Create a virtual network peering - Resource Manager, different subscriptions and Azure Active Directory tenants

• An Azure account(s) with two active subscriptions. Create an account for trial.

• An Azure account with permissions in both subscriptions or an account in each subscription with the proper permissions to create a virtual network peering. For a list of permissions, see Virtual network peering permissions.

  • To separate the duty of managing the network belonging to each tenant, add the user from each tenant as a guest in the opposite tenant and assign them the Network Contributor role to the virtual network. This procedure applies if the virtual networks are in different subscriptions and Active Directory tenants.

  • To establish a network peering when you don't intend to separate the duty of managing the network belonging to each tenant, add the user from tenant A as a guest in the opposite tenant. Then, assign them the Network Contributor role to initiate and connect the network peering from each subscription. With these permissions, the user is able to establish the network peering from each subscription.

  • For more information about guest users, see Add Azure Active Directory B2B collaboration users in the Azure portal.

  • Each user must accept the guest user invitation from the opposite Azure Active Directory tenant.

• An Azure account(s) with two active subscriptions. Create an account for trial.

• An Azure account with permissions in both subscriptions or an account in each subscription with the proper permissions to create a virtual network peering. For a list of permissions, see Virtual network peering permissions.

  • To separate the duty of managing the network belonging to each tenant, add the user from each tenant as a guest in the opposite tenant and assign them the Network Contributor role to the virtual network. This procedure applies if the virtual networks are in different subscriptions and Active Directory tenants.

  • To establish a network peering when you don't intend to separate the duty of managing the network belonging to each tenant, add the user from tenant A as a guest in the opposite tenant. Then, assign them the Network Contributor role to initiate and connect the network peering from each subscription. With these permissions, the user is able to establish the network peering from each subscription.

  • For more information about guest users, see Add Azure Active Directory B2B collaboration users in the Azure portal.

  • Each user must accept the guest user invitation from the opposite Azure Active Directory tenant.

• Azure PowerShell installed locally.

• Sign in to Azure PowerShell and ensure you've selected the subscription with which you want to use this feature. For more information, see Sign in with Azure PowerShell.

• Ensure your Az.Network module is 4.3.0 or later. To verify the installed module, use the command Get-InstalledModule -Name "Az.Network". If the module requires an update, use the command Update-Module -Name Az.Network if necessary.

This article requires the Azure PowerShell module version 5.4.1 or later. Run Get-Module -ListAvailable Az to find the installed version. If you need to upgrade, see Install Azure PowerShell module. You also need to run Connect-AzAccount -Environment AzureChinaCloud to create a connection with Azure.

• An Azure account(s) with two active subscriptions. Create an account for trial.

• An Azure account with permissions in both subscriptions or an account in each subscription with the proper permissions to create a virtual network peering. For a list of permissions, see Virtual network peering permissions.

  • To separate the duty of managing the network belonging to each tenant, add the user from each tenant as a guest in the opposite tenant and assign them the Network Contributor role to the virtual network. This procedure applies if the virtual networks are in different subscriptions and Active Directory tenants.

  • To establish a network peering when you don't intend to separate the duty of managing the network belonging to each tenant, add the user from tenant A as a guest in the opposite tenant. Then, assign them the Network Contributor role to initiate and connect the network peering from each subscription. With these permissions, the user is able to establish the network peering from each subscription.

  • For more information about guest users, see Add Azure Active Directory B2B collaboration users in the Azure portal.

  • Each user must accept the guest user invitation from the opposite Azure Active Directory tenant.

• If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.

  • If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.

  • When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.

  • Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.

• This how-to article requires version 2.31.0 or later of the Azure CLI.

1. Sign-in to the Azure portal as UserA.

2. In the search box a the top of the portal, enter Virtual network. Select Virtual networks in the search results.

3. Select + Create.

4. In the Basics tab of Create virtual network, enter or select the following information:

   Setting	Value
   Project details
   Subscription	Select your SubscriptionA.
   Resource group	Select Create new. Enter myResourceGroupA in Name. Select OK.
   Instance details
   Name	Enter myVNetA.
   Region	Select a region.

5. Select Next: IP Addresses.

6. In IPv4 address space, enter 10.1.0.0/16.

7. Select + Add subnet.

8. Enter or select the following information:

   Setting	Value
   Subnet name	Enter mySubnet.
   Subnet address range	Enter 10.1.0.0/24.

