| 1 | +--- |
| 2 | +title: Configure cross-tenant connection in Azure Virtual Network Manager - PowerShell |
| 3 | +description: #Required; article description that is displayed in search results. |
| 4 | +author: mbender-ms |
| 5 | +ms.author: mbender |
| 6 | +ms.service: virtual-network-manager |
| 7 | +ms.topic: how-to |
| 8 | +ms.date: 11/02/2022 |
| 9 | +ms.custom: template-how-to |
| 10 | +#customerintent: As a cloud admin, in need to manage multi tenants from a single network manager instance. Cross tenant functionality will give me this so I manage all network resources governed by azure virtual network manager |
| 11 | +--- |
| 12 | + |
| 13 | + |
| 14 | +# Configure cross-tenant connection in Azure Virtual Network Manager - PowerShell |
| 15 | + |
| 16 | +In this article, you'll learn to create [cross-tenant connections](concept-cross-tenant.md) in the Azure Virtual Network Manager with Azure PowerShell. First, you'll create the scope connection on the central network manager. Then you'll create the network manager connection on the connecting tenant, and verify connection. Last, you'll add virtual networks from different tenants and verify. Once completed, You can centrally manage the resources of other tenants from single network manager instance. |
| 17 | + |
| 18 | +To learn more, see [how cross-tenant connections work in [Azure Virtual Network Manager](concept-cross-tenant.md). |
| 19 | + |
| 20 | +## Prerequisites |
| 21 | + |
| 22 | +- Two Azure tenants with virtual networks needing to be managed by Azure Virtual Network Manager Deploy |
| 23 | +- Azure Virtual Network Manager deployed in tenant |
| 24 | +- Permissions <> |
| 25 | +- Tenant-specific information including: |
| 26 | + - Resource ID |
| 27 | + - Tenant IDs |
| 28 | + - Resource Group name |
| 29 | + - Network manager name |
| 30 | + - |
| 31 | + |
| 32 | + |
| 33 | +## Create scope connection within network manager |
| 34 | +Creation of the scope connection begins on the central network manager. This is the network manager where you plan to manager all of your resources. In this task, you'll set up a scope connection with [New-AzNetworkManagerSubscriptionConnection](/powershell/module/az.network/new-aznetworkmanagersubscriptionconnection) |
| 35 | + |
| 36 | +```azurepowershell |
| 37 | +
|
| 38 | +# Create scope connection to target tenant |
| 39 | +New-AzNetworkManagerScopeConnection -Name toFabrikamTenantSub -ResourceGroup $rg.name -NetworkManagerName jaredgorthy -ResourceId "/subscriptions/87654321-abcd-1234-1def-0987654321ab" -Description "this is to manage fabrikam's vnets" -TenantId "12345678-12a3-4abc-5cde-678909876543" |
| 40 | +
|
| 41 | +
|
| 42 | +``` |
| 43 | + |
| 44 | +## Create network manager connection on subscription in other tenant |
| 45 | +Once the scope connection is created, you'll switch to your target tenant for the network manager connection. During this task, you'll connect the target tenant to the scope connection created previously |
| 46 | + |
| 47 | +```azurepowershell |
| 48 | +
|
| 49 | +Set-AzContext -TenantId 12345678-12a3-4abc-5cde-678909876543 |
| 50 | +
|
| 51 | +Select-AzSubscription 87654321-abcd-1234-1def-0987654321ab |
| 52 | +
|
| 53 | +New-AzNetworkManagerSubscriptionConnection -Name toContosoTenantNM -Description "this is to be managed by a contoso network manager" -NetworkManagerId "/subscriptions/13579864-1234-5678-abcd-0987654321ab/resourceGroups/$rg.name/providers/Microsoft.Network/networkManagers/jaredgorthy" |
| 54 | +
|
| 55 | +
|
| 56 | +
|
| 57 | +Get-AzNetworkManagerSubscriptionConnection -Name toContosoTenantNM |
| 58 | +``` |
| 59 | + |
| 60 | +## Verify the connection state is ‘Connected’ (via grid item ‘Status’) |
| 61 | + |
| 62 | +Switch back to the Contoso tenant, and performing a get on the network manager should show the subscription added via the cross tenant scopes property. |
| 63 | + |
| 64 | +```azurepowershell |
| 65 | +
|
| 66 | +Get-AzNetworkManager -ResourceGroup $rg.name -Name jaredgorthy |
| 67 | +
|
| 68 | +``` |
| 69 | + |
| 70 | +## Generate auth tokens for PowerShell |
| 71 | +From Azure Portal and Azure CLI we generate the auth tokens needed for the put static member request behind the scenes. Unfortunately, this is not possible (yet) via AVNM’s powershell cmdlets, so the tokens must be generated manually and the request must be sent via the ‘Invoke-RestMethod’ cmdlet |
| 72 | + |
| 73 | + |
| 74 | +# Get the group you want to add the static members to |
| 75 | +$group = Get-AzNetworkManagerGroup -NetworkManagerName jaredgorthy -ResourceGroup $rg.name -Name containsCrossTenantResources |
| 76 | + |
| 77 | +# Need to be modified |
| 78 | +$networkManagerTenant = "24680975-1234-abcd-56fg-121314ab5643" |
| 79 | +$vnetTenant = "12345678-12a3-4abc-5cde-678909876543" |
| 80 | +$staticMemberName = "crossTenantMember" |
| 81 | +$vnetResourceId = “/subscriptions/795fe552-a2fc-466a-b436-de4520b73dd2/resourceGroups/temp/providers/Microsoft.Network/virtualNetworks/Vnet1” |
| 82 | + |
| 83 | +# Everything after this can be copy/pasted |
| 84 | +$networkManagerToken = Get-AzAccessToken -TenantId $networkManagerTenant |
| 85 | +$vnetToken = Get-AzAccessToken -TenantId $vnetTenant |
| 86 | + |
| 87 | +$authHeader = @{ |
| 88 | + 'Content-Type'='application/json' |
| 89 | + 'Authorization'='Bearer ' + $networkManagerToken.Token |
| 90 | + 'x-ms-authorization-auxiliary'='Bearer ' + $vnetToken.Token |
| 91 | +} |
| 92 | + |
| 93 | +$body = (@{ |
| 94 | + ‘properties'= @{ |
| 95 | + 'resourceId'=$vnetResourceId |
| 96 | + } |
| 97 | +} | ConvertTo-Json) |
| 98 | + |
| 99 | +$restUri = "https://management.azure.com" + $group.Id + "/staticMembers/" + $staticMemberName + "?api-version=2022-01-01" |
| 100 | +Invoke-RestMethod -Uri $restUri -Method Put -Headers $authHeader -Body $body |
| 101 | + |
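Review bot: the PowerShell under "Generate auth tokens for PowerShell" (from `# Get the group you want to add the static members to` through the `Invoke-RestMethod -Uri $restUri -Method Put -Headers $authHeader -Body $body` line) is the only script in the file not wrapped in an ```azurepowershell fence, so its `#` comment lines will render as markdown headings and readers cannot copy it as a unit; fence it and replace the smart quotes in `$vnetResourceId = “/subscriptions/...”` and `‘properties'= @{` with straight quotes, since `“` and `‘` are not string delimiters in PowerShell. Two correctness points in the earlier sections: the intro to "Create scope connection within network manager" links `New-AzNetworkManagerSubscriptionConnection`, but the code in that section calls `New-AzNetworkManagerScopeConnection` (the subscription-connection cmdlet belongs to the following section), and inside the double-quoted `-NetworkManagerId` string `resourceGroups/$rg.name/` expands only `$rg`, so it needs `$($rg.Name)`; `$rg` is also never defined anywhere in the article. Because `$authHeader` carries bearer tokens for both tenants (`Authorization` and `x-ms-authorization-auxiliary`), a sentence telling readers not to echo, log or persist that hashtable would be appropriate next to the explanation that the tokens must be generated manually. Template placeholders still need filling before merge: `description: #Required; ...`, `- Permissions <>`, the empty trailing bullet under "Tenant-specific information", the unbalanced bracket in `[how cross-tenant connections work in [Azure Virtual Network Manager](concept-cross-tenant.md)`, and the heading "Verify the connection state is ‘Connected’ (via grid item ‘Status’)", which refers to a portal grid although this is the PowerShell article.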