I'm trying to use the new Azure Virtual Network public preview of the peering feature to join two networks I have on two different subscriptions, i.e. different tenants. Is this possible, I've not seen anything to say otherwise, but when I try to peer them in PowerShell I get the following error.
The client has permission to perform action
'Microsoft.Network/virtualNetworks/peer/action' on scope
'/subscriptions/{Guid2}/resourceGroups/Default-Sydney/providers
/Microsoft.Network/virtualNetworks/SYDVN/virtualNetworkPeerings/LinkToSYDVN', however the linked subscription '{Guid1}'
is not in current tenant '{Guid3}'.
Full error and command
PS C:\Windows\system32> Add-AzureRmVirtualNetworkPeering -name LinkToSYDVN -VirtualNetwork $SYDVN -RemoteVirtualNetworkId "/subscriptions/{Guid1}/resourceGroups/Default-Sydney/providers/Microsoft.Network/virtualNetworks/SYDVN1" -BlockVirtualNetworkAccess
WARNING: The output object type of this cmdlet will be modified in a future release.
Add-AzureRmVirtualNetworkPeering : The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope '/s
ubscriptions/{Guid2}/resourceGroups/Default-Sydney/providers/Microsoft.Network/virtualNetworks/SYDVN/virtualNe
tworkPeerings/LinkToSYDVN', however the linked subscription '{Guid1}' is not in current tenant
'{Guid3}'.
StatusCode: 403
ReasonPhrase: Forbidden
OperationID : '{Guid4}'
At line:1 char:1
+ Add-AzureRmVirtualNetworkPeering -name LinkToSYDVN -VirtualNetwork $S ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Add-AzureRmVirtualNetworkPeering], NetworkCloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Network.AddAzureVirtualNetworkPeeringCommand
Any help will be much appreciated.
UPDATE
From a MS tech Loydon
"VNet peering relies on ARM RBAC for authorization. However, ARM RBAC does not support cross tenant linked access checks. So Both subscriptions must belong to the same Azure Active Directory tenant. Therefore currently VNet peering is limited to customer’s subscriptions in the same Azure Active Directory domain. This gives them the same Tenant stamp which allows the peering to occur. We offer No support for linking VNETs across subscriptions in different AAD tenants."
https://social.msdn.microsoft.com/Forums/en-US/824aaf76-71df-4235-9190-5816976dbd30/is-virtual-network-peering-across-azure-tenants-possible?forum=WAVirtualMachinesVirtualNetwork
This is now supported; from the Azure virtual network peering documentation, requirements section:
The virtual networks can be in the same, or different subscriptions. When you peer virtual networks in different subscriptions, both subscriptions can be associated to the same or different Azure Active Directory tenant.
You cannot use the portal.
We have enabled this. VNet Peering and Global VNet Peering is supported across Azure active directory tenants.
https://learn.microsoft.com/en-us/azure/virtual-network/create-peering-different-subscriptions#portal
https://azure.microsoft.com/en-us/updates/cross-aad-vnet-peering/
VNet peering across different tenants is now supported: https://azure.microsoft.com/en-us/updates/cross-aad-vnet-peering/
-- Anavi [MSFT]
Related
I have an Azure SQL Server residing in tenant A and I need to add a Virtual network rule for a subnet residing in tenant B.
For this, I have created a service principal and given it multi-tenant access. I am also able to see the SP in both tenants. The SP is given access to both the subscriptions and resources (SQL Server and VnNet) in both the tenants.
When I try to add the VNet rule using the SP credentials/login, I encounter the following error:
New-AzSqlServerVirtualNetworkRule:
The client has permission to perform action 'Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/Action'
on scope '/subscriptions/{subscription ID}/resourceGroups/{resource group name}/providers/Microsoft.Sql/servers/
{SQL Server name}/virtualNetworkRules/{rule name}',
however the current tenant 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is not authorized to access linked subscription 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.
To encounter the following error
New-AzSqlServerVirtualNetworkRule: The client has permission to perform action 'Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/Action' on scope '/subscriptions/{subscription ID}/resourceGroups/{resource group name}/providers/Microsoft.Sql/servers/{SQL Server name}/virtualNetworkRules/{rule name}', however the current tenant 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is not authorized to access linked subscription 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.
The service connection in your Azure SQL Server across azure tenants will have only access to the virtual network in one tenant. It does not have access to the virtual network in the other tenant.
You can assign Network Contributor role to that virtual network in below steps:
Go to Azure Portal ->Resource group -> Access Control (IAM) -> Add Role assignment. -> Select network Contributor -> Add
If I understand you correctly you want to connect resources that reside in two separate VNETs.
Have you set up any VNET peering between the two networks (tutorial)?
I'm trying to create a peering between two virtual networks that reside in two different tenant using azure devops release pipelines.