9. Select Add.

10. Select Review + create.

11. Select Create.

Sign in to SubscriptionA

Use Connect-AzAccount to sign in to SubscriptionA.

Connect-AzAccount -Environment AzureChinaCloud

If you're using one account for both subscriptions, sign in to that account and change the subscription context to SubscriptionA with Set-AzContext.

Set-AzContext -Subscription SubscriptionA

Create a resource group - myResourceGroupA

An Azure resource group is a logical container where Azure resources are deployed and managed.

Create a resource group with New-AzResourceGroup:

$rsg = @{
    Name = 'myResourceGroupA'
    Location = 'chinaeast2'
}
New-AzResourceGroup @rsg

Create the virtual network

Create a virtual network with New-AzVirtualNetwork. This example creates a default virtual network named myVNetA in the China East 2 location:

$vnet = @{
    Name = 'myVNetA'
    ResourceGroupName = 'myResourceGroupA'
    Location = 'chinaeast2'
    AddressPrefix = '10.1.0.0/16'
}
$virtualNetwork = New-AzVirtualNetwork @vnet

Add a subnet

Azure deploys resources to a subnet within a virtual network, so you need to create a subnet. Create a subnet configuration named default with Add-AzVirtualNetworkSubnetConfig:

$subnet = @{
    Name = 'default'
    VirtualNetwork = $virtualNetwork
    AddressPrefix = '10.1.0.0/24'
}
$subnetConfig = Add-AzVirtualNetworkSubnetConfig @subnet

Associate the subnet to the virtual network

You can write the subnet configuration to the virtual network with Set-AzVirtualNetwork. This command creates the subnet:

$virtualNetwork | Set-AzVirtualNetwork

Sign in to SubscriptionA

Use az login to sign in to SubscriptionA.

az login

If you're using one account for both subscriptions, sign in to that account and change the subscription context to SubscriptionA with az account set.

az account set --subscription "SubscriptionA"

Create a resource group - myResourceGroupA

An Azure resource group is a logical container where Azure resources are deployed and managed.

Create a resource group with az group create:

az group create \
    --name myResourceGroupA \
    --location chinaeast2

Create the virtual network

Create a virtual network and subnet with az network vnet create. This example creates a default virtual network named myVNetA in the China East 2 location.

az network vnet create \
    --resource-group myResourceGroupA\
    --location chinaeast2 \
    --name myVNetA \
    --address-prefixes 10.1.0.0/16 \
    --subnet-name default \
    --subnet-prefixes 10.1.0.0/24

1. Remain signed in to the portal as UserA.

2. In the search box a the top of the portal, enter Virtual network. Select Virtual networks in the search results.

3. Select myVNetA.

4. Select Access control (IAM).

5. Select + Add -> Add role assignment.

6. In Add role assignment in the Role tab, select Network Contributor.

7. Select Next.

8. In the Members tab, select + Select members.

9. In Select members in the search box, enter UserB.

10. Select Select.

11. Select Review + assign.

12. Select Review + assign.

Use Get-AzVirtualNetwork to obtain the resource ID for myVNetA. Assign UserB from SubscriptionB to myVNetA with New-AzRoleAssignment.

Use Get-AzADUser to obtain the object ID for UserB.

UserB is used in this example for the user account. Replace this value with the display name for the user from SubscriptionB that you wish to assign permissions to myVNetA. You can skip this step if you're using the same account for both subscriptions.

$id = @{
    Name = 'myVNetA'
    ResourceGroupName = 'myResourceGroupA'
}
$vnet = Get-AzVirtualNetwork @id

$obj = Get-AzADUser -DisplayName 'UserB'

$role = @{
    ObjectId = $obj.id
    RoleDefinitionName = 'Network Contributor'
    Scope = $vnet.id
}
New-AzRoleAssignment @role

Use az network vnet show to obtain the resource ID for myVNetA. Assign UserB from SubscriptionB to myVNetA with az role assignment create.

Use az ad user list to obtain the object ID for UserB.

