Tags: azure, azure-vpn, vnet

ExpressRoute in Azure Multiple Resource Groups?


After a Resource Group was created, an ExpressRoute connection/circuit was created and it is being used (private peering for some VMs in a VNET). We now need VMs in a different VNET (and different Resource Group) to use private peering to get to another resource over ExpressRoute. The two RGs/VNETs should not be able to see each other, just use ExpressRoute.

Is that possible? I am not finding that in the docs.

Current state: ResourceGroup1 with VNet1 with a VM with IP addr of 10.1.1.49 is used by on-prem users via ExpressRoute only. Future state: ResourceGroup2 with VNet1 with a VM with IP addr of 10.1.1.49 needs to be set up. Without ExpressRoute, there is network isolation because the VNets are completely independent in different Resource Groups. The concern is that if ResourceGroup2 uses the same ER, there will be an address collision and resources in each VNET can see each other, so isolation is lost.

Does this mean that each VNET should have the same address space but different subnets within each Resource Group to avoid collisions?

Thanks.


Solution

  • Hi, as per the ExpressRoute FAQ, all Virtual Networks on the same ExpressRoute connection are part of the same routing domain:

    Are virtual networks connected to the same circuit isolated from each other?

    No. All virtual networks linked to the same ExpressRoute circuit are part of the same routing domain and are not isolated from each other from a routing perspective. If you need route isolation, you’ll need to create a separate ExpressRoute circuit.

    The FAQ is here: https://learn.microsoft.com/en-us/azure/expressroute/expressroute-faqs

    As above, you could use Network Security Groups / Network Virtual Appliances / etc. to manage traffic.

    Ian
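Because every VNet linked to one circuit shares a single routing domain, prefixes that overlap (the two 10.1.1.0/24 spaces from the question, both containing 10.1.1.49) would be ambiguous on that domain. The pre-flight check below is an added example, not code from the thread or from Microsoft; the VNet names and address spaces are constructed from the question, and splitting a shared space into different subnets does not change the result, since the whole VNet address space is what is advertised.

```python
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed sample: the two VNets from the question, both using 10.1.1.0/24
# (10.1.1.49 lives in each), plus a third VNet with a non-overlapping space.
VNETS = {
    "ResourceGroup1/VNet1": ["10.1.1.0/24"],
    "ResourceGroup2/VNet1": ["10.1.1.0/24"],
    "ResourceGroup3/VNet3": ["10.2.0.0/16"],
}


def find_overlaps(vnets):
    """Return (vnet_a, prefix_a, vnet_b, prefix_b) for every pair of address
    prefixes belonging to *different* VNets that overlap. On a shared
    ExpressRoute routing domain such a pair makes routing ambiguous."""
    flat = [(name, ip_network(p, strict=True))
            for name, prefixes in vnets.items() for p in prefixes]
    return [
        (a, str(pa), b, str(pb))
        for (a, pa), (b, pb) in combinations(flat, 2)
        if a != b and pa.overlaps(pb)
    ]


def vnets_reachable_by(address, vnets):
    """Names of every VNet whose address space contains *address*; more than
    one entry means an on-prem packet to that address has no single owner."""
    addr = ip_address(address)
    return sorted(name for name, prefixes in vnets.items()
                  if any(addr in ip_network(p) for p in prefixes))


def can_share_circuit(vnets):
    """True only when no two VNets on the circuit have overlapping prefixes."""
    return not find_overlaps(vnets)


if __name__ == "__main__":
    for a, pa, b, pb in find_overlaps(VNETS):
        print(f"collision: {a} {pa} overlaps {b} {pb}")
    print("10.1.1.49 resolves to:", vnets_reachable_by("10.1.1.49", VNETS))
    print("safe to link all VNets to one circuit:", can_share_circuit(VNETS))
```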