Here's the error I get from the failed deployment:
LinkedAuthorizationFailed: The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope '/subscriptions//resourcegroups/RG-VNet-A/providers/Microsoft.Network/virtualNetworks/vNet01/virtualNetworkPeerings/Tenant-A-to-Tenant-B', however the current tenant '***' is not authorized to access linked subscription 'tenant A subcription ID'.
LinkedAuthorizationFailed: The client has permission to perform action
'Microsoft.Network/virtualNetworks/peer/action' on scope
'/subscriptions//resourcegroups/RG-VNet-A/providers/Microsoft.Network/virtualNetworks/vNet01/virtualNetworkPeerings/Tenant-A-to-Tenant-B',
however the current tenant '***' is not authorized to access linked
subscription 'tenant A subcription ID'.
The service connection in your DevOps project only have access to the virtual network in one tenant. It does not have access to the virtual network in the other tenant.
You can assign Network Contributor role to that virtual network and you would be able to peer the two virtual networks using Azure DevOps pipelines
While trying to create Azure Virtual Desktop, I have created one resource group with Azure AD Domain Service to bind Active Directory with Virtual Network.
At the cleanup time, I tried to delete the resource group which contains the Azure AD Domain service.
I tried to delete the resource group from Portal as well as from Powershell. Using the following command -
Get-AzureRmResourceGroup -Name AADS | Remove-AzureRmResourceGroup -Verbose -Force
But I am receiving following error.
Cannot modify resource with id '/subscriptions//resourceGroups/AADS/providers/Microsoft.AAD/domainServices/' because the resource entity provisioning state is not terminal. Please wait for the provisioning state to become terminal and then retry the request.
I attempted delete operation multiple times with an interval of around 2-3 hours but still getting the same error.
This issue belongs to troubleshooting and was fixed by the Microsoft support team.
You can raise a support ticket on azure portal by following this link: https://learn.microsoft.com/en-us/azure/azure-supportability/how-to-create-azure-support-request
When using Azure Key Vault management REST API or cmdlet Add-AzureRmKeyVaultNetworkRule to allow a virtual network to access a key vault, I get the following error:
The client '{guid}' with object id '{guid}' does not have authorization to perform
action 'microsoft.network/virtualnetworks/taggedTrafficConsumers/validate/action'
over scope '/subscriptions/{guid}/resourcegroups/{resource-group}/providers/microsoft.network/virtualnetworks/{vnet-name}/taggedTrafficConsumers/Microsoft.KeyVault'
What is wrong?
Your subscription is not giving Microsoft.KeyVault resource provider permission to access Microsoft.Network resources. The fix is to register your subscription to Microsoft.KeyVault again:
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.KeyVault
This will add required permissions for Microsoft.KeyVault and Microsoft.Network integrations, including the ability to limit access to a given Virtual Network.
For more information: https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-supported-services
This are the steps required to solve it:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#azure-portal
You just need to register the resource provider in the subscription, this doesn't only happens with Key Vault, my issue was with Sql Server as well :)
So I leave this answer here in case someone else needs it
This feels like a bug/limitation in both the Azure Portal and Azure CLI. We ran into this when trying to allow a subnet of a VNET in subscription X to access a storage account in subscription Y.
For us, the workaround was to look-up the name of the service principal that was mentioned in the error in our Azure AD directory using the "Search your tenant" box on the "Overview" tab of the directory (NOT the subscription but the Azure AD directory for the tenant). The name of the SP turned out to be "Storage Resource Provider" (yours may be different, so that's why you need to look it up in Azure AD), so we granted that SP "Owner" role (temporarily) in the other subscription. Then provisioning worked!
There should be a finer-grained set of permissions you need to grant than just "Owner" but when we granted just the "validate" permission, we got a new error:
Failed to save firewall and virtual network settings for storage account 'XXX'. Error: An operation is currently performing on this storage account that requires exclusive access.
Also experienced this error when adding a vnet to a storage-account in another subscription.
Fixed by adding a storage-account to the subscription using the portal. Then the vnet could be added to the storage-account.
Note: the result is the same as #fernacolo does with a powershell command.
We have two types of Azure Subscription
CSP Subscription ( through re-seller)
Pay As You Go (Direct Subscription)
We are using following PowerShell command (using rm account) to provision Azure Service Bus:
New-AzureRmResourceGroupDeployment -ResourceGroupName TestRG1 -TemplateUri
Using the above command, we have successfully added a new service bus under Pay As You Go subscription. But when we tried the same way under CSP subscription, we get the following error:
New-AzureRmResourceGroupDeployment : - Error: Code=DisallowedProvider;
Message=The operation is not permitted for namespace
'Microsoft.ServiceBus'"
Error detail
What is going wrong here? Is there any limitation under CSP subscription that there is no way to provision few services like service bus etc.?
Since under CSP subscription only ARM is available and no option for service bus management, we only use PowerShell to provision services and provisioning account has all the permissions.
From the CSP Release notes as of May 31st: • App Service Environment to host any App Services application (including Web Apps, Logic Apps or API Apps) is not available for CSP subscriptions. This capability will become available in the future.