UserB is used in this example for the user account. Replace this value with the display name for the user from SubscriptionB that you wish to assign permissions to myVNetA. You can skip this step if you're using the same account for both subscriptions.

az ad user list --display-name UserB

[
  {
    "businessPhones": [],
    "displayName": "UserB",
    "givenName": null,
    "id": "16d51293-ec4b-43b1-b54b-3422c108321a",
    "jobTitle": null,
    "mail": "userB@fabrikam.com",
    "mobilePhone": null,
    "officeLocation": null,
    "preferredLanguage": null,
    "surname": null,
    "userPrincipalName": "userb_fabrikam.com#EXT#@contoso.partner.onmschina.cn"
  }
]

Make note of the object ID of UserB in field id. In this example, its 16d51293-ec4b-43b1-b54b-3422c108321a.

vnetid=$(az network vnet show \
    --name myVNetA \
    --resource-group myResourceGroupA \
    --query id \
    --output tsv)

az role assignment create \
      --assignee 16d51293-ec4b-43b1-b54b-3422c108321a \
      --role "Network Contributor" \
      --scope $vnetid

Replace the example guid in --assignee with the real object ID for UserB.

1. Remain signed in to the portal as UserA.

2. In the search box a the top of the portal, enter Virtual network. Select Virtual networks in the search results.

3. Select myVNetA.

4. In Settings, select Properties.

5. Copy the information in the Resource ID field and save for the later steps. The resource ID is similar to the following example: /subscriptions/<Subscription Id>/resourceGroups/myResourceGroupA/providers/Microsoft.Network/virtualNetworks/myVnetA.

6. Sign out of the portal as UserA.

The resource ID of myVNetA is required to set up the peering connection from myVNetB to myVNetA. Use Get-AzVirtualNetwork to obtain the resource ID for myVNetA.

$id = @{
    Name = 'myVNetA'
    ResourceGroupName = 'myResourceGroupA'
}
$vnetA = Get-AzVirtualNetwork @id

$vnetA.id

The resource ID of myVNetA is required to set up the peering connection from myVNetB to myVNetA. Use az network vnet show to obtain the resource ID for myVNetA.

vnetidA=$(az network vnet show \
    --name myVNetA \
    --resource-group myResourceGroupA \
    --query id \
    --output tsv)

echo $vnetidA

1. Sign in to the portal as UserB. If you're using one account for both subscriptions, change to SubscriptionB in the portal.

2. In the search box a the top of the portal, enter Virtual network. Select Virtual networks in the search results.

3. Select + Create.

4. In the Basics tab of Create virtual network, enter or select the following information:

   Setting	Value
   Project details
   Subscription	Select your SubscriptionB.
   Resource group	Select Create new. Enter myResourceGroupB in Name. Select OK.
   Instance details
   Name	Enter myVNetB.
   Region	Select a region.

5. Select Next: IP Addresses.

6. In IPv4 address space, enter 10.2.0.0/16.

7. Select + Add subnet.

8. Enter or select the following information:

   Setting	Value
   Subnet name	Enter mySubnet.
   Subnet address range	Enter 10.2.0.0/24.

9. Select Add.

10. Select Review + create.

11. Select Create.

Sign in to SubscriptionB

Use Connect-AzAccount to sign in to SubscriptionB.

Connect-AzAccount -Environment AzureChinaCloud

If you're using one account for both subscriptions, sign in to that account and change the subscription context to SubscriptionB with Set-AzContext.

Set-AzContext -Subscription SubscriptionB

Create a resource group - myResourceGroupB

An Azure resource group is a logical container where Azure resources are deployed and managed.

Create a resource group with New-AzResourceGroup:

$rsg = @{
    Name = 'myResourceGroupB'
    Location = 'chinaeast2'
}
New-AzResourceGroup @rsg

Create the virtual network

Create a virtual network with New-AzVirtualNetwork. This example creates a default virtual network named myVNetB in the China East 2 location:

$vnet = @{
    Name = 'myVNetB'
    ResourceGroupName = 'myResourceGroupB'
    Location = 'chinaeast2'
    AddressPrefix = '10.2.0.0/16'
}
$virtualNetwork = New-AzVirtualNetwork @vnet

Add a subnet

Azure deploys resources to a subnet within a virtual network, so you need to create a subnet. Create a subnet configuration named default with Add-AzVirtualNetworkSubnetConfig:

$subnet = @{
    Name = 'default'
    VirtualNetwork = $virtualNetwork
    AddressPrefix = '10.2.0.0/24'
}
$subnetConfig = Add-AzVirtualNetworkSubnetConfig @subnet

Associate the subnet to the virtual network

You can write the subnet configuration to the virtual network with Set-AzVirtualNetwork. This command creates the subnet:

$virtualNetwork | Set-AzVirtualNetwork

Sign in to SubscriptionB

Use az login to sign in to SubscriptionA.

az login

If you're using one account for both subscriptions, sign in to that account and change the subscription context to SubscriptionB with az account set.

az account set --subscription "SubscriptionB"

Create a resource group - myResourceGroupB

An Azure resource group is a logical container where Azure resources are deployed and managed.

