
Cross-tenant support for Azure Load Balancer

Open mahipdeora opened this issue 9 months ago • 2 comments

Describe the bug

Azure Load Balancer supports cross-subscription load balancing, with either the frontend IP address or the backend VNet residing in different subscriptions. However, the CLI only supports cross-subscription load balancing within a single Microsoft tenant. Cross-tenant linkage is supported on Load Balancer through the ARM/REST API, and we would like to extend support to the CLI.

Cross-tenant support should be enabled not only for LB creates but also for any LB updates (probes, rules, etc.).

Cross-tenant deployments need to include x-ms-authorization-auxiliary tokens in the header of the payload.

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/authenticate-multi-tenant

Related command

az network lb

Errors

(LinkedAuthorizationFailed) The client has permission to perform action 'Microsoft.Network/loadBalancers/backendAddressPools/join/action' on scope '/subscriptions/8ffb2cba-9d0c-4f5b-9465-24c6fd9954b1/resourceGroups/mahip3/providers/Microsoft.Network/networkInterfaces/test428_z1', however the current tenant 'ca4b3f71-9173-47df-baff-8538b81446b5' is not authorized to access linked subscription '6bb4a28a-db84-4e8a-b1dc-fabf7bd9f0b2'. Code: LinkedAuthorizationFailed Message: The client has permission to perform action 'Microsoft.Network/loadBalancers/backendAddressPools/join/action' on scope '/subscriptions/8ffb2cba-9d0c-4f5b-9465-24c6fd9954b1/resourceGroups/mahip3/providers/Microsoft.Network/networkInterfaces/test428_z1', however the current tenant 'ca4b3f71-9173-47df-baff-8538b81446b5' is not authorized to access linked subscription '6bb4a28a-db84-4e8a-b1dc-fabf7bd9f0b2'.

Issue script & Debug output

NA

Expected behavior

Cross-tenant deployments are supported on CLI

Environment Summary

azure-cli 2.40.0 *

core 2.40.0 *
telemetry 1.0.8 *

Dependencies:
msal 1.20.0b1
azure-mgmt-resource 21.1.0b1

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\mahipdeora.azure\cliextensions'

Python (Windows) 3.10.5 (tags/v3.10.5:f377153, Jun 6 2022, 15:58:59) [MSC v.1929 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal

Additional context

Please reach out to me on Teams with any questions.

mahipdeora • May 01 '24 22:05
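An added example, not part of the original issue and not Azure CLI code: it pulls the tenant and linked subscription out of the `LinkedAuthorizationFailed` message above and builds the ARM request headers with `x-ms-authorization-auxiliary` in the `Bearer <token>, Bearer <token>` form and three-token limit given in the linked ARM article. The function names, the unsigned demo tokens, the second tenant id and the distinct-tenant sanity check are assumptions made for the illustration.

```python
import base64
import json
import re

MAX_AUX_TOKENS = 3  # limit stated in the ARM multi-tenant article linked in the issue


def unverified_tid(token):
    """Read the tenant id ('tid') claim from a JWT without verifying its signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["tid"]


def parse_linked_auth_failure(message):
    """Extract the tenant and subscription named in a LinkedAuthorizationFailed message."""
    m = re.search(r"current tenant '([0-9a-f-]{36})' is not authorized to access "
                  r"linked subscription '([0-9a-f-]{36})'", message)
    return {"tenant": m.group(1), "linked_subscription": m.group(2)} if m else None


def build_arm_headers(primary_token, auxiliary_tokens):
    """Build ARM headers: primary token plus auxiliary tokens issued by other tenants."""
    if not 1 <= len(auxiliary_tokens) <= MAX_AUX_TOKENS:
        raise ValueError("expected 1 to %d auxiliary tokens" % MAX_AUX_TOKENS)
    primary_tid = unverified_tid(primary_token)
    aux_tids = [unverified_tid(t) for t in auxiliary_tokens]
    # Sanity check chosen for this example: a repeated or primary-tenant token adds nothing.
    if primary_tid in aux_tids or len(set(aux_tids)) != len(aux_tids):
        raise ValueError("auxiliary tokens must come from distinct, non-primary tenants")
    return {
        "Authorization": "Bearer " + primary_token,
        "x-ms-authorization-auxiliary": ", ".join("Bearer " + t for t in auxiliary_tokens),
    }


def fake_jwt(tid):
    """Constructed, unsigned token for the demo only; real ones come from Microsoft Entra ID."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none"}), enc({"tid": tid}), "sig"])


if __name__ == "__main__":
    error = ("however the current tenant 'ca4b3f71-9173-47df-baff-8538b81446b5' is not "
             "authorized to access linked subscription '6bb4a28a-db84-4e8a-b1dc-fabf7bd9f0b2'.")
    print(parse_linked_auth_failure(error))
    headers = build_arm_headers(fake_jwt("ca4b3f71-9173-47df-baff-8538b81446b5"),
                                [fake_jwt("00000000-0000-0000-0000-000000000002")])
    print(sorted(headers))  # header names only; token values are never logged
```
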

Hi @mahipdeora,

2.40.0 is not the latest Azure CLI (2.60.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

Thank you for opening this issue, we will look into it.

yonzhan • May 01 '24 22:05

@mahipdeora Which CLI command are you using? Could you please try to provide the ID instead of the name for --frontend-ip/--frontend-ip-name?

necusjz • May 06 '24 03:05

Hi @necusjz, I am using the ID for the frontend IP.

mahipdeora • May 06 '24 15:05

And this is for multiple commands: add frontend, backend address, etc.

mahipdeora • May 06 '24 15:05