Merge pull request #216758 from mbender-ms/avnm-cross-tenant-cli

ShannonLeavitt · web-flow · commit 067a45ff54a1 · 2022-11-01T14:44:43.000-06:00
AVNM - New Article - Cross-tennant connection How-to w/ CLI
diff --git a/articles/virtual-network-manager/TOC.yml b/articles/virtual-network-manager/TOC.yml
@@ -77,6 +77,8 @@
     items:
     - name: Configure cross-tenant connection - Portal
       href: how-to-configure-cross-tenant-portal.md
+    - name: Configure cross-tenant connection - CLI
+      href: how-to-configure-cross-tenant-cli.md
   - name: View applied configurations
     href: how-to-view-applied-configurations.md
   - name: Define dynamic network group membership with Azure Policy
diff --git a/articles/virtual-network-manager/how-to-configure-cross-tenant-cli.md b/articles/virtual-network-manager/how-to-configure-cross-tenant-cli.md
@@ -0,0 +1,118 @@
+---
+title: Configure cross-tenant connection in Azure Virtual Network Manager - CLI
+description: Learn to connect Azure subscriptions in Azure Virtual Network Manager using cross-tenant connections for the management of virtual networks across subscriptions.
+author: mbender-ms
+ms.author: mbender
+ms.service: virtual-network-manager
+ms.topic: how-to 
+ms.date: 11/1/2022
+ms.custom: template-how-to 
+#customerintent: As a cloud admin, in need to manage multi tenants from a single network manager instance. Cross tenant functionality will give me this so I can easily manage all network resources governed by azure virtual network manager
+---
+
+# Configure cross-tenant connection in Azure Virtual Network Manager
+
+In this article, you’ll learn how-to create cross-tenant connections in Azure Virtual Network Manager using [Azure CLI](/cli/azure/network/manager/scope-connection). Cross-tenant support allows organizations to use a central Network Manager instance for managing virtual networks across different tenants and subscriptions. First, you'll create the scope connection on the central network manager. Then you'll create the network manager connection on the connecting tenant, and verify connection. Last, you'll add virtual networks from different tenants and verify. Once completed, You can centrally manage the resources of other tenants from a central network manager instance.
+
+> [!IMPORTANT]
+> Azure Virtual Network Manager is currently in public preview.
+> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+## Prerequisites
+
+- Two Azure tenants with virtual networks needing to be managed by Azure Virtual Network Manager Deploy. During the how-to, the tenants will be referred to as follows:
+  - **Central management tenant** - The tenant where an Azure Virtual Network Manager instance is installed, and you'll centrally manage network groups from cross-tenant connections.
+  - **Target managed tenant** - The tenant containing virtual networks to be managed. This tenant will be connected to the central management tenant.
+- Azure Virtual Network Manager deployed in the central management tenant.
+- Required permissions include:
+  - Administrator of central management tenant has guest account in target managed tenant.
+  - Administrator guest account has *Network Contributor* permissions applied at appropriate scope level(Management group, subscription, or virtual network).
+
+Need help with setting up permissions? Check out how to [add guest users in the Azure portal](../active-directory/external-identities/b2b-quickstart-add-guest-users-portal.md), and how to [assign user roles to resources in Azure portal](../role-based-access-control/role-assignments-portal.md)
+
+## Create scope connection within network manager
+
+Creation of the scope connection begins on the central management tenant with a network manager deployed, which is the network manager where you plan to manage all of your resources across tenants. In this task, you'll set up a scope connection to add a subscription from a target tenant. If you wish to use a management group, you'll modify the `–resource-id` argument to look like `/providers/Microsoft.Management/managementGroups/{mgId}`.
+
+```azurecli
+# Create scope connection in network manager in the central management tenant
+az network manager scope-connection create --resource-group "myRG" --network-manager-name "myAVNM" --name "ToTargetManagedTenant" --description "This is a connection to manage resources in the target managed tenant" --resource-id "/subscriptions/13579864-1234-5678-abcd-0987654321ab" --tenant-id "24680975-1234-abcd-56fg-121314ab5643"
+```
+
+## Create network manager connection on subscription in other tenant 
+Once the scope connection is created, you'll switch to your target tenant for the network manager connection. During this task, you'll connect the target tenant to the scope connection created previously and verify the connection state.
+
+1. Enter the following command to connect to the target managed tenant with your administrative account:
+
+   ```azurecli
+   
+   # Login to target managed tenant
+   # Note: Change the --tenant value to the appropriate tenant ID
+   az login --tenant "12345678-12a3-4abc-5cde-678909876543"
+   ```
+   You'll be required to complete authentication with your organization based on your organizations policies.
+
+1. Enter the following command to create the cross tenant connection on the central management.
+Set the subscription (note it’s the same as the one the connection references in step 1).
+
+    ```azurecli
+    # Set the Azure subscription
+    az account set --subscription 87654321-abcd-1234-1def-0987654321ab
+
+
+    # Create cross-tenant connection to central management tenant
+    az network manager connection subscription create --connection-name "toCentralManagementTenant" --description "This connection allows management of the tenant by a central management tenant" --network-manager-id "/subscriptions/13579864-1234-5678-abcd-0987654321ab/resourceGroups/myRG/providers/Microsoft.Network/networkManagers/myAVNM"
+    ```
+
+## Verify the connection state
+
+1.	Enter the following command to check the connection Status:
+
+    ```azurecli
+    # Check connection status
+    az network manager connection subscription show --name "toCentralManagementTenant"
+    ```
+
+1. Switch back to the central management tenant, and performing a get on the network manager shows the subscription added via the cross tenant scopes property.
+
+    ```azurecli
+    # View subscription added to network manager
+    az network manager show --resource-group myAVNMResourceGroup --name myAVNM
+    ```
+
+## Add static members to your network group 
+In this task, you'll add a cross-tenant virtual network to your network group with static membership. The virtual network subscription used below is the same as referenced when creating connections above.
+
+```azurecli
+# Create network group with static member from target managed tenant
+az network manager group static-member create --network-group-name "CrossTenantNetworkGroup" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup" --static-member-name "targetVnet01" --resource-id="/subscriptions/87654321-abcd-1234-1def-0987654321ab
+/resourceGroups/myScopeAVNM/providers/Microsoft.Network/virtualNetworks/targetVnet01"
+```
+## Delete virtual network manager configurations
+
+Now that the virtual network is in the network group, configurations will be applied. To remove the static member or cross-tenant resources, use the corresponding delete commands.
+
+```azurecli
+
+# Delete static member group
+az network manager group static-member delete --network-group-name  "CrossTenantNetworkGroup" --network-manager-name " myAVNM" --resource-group "myRG" --static-member-name "fabrikamVnet” 
+
+# Delete scope connections
+az network manager scope-connection delete --resource-group "myRG" --network-manager-name "myAVNM" --name "ToTargetManagedTenant" 
+
+# Switch to ‘managed tenant’ if needed 
+# 
+az network manager connection subscription delete --name "toCentralManagementTenant"  
+
+```
+
+## Next steps
+
+> [!div class="nextstepaction"]
+
+- Learn more about [Security admin rules](concept-security-admins.md).
+
+- Learn how to [create a mesh network topology with Azure Virtual Network Manager using the Azure portal](how-to-create-mesh-network.md)
+
+- Check out the [Azure Virtual Network Manager FAQ](faq.md)