Create a resource group with az group create:

az group create \
    --name myResourceGroupB \
    --location chinaeast2

Create the virtual network

Create a virtual network and subnet with az network vnet create. This example creates a default virtual network named myVNetB in the China East 2 location.

az network vnet create \
    --resource-group myResourceGroupB\
    --location chinaeast2 \
    --name myVNetB \
    --address-prefixes 10.2.0.0/16 \
    --subnet-name default \
    --subnet-prefixes 10.2.0.0/24

1. Remain signed in to the portal as UserB.

2. In the search box a the top of the portal, enter Virtual network. Select Virtual networks in the search results.

3. Select myVNetB.

4. Select Access control (IAM).

5. Select + Add -> Add role assignment.

6. In Add role assignment in the Role tab, select Network Contributor.

7. Select Next.

8. In the Members tab, select + Select members.

9. In Select members in the search box, enter UserA.

10. Select Select.

11. Select Review + assign.

12. Select Review + assign.

Use Get-AzVirtualNetwork to obtain the resource ID for myVNetA. Assign UserA from SubscriptionA to myVNetB with New-AzRoleAssignment.

Use Get-AzADUser to obtain the object ID for UserA.

UserA is used in this example for the user account. Replace this value with the display name for the user from SubscriptionA that you wish to assign permissions to myVNetB. You can skip this step if you're using the same account for both subscriptions.

$id = @{
    Name = 'myVNetB'
    ResourceGroupName = 'myResourceGroupB'
}
$vnet = Get-AzVirtualNetwork @id

$obj = Get-AzADUser -DisplayName 'UserA'

$role = @{
    ObjectId = $obj.id
    RoleDefinitionName = 'Network Contributor'
    Scope = $vnet.id
}
New-AzRoleAssignment @role

Use az network vnet show to obtain the resource ID for myVNetB. Assign UserA from SubscriptionA to myVNetB with az role assignment create.

Use az ad user list to obtain the object ID for UserA.

UserA is used in this example for the user account. Replace this value with the display name for the user from SubscriptionA that you wish to assign permissions to myVNetB. You can skip this step if you're using the same account for both subscriptions.

az ad user list --display-name UserA

[
  {
    "businessPhones": [],
    "displayName": "UserA",
    "givenName": null,
    "id": "ee0645cc-e439-4ffc-b956-79577e473969",
    "jobTitle": null,
    "mail": "userA@contoso.com",
    "mobilePhone": null,
    "officeLocation": null,
    "preferredLanguage": null,
    "surname": null,
    "userPrincipalName": "usera_contoso.com#EXT#@fabrikam.partner.onmschina.cn"
  }
]

Make note of the object ID of UserA in field id. In this example, it's ee0645cc-e439-4ffc-b956-79577e473969.

vnetid=$(az network vnet show \
    --name myVNetB \
    --resource-group myResourceGroupB \
    --query id \
    --output tsv)

az role assignment create \
      --assignee ee0645cc-e439-4ffc-b956-79577e473969 \
      --role "Network Contributor" \
      --scope $vnetid

1. Remain signed in to the portal as UserB.

2. In the search box a the top of the portal, enter Virtual network. Select Virtual networks in the search results.

3. Select myVNetB.

4. In Settings, select Properties.

5. Copy the information in the Resource ID field and save for the later steps. The resource ID is similar to the following example: /subscriptions/<Subscription Id>/resourceGroups/myResourceGroupB/providers/Microsoft.Network/virtualNetworks/myVnetB.

6. Sign out of the portal as UserB.

The resource ID of myVNetB is required to set up the peering connection from myVNetA to myVNetB. Use Get-AzVirtualNetwork to obtain the resource ID for myVNetB.

