Sharing VNet between subscriptions in Azure Pack
From time to time, I get into discussions with customers
on how to be more flexible around networking in Azure Pack.
Today each subscription is a boundary. Meaning, a
co-admin can have access to multiple subscriptions, but you are not allowed to “share”
anything between those subscriptions, such as virtual networks.
So here’s the
scenario.
A tenant subscribes to multiple subscriptions in Azure
Pack. Each subscription is based on its associated Hosting Plan, which is something
that is defined and exposed by the service administrator (the backend side of
Azure Pack). A Hosting Plan can contain several offerings, such as VM Clouds,
web site Clouds and more. The context as we move forward is the VM Cloud.
Let us say that a customer has two subscriptions today.
Each subscription has their own tenant administrator.
Subscription 1 is associated with Hosting Plan 1, which
offers standard virtual machines based on VM templates.
Subscription 2 is associated with Hosting Plan 2, which
offers VM Roles through Gallery Items.
The service provider has divided these offerings into two
different plans.
Tenant admin 1 has created his VNet on subscription 1 and
connected the virtual machines.
However, tenant admin 2 creates a new VNet on subscription
2 and connect his VM Roles, they are not able to communicate with the VMs on
subscription 1.
So what do we do?
As this isn’t something we are exposing through the GUI
nor the API, we have to get in touch with the service admin itself.
You have already noticed that we are dealing with two
tenants here, so that should give you an indication on what we are about to do.
We are going to share some resources in the backend.
If we head over to SCVMM and look at the VM Network in
Powershell, a few interesting properties are appearing to the surface.
UserRole which
says this is associated with a UserRole in SCVMM, which can be generated by
Azure Pack and aggregated through SPF.
Owner which is
owning the VM network in SCVMM.
GrantedToList which
is obviously where we can allow other UserRoles to have access to this object.
Interesting.
This means that the service admin can help their tenants
with the following.
Grant access to tenant admin 2 on the VNet that was
created on subscription 1 – by tenant admin 1.
Powershell
cmdlets:
### Find the VM network you want to share between
subscriptions
$VNet = Get-SCVMNetwork |
Where-Object {$_.name -eq "TechEd" -and
$_.Owner
-eq "knadm@internal.systemcenter365.com"}
### Find the tenant admin for that subscription
$tenant = Get-SCUserRole | Where-Object {$_.Name -like "*kristine*"}
### Grant access
Grant-SCResource -Resource $VNet -UserRoleID $tenant.ID -RunAsynchronously
Ok, so what is next?
You can now access the tenant portal and deploy your
workloads.
In the portal, you will never be able to manage
the VNet on this subscription, only deploy workloads that are connected to it.
2 comments:
Nice one Kristian. Do you know whether Network Security Groups can be applied to services of the second subscription?
If you find that important, I strongly recommend you to file that at this site: http://feedback.azure.com/forums/255259-azure-pack
Although we know things will come to Azure first, and WAP second, it's hard to know the exact priorities.
Post a Comment