Support cross-tenant virtual network linking for Private DNS zones #10582
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ghost
requested a review
from 
ghost
closed this
ghost
reopened this
|
CC @myronfanqiu, who is domain expert for Network module. |
|
Hi @myronfanqiu, please add this to the sprint 75. |
mmyyrroonn
reviewed
Sep 25, 2019
src/azure-cli/azure/cli/command_modules/privatedns/tests/latest/test_privatedns_commands.py
Show resolved
Hide resolved
|
@dijyotir Hello. Please rebase your branch against latest dev and modify the history. Then I will merge this PR. |
mmyyrroonn
approved these changes
Sep 25, 2019
|
Hi Team, Can you please share the reference document or azure cli command to support cross tenant vnet linking for Private DNS Zone using two different service principals? |
|
@msyyc, could you help on this? |
|
@manvkaur, this is definitely something that should be placed in the public doc. You may take this script as a reference for "support cross-tenant VNET linking for Private DNS Zone using two different service principals". We need to create 2 apps:
Log in with a user account# Prepare args
tenantA='ca97...'
subA="414a..."
tenantB='5482...'
subB="0b1f..."
# Login with a user account which is a tenant Application Administrator
az loginCreate appA under tenantA# Switch to subA under tenantA
az account set --subscription $subA
# Create appA and spA
spA=$(az ad sp create-for-rbac --role Contributor)
# Save the appId and password for later login
appIdA=$(echo $spA | jq --raw-output .appId)
passwordA=$(echo $spA | jq --raw-output .password)Create appB under tenantB# Switch to subB under tenantB
az account set --subscription $subB
# Create appB and spB
spB=$(az ad sp create-for-rbac --role Contributor)
# Save the appId and password for later login
appIdB=$(echo $spB | jq --raw-output .appId)
passwordB=$(echo $spB | jq --raw-output .password)
# Make appB multi-tenant
# --identifier-uris must be on a tenant verified domain. See https://stackoverflow.com/a/60396506/2199657
az ad app update --id $appIdB --available-to-other-tenants --identifier-uris "https://AzureSDKTeam.onmicrosoft.com/$appIdB"Make appB a guest under tenantA# Switch to subA under tenantA
az account set --subscription $subA
# Make appB a guest in tenantA by creating spBA
az ad sp create --id $appIdB
# Grant appB Contributor role in subA
# You may narrow the scope of the role assignment by specifying --scope
az role assignment create --assignee $appIdB --role ContributorCreate VNET in subA# Log in with appA in tenantA
az login --service-principal --username $appIdA --password $passwordA --tenant $tenantA
# Create myResourceGroupA
az group create --name myResourceGroupA --location "East US"
# Create myVnetA
az network vnet create --resource-group myResourceGroupA --name myVnetA --location eastus --address-prefix 10.2.0.0/16 --subnet-name backendSubnet --subnet-prefixes 10.2.0.0/24Create private DNS zone in subB# Log in with appB in tenantB
az login --service-principal --username $appIdB --password $passwordB --tenant $tenantB
# Create myResourceGroupB
az group create --name myResourceGroupB --location "East US"
# Create private DNS private.contoso.com
az network private-dns zone create -g myResourceGroupB -n private.contoso.comLog in with appB in tenantA (optional)This step is optional. If not executed, # Log in with appB in tenantA
az login --service-principal --username $appIdB --password $passwordB --tenant $tenantA
# Switch back to subB
az login --service-principal --username $appIdB --password $passwordB --tenant $tenantBCreate private DNS link in subB# Create private DNS link MyDNSLink
az network private-dns link vnet create -g myResourceGroupB -n MyDNSLink -z private.contoso.com -v "/subscriptions/$subA/resourceGroups/myResourceGroupA/providers/Microsoft.Network/virtualNetworks/myVnetA" -e trueThe request will contain following headers:
References |
|
BTW, once private DNS is migrated to Track 2, it will also be affected by Azure/azure-sdk-for-python#8313. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This checklist is used to make sure that common guidelines for a pull request are followed.
The PR has modified HISTORY.rst describing any customer-facing, functional changes. Note that this does not include changes only to help content. (see Modifying change log).
I adhere to the Command Guidelines.
Fixes #9851