Azure network peering when not authorized to access linked subscription

I got stacked for several hours on the case with network peering across different subscriptions with different tenantsRelated documentation. This scenario is usually when you do network peering with customer's Azure tenant or between Azure tenants with different owners. My case was easy since it was between Azures both managed by me, but still, there was a weird error. Luckily it got resolved by the way which you want to try too.

Azure Portal WebUI error message
Error: The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope '<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/virtualNetworkPeerings/<peeringName>', however the current tenant 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is not authorized to access linked subscription 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy'.

That sounds like you are missing some access rights. I tried despite I was subscription owner in IAM configuration to add a minimal needed role "Network Contributor".
az role assignment create --assignee name.surmame@company.com --role "Network Contributor" --scope /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>

and also the same right for the other side
az role assignment create --assignee name.surmame@company.com --role "Network Contributor" --scope /subscriptions/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>

It should be now working, but it wasn't. The portal's authorize button in peering configuration opened a window where is usually a login page, but it stayed forever on redirection. URL was https://rc.portal.azure.com/tokenauthorize#access_token=XXX. Using different web browser was not enough to resolve.

What next? Let's try to use Azure CLI via Cloud shell console.
az network vnet peering create --name vnetPeeringName --resource-group rgName --vnet-name vnetName --remote-vnet-id /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet> --allow-vnet-access

But an error out of this was the opposite subscription not found. So what next? WebUI is not working, the Azure command line is not working in this scenario? What's left? Yes, it's Powershell!
1) + 7)
Set-AzContext -SubscriptionId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -TenantId zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz

New-AzRoleAssignment -SignInName name.surmame@company.com -RoleDefinitionName "Network Contributor" -Scope /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>

$vNetA=Get-AzVirtualNetwork -Name vnetName -ResourceGroupName rgName
Add-AzVirtualNetworkPeering -Name vnetPeeringName -VirtualNetwork $vNetA -RemoteVirtualNetworkId "/subscriptions/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy/resourceGroups/<rg2>/providers/Microsoft.Network/virtualNetworks/<vnet2>"

3) + 9)

4) + 10)
Set-AzContext -SubscriptionId yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy -TenantId qqqqqqqq-qqqq-qqqq-qqqq-qqqqqqqqqqqq

New-AzRoleAssignment -SignInName name.surmame@company.com -RoleDefinitionName "Network Contributor" -Scope /subscriptions/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy/resourceGroups/<rg2>/providers/Microsoft.Network/virtualNetworks/<vnet2>


$vNetB=Get-AzVirtualNetwork -Name vnetName2 -ResourceGroupName rgName2
Add-AzVirtualNetworkPeering -Name vnetPeeringName2 -VirtualNetwork $vNetB -RemoteVirtualNetworkId "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>"


Network peering is enstablished after this procedure and thing which I don't understand is why it works only in PowerShell console and not in both other options. Well, at least it's working now.

1 komentář :

  1. Hi Ivo,

    Thank you very much for this step by step guide. My issue was fixed!!!



Dotaz, připomínka, oprava?
(pokud máte problém s vložením příspěvku, vyzkoušejte to v prohlížeči Chrome)