Create Private Endpoint with Azure Cli in different resource group - azure

I have a resource group for my vnet (rg-private-vnet) and one for my webapp and SQL server (rg-webapp). Now I want to create a private endpoint for my SQL server in the rg-webapp.
This works in case the private endpoint is created in the resource group of the vnet. But I want it to be located in the resource group of the SQL server.
I used:
az network private-endpoint create --name $sqlPrivateEndpoint --resource-group $resourceGroupVnet --vnet-name $vnetName --subnet $sqlSubnetName --private-connection-resource-id $id --connection-name mySqlConnection --group-id sqlServer
In case I use the rg-webapp I got the error:
(InvalidResourceReference) Resource /subscriptions/XXX/[...] referenced by resource /subscriptions/XXX/[...] was not found. Please make sure that the referenced resource exists, and that both resources are in the same region.
With the rg-private-vnet it works. In the Azure portal it is no problem to create the endpoint in the rg-webapp resource group. I don't see any more parameters to create it in a different rg.

According to the documentation you need to provide the resource id of the subnet to the --subnet parameter (instead of the subnet name) and skip the --vnet-name parameter if the subnet resides in a different resource group:
--subnet Name or ID of an existing subnet. If name specified, also specify --vnet-name. If you want to use an existing subnet in other resource group or subscription, please provide the ID instead of the name of the subnet and do not specify the --vnet-name. (az network private-endpoint | Microsoft Docs)
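The cross-resource-group form from the answer, as an added example that is not part of the question or answer: the subnet is passed by full resource ID and --vnet-name is left out. The vnet, subnet, endpoint and SQL server names, the region and the subscription ID are assumed placeholders; only the two resource group names come from the question.

```shell
#!/usr/bin/env sh
# Added example (not from the question or answer): create the SQL private
# endpoint in rg-webapp while the subnet lives in rg-private-vnet.
AZ="${AZ:-az}"   # set AZ=echo to print the command instead of calling the CLI
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder

# Compose the ARM resource ID of a subnet from its parts.
subnet_id() {
  # $1 subscription, $2 resource group of the vnet, $3 vnet name, $4 subnet name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s' \
    "$1" "$2" "$3" "$4"
}

# Same RG: name + --vnet-name is fine. Different RG: pass the subnet ID alone,
# otherwise the CLI looks for the vnet in the endpoint's RG and fails with
# InvalidResourceReference. --location is set to the subnet's region because az
# otherwise defaults it to the endpoint RG's location, which may differ.
create_sql_private_endpoint() {
  # $1 endpoint RG, $2 endpoint name, $3 vnet RG, $4 vnet name, $5 subnet name,
  # $6 SQL server resource ID, $7 region of the vnet
  if [ "$1" = "$3" ]; then
    "$AZ" network private-endpoint create --name "$2" --resource-group "$1" --location "$7" \
      --vnet-name "$4" --subnet "$5" \
      --private-connection-resource-id "$6" --connection-name mySqlConnection --group-id sqlServer
  else
    "$AZ" network private-endpoint create --name "$2" --resource-group "$1" --location "$7" \
      --subnet "$(subnet_id "$SUBSCRIPTION_ID" "$3" "$4" "$5")" \
      --private-connection-resource-id "$6" --connection-name mySqlConnection --group-id sqlServer
  fi
}

# Demo with the question's resource groups; vnet, subnet, endpoint, server and
# region are assumed. Dry run unless RUN=1 and az is installed.
if [ "${RUN:-0}" != "1" ] || ! command -v az >/dev/null 2>&1; then AZ=echo; fi
sqlServerId="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/rg-webapp/providers/Microsoft.Sql/servers/sql-webapp"
create_sql_private_endpoint rg-webapp pe-sql rg-private-vnet vnet-private snet-sql "$sqlServerId" westeurope
```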

Related

How to provide Connectivity method (Public endpoint selected networks ) via Azure Cli when creating storage account

I am creating storage account where I need to use Connectivity method: Public endpoint(selected networks) where I have to provide Virtual network subscription and Virtual network.
How can I create it via Azure CLI or via the Azure PowerShell module? I don't see any parameter there which I can use to provide such details.
One of the workarounds I did to create the storage account in the selected public networks using AZ CLI is:
Created the virtual network and a default subnet using AZ CLI:
az network vnet create --name myVNet --resource-group HariTestRG --subnet-name default
Created the service endpoint of Microsoft.Storage for the above created Virtual Network using AZ CLI:
az network vnet subnet update -g HariTestRG -n default --vnet-name myvnet --service-endpoints Microsoft.Storage
Then you can create the Azure Storage Account on the selected public networks using your VNet and subnet name from the AZ CLI:
az storage account create --name samplestorageaccount1204 --resource-group HariTestRG --vnet-name myvnet --subnet default --default-action Allow
Or
You can also add the network rule to move the storage account to the specified subnet in the virtual network:
az storage account network-rule add -g HariTestRG --account-name samplestorageaccount1205 --vnet-name myvnet --subnet default
Here the Network access is enabled for the specific subnet in the Virtual Network to Azure Storage account.
To allow or deny network access, add specific service endpoints to the specific subnets or virtual networks and manage the firewall; refer to this MSFT document.

Must Azure NSGs be in the same resource group as NICs which attach to the subnet protected by the NSG?

I'm having some trouble attaching a NIC (in resource group A) to a subnet belonging to a Vnet and NSG in a different resource group (say B). I have Contributor role in resource group A, but only Reader role in resource group B. Is this possible? If so, what am I doing wrong? Here's what it looks like (with UIDs shortened).
% az network nic create --resource-group A --name bastion-nic --vnet-name VN-B --subnet SubnetB
(InvalidResourceReference) Resource /subscriptions/40ef-b75f-c05a034bf2ff/resourceGroups/A/providers/Microsoft.Network/virtualNetworks/VN-B/subnets/SubnetB referenced by resource /subscriptions/b75f-c05a034bf2ff/resourceGroups/A/providers/Microsoft.Network/networkInterfaces/bastion-nic was not found. Please make sure that the referenced resource exists, and that both resources are in the same region.
Code: InvalidResourceReference
I tested the same scenario in my environment.
Scenario: I created a user and 2 resource groups, i.e. contributorTest with Contributor access for the user and readerTest with Reader access for the user.
If I use the command you are using then it gives me the same error message as you. To describe the issue: when you are using vnet-name, the command thinks that the vnet is also present in the same resource group which has been mentioned in the command.
az network nic create --resource-group contributorTest --name bastion-nic --vnet-name ansumantest-vnet --subnet default
So, for example, in the above command the resource group is contributorTest and we have just provided the vnet name and subnet name, which it thinks are present in the same group. So it throws the error as below:
As a Solution you can use the below command to create NIC if the VNet is in different resource group:
az network nic create --resource-group contributorTest --name bastion-nic --subnet /subscriptions/subID/resourceGroups/readerTest/providers/Microsoft.Network/virtualNetworks/ansumantest-vnet/subnets/default
In the above command, we are not providing the vnet name & subnet name; as an alternative we have provided the resource ID of the subnet.
Note: The above solution should work only if you have Contributor access on both the resource groups; in your case you will be getting the below error:
To describe the issue here, while you are creating a NIC it requires joining that NIC to the subnet which you have specified, but as you have Reader access only on the VNET resource group it doesn't allow you to join the NIC and subnet.
So, the final solution can be:
Either have the VNET and subnet in the same resource group you are creating the NIC in, have Contributor access on it, and use the command you are using.
Or grant Contributor access to the user for the second resource group and use the second command that I have mentioned as a solution.
Output for the second command after providing contributor access for both the resource groups:
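A least-privilege alternative to granting Contributor on the vnet resource group, as an added example that is not part of the answer above: attaching a NIC (or a private endpoint) to a subnet needs Microsoft.Network/virtualNetworks/subnets/join/action on that subnet, so a custom role carrying only that action can be assigned at subnet scope. The role name, the user, the subscription ID and the dry-run wrapper are assumptions; readerTest, ansumantest-vnet and default come from the answer.

```shell
#!/usr/bin/env sh
# Added example, not part of the answer above: grant only the subnet join
# permission, scoped to one subnet, instead of Contributor on the whole RG.
AZ="${AZ:-az}"   # set AZ=echo to print the commands instead of calling the CLI
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder

# Emit a custom role definition that can only be assigned inside the vnet RG.
subnet_join_role_json() {
  # $1 subscription, $2 vnet resource group
  cat <<EOF
{
  "Name": "Subnet Joiner",
  "IsCustom": true,
  "Description": "Read vnets and join NICs/private endpoints to subnets; no other writes.",
  "Actions": [
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/$1/resourceGroups/$2"]
}
EOF
}

# Register the role once, then assign it to the user on a single subnet.
grant_subnet_join() {
  # $1 assignee (UPN or object id), $2 vnet RG, $3 vnet name, $4 subnet name
  tmp="$(mktemp)"
  subnet_join_role_json "$SUBSCRIPTION_ID" "$2" > "$tmp"
  "$AZ" role definition create --role-definition "@$tmp"
  "$AZ" role assignment create --assignee "$1" --role "Subnet Joiner" \
    --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$2/providers/Microsoft.Network/virtualNetworks/$3/subnets/$4"
  rm -f "$tmp"
}

# Demo with the answer's readerTest RG and vnet; the user is assumed.
# Dry run unless RUN=1 and az is installed.
if [ "${RUN:-0}" != "1" ] || ! command -v az >/dev/null 2>&1; then AZ=echo; fi
grant_subnet_join user@example.com readerTest ansumantest-vnet default
```

The user keeps Contributor on contributorTest for the NIC itself; the second command from the answer then succeeds without write access to anything else in readerTest.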

Deploying Azure Container Instance in different RGs

I need to deploy an Azure container instance in different resource groups.
In one resource group I allocate only the ACI and in another resource group I allocate the Vnet.
Is this possible? I think that it is not possible by design.
It's possible.
You can create an azure container instance in a virtual network that is in a different resource group from the container instance resource group.
Suppose you have created a vNet myvnet and subnet aci-subnet in the RG myvnetRG for your ACI. Then you could use the following deployment examples.
VnetId=$(az network vnet show -g myvnetRG -n myvnet --query 'id' -o tsv)
az container create -n appcontainer -g containerRG --image mcr.microsoft.com/azuredocs/aci-helloworld --vnet $VnetId --subnet aci-subnet
You can also deploy a container group to an existing virtual network by using a YAML file, then specify several additional properties like network profile and ID in the YAML.
It is possible by design, but why would you want to do that? It is not a recommended design, though.
If your resource groups are in different regions, you could configure a Vnet-to-Vnet connection. For your reference:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal

Azure: Cross-region private links

I am attempting to create a private link service that can be reached from a different region. I am getting conflicting information from Azure documentation, with one link suggesting "global reach" and another link limiting that.
Global reach
Limitations
In practice, I have one private-resource-vnet in westus and one vnet in eastus. After creating a load balancer per the documentation in the private-resource-vnet, I add a private link to that vnet and resource, and attempt to link it to a private endpoint. The below sample shows adding an endpoint in both eastus (where the private link is) and westus (where the vnet to reach the link is).
PS Azure:\> az network private-endpoint create --name privateEndpoint --resource-group MyResourceGroup --vnet-name clientVNet --subnet clientSubnet --private-connection-resource-id "/subscription/link/to/private/resource/in/eastus" --connection-name myPLS --location westus
This command is in preview. It may be changed/removed in a future release.
InvalidResourceReference - Resource /subscriptions/[...]/CLIENTVNET referenced by resource /subscriptions/[...]/privateEndpoint was not found. Please make sure that the referenced resource exists, and that both resources are in the same region.
PS Azure:\> az network private-endpoint create --name privateEndpoint --resource-group MyResourceGroup --vnet-name clientVNet --subnet clientSubnet --private-connection-resource-id "/subscription/link/to/private/resource/in/eastus" --connection-name myPLS --location eastus
This command is in preview. It may be changed/removed in a future release.
Deployment failed. Correlation ID: [...]. Resource /subscriptions/[...]/myPLS not found.
I would greatly appreciate some insight on what I'm missing here!
Cross-region works with Azure services (SQL, Storage) that are behind Private Link. Customer owned services are limited to same region. Cross-region will be supported in the future.

Creating azure application gateway with azure cli

Does anyone know if it is possible to create an app gw with Azure CLI when my vnet is in a different resource group, not the same one I'm creating the application gateway in? It seems the az command doesn't let me provide the ID of the vnet to --vnet-name. If I provide the name of it, it just creates a new one in the same resource group where I'm creating the app gateway.
Is it possible to reference the vnet from another resource group when using command - az network application-gateway create? As it seems from parameters only subnet supports the reference by ID... Is there a workaround?
--subnet
Name or ID of the subnet. Will create resource if it does not exist. If name specified, also specify --vnet-name.
--vnet-name
The virtual network (VNet) name.
Yeah. In Azure, there are many resources and sub-resources. Most have an ID that represents the unique one in Azure. A subnet belongs to a Vnet. If it exists, the ID can only refer to it.
So if you want to reference the existing subnet of a Vnet in Azure you just need to reference its ID. In addition, the Application Gateway needs an empty subnet and there should be no resource in it. You should pay attention to this point.
Got this answered by #Charles Xu.
The subnet is always in a Vnet. If you reference the subnet it also means referencing the Vnet. – Charles Xu