Azure / azure-cli

Azure Command-Line Interface
MIT License

Private DNS link vnet from different tenant #9851

Closed tleepa closed 5 years ago

tleepa commented 5 years ago

Describe the bug

I have two tenants (tenant1, tenant2). Each tenant has a subscription (sub1, sub2), a resource group (rg1, rg2), and a vnet (vnet1, vnet2). I am able to create a peering between vnet1 and vnet2 using the IAM roles configured (added a user from tenant1 to rg2 with the Network Contributor role). I am trying to register vnet2 as a resolution network (old nomenclature) to the private zone created in sub1. Tried both the previous and the current preview version of the Private DNS zone feature - both failing with similar messages. Documentation only specifies the permissions necessary to create vnet peering between different tenants - Network Contributor. Do I need any other permissions?

Is it possible at all?

az account list for user1:

[
  {
    "cloudName": "AzureCloud",
    "id": "_sub1_",
    "isDefault": true,
    "name": "Visual Studio Enterprise",
    "state": "Enabled",
    "tenantId": "_tenant1_",
    "user": {
      "name": "_user1_",
      "type": "user"
    }
  },
  {
    "cloudName": "AzureCloud",
    "id": "_sub2_",
    "isDefault": false,
    "name": "_sub2-name_",
    "state": "Enabled",
    "tenantId": "_tenant2_",
    "user": {
      "name": "_user1_",
      "type": "user"
    }
  }
]

Command Name: az network private-dns link vnet create

Errors:

The client has permission to perform action 'Microsoft.Network/virtualNetworks/join/action' on scope '/subscriptions/_sub1_/resourceGroups/_rg1_/providers/Microsoft.Network/privateDnsZones/_zonename_/virtualNetworkLinks/_vnet1_', however the current tenant '_tenant1_' is not authorized to access linked subscription '_sub2_'.

To Reproduce:

az network private-dns link vnet create --resource-group rg1 --name linkname --zone-name zonename --virtual-network /subscriptions/sub2/resourceGroups/rg2/providers/Microsoft.Network/virtualNetworks/vnet2 --registration-enabled false --subscription sub1

tjprescott commented 5 years ago

@dijyotir for comment

mmyyrroonn commented 5 years ago

@dijyotir Hello. Any update?

ghost commented 5 years ago

@MyronFanQiu Hi, this functionality is right now only available in the Portal. Right now the CLI and PowerShell do not support this functionality.

mmyyrroonn commented 5 years ago

@tleepa Should I change this issue into a feature request?

tleepa commented 5 years ago

@MyronFanQiu Yes, please. Thank you.

roblohmann commented 4 years ago

@dijyotir I'm not quite sure if this is the correct place to ask this question. But I'm working with the Azure CLI to link a VNET to a private DNS zone as well. However, my VNET is in a different resource group than the Private DNS zone is, and I suspect that this is giving me the following error:

'Can not perform requested operation on nested resource. Parent resource 'my-zone-name' not found.'

Could this have something to do with this feature request as well?

ghost commented 4 years ago

@roblohmann The error seems to suggest that you are trying to create a virtual network link under a private zone but that zone doesn't exist.

roblohmann commented 4 years ago

@roblohmann The error seems to suggest that you are trying to create a virtual network link under a private zone but that zone doesn't exist.

That was also my initial thought, however I'm sure it exists, and linking the VNET to the Private DNS Zone through the portal is not an issue. I just see that I got a response on Stack Overflow to my question regarding this issue, so I'll see what that brings. Otherwise I'll open a new thread here I think.

For future reference: Got the answer on Stack Overflow, had to get the virtual network id and pass that in. Also see https://stackoverflow.com/a/59384739/291293

randy2ner commented 3 years ago

I'm not sure if this solution was available when the bug was filed, but I ran into the same problem. When doing this through PowerShell using New-AzPrivateDnsVirtualNetworkLink, there is a parameter called -RemoteVirtualNetworkId that you can use to reference a VNET in a different tenant.
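The cross-tenant link described in this thread, written out as an added Az PowerShell example (not code from the issue or from the azure-cli project). All tenant, subscription, group, zone and link names are constructed placeholders; it assumes the signed-in identity holds rights on the zone in tenant1 and Network Contributor on the VNet in tenant2, and that signing in to both tenants lets Az obtain the auxiliary token for the remote side.

```powershell
# Added example: link a VNet in tenant2 to a Private DNS zone in tenant1.
# Placeholder values below are constructed; replace with your own ids/names.
$tenant1 = '<tenant1-id>'   # tenant owning the Private DNS zone (sub1 / rg1)
$tenant2 = '<tenant2-id>'   # tenant owning the virtual network (sub2 / rg2 / vnet2)
$sub1    = '<sub1-id>'
$sub2    = '<sub2-id>'

# Sign in to the remote tenant first, then to the zone's tenant. The last login
# becomes the current context; the cached credentials for tenant2 are what Az
# uses to authorize the remote half of the link (assumption, see lead-in).
Connect-AzAccount -TenantId $tenant2 -Subscription $sub2 | Out-Null
Connect-AzAccount -TenantId $tenant1 -Subscription $sub1 | Out-Null

# Address the remote VNet by full resource ID, exactly as the failing CLI
# command in the issue does with --virtual-network.
$remoteVnetId = "/subscriptions/$sub2/resourceGroups/rg2" +
                "/providers/Microsoft.Network/virtualNetworks/vnet2"

# Create the link in the zone's tenant. -RemoteVirtualNetworkId is the
# cross-tenant parameter named in the thread; registration stays off,
# matching --registration-enabled false in the original command.
$link = New-AzPrivateDnsVirtualNetworkLink `
    -ResourceGroupName 'rg1' `
    -ZoneName 'zonename' `
    -Name 'linkname' `
    -RemoteVirtualNetworkId $remoteVnetId `
    -EnableRegistration:$false

# Check the result: a healthy link reports Succeeded / Completed.
$link | Select-Object Name, ProvisioningState, VirtualNetworkLinkState
```

If the first login is skipped, the call fails with the same "current tenant is not authorized to access linked subscription" error quoted in the issue, which is the quickest way to confirm the auxiliary token is the missing piece.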