Subha_26

Reputation: 450

VNet whitelisting for Azure SQL Server across azure tenants

I have an Azure SQL Server residing in tenant A and I need to add a Virtual network rule for a subnet residing in tenant B.

For this, I have created a service principal and given it multi-tenant access. I am also able to see the SP in both tenants. The SP is given access to both the subscriptions and resources (SQL Server and VNet) in both the tenants.

When I try to add the VNet rule using the SP credentials/login, I encounter the following error:

New-AzSqlServerVirtualNetworkRule:
The client has permission to perform action 'Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/Action'
on scope '/subscriptions/{subscription ID}/resourceGroups/{resource group name}/providers/Microsoft.Sql/servers/
{SQL Server name}/virtualNetworkRules/{rule name}',
however the current tenant 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is not authorized to access linked subscription 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.

Upvotes: 1

Views: 831

Answers (2)

FinneVirta

Reputation: 442

If I understand you correctly you want to connect resources that reside in two separate VNETs.

Have you set up any VNET peering between the two networks (tutorial)?

Upvotes: 1

Imran

Reputation: 5540

You encounter the following error:

New-AzSqlServerVirtualNetworkRule: The client has permission to perform action 'Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/Action' on scope '/subscriptions/{subscription ID}/resourceGroups/{resource group name}/providers/Microsoft.Sql/servers/{SQL Server name}/virtualNetworkRules/{rule name}', however the current tenant 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is not authorized to access linked subscription 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.
  • The service connection in your Azure SQL Server across Azure tenants will have access only to the virtual network in one tenant. It does not have access to the virtual network in the other tenant.
  • You can assign the Network Contributor role on that virtual network in the steps below:

Go to Azure Portal -> Resource group -> Access Control (IAM) -> Add role assignment -> Select Network Contributor -> Add


Upvotes: 1
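The same procedure as an Az PowerShell script, added here as an illustration and not taken from the question or either answer. It assumes the Network Contributor assignment from the answer above has already been made in tenant B (through the portal, as described), uses one multi-tenant service principal for both tenants, and treats every tenant, subscription, resource group, network and server name as a placeholder to be replaced. Before creating the rule it checks the two preconditions the error message implies: that the SP actually holds the role on the VNet's resource group in tenant B, and that the subnet exposes the Microsoft.Sql service endpoint, so a failure is reported at the check rather than at rule creation.

```powershell
# Added example (not code from the question or answers). All identifiers are placeholders.
$spAppId    = '<service-principal-app-id>'
$spObjectId = '<service-principal-object-id-in-tenant-B>'
$spSecret   = Read-Host -AsSecureString -Prompt 'Service principal secret'
$cred       = [pscredential]::new($spAppId, $spSecret)

# Tenant B holds the virtual network and subnet.
$tenantB    = '<tenant-B-id>'
$tenantBSub = '<tenant-B-subscription-id>'
$vnetRg     = '<vnet-resource-group>'
$vnetName   = '<vnet-name>'
$subnetName = '<subnet-name>'

# Tenant A holds the Azure SQL Server.
$tenantA    = '<tenant-A-id>'
$tenantASub = '<tenant-A-subscription-id>'
$sqlRg      = '<sql-server-resource-group>'
$sqlServer  = '<sql-server-name>'
$ruleName   = '<vnet-rule-name>'

# 1. Sign in to tenant B as the SP and confirm the Network Contributor assignment
#    on the VNet's resource group exists (the step the answer performs in the portal).
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $tenantB -Subscription $tenantBSub | Out-Null
$rgScope = "/subscriptions/$tenantBSub/resourceGroups/$vnetRg"
$assignment = Get-AzRoleAssignment -ObjectId $spObjectId -RoleDefinitionName 'Network Contributor' -Scope $rgScope
if (-not $assignment) {
    throw "SP $spObjectId has no Network Contributor assignment at $rgScope in tenant $tenantB."
}

# 2. Resolve the subnet and confirm it has the Microsoft.Sql service endpoint;
#    without it the VNet rule is rejected (or must be created with -IgnoreMissingVnetServiceEndpoint).
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $vnetRg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
if ($subnet.ServiceEndpoints.Service -notcontains 'Microsoft.Sql') {
    throw "Subnet $subnetName has no Microsoft.Sql service endpoint; add it before creating the rule."
}
$subnetId = $subnet.Id   # full ARM resource ID of the tenant-B subnet

# 3. Sign in to tenant A as the same SP and create the rule against the SQL Server,
#    passing the tenant-B subnet ID. This is the call that produced the error in the question.
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $tenantA -Subscription $tenantASub | Out-Null
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $sqlRg -ServerName $sqlServer `
    -VirtualNetworkRuleName $ruleName -VirtualNetworkSubnetId $subnetId | Out-Null

# 4. Read the rule back; a State of Ready means the service-endpoint link was established.
Get-AzSqlServerVirtualNetworkRule -ResourceGroupName $sqlRg -ServerName $sqlServer -VirtualNetworkRuleName $ruleName |
    Select-Object VirtualNetworkRuleName, VirtualNetworkSubnetId, State
```

The role check in step 1 is deliberately a check and not an assignment: creating role assignments requires an identity with Owner or User Access Administrator rights on the scope, which a least-privilege automation SP should not hold, so that step stays with an administrator in the portal as the answer describes. Keep the SP's Network Contributor scope as narrow as the VNet's resource group (or the VNet itself) rather than the subscription.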
