Is virtual network peering across Azure tenants possible?
I am trying to use the new Azure Virtual Network peering feature (public preview) to join two networks I own on two different subscriptions (i.e. different tenants). Is this possible? I have not seen anything saying otherwise, but when I try to peer them in PowerShell I get the following error.
The client has permission to perform action
'Microsoft.Network/virtualNetworks/peer/action' on scope
'/subscriptions/{Guid2}/resourceGroups/Default-Sydney/providers
/Microsoft.Network/virtualNetworks/SYDVN/virtualNetworkPeerings/LinkToSYDVN', however the linked subscription '{Guid1}'
is not in current tenant '{Guid3}'.
Full error and command:
PS C:\Windows\system32> Add-AzureRmVirtualNetworkPeering -name LinkToSYDVN -VirtualNetwork $SYDVN -RemoteVirtualNetworkId "/subscriptions/{Guid1}/resourceGroups/Default-Sydney/providers/Microsoft.Network/virtualNetworks/SYDVN1" -BlockVirtualNetworkAccess
WARNING: The output object type of this cmdlet will be modified in a future release.
Add-AzureRmVirtualNetworkPeering : The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope '/s
ubscriptions/{Guid2}/resourceGroups/Default-Sydney/providers/Microsoft.Network/virtualNetworks/SYDVN/virtualNe
tworkPeerings/LinkToSYDVN', however the linked subscription '{Guid1}' is not in current tenant
'{Guid3}'.
StatusCode: 403
ReasonPhrase: Forbidden
OperationID : '{Guid4}'
At line:1 char:1
+ Add-AzureRmVirtualNetworkPeering -name LinkToSYDVN -VirtualNetwork $S ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Add-AzureRmVirtualNetworkPeering], NetworkCloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Network.AddAzureVirtualNetworkPeeringCommand
Any help would be appreciated.
Update
From Loydon at MS technical support:
"VNet peering relies on ARM RBAC for authorization. However, ARM RBAC does not support cross-tenant linked access checks. Therefore both subscriptions must belong to the same Azure Active Directory tenant. So currently VNet peering is limited to customer subscriptions in the same Azure Active Directory domain. This gives them the same tenant tag, which allows peering to happen. We do not support linking VNETs across subscriptions in different AAD tenants."
VNet peering across different tenants is now supported: https://azure.microsoft.com/en-us/updates/cross-aad-vnet-peering/
-- Anavi [MSFT]
Now supported; from the Azure virtual network peering documentation, requirements section:
The virtual networks can be in the same, or different subscriptions. When you peer virtual networks in different subscriptions, both subscriptions can be associated to the same or different Azure Active Directory tenant.
You cannot use the portal.
We have enabled this feature. VNet peering and Global VNet peering are supported across Azure Active Directory tenants.
https://docs.microsoft.com/en-us/azure/virtual-network/create-peering-different-subscriptions#portal
https://azure.microsoft.com/en-us/updates/cross-aad-vnet-peering/
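Added example, not code from the question or from any of the answers: the two-sided procedure the later answers point to, written for the Az PowerShell module rather than the older AzureRm module used in the question. The tenant and subscription GUIDs, the guest-user object IDs and the custom role are placeholders and assumptions of this example; the resource-ID layout and the 'Microsoft.Network/virtualNetworks/peer/action' permission are taken from the 403 error in the question. It assumes the account doing the peering has already been invited as a B2B guest into the other tenant, which the linked Microsoft docs require.

```powershell
# Added example: peer two VNets whose subscriptions sit in different Azure AD tenants,
# using the Az module. All GUIDs, names and object IDs are placeholders.
$TenantA = '00000000-0000-0000-0000-00000000000a'   # placeholder tenant id
$TenantB = '00000000-0000-0000-0000-00000000000b'   # placeholder tenant id
$SubA    = '11111111-1111-1111-1111-11111111111a'   # placeholder subscription id
$SubB    = '11111111-1111-1111-1111-11111111111b'   # placeholder subscription id
$RgA = 'Default-Sydney'; $VnetA = 'SYDVN'            # names taken from the question
$RgB = 'Default-Sydney'; $VnetB = 'SYDVN1'
# Object ID of the peering account as it appears in EACH tenant (a guest gets its
# own object ID per tenant). Placeholders.
$PeerObjIdInA = '22222222-2222-2222-2222-22222222222a'
$PeerObjIdInB = '22222222-2222-2222-2222-22222222222b'

# Resource IDs in the form the error message shows; each side needs the other's.
$VnetAId = "/subscriptions/$SubA/resourceGroups/$RgA/providers/Microsoft.Network/virtualNetworks/$VnetA"
$VnetBId = "/subscriptions/$SubB/resourceGroups/$RgB/providers/Microsoft.Network/virtualNetworks/$VnetB"

# --- Step 1: in each tenant, grant the peering account the minimum rights on its VNet.
# Network Contributor works but is broad. A custom role scoped to a single VNet is a
# least-privilege alternative; the action set below is this example's assumption,
# built around the 'peer/action' permission named in the question's 403 error.
function Grant-VnetPeeringRole {
    param([string]$TenantId, [string]$SubscriptionId, [string]$VnetId, [string]$PrincipalObjectId)

    Connect-AzAccount -TenantId $TenantId -SubscriptionId $SubscriptionId | Out-Null

    $roleName = 'VNet Peering Operator (example)'
    $role = Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue
    if (-not $role) {
        # Start from a built-in role object so the shape is right, then narrow it.
        $role = Get-AzRoleDefinition -Name 'Network Contributor'
        $role.Id = $null
        $role.Name = $roleName
        $role.Description = 'Create and read VNet peerings on one VNet only'
        $role.IsCustom = $true
        $role.Actions.Clear()
        $role.Actions.Add('Microsoft.Network/virtualNetworks/read')
        $role.Actions.Add('Microsoft.Network/virtualNetworks/peer/action')
        $role.Actions.Add('Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read')
        $role.Actions.Add('Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write')
        $role.NotActions.Clear()
        $role.AssignableScopes.Clear()
        $role.AssignableScopes.Add("/subscriptions/$SubscriptionId")
        $role = New-AzRoleDefinition -Role $role
    }
    # Scope the assignment to the VNet resource itself, not the whole subscription.
    New-AzRoleAssignment -ObjectId $PrincipalObjectId -RoleDefinitionName $roleName -Scope $VnetId | Out-Null
}

# --- Step 2: create the peering from one side, signed in to that VNet's tenant.
# A peering is only live once both sides have a link: the first side reports
# 'Initiated' and flips to 'Connected' after the reverse link is created.
function New-CrossTenantPeering {
    param([string]$TenantId, [string]$SubscriptionId, [string]$Rg, [string]$Vnet,
          [string]$RemoteVnetId, [string]$PeeringName)

    Connect-AzAccount -TenantId $TenantId -SubscriptionId $SubscriptionId | Out-Null
    $local = Get-AzVirtualNetwork -ResourceGroupName $Rg -Name $Vnet

    # The question's command used -BlockVirtualNetworkAccess, which creates a link
    # that carries no traffic; it is omitted here so traffic flows once Connected.
    Add-AzVirtualNetworkPeering -Name $PeeringName -VirtualNetwork $local `
        -RemoteVirtualNetworkId $RemoteVnetId | Out-Null

    # Return the state so the caller can confirm Initiated -> Connected.
    (Get-AzVirtualNetworkPeering -ResourceGroupName $Rg -VirtualNetworkName $Vnet `
        -Name $PeeringName).PeeringState
}

Grant-VnetPeeringRole -TenantId $TenantA -SubscriptionId $SubA -VnetId $VnetAId -PrincipalObjectId $PeerObjIdInA
Grant-VnetPeeringRole -TenantId $TenantB -SubscriptionId $SubB -VnetId $VnetBId -PrincipalObjectId $PeerObjIdInB

New-CrossTenantPeering -TenantId $TenantA -SubscriptionId $SubA -Rg $RgA -Vnet $VnetA `
    -RemoteVnetId $VnetBId -PeeringName 'LinkToSYDVN1'     # expect Initiated
New-CrossTenantPeering -TenantId $TenantB -SubscriptionId $SubB -Rg $RgB -Vnet $VnetB `
    -RemoteVnetId $VnetAId -PeeringName 'LinkToSYDVN'      # expect Connected on both sides
```

Signing in to each tenant in turn is what makes the linked-subscription check pass today; the 2016 error came from ARM RBAC only recognising the caller's own tenant tag, as the support reply quoted above explains. Scoping the role assignment to the VNet resource ID rather than the subscription keeps the cross-tenant guest account from touching anything beyond the peering it is there to create.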