I have three resource groups based on locations; each of these is set up with two VNets and two gateways, one for connecting to the VPN using a cert and one for connecting over AAD. Everyone that connects to the VPN (AAD or cert) is able to see each other for RDP purposes. In one of these resource groups there is a VM that needs to be able to touch every machine across the three resource groups (essentially pinging), but we do not want the three resource groups to be able to see each other, because we don't want them to RDP outside of their resource group.
The issue is that I'm not sure how to set everything up to allow the VM to touch each of these machines without allowing the machines to access/RDP other machines outside of their resource group.
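One way to lay this out, given as an added example and not as part of the original post. It assumes a hub-and-spoke shape: the VNet that holds the monitoring VM (assumed to be 10.1.1.4 in vnet-a, resource group rg-a) is peered to the other two VNets, and those two are not peered to each other. VNet peering is not transitive, so rg-b's hosts and VPN clients have no route to rg-c through vnet-a, and the NSG rules below are the second layer that enforces the same thing. The resource-group names, NSG names, VNet address spaces and point-to-site client pools (172.16.x.0/24) are all assumptions chosen for the example. The one caveat the rules are built around is that the VirtualNetwork service tag used by the default AllowVnetInBound rule (priority 65000) also covers peered VNets and gateway-connected address ranges, so once the VNets are peered, cross-VNet RDP is allowed by default unless an explicit Deny with a lower priority number is added.

```powershell
# Added example (not from the original post). Assumed layout:
#   rg-a / vnet-a 10.1.0.0/16, P2S pool 172.16.1.0/24, monitoring VM 10.1.1.4
#   rg-b / vnet-b 10.2.0.0/16, P2S pool 172.16.2.0/24, NSG nsg-b
#   rg-c / vnet-c 10.3.0.0/16, P2S pool 172.16.3.0/24, NSG nsg-c
# vnet-a is peered to vnet-b and vnet-c; vnet-b and vnet-c are NOT peered.
# Requires the Az.Network module and an existing Connect-AzAccount session.

$monitorIp = '10.1.1.4'

# For each spoke: the NSG to edit, its own ranges (VNet + its VPN client pool),
# and every range that belongs to the OTHER resource groups.
$spokes = @{
    'rg-b' = @{
        Nsg    = 'nsg-b'
        Local  = @('10.2.0.0/16', '172.16.2.0/24')
        Remote = @('10.1.0.0/16', '172.16.1.0/24', '10.3.0.0/16', '172.16.3.0/24')
    }
    'rg-c' = @{
        Nsg    = 'nsg-c'
        Local  = @('10.3.0.0/16', '172.16.3.0/24')
        Remote = @('10.1.0.0/16', '172.16.1.0/24', '10.2.0.0/16', '172.16.2.0/24')
    }
}

foreach ($rg in $spokes.Keys) {
    $s   = $spokes[$rg]
    $nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $s.Nsg

    # 1. Only the monitoring VM may send ICMP in. Lowest priority number wins,
    #    so this is evaluated before every Deny below. Replies are covered by
    #    NSG flow tracking and need no separate outbound rule.
    $nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-Monitor-Icmp' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Icmp `
        -SourceAddressPrefix $monitorIp -SourcePortRange '*' `
        -DestinationAddressPrefix $s.Local -DestinationPortRange '*' | Out-Null

    # 2. RDP stays inside the resource group: the VNet itself plus the VPN
    #    clients that land on this resource group's gateways.
    $nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-Local-Rdp' -Priority 200 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $s.Local -SourcePortRange '*' `
        -DestinationAddressPrefix $s.Local -DestinationPortRange 3389 | Out-Null

    # 3. Explicit Deny for RDP from the other resource groups, placed well before
    #    the default AllowVnetInBound (65000), whose VirtualNetwork tag includes
    #    peered VNets and would otherwise let this traffic through.
    $nsg | Add-AzNetworkSecurityRuleConfig -Name 'Deny-Remote-Rdp' -Priority 210 `
        -Direction Inbound -Access Deny -Protocol Tcp `
        -SourceAddressPrefix $s.Remote -SourcePortRange '*' `
        -DestinationAddressPrefix $s.Local -DestinationPortRange 3389 | Out-Null

    # 4. Anything else from the other resource groups (except the ICMP already
    #    allowed at 100) is dropped too, so the only cross-group path is ping.
    $nsg | Add-AzNetworkSecurityRuleConfig -Name 'Deny-Remote-Any' -Priority 4000 `
        -Direction Inbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix $s.Remote -SourcePortRange '*' `
        -DestinationAddressPrefix $s.Local -DestinationPortRange '*' | Out-Null

    # Commit the four rules to the NSG in Azure.
    $nsg | Set-AzNetworkSecurityGroup | Out-Null
}

# Apply the same Deny-Remote-* rules to the NSG in rg-a (with rg-a's ranges as
# Local and the rg-b/rg-c ranges as Remote) if rg-a's hosts must not be reachable
# from the other groups either; the monitoring VM's outbound traffic is unaffected.
```

Two things to check after applying this. First, NSG rules are evaluated strictly by priority number and stop at the first match, so `Allow-Monitor-Icmp` at 100 must stay below the Deny rules or ping will be dropped with them. Second, an NSG allow is not enough on its own for Windows targets: Windows Firewall drops inbound ICMPv4 echo requests by default, so the "File and Printer Sharing (Echo Request - ICMPv4-In)" rule (or an equivalent scoped to the monitoring VM's address) has to be enabled on each VM that should answer the ping.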