I have the following parties:
Org1 - The owner of the application that is being built
Vendor1 - The 3rd party that built the application
Client1 - A consumer of the application
Client2 - A consumer of the application
Our application is set up as "multi-tenancy via infrastructure" (i.e. every client gets their own set of servers, DBs, etc.). One requirement is that each client has direct access to their database and the database is only accessible over VPN.
To support this we have set up the following VNets:
Client1_Internal_VNet - The database lives in this VNet
Client2_Internal_VNet - The database lives in this VNet
Vendor1_VNet - Vendor1's VPN connects to a Virtual Network Gateway in this VNet
Client1_VPN_VNet - Client1's VPN connects to a Virtual Network Gateway in this VNet
Client2_VPN_VNet - Client2's VPN connects to a Virtual Network Gateway in this VNet
Peerings are as follows:
Client1_VPN_VNet -> Connects to Client1_Internal_VNet
Client2_VPN_VNet -> Connects to Client2_Internal_VNet
Vendor1_VNet -> Connects to Client1_Internal_VNet and Client2_Internal_VNet
If I set Client1_Internal_VNet to use the (remote) gateway in Client1_VPN_VNet, connections work.
If I then set Client1_Internal_VNet to use the (remote) gateway in Vendor1_VNet, I get an error (as you can only have 1 remote gateway per VNet).
I tried to manually add the route (Client1_Internal_VNet -> Vendor1_VNet) in a Route Table, but the UI doesn't allow that.
If I look at traffic I see traffic flow between VNets but it does not go outside (through the gateway).
Is there a way I can accomplish this while keeping the VNet segregation? (I understand I can set up a multi-site-to-site VPN in a hub-and-spoke model, but I'm concerned with Client1 getting access to Client2's VNet.)
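The peering setup described in the question, written out as an added Bicep example (not the poster's own code) from the Client1_Internal_VNet side. It assumes the template is deployed into the resource group that holds Client1_Internal_VNet and that the resource IDs of the two remote VNets are passed in as parameters; the API version and peering names are assumptions too.

```bicep
// Added example, not from the original question: the two peerings that
// Client1_Internal_VNet owns. VNet names come from the question; resource
// IDs, API version and peering names are assumptions.
param client1VpnVnetId string // resource ID of Client1_VPN_VNet (holds Client1's VPN gateway)
param vendor1VnetId string    // resource ID of Vendor1_VNet (holds Vendor1's VPN gateway)

resource client1Internal 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: 'Client1_Internal_VNet'
}

// Client1_Internal_VNet -> Client1_VPN_VNet: the working case from the question.
// useRemoteGateways: true makes the gateway in Client1_VPN_VNet this VNet's one
// remote gateway; the reverse peering in Client1_VPN_VNet must set
// allowGatewayTransit: true for that to be accepted.
resource toClient1Vpn 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: client1Internal
  name: 'to-Client1_VPN_VNet'
  properties: {
    remoteVirtualNetwork: { id: client1VpnVnetId }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: false
    allowGatewayTransit: false
    useRemoteGateways: true
  }
}

// Client1_Internal_VNet -> Vendor1_VNet: useRemoteGateways has to stay false,
// because a VNet may reference only one remote gateway and this one already
// references Client1_VPN_VNet (setting it true here is the error the question
// reports). allowForwardedTraffic: false is the segregation control: packets
// that did not originate inside Vendor1_VNet (for example traffic relayed from
// Client2_Internal_VNet through a forwarding appliance in Vendor1_VNet) are
// dropped by this peering instead of reaching Client1's database.
resource toVendor1 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: client1Internal
  name: 'to-Vendor1_VNet'
  properties: {
    remoteVirtualNetwork: { id: vendor1VnetId }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: false
    allowGatewayTransit: false
    useRemoteGateways: false
  }
}
```

The matching peerings in Client1_VPN_VNet and Vendor1_VNet are declared the same way from their own side, with allowGatewayTransit set to true only on the VNet whose gateway Client1_Internal_VNet actually uses.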