$id = @{
    Name = 'myVNetB'
    ResourceGroupName = 'myResourceGroupB'
}
$vnetB = Get-AzVirtualNetwork @id

$vnetB.id

The resource ID of myVNetB is required to set up the peering connection from myVNetA to myVNetB. Use az network vnet show to obtain the resource ID for myVNetB.

vnetidB=$(az network vnet show \
    --name myVNetB \
    --resource-group myResourceGroupB \
    --query id \
    --output tsv)

echo $vnetidB

1. Sign in to the Azure portal as UserA. If you're using one account for both subscriptions, change to SubscriptionA in the portal.

2. In the search box a the top of the portal, enter Virtual network. Select Virtual networks in the search results.

3. Select myVNetA.

4. Select Peerings.

5. Select + Add.

6. Enter or select the following information in Add peering:

   Setting	Value
   This virtual network
   Peering link name	Enter myVNetAToMyVNetB.
   Traffic to remote virtual network	Leave the default of Allow (default).
   Traffic forwarded from remote virtual network	Leave the default of Allow (default).
   Virtual network gateway	Leave the default of None (default).
   Remote virtual network
   Peering link name	Leave blank.
   Virtual network deployment model	Select Resource manager.
   Select the box for I know my resource ID.
   Resource ID	Enter or paste the Resource ID for myVNetB.

7. In the pull-down box, select the Directory that corresponds with myVNetB and UserB.

8. Select Authenticate.

9. Select Add.

10. Sign out of the portal as UserA.

Sign in to SubscriptionA

Use Connect-AzAccount to sign in to SubscriptionA.

Connect-AzAccount -Environment AzureChinaCloud

If you're using one account for both subscriptions, sign in to that account and change the subscription context to SubscriptionA with Set-AzContext.

Set-AzContext -Subscription SubscriptionA

Sign in to SubscriptionB

Authenticate to SubscriptionB so that the peering can be set up.

Use Connect-AzAccount to sign in to SubscriptionB.

Connect-AzAccount -Environment AzureChinaCloud

Change to SubscriptionA (optional)

You may have to switch back to SubscriptionA to continue with the actions in SubscriptionA.

Change context to SubscriptionA.

Set-AzContext -Subscription SubscriptionA

Create peering connection

Use Add-AzVirtualNetworkPeering to create a peering connection between myVNetA and myVNetB.

$netA = @{
    Name = 'myVNetA'
    ResourceGroupName = 'myResourceGroupA'
}
$vnetA = Get-AzVirtualNetwork @netA

$peer = @{
    Name = 'myVNetAToMyVNetB'
    VirtualNetwork = $vnetA
    RemoteVirtualNetworkId = '/subscriptions/<SubscriptionB-Id>/resourceGroups/myResourceGroupB/providers/Microsoft.Network/virtualNetworks/myVnetB'
}
Add-AzVirtualNetworkPeering @peer

Use Get-AzVirtualNetworkPeering to obtain the status of the peering connections from myVNetA to myVNetB.

$status = @{
    ResourceGroupName =  'myResourceGroupA'
    VirtualNetworkName = 'myVNetA'
}
Get-AzVirtualNetworkPeering @status | Format-Table VirtualNetworkName, PeeringState

PS /home/azureuser> Get-AzVirtualNetworkPeering @status | Format-Table VirtualNetworkName, PeeringState

VirtualNetworkName PeeringState
------------------ ------------
myVNetA            Initiated

Sign in to SubscriptionA

Use az login to sign in to SubscriptionA.

az login

If you're using one account for both subscriptions, sign in to that account and change the subscription context to SubscriptionA with az account set.

az account set --subscription "SubscriptionA"

Sign in to SubscriptionB

Authenticate to SubscriptionB so that the peering can be set up.

Use az login to sign in to SubscriptionB.

az login

Change to SubscriptionA (optional)

You may have to switch back to SubscriptionA to continue with the actions in SubscriptionA.

Change context to SubscriptionA.

az account set --subscription "SubscriptionA"

Create peering connection

Use az network vnet peering create to create a peering connection between myVNetA and myVNetB.

az network vnet peering create \
    --name myVNetAToMyVNetB \
    --resource-group myResourceGroupA \
    --vnet-name myVNetA \
    --remote-vnet /subscriptions/<SubscriptionB-Id>/resourceGroups/myResourceGroupB/providers/Microsoft.Network/VirtualNetworks/myVNetB \
    --allow-vnet-access

Use az network vnet peering list to obtain the status of the peering connections from myVNetA to myVNetB.

az network vnet peering list \
    --resource-group myResourceGroupA \
    --vnet-name myVNetA \
    --output table

1. Sign in to the Azure portal as UserB. If you're using one account for both subscriptions, change to SubscriptionB in the portal.

