
Azure VNET peering in multiple subscriptions


I have 8 Azure subscriptions, and I want all VNETs in each subscription to communicate with each other, with any one of them acting as a hub for all, so that I can apply the firewall to all of them in that hub with the gateway.

All deployments are in the same region and the same Azure directory.

I have created VNET peering between all VNETs, as it's implicit, so it has become like a mesh network now.

Is there any other possible way to do this?

My main motive is that all VNETs communicate with each other with the same firewall rules across all subscriptions.


Solution

  • In this case, you can consider creating a hub-spoke-hub-spoke topology, where the first level of spokes also acts as hubs. The following diagram shows this approach.


    Refer to this.

    The hub VNet, and each spoke VNet, can be implemented in different resource groups, and even different subscriptions, as long as they belong to the same Azure Active Directory (Azure AD) tenant in the same Azure region. A hub-spoke topology can also be used without a gateway, if you don't need connectivity with your on-premises network.

    VNet peering is non-transitive. If you have multiple spokes that need to talk to each other, you can consider using UDRs to force traffic destined to a spoke to be sent to an NVA acting as a router in the hub VNet. This will allow the spokes to connect with each other. Also, you can use UDRs in the spoke to forward traffic to the hub, with allow forwarded traffic enabled on the peering.
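As an added example (not part of the answer above), here is a spoke-side Bicep template implementing the two points just made for one spoke whose hub lives in another subscription: a UDR sending the other spokes' ranges to the hub NVA, and a peering with allow forwarded traffic enabled. All names, address ranges and the NVA IP are assumptions.

```bicep
param location string = resourceGroup().location
param spokeVnetName string = 'vnet-spoke1'
param spokeAddressPrefix string = '10.1.0.0/16'
param hubSubscriptionId string             // subscription that holds the hub VNet
param hubResourceGroup string = 'rg-hub'
param hubVnetName string = 'vnet-hub'
param hubNvaPrivateIp string = '10.0.1.4'  // firewall/NVA in the hub, acting as router
param otherSpokePrefixes array = ['10.2.0.0/16', '10.3.0.0/16']

// UDR: send the other spokes' ranges to the hub NVA (peering alone is non-transitive).
resource rt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-${spokeVnetName}'
  location: location
  properties: {
    routes: [for (prefix, i) in otherSpokePrefixes: {
      name: 'to-spoke-${i}'
      properties: {
        addressPrefix: prefix
        nextHopType: 'VirtualAppliance'
        nextHopIpAddress: hubNvaPrivateIp
      }
    }]
  }
}

// Spoke VNet with one subnet bound to the route table above.
resource spoke 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: spokeVnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [spokeAddressPrefix] }
    subnets: [{
      name: 'workload'
      properties: { addressPrefix: cidrSubnet(spokeAddressPrefix, 24, 0), routeTable: { id: rt.id } }
    }]
  }
}

// Spoke -> hub peering; allowForwardedTraffic accepts packets the NVA forwards from other spokes.
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: spoke
  name: 'peer-to-${hubVnetName}'
  properties: {
    remoteVirtualNetwork: {
      id: resourceId(hubSubscriptionId, hubResourceGroup, 'Microsoft.Network/virtualNetworks', hubVnetName)
    }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
  }
}
```

The reciprocal hub-to-spoke peering is created in the hub subscription, and the identity deploying this needs rights on the hub VNet as well; repeat the template per spoke with its own ranges.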