Is virtual network peering across Azure tenants possible?


I'm trying to use the new Azure Virtual Network public preview of the peering feature to join two networks I have on two different subscriptions, i.e. different tenants. Is this possible? I've not seen anything to say otherwise, but when I try to peer them in PowerShell I get the following error.

The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope '/subscriptions/{Guid2}/resourceGroups/Default-Sydney/providers/Microsoft.Network/virtualNetworks/SYDVN/virtualNetworkPeerings/LinkToSYDVN', however the linked subscription '{Guid1}' is not in current tenant '{Guid3}'.

Full error and command

PS C:\Windows\system32> Add-AzureRmVirtualNetworkPeering -name LinkToSYDVN -VirtualNetwork $SYDVN -RemoteVirtualNetworkId "/subscriptions/{Guid1}/resourceGroups/Default-Sydney/providers/Microsoft.Network/virtualNetworks/SYDVN1" -BlockVirtualNetworkAccess
WARNING: The output object type of this cmdlet will be modified in a future release.
Add-AzureRmVirtualNetworkPeering : The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope '/s
ubscriptions/{Guid2}/resourceGroups/Default-Sydney/providers/Microsoft.Network/virtualNetworks/SYDVN/virtualNe
tworkPeerings/LinkToSYDVN', however the linked subscription '{Guid1}' is not in current tenant 
'{Guid3}'.
StatusCode: 403
ReasonPhrase: Forbidden
OperationID : '{Guid4}'
At line:1 char:1
+ Add-AzureRmVirtualNetworkPeering -name LinkToSYDVN -VirtualNetwork $S ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Add-AzureRmVirtualNetworkPeering], NetworkCloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Network.AddAzureVirtualNetworkPeeringCommand

Any help will be much appreciated.

UPDATE

From a MS tech Loydon

"VNet peering relies on ARM RBAC for authorization. However, ARM RBAC does not support cross tenant linked access checks. So Both subscriptions must belong to the same Azure Active Directory tenant. Therefore currently VNet peering is limited to customer’s subscriptions in the same Azure Active Directory domain. This gives them the same Tenant stamp which allows the peering to occur. We offer No support for linking VNETs across subscriptions in different AAD tenants."

https://social.msdn.microsoft.com/Forums/en-US/824aaf76-71df-4235-9190-5816976dbd30/is-virtual-network-peering-across-azure-tenants-possible?forum=WAVirtualMachinesVirtualNetwork

VNet peering across different tenants is not currently supported.

-- Anavi [MSFT]


This is now supported; from the Azure virtual network peering documentation, requirements section:

The virtual networks can be in the same, or different subscriptions. When you peer virtual networks in different subscriptions, both subscriptions can be associated to the same or different Azure Active Directory tenant.

You cannot use the portal.

Azure Virtual Network peering: Virtual network peering is now available for virtual networks that belong to subscriptions in different Azure Active Directory tenants. Virtual network peering enables you to seamlessly connect networks in Azure Virtual Network. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines uses the Microsoft backbone infrastructure. Like traffic between virtual machines in the same network, traffic is routed through Microsoft's private network only.

We have enabled this. VNet Peering and Global VNet Peering is supported across Azure active directory tenants.

https://docs.microsoft.com/en-us/azure/virtual-network/create-peering-different-subscriptions#portal

https://azure.microsoft.com/en-us/updates/cross-aad-vnet-peering/
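The cross-tenant procedure these answers and the linked documentation point to, as an added example that is not part of the original answers. It uses the current Az module cmdlets in place of the AzureRM one in the question, assumes each user has already been invited as a guest into the opposite tenant, and treats every GUID and object ID as a placeholder; the peering name `LinkToSYDVN1` is made up for the example. The role is the built-in Network Contributor, scoped to the single VNet rather than Owner on the subscription.

```powershell
# Added example: every value in angle brackets is a placeholder to replace.
$TenantA = '<tenant-A-guid>'; $SubA = '<subscription-A-guid>'   # holds SYDVN
$TenantB = '<tenant-B-guid>'; $SubB = '<subscription-B-guid>'   # holds SYDVN1
$Rg      = 'Default-Sydney'
$VNetAId = "/subscriptions/$SubA/resourceGroups/$Rg/providers/Microsoft.Network/virtualNetworks/SYDVN"
$VNetBId = "/subscriptions/$SubB/resourceGroups/$Rg/providers/Microsoft.Network/virtualNetworks/SYDVN1"

# Object IDs of the guest accounts as they appear in the *opposite* directory.
$UserBGuestInA = '<object-id-of-user-B-guest-in-tenant-A>'
$UserAGuestInB = '<object-id-of-user-A-guest-in-tenant-B>'

# 1. An administrator on each side grants the other side's guest access to
#    one VNet only (least privilege: VNet scope, not the subscription).
Connect-AzAccount -Tenant $TenantA -Subscription $SubA | Out-Null
New-AzRoleAssignment -ObjectId $UserBGuestInA `
    -RoleDefinitionName 'Network Contributor' -Scope $VNetAId

Connect-AzAccount -Tenant $TenantB -Subscription $SubB | Out-Null
New-AzRoleAssignment -ObjectId $UserAGuestInB `
    -RoleDefinitionName 'Network Contributor' -Scope $VNetBId

# 2. User A signs in to tenant A and creates the A -> B half of the peering.
#    A 403 here right after step 1 can mean the role assignment has not
#    propagated yet; wait and retry before widening any permissions.
Connect-AzAccount -Tenant $TenantA -Subscription $SubA | Out-Null
$vnetA = Get-AzVirtualNetwork -Name 'SYDVN' -ResourceGroupName $Rg
Add-AzVirtualNetworkPeering -Name 'LinkToSYDVN1' -VirtualNetwork $vnetA `
    -RemoteVirtualNetworkId $VNetBId

# 3. User B signs in to tenant B and creates the B -> A half.
Connect-AzAccount -Tenant $TenantB -Subscription $SubB | Out-Null
$vnetB = Get-AzVirtualNetwork -Name 'SYDVN1' -ResourceGroupName $Rg
Add-AzVirtualNetworkPeering -Name 'LinkToSYDVN' -VirtualNetwork $vnetB `
    -RemoteVirtualNetworkId $VNetAId

# 4. The peering only carries traffic once both halves report Connected.
$state = (Get-AzVirtualNetworkPeering -VirtualNetworkName 'SYDVN1' `
    -ResourceGroupName $Rg -Name 'LinkToSYDVN').PeeringState
if ($state -ne 'Connected') {
    Write-Warning "Peering state is '$state'; check that both halves exist."
}
```

Once the peering is connected, the two cross-tenant role assignments can be reviewed with `Get-AzRoleAssignment -Scope` on each VNet and removed if the guest accounts no longer need to manage the peering.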

Virtual network peering across Azure Active Directory tenants: The virtual networks can be in the same Azure subscription or in different … can we implement VNet Peering across different Azure Active Directory Tenants. We can configure VNet Peering by using the Azure portal, Azure … If the virtual networks are in different subscriptions, and the subscriptions are associated with different Azure Active Directory tenants, complete the following steps before continuing: Add the user from each Active Directory tenant as a guest user in the opposite Azure Active Directory tenant.

Creating Peering from different Azure Active Directory tenants with …: Support for peering across virtual networks from subscriptions associated to different Azure Active Directory tenants is not available in Portal. You can use CLI, … In this video, we look at how to create Azure Virtual Network Peering across subscriptions that are in different Azure Active Directory tenants using Service Principal authentication.

Ability peer two Azure Virtual Networks? Two different Azure …: I haven't had success with vnet peering between the two tenants and … Note that you can peer virtual networks that exist in two different subscriptions as long as a privileged user of both subscriptions authorizes the peering and the subscriptions are associated with the same Active Directory tenant. Now from this we can already see that it is possible to do cross-subscription peering.

Unable to Peer VNets in different subscriptions and different Azure …: For an Azure virtual network peering's state to become connected between … The support for cross tenant peerings is relatively new, and the Azure portal does not yet have full support for this. In case you get the error below, it's possible the role assignment from step 6 hasn't taken effect yet. … We tried almost everything, but peering between two virtual networks in same location but with different subscriptions in different directories even with RBAC configured as Owner at subscription level is not working with BizSpark subscription.

Comments
  • Thanks Anavi, after a day and no answers I also posted on MD Forums. See here for more detailed answer social.msdn.microsoft.com/Forums/en-US/…
  • Is there any possibility of supporting the peering across ADT? This constraint is really limiting the usage of mighty VN peering.
  • This answer is no longer valid, support was added OCT19, per Anavi N below.