Azure / azure-cli

Azure Command-Line Interface
MIT License

Cross-tenant support for Azure Load Balancer #28871

Open mahipdeora opened 5 months ago

mahipdeora commented 5 months ago

Describe the bug

Azure Load balancer supports cross-subscription load balancing, with either the frontend IP address or the backend VNet residing in different subscriptions. However, CLI only supports cross-subscription load balancing within a single Microsoft Tenant. Cross-Tenant linkage is supported on Load balancer through ARM/REST API, and we would like to extend support to CLI.

Cross-tenant support should be enabled not only for LB creates but also for any LB updates (probes, rules, etc.).

Cross-tenant deployments need to include x-ms-authorization-auxiliary tokens in the header of the payload.

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/authenticate-multi-tenant

Related command

az network lb

Errors

(LinkedAuthorizationFailed) The client has permission to perform action 'Microsoft.Network/loadBalancers/backendAddressPools/join/action' on scope '/subscriptions/8ffb2cba-9d0c-4f5b-9465-24c6fd9954b1/resourceGroups/mahip3/providers/Microsoft.Network/networkInterfaces/test428_z1', however the current tenant 'ca4b3f71-9173-47df-baff-8538b81446b5' is not authorized to access linked subscription '6bb4a28a-db84-4e8a-b1dc-fabf7bd9f0b2'. Code: LinkedAuthorizationFailed Message: The client has permission to perform action 'Microsoft.Network/loadBalancers/backendAddressPools/join/action' on scope '/subscriptions/8ffb2cba-9d0c-4f5b-9465-24c6fd9954b1/resourceGroups/mahip3/providers/Microsoft.Network/networkInterfaces/test428_z1', however the current tenant 'ca4b3f71-9173-47df-baff-8538b81446b5' is not authorized to access linked subscription '6bb4a28a-db84-4e8a-b1dc-fabf7bd9f0b2'.

Issue script & Debug output

NA

Expected behavior

Cross-tenant deployments are supported on CLI

Environment Summary

azure-cli 2.40.0 *

core 2.40.0 telemetry 1.0.8

Dependencies: msal 1.20.0b1 azure-mgmt-resource 21.1.0b1

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe' Extensions directory 'C:\Users\mahipdeora.azure\cliextensions'

Python (Windows) 3.10.5 (tags/v3.10.5:f377153, Jun 6 2022, 15:58:59) [MSC v.1929 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal

Additional context

Please reach out to me on Teams with any questions.
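
As an added example (not code from azure-cli or from the issue author), this Python sketch parses the LinkedAuthorizationFailed text quoted above to identify the linked subscription, then builds the x-ms-authorization-auxiliary header described in the linked ARM documentation. The function names are hypothetical, the sample tokens are constructed and unsigned, and the three-token limit and comma-separated Bearer format are taken from that documentation.

```python
import base64
import json
import re

MAX_AUX_TOKENS = 3  # ARM accepts at most three auxiliary tokens per request
_LINKED_AUTH_RE = re.compile(
    r"perform action '(?P<action>[^']+)' on scope '(?P<scope>[^']+)', "
    r"however the current tenant '(?P<tenant>[^']+)' is not authorized "
    r"to access linked subscription '(?P<linked_subscription>[^']+)'"
)


def parse_linked_auth_failure(message):
    """Extract action, scope, tenant and linked subscription from the error text."""
    match = _LINKED_AUTH_RE.search(message)
    return match.groupdict() if match else None


def token_tenant(jwt):
    """Read the 'tid' claim unverified; a local sanity check only, ARM validates."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["tid"]


def build_arm_headers(primary_token, aux_tokens):
    """Build ARM request headers carrying one token per additional tenant."""
    if not 1 <= len(aux_tokens) <= MAX_AUX_TOKENS:
        raise ValueError("expected between 1 and %d auxiliary tokens" % MAX_AUX_TOKENS)
    tenants = [token_tenant(primary_token)]
    for token in aux_tokens:
        tenant = token_tenant(token)
        if tenant in tenants:  # a second token for the same tenant adds nothing
            raise ValueError("duplicate tenant in token set: " + tenant)
        tenants.append(tenant)
    return {  # never write these header values to logs
        "Authorization": "Bearer " + primary_token,
        "x-ms-authorization-auxiliary": ", ".join("Bearer " + t for t in aux_tokens),
    }


def make_sample_token(tenant_id):
    """Constructed, unsigned stand-in for an access token (sample data only)."""
    body = base64.urlsafe_b64encode(json.dumps({"tid": tenant_id}).encode())
    return "e30." + body.decode().rstrip("=") + ".sig"
```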

azure-client-tools-bot-prd[bot] commented 5 months ago

Hi @mahipdeora,

2.40.0 is not the latest Azure CLI (2.60.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

yonzhan commented 5 months ago

Thank you for opening this issue, we will look into it.

necusjz commented 4 months ago

@mahipdeora Which CLI command are you using? Could you please try to provide the ID instead of the name for --frontend-ip/--frontend-ip-name?

mahipdeora commented 4 months ago

Hi @necusjz, I am using the ID for the frontend IP.

mahipdeora commented 4 months ago

And this is for multiple commands: add frontend, backend address, etc.