Azure subscription access between multiple subscriptions - azure

I need help with some Azure questions; sorry, I'm new to Azure.
If under one agreement I have multiple subscriptions broken out into the following:
production-client-a
production-client-b
IAT
UAT
Infrastructure
Can services in either the "production-client-a" or "production-client-b" subscription access services in "infrastructure-main"? This would be things like Active Directory, the Chef server, Octopus Deploy servers, etc.
If this is possible, can you then control which networks have access to certain services in different subscriptions?
For example:
production-client-a subscription hosts (access to ports 80 + 443) to infrastructure-main subscription chef-server
How would you go about setting this up?
Hope this makes sense.

I believe no, not directly. If these are PaaS services that can be used with some endpoints or connection strings, then yes. If you want to access resources of subscription1 from subscription2 in, like... one namespace, or just select a "subscription1 resource" from the subscription2 dashboard, then no.
If you want to put your Chef master in one subscription and add slaves from different subscriptions, there should not be a problem.
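The network side of the question (client subscription reaching the Chef server on 80/443 only) can be done with VNet peering across subscriptions plus an NSG on the Chef server. The script below is an added example and not part of the original thread; every subscription ID, resource group, VNet name, CIDR and IP in it is an assumed placeholder, and it assumes both VNets are in the same Azure AD tenant and have non-overlapping address spaces. Without `APPLY=1` it only defines the functions.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): peer a client VNet in one
# subscription with an infrastructure VNet in another, then restrict what the
# client side may reach. All IDs, names and CIDRs are assumed placeholders.
set -eu

INFRA_SUB="11111111-1111-1111-1111-111111111111"     # "infrastructure-main"
CLIENT_SUB="22222222-2222-2222-2222-222222222222"    # "production-client-a"
INFRA_RG="rg-infra";     INFRA_VNET="vnet-infra";     INFRA_CIDR="10.0.0.0/16"
CLIENT_RG="rg-client-a"; CLIENT_VNET="vnet-client-a"; CLIENT_CIDR="10.10.0.0/16"
CHEF_IP="10.0.1.10"   # private IP of the Chef server NIC in vnet-infra (assumed)
CHEF_NSG="nsg-chef"   # NSG attached to that NIC or its subnet (assumed)

vnet_id() {  # $1 subscription, $2 resource group, $3 vnet name -> ARM resource ID
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s' "$1" "$2" "$3"
}

# Peering is created from BOTH sides. For a remote VNet in another
# subscription --remote-vnet must be the full resource ID, and the caller
# needs Network Contributor (or at least
# Microsoft.Network/virtualNetworks/peer/action) in both subscriptions.
peer_vnets() {
  az network vnet peering create --subscription "$INFRA_SUB" \
    --resource-group "$INFRA_RG" --vnet-name "$INFRA_VNET" --name "to-client-a" \
    --remote-vnet "$(vnet_id "$CLIENT_SUB" "$CLIENT_RG" "$CLIENT_VNET")" --allow-vnet-access
  az network vnet peering create --subscription "$CLIENT_SUB" \
    --resource-group "$CLIENT_RG" --vnet-name "$CLIENT_VNET" --name "to-infra" \
    --remote-vnet "$(vnet_id "$INFRA_SUB" "$INFRA_RG" "$INFRA_VNET")" --allow-vnet-access
}

# Caveat: the default AllowVnetInBound rule (priority 65000) treats the peered
# client address space as "VirtualNetwork", so after peering the client can
# reach every port in vnet-infra. Deny the client range explicitly and allow
# only the wanted ports at a higher precedence (lower priority number).
restrict_chef_access() {
  az network nsg rule create --subscription "$INFRA_SUB" --resource-group "$INFRA_RG" \
    --nsg-name "$CHEF_NSG" --name "AllowChefHttpFromClientA" --priority 100 \
    --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$CLIENT_CIDR" --source-port-ranges '*' \
    --destination-address-prefixes "$CHEF_IP" --destination-port-ranges 80 443
  az network nsg rule create --subscription "$INFRA_SUB" --resource-group "$INFRA_RG" \
    --nsg-name "$CHEF_NSG" --name "DenyAllFromClientA" --priority 4000 \
    --direction Inbound --access Deny --protocol '*' \
    --source-address-prefixes "$CLIENT_CIDR" --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges '*'
}

# APPLY=1 runs the commands against a real tenant; otherwise only the
# functions are defined so the file can be sourced and inspected.
if [ "${APPLY:-0}" = "1" ]; then
  peer_vnets
  restrict_chef_access
fi
```

The deny rule is the part people forget: peering alone makes the client address space part of the VirtualNetwork service tag, so the built-in allow rule lets everything through. Check the effective result with `az network nic list-effective-nsg` on the Chef server NIC after applying.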

Related

Shared or private resources on azure portal

My company has a Microsoft account (office365, mails, ...)
I plan to work with azure virtual machines.
There is something strange: all my virtual machines and all my Azure resources (websites, ...) are private. My colleagues cannot manage them. They can connect with SSH but they don't see an entry in their Azure portal account.
Is there a way to share all the Azure resources in the whole company, for all users?
Thanks
You have to assign a role to see Azure resources. In Azure there are a bunch of predefined roles, for example Reader. If you assign the Reader role at the subscription level, the member can read all resources located in that subscription but cannot make any changes. Here you can read more about role-based access control
Why can users connect to the VM but not see it in the portal? My bet is that the VM ports are not blocked and the whole internet can connect to those VMs.
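Both points of the answer (a Reader assignment at subscription scope, and VMs reachable from the whole internet) can be handled from the Azure CLI. The script below is an added example, not from the original thread; the subscription ID, Azure AD group, resource group, NSG and rule names are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): read-only visibility for a
# whole subscription via an Azure AD group, plus a check for NSG rules that
# expose VM ports to the internet. Names and IDs are assumed placeholders.
set -eu

SUBSCRIPTION_ID="11111111-1111-1111-1111-111111111111"   # assumed
READERS_GROUP="azure-readers"                            # assumed Azure AD group

# Assign the built-in Reader role at subscription scope to a GROUP rather than
# to individual users, so joiners/leavers don't need new role assignments.
grant_subscription_reader() {  # $1 group display name, $2 subscription id
  group_id=$(az ad group show --group "$1" --query id -o tsv)
  az role assignment create \
    --assignee-object-id "$group_id" --assignee-principal-type Group \
    --role Reader --scope "/subscriptions/$2"
}

# Inbound Allow rules whose source is the whole internet. Caveat: a NIC with a
# public IP and no NSG attached at all is completely open, which this query
# cannot show; list NICs without an NSG separately.
list_internet_exposed_rules() {  # $1 resource group, $2 nsg name
  az network nsg rule list --resource-group "$1" --nsg-name "$2" \
    --query "[?direction=='Inbound' && access=='Allow' && (sourceAddressPrefix=='*' || sourceAddressPrefix=='Internet')].{name:name,ports:destinationPortRange,priority:priority}" \
    -o table
}

# Narrow an internet-wide SSH rule to a known source range (office/VPN).
restrict_ssh_source() {  # $1 rg, $2 nsg, $3 rule name, $4 allowed CIDR
  az network nsg rule update --resource-group "$1" --nsg-name "$2" --name "$3" \
    --source-address-prefixes "$4" --destination-port-ranges 22 --protocol Tcp
}

if [ "${APPLY:-0}" = "1" ]; then
  grant_subscription_reader "$READERS_GROUP" "$SUBSCRIPTION_ID"
  list_internet_exposed_rules rg-vms nsg-vms
  restrict_ssh_source rg-vms nsg-vms AllowSSH 203.0.113.0/24
fi
```

Reader is visibility only; colleagues who must start, stop or redeploy machines need Contributor (or a narrower built-in role such as Virtual Machine Contributor) on the resource group they own, not on the whole subscription.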

Azure Devops: securing deployments to on-premise servers at webapp level

It's clear that you can set which roles can deploy to a certain on-premise server thanks to the security settings in Deployment Groups and Agent pools. But is there any way to restrict access at the web app level?
The only ways I found are:
1. Creating a specific account, giving it deployment permissions in the target server's IIS for the required web apps only, and providing these credentials to the developers in charge of creating the pipelines for deploying those web apps (they will put them as custom environment variables or similar in the pipelines).
2. Same as 1 but using the created account as a service account for an agent. Access to this agent will be restricted to the developers in charge of creating the pipelines for deploying those web apps.
Both cases require creating new accounts and giving permissions in the server's IIS. Is there no way of doing this from Azure DevOps in the same way that access to whole servers can be restricted?
Regards.
It's clear that you can set which roles can deploy to a certain
on-premise server thanks to the security settings in Deployment Groups
and Agent pools. But is there any way to restrict access at the web app level?
Sorry, but as far as I know Azure DevOps Service doesn't support such an out-of-the-box feature.
We can manage access at the organization level (Organization settings), project level (Project settings), feature level (Security of the Pipelines/Deployment Groups feature...) and even the 'instance level' (set security for one specific pipeline/deployment group/one specific git repo).
But the 'instance level' is the lowest level: we can only manage access to a specific pipeline or a specific deployment group, not to one web app which will be deployed by the pipeline/deployment group.
The web app is not something hosted by Azure DevOps Service; it's just something to be deployed by pipelines (hosted by Azure DevOps Service). So Azure DevOps Service actually has no knowledge of the web app (it also won't have a UI that represents one web app); that's why we can manage access to the pipeline but not to the web app in that pipeline...
Update 1
Once you have only one deployment group for the specific target server, you can determine who can access the deployment group here:
A person who is assigned only the Reader permission can't use the deployment group to deploy.
OK, following the suggestion from #Lance and after some research, this is what I'm planning to do:
Creating a custom service connection where the following fields can be set: the IIS server where the web app is, the web app name, a user (with deployment permissions) and a password.
Together with the custom service connection I will provide a custom task where the developer team can select the service connection against which they want to do the deployment (obviously, server admins will only configure service connections to web apps which this team is allowed to deploy).
The agent will run with a low-privileged account (no way of affecting any app) and the custom task will internally use the credentials provided in the service connection to perform the deployment.
I think that approach is the best workaround to the initial problem and can be extended to fix the granularity problem for other kinds of resources (like DBs, shared folders, ...) simply by adding another specific custom service connection (to specify the resource and the deployment credentials) and a linked custom task which allows deployments only against that resource.
The only drawback is the fact that, if you want to set a deployment approval, you have to do it at resource level (for every web app, for every DB, ...), and that means that approvers will also have to approve resource by resource when deploying (instead of a single approval for the whole application deployment as, in my understanding, it should be).
What do you think, guys? Any remarks before I start coding this?
Regards.

Automation RBAC requirements for Security Center/Sentinel Playbooks

I am currently in the process of setting up a Sentinel POC. Within Sentinel you have playbooks, which are basically Logic Apps; it is the same as the playbooks in Security Center.
I need to know what permissions I need on target subscriptions in order to automate remediation of alerts, for example isolate a VM, stop a VM, etc.
Our Sentinel will have its own subscription in a tenant where there are hundreds of subscriptions.
It's best to use a service principal for having centralized access control.
With this, you can use the service principal to authenticate and authorize actions against resources. It can be configured for the Azure Resource Manager connector in Logic Apps as well.
Another option would be to use Managed Identity, but that is supported only for the HTTP Action.
As for the exact permissions for this service principal / managed identity, you can use this reference of built-in roles for providing granular control. For example, to just stop/start VMs, your service principal would need Virtual Machine Contributor.
You could also provision finer access to resources by creating custom roles.
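Virtual Machine Contributor also allows deleting, resizing and re-imaging VMs, which a remediation playbook never needs. The script below is an added example, not from the original thread: it builds a custom role holding only the actions needed to stop, deallocate and network-isolate a VM (the isolate case is assumed to mean swapping the NIC's NSG for a quarantine NSG), creates it with the listed subscriptions as assignable scopes, and assigns it to one service principal in each of them. The role name, the application ID and the subscription IDs are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): least-privilege custom role
# for a Sentinel playbook identity, assigned across many subscriptions.
# ROLE_NAME, PLAYBOOK_APP_ID and the subscription IDs are assumed placeholders.
set -eu

ROLE_NAME="Sentinel Playbook VM Responder"
PLAYBOOK_APP_ID="00000000-0000-0000-0000-000000000000"   # assumed SP application (client) ID

# Emit the role definition JSON. Actions are the minimum for:
#  - stop / deallocate: the Compute powerOff and deallocate actions
#  - isolate: PUT the NIC with a quarantine NSG; that PUT re-references the
#    NSG and the subnet, so both join actions are required as well
role_definition_json() {  # args: subscription IDs allowed in AssignableScopes
  scopes=""
  for s in "$@"; do
    scopes="${scopes:+$scopes, }\"/subscriptions/$s\""
  done
  cat <<EOF
{
  "Name": "$ROLE_NAME",
  "Description": "Stop, deallocate and network-isolate VMs for Sentinel playbooks.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/networkInterfaces/write",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkSecurityGroups/join/action",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "AssignableScopes": [ $scopes ]
}
EOF
}

# Create the definition once, then assign it to the playbook SP in every
# target subscription. Resolve the SP by application ID to its object ID so
# a display-name collision cannot grant the role to the wrong principal.
deploy_playbook_role() {  # args: subscription IDs
  az role definition create --role-definition "$(role_definition_json "$@")"
  sp_object_id=$(az ad sp show --id "$PLAYBOOK_APP_ID" --query id -o tsv)
  for s in "$@"; do
    az role assignment create --assignee-object-id "$sp_object_id" \
      --assignee-principal-type ServicePrincipal \
      --role "$ROLE_NAME" --scope "/subscriptions/$s"
  done
}

if [ "${APPLY:-0}" = "1" ]; then
  deploy_playbook_role \
    "11111111-1111-1111-1111-111111111111" \
    "22222222-2222-2222-2222-222222222222"
fi
```

With hundreds of subscriptions under one tenant, the same role can instead be assigned once at a management group scope, provided the management group is listed in `AssignableScopes`; the per-subscription loop above is the form that works without a management-group hierarchy. Check `az role definition list --custom-role-only true` afterwards to confirm no wildcard actions slipped in.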

How to move resources from subscriptions in different directories in Azure

In my Azure account I have 2 directories; let's call them directory A and B.
With some recent changes I need to switch an App Service from a subscription in directory A to a subscription that is in directory B.
Is this possible to achieve, and if it is how?
EDIT 1
As directory I mean the directory that you can see in the image below:
EDIT 2
Since it seems that I have misled people, I will try to explain what I want to achieve with images.
I want to move the App Service from the App Service Plan in the directory A as you can see in here:
to the App Service Plan in the directory B that you can see in here:
It looks like you want to move resources between subscriptions. It is possible to do this, but there are a few restrictions and rules around what you can do.
You can definitely move an App Service between subscriptions. However, in your case, as the subscriptions in question exist in different AD tenants, you will need to change the tenant of one of the subscriptions. You can only do this if you are a Service Administrator and signed in using a Microsoft (i.e. non-organizational) account.
Check this reference document from Microsoft, it explains in detail how the transfer process works.
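A resource move is only accepted when source and destination subscriptions trust the same Azure AD tenant, so the tenant check is worth scripting before attempting the move. The script below is an added example, not from the original thread; the subscription IDs, resource groups and app name are assumed placeholders, and it assumes you are logged in to both subscriptions with `az login`.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): verify that two subscriptions
# share a tenant before moving an App Service between them. Subscription IDs,
# resource groups and the app name are assumed placeholders.
set -eu

SRC_SUB="aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"   # subscription in "directory A" (assumed)
DST_SUB="bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"   # subscription in "directory B" (assumed)
SRC_RG="rg-a"; DST_RG="rg-b"; APP_NAME="my-app-service"

tenant_of() {  # $1 subscription id -> ID of the tenant that subscription trusts
  az account show --subscription "$1" --query tenantId -o tsv
}

same_tenant() {  # $1, $2 subscription ids; exit 0 when both trust one tenant
  [ "$(tenant_of "$1")" = "$(tenant_of "$2")" ]
}

# Move the app resource. Resource Manager validates the move itself and
# rejects it if the destination subscription is in another tenant; the check
# up front just gives a clearer message than the ARM error. The destination
# App Service plan is chosen afterwards, once the app is in the target
# subscription (az webapp update --plan).
move_app_service() {
  if ! same_tenant "$SRC_SUB" "$DST_SUB"; then
    echo "subscriptions trust different tenants: transfer one subscription first, then retry" >&2
    return 1
  fi
  app_id="/subscriptions/$SRC_SUB/resourceGroups/$SRC_RG/providers/Microsoft.Web/sites/$APP_NAME"
  az resource move --ids "$app_id" \
    --destination-subscription-id "$DST_SUB" --destination-group "$DST_RG"
}

if [ "${APPLY:-0}" = "1" ]; then
  move_app_service
fi
```

Transferring a subscription to another tenant (the step the answer describes) also drops every role assignment and managed identity on that subscription, so export `az role assignment list --subscription ... --all` before the transfer and re-create the assignments afterwards.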
I think we might need some additional information, since it seems that the terms we're using are sometimes equivocal. Microsoft Azure subscriptions are not associated with Azure Active Directories, but with a service account. You can add as many Azure ADs as you want to an Azure subscription, but the Azure subscription itself will be managed by the service account (which is not necessarily a member of a certain Azure AD).
Further, only the service administrator can manage Azure resources, like VMs, App Services and so on. Azure AD admins can only manage identity aspects that define identity life cycles within that specific Azure AD. The service admin could add as a co-admin a user from the default Azure AD, and that user would then also be able to manage Azure resources, like App Services and so on.
So the Azure App Service is tied to an Azure subscription that is managed by a service account, not by the Azure AD. Please check the official documentation on this topic. Also please clarify exactly what you would like to do.

Azure multiple subscriptions network

I'm currently stuck with designing my Azure environments.
What I would like to have is multiple Azure subscriptions that work together in a private network, with Active Directory on the different subscriptions being synced.
Imagine the following scenario:
I've got two developers, who each have their own Azure subscription (free with MSDN) on which they develop their software.
When they have finished the code, they will do a check-in to Visual Studio Online, and a build server on a second Azure subscription will build the code.
When everything is ok, the code will be deployed on a VM in a third subscription.
All this would need to work with synced Active Directories and in a private network.
This means that if there is a website created in the third subscription, it would only be accessible from a VM in subscription 1 or 2.
So, to summarize:
1 subscription for the developer to develop code (Visual Studio, AD, SQL, ...)
1 subscription for building the code of the developer
1 subscription for collecting all the code and testing the software (AD, SQL, website, ...)
Only subscription 1 should be able to access VMs, websites, ... in subscription 2 or 3.
Could any of you advise how I should set up the virtual network, VPN, ...? Or maybe it is just not possible?
Thanks in advance!!
Today's Virtual Network feature does not let you span data center regions, subscriptions, etc. as far as I know, sorry!
I'm sure people are looking at what it would take to support this sort of scenario someday.
I'd recommend looking at the Azure VNet-to-VNet VPN gateway. It works fine across different regions and Azure subscriptions.
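A VNet-to-VNet connection between two subscriptions is two gateways plus a connection object on each side, created with one pre-shared key. The script below is an added example, not from the original thread; subscription IDs, resource groups, VNet and gateway names are assumed placeholders, and it assumes each VNet already has a subnet literally named `GatewaySubnet` and that the two address spaces do not overlap. Public IP SKU and allocation are left at the CLI defaults, which must match what the chosen gateway SKU requires.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): VNet-to-VNet VPN between the
# developer subscription and the test subscription. Subscription IDs, names
# and the shared key are assumed placeholders; gateway creation itself takes
# on the order of tens of minutes per side.
set -eu

DEV_SUB="11111111-1111-1111-1111-111111111111";  DEV_RG="rg-dev";   DEV_VNET="vnet-dev"
TEST_SUB="33333333-3333-3333-3333-333333333333"; TEST_RG="rg-test"; TEST_VNET="vnet-test"

gateway_id() {  # $1 sub, $2 rg, $3 gateway name -> ARM resource ID
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworkGateways/%s' "$1" "$2" "$3"
}

# One route-based VPN gateway per VNet; the VNet must already contain a
# "GatewaySubnet". The public IP is created in the same resource group.
create_gateway() {  # $1 sub, $2 rg, $3 vnet, $4 gateway name
  az network public-ip create --subscription "$1" --resource-group "$2" --name "pip-$4"
  az network vnet-gateway create --subscription "$1" --resource-group "$2" --name "$4" \
    --vnet "$3" --public-ip-addresses "pip-$4" \
    --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1
}

# The connection is created from BOTH sides with the same pre-shared key,
# referencing the remote gateway by full resource ID because it lives in the
# other subscription. Generate the key once, pass it in, never log it.
connect_vnets() {  # $1 pre-shared key
  if [ "${1:-}" = "" ]; then
    echo "pre-shared key required" >&2
    return 1
  fi
  key=$1
  dev_gw=$(gateway_id "$DEV_SUB" "$DEV_RG" gw-dev)
  test_gw=$(gateway_id "$TEST_SUB" "$TEST_RG" gw-test)
  az network vpn-connection create --subscription "$DEV_SUB" --resource-group "$DEV_RG" \
    --name dev-to-test --vnet-gateway1 "$dev_gw" --vnet-gateway2 "$test_gw" --shared-key "$key"
  az network vpn-connection create --subscription "$TEST_SUB" --resource-group "$TEST_RG" \
    --name test-to-dev --vnet-gateway1 "$test_gw" --vnet-gateway2 "$dev_gw" --shared-key "$key"
}

if [ "${APPLY:-0}" = "1" ]; then
  create_gateway "$DEV_SUB" "$DEV_RG" "$DEV_VNET" gw-dev
  create_gateway "$TEST_SUB" "$TEST_RG" "$TEST_VNET" gw-test
  connect_vnets "$(openssl rand -base64 32)"
fi
```

The tunnel routes the two address spaces to each other in both directions, so the "only subscription 1 may reach 2 and 3" requirement still has to be enforced with NSGs on the test-side subnets (allow from the developer VNet range, deny the rest). VNet peering now also spans subscriptions and is cheaper and lower-latency than a gateway; the VPN is the option when the networks must stay encrypted in transit or sit in different tenants.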
