2020-07-15

Azure network peering when not authorized to access linked subscription

I got stacked for several hours on the case with network peering across different subscriptions with different tenantsRelated documentation. This scenario is usually when you do network peering with customer's Azure or between Azure with different owners. My case was easy since it was between Azure's managed by me, but still, there was a weird error. Luckily it got resolved by the way which you want to try too.

Azure Portal WebUI error message
Error: The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope '<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/virtualNetworkPeerings/<peeringName>', however the current tenant 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is not authorized to access linked subscription 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy'.

That sounds like you are missing some access rights. I tried despite I was subscription owner in IAM configuration to add a minimal needed role "Network Contributor".
az role assignment create --assignee name.surmame@company.com --role "Network Contributor" --scope /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>

and also the same right for the other side
az role assignment create --assignee name.surmame@company.com --role "Network Contributor" --scope /subscriptions/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>

It should be now working, but it wasn't. The portal's authorize button in peering configuration opened a window where is usually a login page, but it stayed forever on redirection. URL was https://rc.portal.azure.com/tokenauthorize#access_token=XXX. Using different web browser was not enough to resolve.

What next? Let's try to use Azure CLI via Cloud shell console.
az network vnet peering create --name vnetPeeringName --resource-group rgName --vnet-name vnetName --remote-vnet-id /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet> --allow-vnet-access

But an error out of this was the opposite subscription not found. So what next? WebUI is not working, the Azure command line is not working in this scenario? What's left? Yes, it's Powershell!
1) + 7)
Connect-AzAccount
Set-AzContext -SubscriptionId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -TenantId zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz

2)
New-AzRoleAssignment -SignInName name.surmame@company.com -RoleDefinitionName "Network Contributor" -Scope /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>

8)
$vNetA=Get-AzVirtualNetwork -Name vnetName -ResourceGroupName rgName
Add-AzVirtualNetworkPeering -Name vnetPeeringName -VirtualNetwork $vNetA -RemoteVirtualNetworkId "/subscriptions/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy/resourceGroups/<rg2>/providers/Microsoft.Network/virtualNetworks/<vnet2>"


3) + 9)
Disconnect-AzAccount

4) + 10)
Connect-AzAccount
Set-AzContext -SubscriptionId yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy -TenantId qqqqqqqq-qqqq-qqqq-qqqq-qqqqqqqqqqqq

5)
New-AzRoleAssignment -SignInName name.surmame@company.com -RoleDefinitionName "Network Contributor" -Scope /subscriptions/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy/resourceGroups/<rg2>/providers/Microsoft.Network/virtualNetworks/<vnet2>

6)
Disconnect-AzAccount

11)
$vNetB=Get-AzVirtualNetwork -Name vnetName2 -ResourceGroupName rgName2
Add-AzVirtualNetworkPeering -Name vnetPeeringName2 -VirtualNetwork $vNetB -RemoteVirtualNetworkId "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>"

12)
Disconnect-AzAccount

Network peering is enstablished after this procedure and thing which I don't understand is why it works only in PowerShell console and not in both other options. Well, at least it's working now.

2020-07-12

EDUMA programme review at JYU

I decided to publish my thoughts about the study programme EDUMA on JYU, which is a code name of "Master's Degree Programme in Educational Sciences at the University of Jyväskylä (Jyväskylän yliopisto)". I originally thought the programme is lousy, but it's not that simple to put blame on one place only.

How to describe what is the content of EDUMA briefly? It is a study programme about researching the area of education. The students of the programme have different backgrounds and reasons to apply, but I have observed that the current students are usually the people who were in touch with teaching or have pedagogical backgrounds and they wish to improve their skills in the area further. I think these areas and topics are not properly covered within the programme.

Let me explain by unscrolling to a bit higher level. Whether you are a doorkeeper or anyone above in some kind of educational institution around the globe you have probably heard about "the great Finnish education system". The hype exists about that unrepeatable set of environmental conditions which makes education in Finnish schools good. 

So, you are a student of teaching and you see references to the Finnish education system everywhere and you decide to go study for your masters in Finland. The next question is: Where in the country of thousand lakes? Whether you ask anyone from Vantaa airport staff to a president, you are surely going to get the answer Jyväskyla, since the city is generally known as the Mecca of teachers. So you open the website of the only one "real" university of Jyväskylä, select educational faculty, click on studying in English, and apply for only one programme offered there, even without reading fliers and specifically without reading them in between the lines. That's my answer to why there are so many interesting people studying rather unspecific and untargeted programme.

My experience from the studies themselves in quite short, as I resigned from many courses when I felt that people who are teaching are not experienced experts in their topic. Not that they would not know, but they felt more like theoreticians to me. Not all of them, but quite many. I like theories but there is a reality to every theory. I heard so much from various people about how real universities (yliopisto) are better than the universities of applied sciences (ammattikorkeakoulu) where I did my previous Finnish degree, so I expected to experience a great upgrade. The EDUMA program did not provide me that feeling in the sense of the content or structure. However, the other parameters of the programme (and the great Finnish educational system) are good, e.g. you are not just another student number; there is a trust to you and a flat hierarchy which means equality with professors, etc. 

Well, the biggest observed issue of EDUMA alumni is the lack of qualification to work in Finland as an educator, which you probably hoped for. The programme does not contain anything that would support or prove your previous pedagogical skills, so you cannot officially be even a language teacher. Secondly, the area of suggested career paths contains roles such as "educational planner, administrator, consultant, coordinator, teacher educator or researcher" which are quite narrow, small, and probably protected for Finnish students.

Despite the official government strategy to keep graduate students in Finland (to return the investment and boost competitiveness), there are not too many opportunities to find a job in that area. It is never easy of course, but there are so many people planning to leave due to a lack of work prospects. You might do better at home by selling your expertise in great Finnish education. This is my theory supported by fragments of interviews with my dear classmates.

What to do with the EDUMA issue then? In my opinion: 

  • If you are a representative of the University, please offer a programme with the better fit - check what kind of people applied in the past, review their background, modify the programme based on that.
  • If you are an employer in the area of education, think if you can offer a working position that would fit the EDUMA graduates' qualifications, but also recognize their previous knowledge and skills.
  • If you are a teacher of EDUMA, please give more concrete examples of what you mean by referenced theories. Don't present generally known stuff and point the interesting things into readings, but do it rather the other way around.
  • If you are an applicant, read the EDUMA description page once again or check the program called DEICO
  • If you are part of the student ambassador project, please don't make videos "how you like studying EDUMA" with people in their second week of studies. 
  • If you are a current student, you can anonymously post under the article.

P. S. Sorry for the clickbait on the headline, this is not actually a review. It's like with university courses when you realize in the end that the course name was not so accurate, but it was attractive to select.