Azure Subscriptions and vNETs


Hi, I want to clarify the following statement from the article ExpressRoute FAQs:

Are virtual networks connected to the same circuit isolated from each other? No. From a routing perspective, all virtual networks linked to the same ExpressRoute circuit are part of the same routing domain and are not isolated from each other. If you need route isolation, you need to create a separate ExpressRoute circuit.

 

And from the Azure Onboarding Guide for IT Organizations:

If multiple virtual networks are to share a single enterprise ExpressRoute connection, essentially there is no network isolation between those networks. In this case, any separation the subscription design may try to define is eliminated and must be achieved through subnet layer Network Security Groups (NSGs). When the virtual networks are attached to the same ExpressRoute circuit, they are essentially a single routing domain. A subscription hosting only PaaS services could have no virtual network at all, and the design limitations discussed above would not apply.

 

Does that mean, if we connect multiple vNETs (even from different subscriptions) using a single ExpressRoute connection, there's no network-level isolation as we think of by having set up multiple subscriptions? If we want to enforce this isolation, we need to implement Network Security Groups.

Thanks,
Taranjeet Singh

0 Replies
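
The NSG-based isolation described in the quoted guidance can be planned and audited offline. The sketch below is an added example, not part of the original post or of Microsoft's documentation: it builds inbound Deny rules for one vNet against every other vNet on the same circuit, then checks an NSG rule set for prefixes left uncovered. The vNet names, address spaces, priorities and function names are all constructed assumptions.

```python
import ipaddress

# Constructed sample: vNets (from different subscriptions) linked to one
# ExpressRoute circuit, with their address spaces.
VNETS = {
    "sub-a/vnet-prod": ["10.10.0.0/16"],
    "sub-b/vnet-dev": ["10.20.0.0/16", "10.21.0.0/24"],
    "sub-c/vnet-test": ["10.30.0.0/16"],
}

def isolation_rules(vnets, local, start_priority=200):
    """Inbound Deny rules for the NSG on `local`'s subnets: one per prefix of every other vNet."""
    rules = []
    for name in sorted(vnets):
        if name == local:
            continue
        for prefix in vnets[name]:
            rules.append({"priority": start_priority + len(rules), "access": "Deny",
                          "source": prefix, "peer": name})
    return rules

def evaluate(rules, src_ip, default_access="Allow"):
    """NSG evaluation order: the matching rule with the lowest priority number wins.
    default_access is an assumption standing in for any lower-priority rule that
    would otherwise match (Allow is the case the quoted guidance describes)."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if src in ipaddress.ip_network(rule["source"]):
            return rule["access"]
    return default_access

def uncovered_prefixes(vnets, local, rules):
    """Audit: prefixes of other vNets on the circuit that no Deny rule fully covers."""
    denied = [ipaddress.ip_network(r["source"]) for r in rules if r["access"] == "Deny"]
    gaps = []
    for name, prefixes in vnets.items():
        if name == local:
            continue
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if not any(net.subnet_of(d) for d in denied):
                gaps.append((name, prefix))
    return sorted(gaps)

if __name__ == "__main__":
    rules = isolation_rules(VNETS, "sub-a/vnet-prod")
    print(evaluate(rules, "10.20.4.7"), uncovered_prefixes(VNETS, "sub-a/vnet-prod", rules[:-1]))
```

Running the audit whenever a vNet is linked to the circuit or an address space is extended shows which NSGs no longer cover every neighbouring prefix.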