Is it possible to share a particular resource (redis cache in my case) across multiple resource group?
A resource group is just a logical container. It doesn't matter which resource group a resource is in. You can use resources from any resource group.
Example:
Imagine that you create App Service Plan in RG1 and Web App Service in RG2. This Web App Service can use App Service Plan from RG1.
Your redis cache could be used from any code you write, whether in the cloud, on-premises, or wherever, given proper uri + access key.
As long as you have access keys/passwords/etc. to your resources, you can use your resources no matter what resource group they're in. This includes ssh keys, vm usernames/passwords, redis cache keys, storage keys, cosmos db keys, sql database logins, etc.
The only thing access-specific, with resource groups, is granted user permissions. That is: if you add someone as a contributor to resource group A, and not to resource group B, they won't be able to manipulate the settings in resource group B via the portal or any of the Management APIs. Still, they'd be able to work with all of the resources in resource group B, assuming they had the login details / keys / etc.
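Added example (not from the original answers) showing the two halves of this point with Azure PowerShell: listing the cache keys is a control-plane call governed by RBAC on the cache's own resource group, while the resulting connection string works from anywhere. Assumes a cache named "shared-redis" in "RG1", a Key Vault "kv-projectB" in RG2, and that Connect-AzAccount has already been run.

```powershell
# Hypothetical names; the cache lives in RG1, the consuming app in RG2.
$cacheRg   = "RG1"
$cacheName = "shared-redis"

# Control plane: reading the cache and listing its keys are ARM operations, so they
# need a role assignment that covers this resource. Reader only grants */read and
# does NOT include Microsoft.Cache/redis/listKeys/action; Contributor does.
$cache = Get-AzRedisCache    -ResourceGroupName $cacheRg -Name $cacheName
$keys  = Get-AzRedisCacheKey -ResourceGroupName $cacheRg -Name $cacheName

# Data plane: an app in RG2 (or on-premises) only needs host + port + key.
# RG2's role assignments are never consulted when this string is used.
$connectionString = "{0}:{1},password={2},ssl=True,abortConnect=False" -f `
    $cache.HostName, $cache.SslPort, $keys.PrimaryKey

# Hand the secret to the consumer through a vault the app's identity can read,
# rather than through config files checked into the RG2 project.
$secret = ConvertTo-SecureString $connectionString -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName "kv-projectB" -Name "redis-connection" -SecretValue $secret | Out-Null

# Because the key itself is the boundary, regenerating it is the only way to cut off
# a holder that RBAC cannot reach (rotate Secondary, repoint consumers, then Primary):
# New-AzRedisCacheKey -ResourceGroupName $cacheRg -Name $cacheName -KeyType Secondary -Force
```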
Related
I have a client that can only give me full access to one or two resource groups.
I need to deliver some prescripted terraform resources that contain the need for a service principal.
Can you lock an SP to a resource group? The subscription itself is a production subscription so they want to know if you can tie down using role base access just to that group.
Or should I be creating an MI account?
Can you lock an SP to a resource group?
You most certainly can. Azure Role-based access control is very granular and you can apply access control at any level (management group, subscription, resource group or even at an individual resource).
Please see this for more details: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps.
In our organization, we have a common Azure subscription with a separate resource group for each solution. I have Owner rights for my solution's resource group, but when we create Databricks workspaces, a separate managed resource group databricks-rg-*** is created which I don't have access to. To be able to manage our Azure costs, I need to have access to the Cost analysis section of this managed resource group. What role do I need in this resource group to be able to see the costs?
To be able to manage our Azure costs, I need to have access to the Cost analysis section of this managed resource group. What role do I need in this resource group to be able to see the costs?
To see the cost, the Reader role is enough. If you want to do other operations besides reading, you need a role such as Contributor or Owner.
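Added example (not from the original answers) covering both of the answers above: a service principal for Terraform given Contributor scoped to a single resource group, and Reader granted on a Databricks managed resource group so Cost analysis is visible, followed by a check that nothing was granted at subscription scope. Assumes resource groups "rg-projectA" and "databricks-rg-projectA", an Azure AD group "Project A", and that Connect-AzAccount has already been run.

```powershell
# 1. Service principal for Terraform, locked to one resource group.
$sp = New-AzADServicePrincipal -DisplayName "sp-terraform-projectA"   # hypothetical name
$rg = Get-AzResourceGroup -Name "rg-projectA"
New-AzRoleAssignment -ObjectId $sp.Id `
                     -RoleDefinitionName "Contributor" `
                     -Scope $rg.ResourceId | Out-Null   # /subscriptions/<id>/resourceGroups/rg-projectA

# 2. Reader on the Databricks managed resource group, enough for Cost analysis.
$managedRg = Get-AzResourceGroup -Name "databricks-rg-projectA"
$group     = Get-AzADGroup -DisplayName "Project A"
New-AzRoleAssignment -ObjectId $group.Id `
                     -RoleDefinitionName "Reader" `
                     -Scope $managedRg.ResourceId | Out-Null

# Verification: every assignment the principal holds should carry a resource-group
# scope, never the bare subscription. Older Az.Resources releases gave a new service
# principal Contributor at subscription scope unless -SkipAssignment was passed, and
# Get-AzRoleAssignment also lists inherited assignments, so this catches both cases.
function Assert-ScopedToResourceGroup {
    param([string]$ObjectId)
    $assignments = Get-AzRoleAssignment -ObjectId $ObjectId
    $tooBroad = $assignments | Where-Object { $_.Scope -notmatch '/resourceGroups/' }
    if ($tooBroad) {
        $tooBroad | ForEach-Object { Write-Warning "$($_.RoleDefinitionName) at $($_.Scope)" }
        return $false
    }
    return $true
}
Assert-ScopedToResourceGroup -ObjectId $sp.Id      # expect True
Assert-ScopedToResourceGroup -ObjectId $group.Id   # expect True
```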
In this scenario I'm hosting several resources for several projects in one Azure tenant.
Additionally I have multiple azure subscriptions with corresponding resource groups per project:
Azure Subscription A -> Resource Group A -> VMs, DNS, Bastion Host... for project A
Azure Subscription B -> Resource Group B -> VMs, DNS, Bastion Host... for project B
Azure Subscription C -> Resource Group C -> VMs, DNS, Bastion Host... for project C
In Azure AD I would like to create groups like Project A, Project B, Project C and grant them role permissions to the dedicated resource groups.
But unfortunately if I grant the role Contributor this also includes the permission of the subscription to add new services. I just want to enable them to manage their resources (access the VM through the bastion host) without giving them permission to add new services.
We can restrict the user from creating resources in the resource group in two ways:
1. You can grant Contributor permissions to each individual resource; that way the user won't be able to create new resources, only modify existing ones (he would still be able to delete resources).
2. A combination of RBAC and Azure Policy. The users that have been assigned Contributor access have access to all resources in their resource groups. In Azure Policy you can use a policy like Allowed resource types, Not allowed resource types, or Allowed locations, which will enable you to specify the resource types that your organization can deploy.
There is a similar scenario that you can find here.
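Added example (not from the original answer) implementing both options above with Azure PowerShell: Contributor assigned per resource instead of on the group, and the built-in "Allowed resource types" policy assigned at resource-group scope. Assumes resource group "rg-projectA", an Azure AD group "Project A", and that Connect-AzAccount has already been run.

```powershell
$rgName = "rg-projectA"                            # hypothetical names
$group  = Get-AzADGroup -DisplayName "Project A"
$rg     = Get-AzResourceGroup -Name $rgName

# Option 1: Contributor on each existing resource rather than on the resource group.
# The group can reconfigure (and delete) what exists, but holds no */write at the
# resource-group scope, so it cannot create anything new there.
foreach ($res in Get-AzResource -ResourceGroupName $rgName) {
    New-AzRoleAssignment -ObjectId $group.Id `
                         -RoleDefinitionName "Contributor" `
                         -Scope $res.ResourceId | Out-Null
}
# Caveat: resources deployed later get no assignment; rerun this after each deployment.

# Option 2: keep Contributor on the resource group, but let Azure Policy deny resource
# types outside an allow list. The GUID is the built-in "Allowed resource types" definition.
$def = Get-AzPolicyDefinition -Id "/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c"
$allowed = @(
    "Microsoft.Compute/virtualMachines",
    "Microsoft.Network/networkInterfaces",
    "Microsoft.Network/bastionHosts",
    "Microsoft.Network/dnsZones"
)
New-AzPolicyAssignment -Name "projectA-allowed-types" `
                       -Scope $rg.ResourceId `
                       -PolicyDefinition $def `
                       -PolicyParameterObject @{ listOfResourceTypesAllowed = $allowed } | Out-Null
# Caveat: the policy evaluates every PUT, so an existing resource whose type is missing
# from the list can no longer be updated through ARM either. Derive the list from what
# is actually deployed before assigning:
#   (Get-AzResource -ResourceGroupName $rgName).ResourceType | Sort-Object -Unique
```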
I have two resource groups in our Azure account: one (A) has all the database (SQL) resources and the other one (B) has other resources like App Service, Key Vault, Service Bus etc.
Now we have decided to make a single resource group and we are trying to move SQL resources from resource group A to resource group B, but it gives a duplicate resources error saying the resources we are trying to move are already there. But I have checked properly and those resources are not in resource group B. I have checked hidden types as well.
I have two SQL managed instances in two different regions (one in Australia East, another one in Australia Southeast). They are in a Pay-As-You-Go subscription. Now I want to move those resources to a CSP subscription. Is it possible to move SQL managed instances across subscriptions?
Azure SQL managed instance supports the move operation: move to another resource group or another subscription. You can get this from this document: Move operation support for resources.
If you want to move the managed instance to another subscription, you need to operate from the resource group overview. Choose all the resources related to the managed instance.
For more details, please see this Azure tutorial: Move resources to new resource group or subscription:
Summary:
This article shows you how to move Azure resources to either another Azure subscription or another resource group under the same subscription. You can use the Azure portal, Azure PowerShell, Azure CLI, or the REST API to move resources.
Both the source group and the target group are locked during the move operation. Write and delete operations are blocked on the resource groups until the move completes. This lock means you can't add, update, or delete resources in the resource groups, but it doesn't mean the resources are frozen. For example, if you move a SQL Server and its database to a new resource group, an application that uses the database experiences no downtime. It can still read and write to the database.
Moving a resource only moves it to a new resource group. The move operation can't change the location of the resource. The new resource group may have a different location, but that doesn't change the location of the resource.
It also gives you many examples of how to move resources to another resource group or subscription:
By using Azure portal.
By using Azure PowerShell.
By using Azure CLI.
By using REST API.
Hope this helps.
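Added example (not from the original answer or the linked tutorial) of the Azure PowerShell path described above: select every resource in the source group, validate the move with the validateMoveResources API (which reports blockers without taking the lock), then perform the cross-subscription move. Assumes a source group "rg-sql-payg" in the current Pay-As-You-Go subscription, an existing target group "rg-sql-csp" in the CSP subscription (same Azure AD tenant), a placeholder subscription id, and that the account has access to both subscriptions.

```powershell
$sourceRg    = "rg-sql-payg"                               # hypothetical names
$targetRg    = "rg-sql-csp"                                # must already exist
$targetSubId = "00000000-0000-0000-0000-000000000000"      # placeholder: CSP subscription id

# Take every resource in the source group, as the answer says to select all
# resources related to the managed instance.
$ids        = (Get-AzResource -ResourceGroupName $sourceRg).ResourceId
$sourceRgId = (Get-AzResourceGroup -Name $sourceRg).ResourceId

# Dry run. validateMoveResources answers 202 with a Location header; polling that URL
# returns 202 while running, 204 when the move would succeed, 409 with details otherwise.
$body = @{
    resources           = @($ids)
    targetResourceGroup = "/subscriptions/$targetSubId/resourceGroups/$targetRg"
} | ConvertTo-Json
$resp = Invoke-AzRestMethod -Path "$sourceRgId/validateMoveResources?api-version=2021-04-01" `
                            -Method POST -Payload $body
if ($resp.StatusCode -ne 202) { throw "Validation request rejected: $($resp.Content)" }

$location = $resp.Headers.Location
do {
    Start-Sleep -Seconds 5
    $poll = Invoke-AzRestMethod -Uri $location -Method GET
} while ($poll.StatusCode -eq 202)
if ($poll.StatusCode -ne 204) { throw "Move validation failed: $($poll.Content)" }

# Real move. Both groups are locked for write/delete until it completes, but the
# databases keep serving reads and writes; the resources keep their region.
Move-AzResource -ResourceId $ids `
                -DestinationSubscriptionId $targetSubId `
                -DestinationResourceGroupName $targetRg -Force
```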