Azure VNET user defined route through VPN gateway

1/15/2019

Network setup

We have two on-premise locations (different IP ranges) that are each connected to a separate VNET in Azure through site-to-site VPN and VPN gateways.

Devices at location 1 can reach resources in VNET1 and resources in VNET1 can reach on-premise resources at location 1.

Similarly, devices at location 2 can reach resources in VNET2 and resources in VNET2 can reach on-premise resources at location 2.

Now we want to set up some shared services (a Kubernetes cluster) that can be reached from both on-premise locations and that can reach devices at both locations. Devices at location 1 should not be able to reach devices at location 2.

I can use "allow gateway transition" on one of the peerings. But I cannot use it on both, since you can only have it if you don't already have a gateway, and on at most one peering.

So I've been looking into User Defined Routes (UDR), but I'm not having any luck.

On the "default" subnet in the service VNET I try to define a route to 10.252.0.0/16 that uses 192.168.30.1 (VNET1 GW) as the next hop. That does not work. Do I have to set up a virtual firewall appliance in the two VNETs to route via?

Q: How can I make devices at locations 1 and 2 access the shared Kubernetes services, and how can the Kubernetes services access on-premise resources at both location 1 and location 2?

-- Paaland
azure
azure-virtual-network
azure-vpn
kubernetes

0 Answers