在多个 AD 中具有多个订阅的 Azure VNet 对等互连。可能的?
Azure VNet Peering with multiple subscription in mutiple AD. Possible?
我和我的同事拥有 Azure 帐户(使用 BizSpark 计划)。我们都在每个中创建了 VNet 和一些 VM。现在,他想访问我创建的一些虚拟机,因此我们尝试在这些帐户之间设置 VNet 对等互连。有可能这样做吗?
PS:我们尝试了 VNet 对等互连选项,因为 VPN 成本很高。
更多信息:
- 没有重叠的 IP 范围。
- 所有虚拟机都在同一区域(美国中南部)。
- 订阅有不同的租户 ID
PPS:在关注 the tutorial
时获得更多信息
我有两个订阅:
Sub1 :
订阅名称:Visual Studio 企业:BizSpark
订阅 ID:79409421-0edc-40c5-a55b-4ef3ccfb0d53
租户编号:b726dcac-a1f2-420b-8713-cbee132aa6cc
用户登录 ID:aaaa@example.com
VNet 名称:vnet1
资源组:newRG
Sub2:
订阅名称:Visual Studio 企业:BizSpark
订阅 ID:3a97ecb8-5b69-4f7b-a46b-a678eb05ae00
租户编号:88cc20a7-90cf-4854-9201-6f1424ebf7fa
用户登录 ID:bbbb@example.com
VNet 名称:vnet2
资源组:newRG
我打开了两个Powershell windows和运行命令如下
Window1(子 1):
Login-AzureRmAccount ( logged in with aaaa@example.com )
Get-AzureRmSubscription
Select-AzureRmSubscription -SubscriptionId "79409421-0edc-40c5-a55b-4ef3ccfb0d53"
New-AzureRmRoleAssignment -SignInName "bbbb@example.com" -RoleDefinitionName "Network Contributor" -Scope /subscriptions/79409421-0edc-40c5-a55b-4ef3ccfb0d53/resourceGroups/newRG/providers/Microsoft.Network/VirtualNetworks/vnet2
当我运行上面的命令时,我得到的错误是
New-AzureRmRoleAssignment : The provided information does not map to an AD object id.
At line:1 char:1
+ New-AzureRmRoleAssignment -SignInName "bbbb@example.com" -RoleDefi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzureRmRoleAssignment], KeyNotFoundException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand
然后当我运行命令
$vnet1 = Get-AzureRmVirtualNetwork -ResourceGroupName newRG -Name vnet1
Add-AzureRmVirtualNetworkPeering -name LinkTovnet2 -VirtualNetwork $vnet1 -RemoteVirtualNetworkId "/subscriptions/3a97ecb8-5b69-4f7b-a46b-a678eb05ae00/resourceGroups/newRG/providers/Microsoft.Network/virtualNetworks/vnet2" -BlockVirtualNetworkAccess
错误是
Add-AzureRmVirtualNetworkPeering : The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope '/subscriptions/79409421-0edc-40c5-a55b-4ef3ccfb0d53/resourceGroups/newRG/providers/Microsoft.Network/virtualNetworks/vnet1/virtualNetworkPeerings/LinkTovnet2', however the linked subscription '3a97ecb8-5b69-4f7b-a46b-a678eb05ae00'is not in current tenant 'b726dcac-a1f2-420b-8713-cbee132aa6cc'.
StatusCode: 403
ReasonPhrase: Forbidden
OperationID : 'a2e1807b-df0d-4ef5-b832-a166a781bfbe'
At line:1 char:1
+ Add-AzureRmVirtualNetworkPeering -name LinkTovnet2 -VirtualNet ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Add-AzureRmVirtualNetworkPeering], NetworkCloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Network.AddAzureVirtualNetworkPeeringCommand
Window2(子 2):
Login-AzureRmAccount( logged in with bbbb@example.com )
Get-AzureRmSubscription
Select-AzureRmSubscription -SubscriptionId "79409421-0edc-40c5-a55b-4ef3ccfb0d53"
New-AzureRmRoleAssignment -SignInName "aaaa@example.com" - RoleDefinitionName "Network Contributor" -Scope /subscriptions/3a97ecb8-5b69-4f7b-a46b-a678eb05ae00/resourceGroups/newRG/providers/Microsoft.Network/VirtualNetworks/vnet1
当我运行上面的命令时,得到与上面相同的错误
是的,"Peering can be established between virtual networks in two different subscriptions as long a privileged user of both subscriptions authorizes the peering and the subscriptions are associated to the same Active Directory tenant. "
我在下面链接到的页面上还有一些其他注意事项,例如。你不能有重叠的 IP 地址范围。
我和我的同事拥有 Azure 帐户(使用 BizSpark 计划)。我们都在每个中创建了 VNet 和一些 VM。现在,他想访问我创建的一些虚拟机,因此我们尝试在这些帐户之间设置 VNet 对等互连。有可能这样做吗?
