In your scenario, where you want to allow a virtual network (VNet) in the Azure subscription associated with Entra tenant B (let's call it VNetB) to connect to an on-premises web server through an existing Site-to-Site (S2S) VPN connection to the virtual network (let's call it VNetA) in the Azure subscription associated with Entra tenant A, the most cost-effective solution would likely be VNet Peering between the two virtual networks:
- VNet Peering (cost-effective solution)
  - Description: VNet peering allows two VNets to communicate with each other, and if you peer VNets in different tenants, you can enable communication between VNetB and the on-premises environment via the existing S2S VPN.
  - Cost: VNet peering charges are typically low compared to other options, especially if the traffic is limited to intra-region or same-region peering. The cost will mainly depend on the amount of traffic transferred between the VNets. Since you are only seeking minimal connectivity, VNet peering will be cost-effective.
  - Steps:
    - Set up VNet Peering between Tenant A and Tenant B, ensuring proper network routes.
    - Configure routing in Tenant A to forward traffic from Tenant B's VNet to the on-premises network.
    - Ensure network security groups (NSGs) and other security controls are properly configured to allow the required traffic.
- Private Link
  - Description: Private Link enables private, secure connections to services hosted on Azure, such as PaaS services. It maps the traffic to a private IP address in the VNet.
  - Cost: Private Link generally involves higher costs compared to VNet peering because it involves provisioning private endpoints, traffic charges, and more setup complexity.
  - Use case: Private Link would typically be used for PaaS services.
- Private Endpoint (for PaaS services)
  - Description: Private Endpoint allows you to connect to Azure services (like Azure SQL, Storage, or other PaaS services) using private IP addresses. It is primarily used for Azure-hosted services.
  - Cost: Similar to Private Link, using Private Endpoints involves additional costs.
  - Use case: This is not suitable for connecting to an on-premises web server since it's designed for connecting to Azure services.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
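The peering steps in the answer above, as an added Azure CLI example that is not part of the original answer: the hub side in tenant A shares VNetA's VPN gateway with `--allow-gateway-transit`, and the spoke side in tenant B opts in with `--use-remote-gateways`. Subscription IDs, resource group and VNet names are constructed placeholders; it assumes one account holding Network Contributor on both VNets is signed in to both tenants (`az login --tenant <id>` twice), and that the on-premises VPN device has a route or traffic selector for VNetB's address space so return traffic comes back through the tunnel.

```shell
#!/usr/bin/env bash
# Cross-tenant VNet peering with gateway transit (added example; placeholder IDs).
set -euo pipefail

# Constructed placeholders: replace with your real subscription, RG and VNet names.
SUB_A="00000000-0000-0000-0000-00000000000a"   # tenant A subscription: VNetA + VPN gateway
SUB_B="00000000-0000-0000-0000-00000000000b"   # tenant B subscription: VNetB
RG_A="rg-hub-a";   VNET_A="VNetA"
RG_B="rg-spoke-b"; VNET_B="VNetB"
VNET_A_ID="/subscriptions/${SUB_A}/resourceGroups/${RG_A}/providers/Microsoft.Network/virtualNetworks/${VNET_A}"
VNET_B_ID="/subscriptions/${SUB_B}/resourceGroups/${RG_B}/providers/Microsoft.Network/virtualNetworks/${VNET_B}"

DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each az command instead of executing it
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Hub side (tenant A): let the peer use VNetA's VPN gateway. Never combine this with
# --use-remote-gateways on the same peering; a VNet that owns a gateway cannot use a remote one.
peer_hub_to_spoke() {
  run az network vnet peering create --subscription "$SUB_A" \
      --name "to-${VNET_B}" --resource-group "$RG_A" --vnet-name "$VNET_A" \
      --remote-vnet "$VNET_B_ID" --allow-vnet-access --allow-forwarded-traffic \
      --allow-gateway-transit
}

# Spoke side (tenant B): send on-premises prefixes through VNetA's gateway.
# VNetB must not have its own VPN gateway, or this flag is rejected.
peer_spoke_to_hub() {
  run az network vnet peering create --subscription "$SUB_B" \
      --name "to-${VNET_A}" --resource-group "$RG_B" --vnet-name "$VNET_B" \
      --remote-vnet "$VNET_A_ID" --allow-vnet-access --allow-forwarded-traffic \
      --use-remote-gateways
}

# Both peering objects must report "Connected"; "Initiated" means the other side is missing.
check_peering() {
  run az network vnet peering show --subscription "$SUB_A" --resource-group "$RG_A" \
      --vnet-name "$VNET_A" --name "to-${VNET_B}" --query peeringState -o tsv
  run az network vnet peering show --subscription "$SUB_B" --resource-group "$RG_B" \
      --vnet-name "$VNET_B" --name "to-${VNET_A}" --query peeringState -o tsv
}

# Only run the full sequence when invoked directly, not when sourced for testing.
if [ "${BASH_SOURCE[0]:-$0}" = "$0" ] && [ "${RUN_PEERING:-0}" = "1" ]; then
  peer_hub_to_spoke; peer_spoke_to_hub; check_peering
fi
```

After both sides show Connected, the NSG step from the answer still applies: VNetB's subnets must allow the web server's port outbound and the on-premises side must accept VNetB's address range.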