S2S VPN not propagating route to spoke and hub vnet - azure

I have a hub and spoke topology and one of my spokes hosts a VPN Gateway that has an S2S VPN with another VNET (in another tenant).
The IP Range of the remote network (10.10.6.0/24) (connected with S2S VPN) is not added in my route table (and therefore in the BGP table).
What am I missing here? What configuration do I have to do to have this IP range propagated in my route table and BGP table?

I tried to reproduce the same in my environment and got results like below:
To achieve your scenario, you can make use of cross-tenant VNet peering like below:
Go to Azure Active Directory -> Users -> create users in both tenants as well.
In your tenant -> Subscriptions -> Access control (IAM) -> add the Network Contributor role for the user and the guest user, and do the same in the other tenant with its local user and guest user like below:
Now open the guest user and send an invitation to the user like below:
Use the invitation URL, log in from an Incognito tab and accept the permissions; do the same in the other tenant with the guest user login, accept the permissions in the same way and close it.
Now log in with the local primary user in both tenants like below:
Go to your VNet -> Add peering under Settings and select the option below.
The resource ID should be that of the VNet in the other tenant which you are trying to peer with. In that tenant -> VNet -> Properties under Settings you can find the resource ID.
Once the invitation is accepted you will be able to see two directories. Choose the other tenant instead of the default directory, click Authenticate and add your virtual network peering successfully.
Then go to the other tenant and do the same process: select the VNet -> Add peering -> select virtual network gateway or route server, select the resource ID from that other tenant's Properties and authenticate in the same way as above:
This way you can easily connect your VNet from another tenant. When I tested with my VPN it got connected successfully like below:
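The portal steps above as an Azure CLI script, added here as an example (it is not code from the original answer). Tenant and subscription IDs, resource names and user object IDs are placeholders; the script prints the commands unless DRY_RUN=0, and it assumes, as the answer does, that one identity has been granted access in both tenants.

```shell
#!/bin/sh
# Cross-tenant VNet peering with gateway transit, written as an Azure CLI script.
# Added example, not the original answer's code; every ID, name and object ID is a placeholder.
set -eu

TENANT_A="<tenant-a-id>"; SUB_A="<subscription-a-id>"; RG_A="rg-a"; VNET_A="vnet-spoke-gw"  # owns the VPN gateway
TENANT_B="<tenant-b-id>"; SUB_B="<subscription-b-id>"; RG_B="rg-b"; VNET_B="vnet-remote"    # the other tenant
USER_A="<object-id of the user in tenant A>"; USER_B="<object-id of the guest user in tenant B>"

# Dry-run by default: print each az command instead of executing it; DRY_RUN=0 applies the changes.
run() { if [ "${DRY_RUN:-1}" = "1" ]; then echo "+ $*"; else "$@"; fi; }

vnet_id() { echo "/subscriptions/$1/resourceGroups/$2/providers/Microsoft.Network/virtualNetworks/$3"; }

# IAM step: Network Contributor scoped to the VNet itself is enough for peering (least privilege).
grant_network_contributor() { run az role assignment create --assignee "$1" --role "Network Contributor" --scope "$2"; }

peer_vnets() {
  # Sign in to both tenants in one CLI session; the second token is used for the remote VNet ID.
  run az login --tenant "$TENANT_A"
  run az login --tenant "$TENANT_B"
  # Side A (the VNet with the gateway): allow the remote VNet to use it.
  run az network vnet peering create --subscription "$SUB_A" -g "$RG_A" --vnet-name "$VNET_A" -n "to-$VNET_B" \
      --remote-vnet "$(vnet_id "$SUB_B" "$RG_B" "$VNET_B")" \
      --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit
  # Side B: the portal's "virtual network gateway or route server" choice is --use-remote-gateways.
  # It is only accepted when VNET_B has no gateway of its own and side A set --allow-gateway-transit.
  run az network vnet peering create --subscription "$SUB_B" -g "$RG_B" --vnet-name "$VNET_B" -n "to-$VNET_A" \
      --remote-vnet "$(vnet_id "$SUB_A" "$RG_A" "$VNET_A")" \
      --allow-vnet-access --allow-forwarded-traffic --use-remote-gateways
}

# Both sides must report Connected; Initiated on either side means the opposite peering is missing.
peering_state() { run az network vnet peering show --subscription "$1" -g "$2" --vnet-name "$3" -n "$4" --query peeringState -o tsv; }

grant_network_contributor "$USER_A" "$(vnet_id "$SUB_A" "$RG_A" "$VNET_A")"
grant_network_contributor "$USER_B" "$(vnet_id "$SUB_B" "$RG_B" "$VNET_B")"
peer_vnets
peering_state "$SUB_A" "$RG_A" "$VNET_A" "to-$VNET_B"
peering_state "$SUB_B" "$RG_B" "$VNET_B" "to-$VNET_A"
```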

Related

Azure P2S VPN - Restrict access for Azure AD users/groups

We have multiple P2S virtual network gateways configured. The VPN uses OpenVPN and Azure AD authentication. Each gateway has its own virtual network for customer/project private resources.
We have a conditional access policy configured to give only specific users access to the Azure VPN enterprise application via an Azure AD security group. This however means that the users in the group will have access to all resources as long as they have the customer/project VPN XML file (for the Azure VPN Client).
Is there a way to have more fine-grained control over this? So for example create a security group and assign it to a specific P2S VPN?
We know this can be done with a NSG and restrict IPs but these are dynamic so we can't really use this.

Connecting Azure App Service to IP restricted storage account

We have an Azure Storage Account that we need to access from our company but it also needs to be accessible to one of our web apps in the same Resource group. This app is only visible to our company and some other apps that use some parts of it.
So the path looks something like this:
Storage account (Secured for App1 and our company) <= App1 (Secured for Other Apps and our company) <= Other apps (Publicly available)
My question is: How to secure/setup the storage account so the App1 can use it but it is still only available to our company without using VNET?
Currently there is only the exception for our company on the storage account. And the "Allow Azure services on the trusted services list to access this storage account." setting is allowed, which I read on some Technet thread should allow access from resources in the same subscription to the storage account, which it unfortunately doesn't, as Web Apps don't seem to be on the trusted list for some reason.
The App1 is .NET Framework 4.8 connecting to the storage in the account via connection string and is using a container inside it. When the Networking security is disabled everything is working properly.
So far I have tried the following:
Allowing all the outbound address of App1 on the storage account FW
Giving App1 an Identity and assigning it with the Storage Blob Data Contributor role on Subscription lvl per this manual https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal%2Cprogramming-language-csharp
Is there any option that could do the trick before we start messing with VNETs which should work?
How to secure/setup the storage account so the App1 can use it but it is still only available to our company without using VNET?
You can integrate your web app with VNET so that the web app can access the resources in the Virtual Network
Go to your Web App in the portal --> Select networking --> In the outbound traffic, select VNET integration --> Add your VNET and the subnets
Now go to your Storage Account --> Select Networking --> Under the selected networks, click on Add existing virtual network --> Add your virtual network and the subnets
Now, you would be able to access the storage account from your web app.
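The same integration as an Azure CLI script, added here as an example (not code from the original answer); resource names are placeholders and the company range is a constructed documentation address. It also adds the service endpoint on the integrated subnet, which the storage firewall's virtual network rule depends on.

```shell
#!/bin/sh
# App Service reaching a firewalled storage account through VNet integration plus a service endpoint,
# as an Azure CLI script. Added example, not the original answer's code; names are placeholders.
set -eu

RG="rg-app"; APP="app1"; VNET="vnet-app"; SUBNET="snet-appsvc"; STORAGE="mystorageaccount"
COMPANY_IP="203.0.113.0/24"   # constructed documentation range standing in for the company egress range

# Dry-run by default: print each az command instead of executing it; DRY_RUN=0 applies the changes.
run() { if [ "${DRY_RUN:-1}" = "1" ]; then echo "+ $*"; else "$@"; fi; }

# The storage firewall's virtual network rule only matches traffic that leaves the subnet through a
# Microsoft.Storage service endpoint; without the endpoint the rule never matches and the app is denied.
enable_service_endpoint() {
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" --service-endpoints Microsoft.Storage
}

integrate_webapp() { run az webapp vnet-integration add -g "$RG" -n "$APP" --vnet "$VNET" --subnet "$SUBNET"; }

lock_down_storage() {
  run az storage account network-rule add -g "$RG" --account-name "$STORAGE" --vnet-name "$VNET" --subnet "$SUBNET"
  run az storage account network-rule add -g "$RG" --account-name "$STORAGE" --ip-address "$COMPANY_IP"
  # Default-deny makes the two rules above the only ways in; everything else is rejected at the firewall.
  run az storage account update -g "$RG" -n "$STORAGE" --default-action Deny
}

# Check the rules the account actually holds rather than trusting the portal view.
show_rules() { run az storage account show -g "$RG" -n "$STORAGE" --query networkRuleSet -o json; }

enable_service_endpoint
integrate_webapp
lock_down_storage
show_rules
```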

Cross-subscription Private Endpoint in Azure

Is it possible to use a Private endpoint between two services -
In different VNETs
VNETs are in different subscriptions and VNETs have not peered
Subscriptions are in different Tenant
On similar lines, it seems Private Link could also support the same, i.e. sharing across VNETs. Extract below:
"Privately access services on the Azure platform: Connect your virtual network to services in Azure without a public IP address at the source or destination. Service providers can render their services in their own virtual network and consumers can access those services in their local virtual network. The Private Link platform will handle the connectivity between the consumer and services over the Azure backbone network"
Regards,
Nitin
In this case, I don't think it's possible without VNet peering.
After my validation, we can access the service in different subscriptions and different tenants with a private endpoint and VNet-to-VNet peering enabled in each VNet.
In subA and TenantA, I created VNetA and one Azure VM (VMa) without a public IP deployed in that VNet. We can access the VM with a bastion host in that VNet. Refer to this.
In subB and TenantB, I created a storage account, a private DNS zone privatelink.file.core.windows.net and VNetB.
Enable the private endpoint for this storage account with the storage sub-resource file; you may refer to this.
Note: we should link VNetA and VNetB to the same private DNS zone; then the file share FQDN resolves to the private IP address from the Azure VMa. Also, we should use an account that has enough permissions on both subscriptions.
Without VNet peering, the network connection is blocked because VNetA and VNetB belong to different isolated virtual networks and there is no routing between them.
With the VNets peered with each other, the network connection is successful.
It's perfectly possible; Private Endpoints work just fine across subscriptions and tenants. You just need to create them slightly differently. Create them from the destination side, then on the Resource page select "Connect to an Azure resource by resource ID or alias." and paste the resource ID you are connecting to. The resource ID can be obtained on the resource overview page (JSON link).
Once it's done, go to the source -> Private endpoints and manually approve the requested private endpoint.
When selecting Connect to an Azure resource by resource ID or alias, what's not very clear are the actual values for Resource ID or alias(2) and Target sub-resource(3).
In this example, I am referencing a storage account and file share.
Resource ID or alias = resource ID of the storage account, e.g.:
/subscriptions/aaaaa-1111-11111-aaaa-asasdas212/resourceGroups/myresourcegroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount
Target sub-resource is the name of the sub-resource from the following list:
Reference: https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints#dns-changes-for-private-endpoints
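The two answers above (resource ID plus target sub-resource, manual approval on the provider side, and a private DNS zone linked to the consumer VNet) as one Azure CLI script, added here as an example and not code from either answer. IDs and names are placeholders, the zone is assumed to live in the consumer's subscription, and commands are printed unless DRY_RUN=0.

```shell
#!/bin/sh
# Cross-tenant private endpoint to a storage file share, as an Azure CLI script.
# Added example, not the original answers' code; IDs and names are placeholders.
set -eu

SUB_A="<subscription-a-id>"; RG_A="rg-a"; VNET_A="VNetA"; SUBNET_A="snet-pe"   # consumer side (tenant A)
STORAGE_ID="/subscriptions/<subscription-b-id>/resourceGroups/rg-b/providers/Microsoft.Storage/storageAccounts/mystorageaccount"
SUBRESOURCE="file"   # the "Target sub-resource" value; it also decides the DNS zone below

# Dry-run by default: print each az command instead of executing it; DRY_RUN=0 applies the changes.
run() { if [ "${DRY_RUN:-1}" = "1" ]; then echo "+ $*"; else "$@"; fi; }

# Storage sub-resource -> private DNS zone that the consumer VNet must be linked to.
zone_for() {
  case "$1" in
    blob|file|queue|table|web|dfs) echo "privatelink.$1.core.windows.net" ;;
    *) echo "unsupported storage sub-resource: $1" >&2; return 1 ;;
  esac
}

create_endpoint() {
  # --manual-request: the connection stays Pending until the storage account owner approves it,
  # which is the "manually approve" step when the endpoint is created against a resource ID.
  run az network private-endpoint create --subscription "$SUB_A" -g "$RG_A" -n "pe-$SUBRESOURCE" \
      --vnet-name "$VNET_A" --subnet "$SUBNET_A" \
      --private-connection-resource-id "$STORAGE_ID" --group-id "$SUBRESOURCE" \
      --connection-name "conn-$SUBRESOURCE" --manual-request true
}

create_dns() {
  zone="$(zone_for "$SUBRESOURCE")"
  run az network private-dns zone create --subscription "$SUB_A" -g "$RG_A" -n "$zone"
  run az network private-dns link vnet create --subscription "$SUB_A" -g "$RG_A" -z "$zone" -n "link-$VNET_A" -v "$VNET_A" -e false
  # Writes the endpoint's private IP into the zone, so the share FQDN resolves privately from VNetA.
  run az network private-endpoint dns-zone-group create --subscription "$SUB_A" -g "$RG_A" \
      --endpoint-name "pe-$SUBRESOURCE" -n default --private-dns-zone "$zone" --zone-name "$SUBRESOURCE"
}

# Run by the storage account owner in tenant B: inspect pending connections, then approve the expected one.
approve_connection() {
  run az network private-endpoint-connection list --id "$STORAGE_ID" -o table
  run az network private-endpoint-connection approve --id "$1" --description "approved for VNetA"
}

create_endpoint
create_dns
approve_connection "$STORAGE_ID/privateEndpointConnections/<pending-connection-name>"
```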

How to join my VM to AAD - select virtual network

I'm trying to create a Windows Server VM joined to the AAD where my Azure Subscription is.
I'm reading Join a Windows Server virtual machine to a managed domain, but I'm stuck on step #6:
select the virtual network in which your Azure AD DS-managed domain is deployed. Pick a different subnet than the one that your managed domain is deployed into
There are no virtual networks in the select box and the only option is to create a new one. But if I create a new one, then I can't reach the domain controller from the VM.
When using AAD with no other AD on-premises or located in Azure, you need to create an Active Directory Domain Services account in order to join VMs to that domain.
Otherwise, if you are syncing your on-premises domain to your AAD domain via AD Sync, you just need to ensure that the VMs you want to join to the domain have access to the virtual network where the domain is located. This means you can opt to peer virtual networks in Azure or connect the separate networks using a Site-to-Site VPN connection.
For this particular issue, you would go with the Active Directory Domain Services account and put it into a blank subnet in the same VNet as the virtual machines are located. Once this is done, you will be able to connect the VMs to your managed domain.

Azure Domain Services

I've set up Azure Domain Services in a VNet, and already have a Win10 VM there. The DNS of the VNet was already updated successfully as well.
I would like to administer the domain with a specific account, "adadmin", which I created in my default Azure AD, i.e. adadmin#azureaddefault.onmicrosoft.com. I added the account to the "AAD DC Administrators" group. However, I am unable to use the account to join the machines to the managed AD domain.
My understanding is that creating the account after activating the domain services should allow creation of the NTLM hashes so the accounts can be used to manage the domain resources. Has anyone encountered this issue during domain provisioning?
My understanding is that creating the account after activating the domain services should allow creation of the NTLM hashes so the accounts can be used to manage the domain resources.
You are right, we can use the members of the AAD DC Administrators group to join machines to the managed domain; for more information we can refer to this link.
After you add users to that group, we should wait about 5 minutes and flush this machine, then use this account to add this machine to AAD DS.
Note:
Close System Properties and re-open it, then use this account to join the domain.
For more information about joining a Windows Server VM to AAD DS, please refer to this link.
Update:
As Roman said, re-creating the AAD DS and changing the password fixes this problem.