2. In the search box a the top of the portal, enter Virtual network. Select Virtual networks in the search results.

3. Select myVNetB.

4. Select Peerings.

5. Select + Add.

6. Enter or select the following information in Add peering:

   Setting	Value
   This virtual network
   Peering link name	Enter myVNetBToMyVNetA.
   Traffic to remote virtual network	Leave the default of Allow (default).
   Traffic forwarded from remote virtual network	Leave the default of Allow (default).
   Virtual network gateway	Leave the default of None (default).
   Remote virtual network
   Peering link name	Leave blank.
   Virtual network deployment model	Select Resource manager.
   Select the box for I know my resource ID.
   Resource ID	Enter or paste the Resource ID for myVNetA.

7. In the pull-down box, select the Directory that corresponds with myVNetA and UserA.

8. Select Authenticate.

9. Select Add.

Sign in to SubscriptionB

Use Connect-AzAccount to sign in to SubscriptionB.

Connect-AzAccount -Environment AzureChinaCloud

If you're using one account for both subscriptions, sign in to that account and change the subscription context to SubscriptionB with Set-AzContext.

Set-AzContext -Subscription SubscriptionB

Sign in to SubscriptionA

Authenticate to SubscriptionA so that the peering can be set up.

Use Connect-AzAccount to sign in to SubscriptionA.

Connect-AzAccount -Environment AzureChinaCloud

Change to SubscriptionB (optional)

You may have to switch back to SubscriptionB to continue with the actions in SubscriptionB.

Change context to SubscriptionB.

Set-AzContext -Subscription SubscriptionB

Create peering connection

Use Add-AzVirtualNetworkPeering to create a peering connection between myVNetB and myVNetA.

$netB = @{
    Name = 'myVNetB'
    ResourceGroupName = 'myResourceGroupB'
}
$vnetB = Get-AzVirtualNetwork @netB

$peer = @{
    Name = 'myVNetBToMyVNetA'
    VirtualNetwork = $vnetB
    RemoteVirtualNetworkId = '/subscriptions/<SubscriptionA-Id>/resourceGroups/myResourceGroupA/providers/Microsoft.Network/virtualNetworks/myVNetA'
}
Add-AzVirtualNetworkPeering @peer

User Get-AzVirtualNetworkPeering to obtain the status of the peering connections from myVNetB to myVNetA.

$status = @{
    ResourceGroupName =  'myResourceGroupB'
    VirtualNetworkName = 'myVNetB'
}
Get-AzVirtualNetworkPeering @status | Format-Table VirtualNetworkName, PeeringState

PS /home/azureuser> Get-AzVirtualNetworkPeering @status | Format-Table VirtualNetworkName, PeeringState

VirtualNetworkName PeeringState
------------------ ------------
myVNetB            Connected

Sign in to SubscriptionB

Use az login to sign in to SubscriptionB.

az login

If you're using one account for both subscriptions, sign in to that account and change the subscription context to SubscriptionB with az account set.

az account set --subscription "SubscriptionB"

Sign in to SubscriptionA

Authenticate to SubscriptionA so that the peering can be set up.

Use az login to sign in to SubscriptionA.

az login

Change to SubscriptionB (optional)

You may have to switch back to SubscriptionB to continue with the actions in SubscriptionB.

Change context to SubscriptionB.

az account set --subscription "SubscriptionB"

Create peering connection

Use az network vnet peering create to create a peering connection between myVNetB and myVNetA.

az network vnet peering create \
    --name myVNetBToMyVNetA \
    --resource-group myResourceGroupB \
    --vnet-name myVNetB \
    --remote-vnet /subscriptions/<SubscriptionA-Id>/resourceGroups/myResourceGroupA/providers/Microsoft.Network/VirtualNetworks/myVNetA \
    --allow-vnet-access

Use az network vnet peering list to obtain the status of the peering connections from myVNetB to myVNetA.

az network vnet peering list \
    --resource-group myResourceGroupB \
    --vnet-name myVNetB \
    --output table