Connectivity between Multiple Subscriptions in same region


We have an Azure tenant with one subscription managed by a CSP. We want to create another subscription of 7 VMs to run Azure OpenShift (with RH VMs), in the same region.

The questions are:

- We want to leverage the AD/DC resources in the existing subscription. For this, do we need any additional network components (vNet peering etc.)?

- Do we need other network components like WAF, firewall, LB etc. in the new subscription?

2 Replies
If you want to access resources in the other subscription, then yes: another VNet with peering between the two will allow access. Then set the DNS of the secondary VNet to point to the IP of the domain controller. No need for WAF/firewall etc. unless something is published externally over the internet.

Then you need whatever resources you need for OpenShift (you will need a separate Backup Recovery Vault for backups).

You can peer virtual networks that exist in two different subscriptions as long as a privileged user of both subscriptions authorizes the peering and the subscriptions are associated with the same Active Directory tenant.
https://azure.microsoft.com/en-in/updates/vnet-peering-cross-version-cross-subscription/#:~:text=Not....

Once the network peering is established, you can replicate AD between them.

Assuming you have a hub and spoke configuration, peer both subscriptions to the hub vNet where you have the firewall, and route the AD/DNS traffic via the firewall.

Hope this helps
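The procedure the replies above describe (peer the new subscription's VNet with the existing one that hosts the domain controllers, then point the new VNet's DNS at the DCs), written out as an added Azure CLI script. This is example code, not code from the original thread. Subscription IDs, resource-group and VNet names and DC addresses are placeholders; it assumes both subscriptions sit in the same Azure AD tenant and that the logged-in identity can write peerings on both VNets (Network Contributor, or a custom role with Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write and Microsoft.Network/virtualNetworks/peer/action). Azure rejects a peering whose address spaces overlap, so the script checks that first with a small CIDR helper, and it only calls `az` when APPLY=1 is set, so the helper can be tried on its own.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): peer a VNet in a new
# subscription with the VNet holding the domain controllers in the existing
# subscription, then point the new VNet's DNS at those DCs.
# All IDs, names and addresses below are placeholders (assumptions).
set -eu

HUB_SUB="00000000-0000-0000-0000-000000000001"    # existing, CSP-managed subscription
SPOKE_SUB="00000000-0000-0000-0000-000000000002"  # new OpenShift subscription
HUB_RG="rg-identity";    HUB_VNET="vnet-hub"      # VNet that hosts the AD/DC VMs
SPOKE_RG="rg-openshift"; SPOKE_VNET="vnet-openshift"
DC_IPS="10.0.1.4 10.0.1.5"                        # DC private IPs inside the hub VNet

# ip4_to_int 10.0.1.4 -> 167772420 (dotted quad to a 32-bit integer)
ip4_to_int() {
  printf '%s\n' "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# cidr_overlap A B -> exit 0 if the two IPv4 prefixes overlap, 1 otherwise.
# Two prefixes overlap exactly when they agree under the shorter mask.
cidr_overlap() {
  local a_ip=${1%/*} a_len=${1#*/} b_ip=${2%/*} b_len=${2#*/}
  local len=$(( a_len < b_len ? a_len : b_len ))
  local mask=$(( len == 0 ? 0 : (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( $(ip4_to_int "$a_ip") & mask )) -eq $(( $(ip4_to_int "$b_ip") & mask )) ]
}

peer_and_point_dns() {
  # Read both VNets; --subscription lets one logged-in identity address either side.
  hub_id=$(az network vnet show --subscription "$HUB_SUB" -g "$HUB_RG" -n "$HUB_VNET" \
             --query id -o tsv)
  hub_cidrs=$(az network vnet show --subscription "$HUB_SUB" -g "$HUB_RG" -n "$HUB_VNET" \
             --query 'addressSpace.addressPrefixes' -o tsv)
  spoke_id=$(az network vnet show --subscription "$SPOKE_SUB" -g "$SPOKE_RG" -n "$SPOKE_VNET" \
             --query id -o tsv)
  spoke_cidrs=$(az network vnet show --subscription "$SPOKE_SUB" -g "$SPOKE_RG" -n "$SPOKE_VNET" \
             --query 'addressSpace.addressPrefixes' -o tsv)

  # Fail early: Azure refuses to peer VNets whose address spaces overlap.
  for h in $hub_cidrs; do
    for s in $spoke_cidrs; do
      if cidr_overlap "$h" "$s"; then
        echo "address spaces overlap: $h (hub) vs $s (spoke); re-address the spoke" >&2
        return 1
      fi
    done
  done

  # A peering is two resources, one in each VNet; the remote side is given by
  # full resource ID because it lives in another subscription. The state only
  # becomes Connected once both halves exist.
  az network vnet peering create --subscription "$SPOKE_SUB" -g "$SPOKE_RG" \
      --vnet-name "$SPOKE_VNET" -n spoke-to-hub --remote-vnet "$hub_id" \
      --allow-vnet-access --allow-forwarded-traffic
  az network vnet peering create --subscription "$HUB_SUB" -g "$HUB_RG" \
      --vnet-name "$HUB_VNET" -n hub-to-spoke --remote-vnet "$spoke_id" \
      --allow-vnet-access --allow-forwarded-traffic

  # Point the spoke VNet's DNS at the DCs so domain join and AD lookups resolve.
  # Existing VMs pick the new servers up on DHCP lease renewal or reboot.
  az network vnet update --subscription "$SPOKE_SUB" -g "$SPOKE_RG" -n "$SPOKE_VNET" \
      --dns-servers $DC_IPS

  az network vnet peering show --subscription "$SPOKE_SUB" -g "$SPOKE_RG" \
      --vnet-name "$SPOKE_VNET" -n spoke-to-hub --query peeringState -o tsv
}

# Only talk to Azure when explicitly asked: APPLY=1 ./peer-spoke.sh
if [ "${APPLY:-0}" = "1" ]; then
  peer_and_point_dns
fi
```

Two caveats the script does not handle: VNet peering is not transitive, so in the hub-and-spoke layout of the last reply the spoke reaches other spokes only through a firewall plus user-defined routes, not through the hub peering alone; and once the spoke VNet's DNS is the DCs, those DCs must forward names they are not authoritative for (including Azure private-link zones) to Azure's recursive resolver at 168.63.129.16, otherwise platform name resolution in the spoke breaks.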