connection across different Azure tenants. You have a hub-and-spoke architecture, with one Azure account owning the ExpressRoute circuit (hub) and multiple Azure accounts (spokes) connecting to it.

    As documented here, ExpressRoute authorizations can span subscription, tenant, and enrollment boundaries with no extra configuration required. Connectivity and bandwidth charges for the dedicated circuit get applied to the ExpressRoute circuit owner, and all virtual networks share the same bandwidth.

    You can follow the documentation here for implementation which showcases a similar set-up.

    Regarding networking and security practices, you can go through this architecture to understand security and other considerations such as availability. Also, you can establish virtual network peering across tenants for VNet-to-VNet communication if required, as VNet-to-VNet connectivity using ExpressRoute can cause latency, as described here.

    Additional reference:

    https://video2.skills-academy.com/en-us/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering

    https://video2.skills-academy.com/en-us/security/benchmark/azure/baselines/expressroute-security-baseline?toc=%2Fazure%2Fexpressroute%2FTOC.json

    Hope this helps! Please let me know if you have any additional questions. Thank you!


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

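The procedure both answers describe (circuit owner mints an authorization, each spoke tenant redeems it with its own ExpressRoute gateway connection, and NSGs stop spoke-to-spoke transit over the shared circuit) as an added Az PowerShell example. This is illustration code written for this page, not code from either answerer or from Microsoft's documentation. Tenant IDs, subscription IDs, resource group, resource names and the 10.x address ranges are assumptions; replace them with your own. Two caveats a practitioner should check against the current docs before relying on this: the number of VNet links a circuit accepts depends on its SKU (Standard and Premium have different limits), and the authorization key is a secret that, together with the circuit ID, lets whoever holds it attach a VNet to your circuit, so hand it to the spoke team out of band and keep one authorization per spoke so that a single spoke can be revoked without touching the others.

```powershell
# Added example (not from the original thread): sharing one ExpressRoute circuit
# across tenants with Az PowerShell. All names, IDs and address ranges below are
# assumed values for illustration.
#
# Part 1 runs in the circuit owner's (hub) tenant, Part 2 in each spoke tenant,
# Part 3 applies the NSG guard the accepted answer mentions, also in the spoke.

#Requires -Modules Az.Accounts, Az.Network

# ---------- Part 1: circuit owner tenant - mint one authorization per spoke ----------
Connect-AzAccount -Tenant '11111111-1111-1111-1111-111111111111'   # assumed hub tenant ID
Set-AzContext -Subscription 'hub-subscription-id'                   # assumed subscription

$circuit = Get-AzExpressRouteCircuit -Name 'er-circuit-hub' -ResourceGroupName 'rg-hub-network'

# One authorization per spoke: a key can be redeemed by exactly one connection, and a
# per-spoke name lets you revoke that spoke later without disturbing the others.
$authName = 'auth-spoke-finance'
Add-AzExpressRouteCircuitAuthorization -ExpressRouteCircuit $circuit -Name $authName | Out-Null
Set-AzExpressRouteCircuit -ExpressRouteCircuit $circuit | Out-Null

# Re-read the circuit so the new authorization and its key are populated.
$circuit = Get-AzExpressRouteCircuit -Name 'er-circuit-hub' -ResourceGroupName 'rg-hub-network'
$auth    = Get-AzExpressRouteCircuitAuthorization -ExpressRouteCircuit $circuit -Name $authName

# Hand these two values to the spoke tenant out of band. Treat the key as a secret:
# anyone holding it plus the circuit ID can link a VNet to your circuit.
$circuitId        = $circuit.Id
$authorizationKey = $auth.AuthorizationKey

# Audit: every authorization on the circuit and whether it has been redeemed.
Get-AzExpressRouteCircuitAuthorization -ExpressRouteCircuit $circuit |
    Select-Object Name, AuthorizationUseStatus, ProvisioningState

# ---------- Part 2: spoke tenant - redeem the authorization ----------
Connect-AzAccount -Tenant '22222222-2222-2222-2222-222222222222'   # assumed spoke tenant ID
Set-AzContext -Subscription 'spoke-finance-subscription-id'         # assumed subscription

# Assumes an ExpressRoute gateway already exists in the spoke VNet's GatewaySubnet.
$gw = Get-AzVirtualNetworkGateway -Name 'ergw-spoke-finance' -ResourceGroupName 'rg-spoke-finance'

New-AzVirtualNetworkGatewayConnection -Name 'cx-spoke-finance-to-hub' `
    -ResourceGroupName 'rg-spoke-finance' -Location 'eastus' `
    -VirtualNetworkGateway1 $gw -ConnectionType ExpressRoute `
    -PeerId $circuitId -AuthorizationKey $authorizationKey | Out-Null

# ---------- Part 3: spoke tenant - block transit from the other spokes ----------
# Every VNet linked to the circuit can reach every other one by default, and the
# default AllowVnetInBound rule (priority 65000) matches those learned ranges via
# the VirtualNetwork tag. Explicit Deny rules at lower priority numbers win.
$otherSpokes = @('10.20.0.0/16', '10.30.0.0/16')   # assumed address spaces of the other spokes
$rules = @()
$priority = 100
for ($i = 0; $i -lt $otherSpokes.Count; $i++) {
    $rules += New-AzNetworkSecurityRuleConfig -Name "deny-other-spoke-$i" `
        -Description 'Block VNet-to-VNet transit via the shared ExpressRoute circuit' `
        -Access Deny -Protocol '*' -Direction Inbound -Priority $priority `
        -SourceAddressPrefix $otherSpokes[$i] -SourcePortRange '*' `
        -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange '*'
    $priority += 10
}

$nsg = New-AzNetworkSecurityGroup -Name 'nsg-spoke-finance-workload' `
    -ResourceGroupName 'rg-spoke-finance' -Location 'eastus' -SecurityRules $rules

# Attach the NSG to the workload subnet, never to the GatewaySubnet (NSGs on the
# GatewaySubnet are not supported for ExpressRoute gateways).
$vnet = Get-AzVirtualNetwork -Name 'vnet-spoke-finance' -ResourceGroupName 'rg-spoke-finance'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-workload' `
    -AddressPrefix '10.10.1.0/24' -NetworkSecurityGroup $nsg | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# ---------- Revocation (circuit owner) ----------
# Removing the authorization tears down that spoke's connection; the key cannot be reused.
# Remove-AzExpressRouteCircuitAuthorization -ExpressRouteCircuit $circuit -Name $authName
# Set-AzExpressRouteCircuit -ExpressRouteCircuit $circuit
```

The Deny rules are scoped to the other spokes' prefixes rather than to "everything not in this VNet" so that legitimate on-premises ranges learned over the same circuit keep working; if the spokes are allowed to talk to each other, use cross-tenant VNet peering for that path instead, as the second answer suggests, and leave these rules in place so the circuit itself is not used as the transit.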