PS:我们尝试了 VNet 对等互连选项,因为 VPN 成本很高。
更多信息:
- 没有重叠的 IP 范围。
- 所有虚拟机都在同一区域(美国中南部)。
- 订阅有不同的租户 ID
PPS:在关注 the tutorial
时获得更多信息我有两个订阅:
Sub1 :
订阅名称:Visual Studio 企业:BizSpark
订阅 ID:79409421-0edc-40c5-a55b-4ef3ccfb0d53
租户编号:b726dcac-a1f2-420b-8713-cbee132aa6cc
用户登录 ID:aaaa@example.com
VNet 名称:vnet1
资源组:newRG
Sub2:
订阅名称:Visual Studio 企业:BizSpark
订阅 ID:3a97ecb8-5b69-4f7b-a46b-a678eb05ae00
租户编号:88cc20a7-90cf-4854-9201-6f1424ebf7fa
用户登录 ID:bbbb@example.com
VNet 名称:vnet2
资源组:newRG
我打开了两个Powershell windows和运行命令如下
Window1(子 1):
Login-AzureRmAccount ( logged in with aaaa@example.com )
Get-AzureRmSubscription
Select-AzureRmSubscription -SubscriptionId "79409421-0edc-40c5-a55b-4ef3ccfb0d53"
New-AzureRmRoleAssignment -SignInName "bbbb@example.com" -RoleDefinitionName "Network Contributor" -Scope /subscriptions/79409421-0edc-40c5-a55b-4ef3ccfb0d53/resourceGroups/newRG/providers/Microsoft.Network/VirtualNetworks/vnet2
当我运行上面的命令时,我得到的错误是
New-AzureRmRoleAssignment : The provided information does not map to an AD object id.
At line:1 char:1
+ New-AzureRmRoleAssignment -SignInName "bbbb@example.com" -RoleDefi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzureRmRoleAssignment], KeyNotFoundException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand
然后当我运行命令
$vnet1 = Get-AzureRmVirtualNetwork -ResourceGroupName newRG -Name vnet1
Add-AzureRmVirtualNetworkPeering -name LinkTovnet2 -VirtualNetwork $vnet1 -RemoteVirtualNetworkId "/subscriptions/3a97ecb8-5b69-4f7b-a46b-a678eb05ae00/resourceGroups/newRG/providers/Microsoft.Network/virtualNetworks/vnet2" -BlockVirtualNetworkAccess
错误是
Add-AzureRmVirtualNetworkPeering : The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope '/subscriptions/79409421-0edc-40c5-a55b-4ef3ccfb0d53/resourceGroups/newRG/providers/Microsoft.Network/virtualNetworks/vnet1/virtualNetworkPeerings/LinkTovnet2', however the linked subscription '3a97ecb8-5b69-4f7b-a46b-a678eb05ae00'is not in current tenant 'b726dcac-a1f2-420b-8713-cbee132aa6cc'.
StatusCode: 403
ReasonPhrase: Forbidden
OperationID : 'a2e1807b-df0d-4ef5-b832-a166a781bfbe'
At line:1 char:1
+ Add-AzureRmVirtualNetworkPeering -name LinkTovnet2 -VirtualNet ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Add-AzureRmVirtualNetworkPeering], NetworkCloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Network.AddAzureVirtualNetworkPeeringCommand
Window2(子 2):
Login-AzureRmAccount( logged in with bbbb@example.com )
Get-AzureRmSubscription
Select-AzureRmSubscription -SubscriptionId "79409421-0edc-40c5-a55b-4ef3ccfb0d53"
New-AzureRmRoleAssignment -SignInName "aaaa@example.com" - RoleDefinitionName "Network Contributor" -Scope /subscriptions/3a97ecb8-5b69-4f7b-a46b-a678eb05ae00/resourceGroups/newRG/providers/Microsoft.Network/VirtualNetworks/vnet1
当我运行上面的命令时,得到与上面相同的错误
是的,"Peering can be established between virtual networks in two different subscriptions as long a privileged user of both subscriptions authorizes the peering and the subscriptions are associated to the same Active Directory tenant. "
我在下面链接到的页面上还有一些其他注意事项,例如。你不能有重叠的 IP 地址范围。