articles/virtual-machines/azure-compute-gallery.md
65 additions & 22 deletions
@@ -6,7 +6,7 @@ ms.author: cynthn
6
6
ms.service: virtual-machines
7
7
ms.subservice: gallery
8
8
ms.topic: overview
9
-
ms.date: 04/26/2022
9
+
ms.date: 07/18/2022
10
10
ms.reviewer: cynthn
11
11
12
12
---
@@ -81,18 +81,73 @@ The regions that a resource is replicated to can be updated after creation time.
81
81

82
82
83
83
<aname=community></a>
84
-
## Community gallery (preview)
85
84
85
+
## Sharing
86
+
87
+
There are three main ways to share images in an Azure Compute Gallery, depending on who you want to share with:
88
+
89
+
| Share with\:| Option |
90
+
|----|----|
91
+
|[Specific people, groups, or service principals](#rbac)| Role-based access control (RBAC) lets you share resources to specific people, groups, or service principals on a granular level. |
92
+
|[Subscriptions or tenants](#shared-directly-to-a-tenant-or-subscription)| Direct shared gallery (preview) lets you share to everyone in a subscription or tenant. |
93
+
|[Everyone](#community-gallery)| Community gallery (preview) lets you share your entire gallery publicly, to all Azure users. |
94
+
95
+
### RBAC
96
+
97
+
As the Azure Compute Gallery, definition, and version are all resources, they can be shared using the built-in native Azure Roles-based Access Control (RBAC) roles. Using Azure RBAC roles you can share these resources to other users, service principals, and groups. You can even share access to individuals outside of the tenant they were created within. Once a user has access to the resource version, they can use it to deploy a VM or a Virtual Machine Scale Set. Here is the sharing matrix that helps understand what the user gets access to:
98
+
99
+
| Shared with User | Azure Compute Gallery | Image Definition | Image version |
We recommend sharing at the Gallery level for the best experience. We do not recommend sharing individual image versions. For more information about Azure RBAC, see [Assign Azure roles](../role-based-access-control/role-assignments-portal.md).
105
+
106
+
For more information, see [Share using RBAC](./share-gallery.md).
107
+
108
+
109
+
### Shared directly to a tenant or subscription
110
+
111
+
Give specific subscriptions or tenants access to a direct shared Azure Compute Gallery. Sharing a gallery with tenants and subscriptions give them read-only access to your gallery. For more information, see [Share a gallery with subscriptions or tenants](./share-gallery-direct.md).
86
112
87
113
> [!IMPORTANT]
88
-
> Azure Compute Gallery – community gallery is currently in PREVIEW and subject to the [Preview Terms for Azure Compute Gallery - community gallery](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
114
+
> Azure Compute Gallery – direct shared gallery is currently in PREVIEW and subject to the [Preview Terms for Azure Compute Gallery](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
115
+
>
116
+
> To publish images to a direct shared gallery during the preview, you need to register at [https://aka.ms/directsharedgallery-preview](https://aka.ms/directsharedgallery-preview). Creating VMs from a direct shared gallery is open to all Azure users.
89
117
>
90
-
> To share images in the community gallery, you need to register for the preview at [https://aka.ms/communitygallery-preview](https://aka.ms/communitygallery-preview). Creating VMs and scale sets from images shared the community gallery is open to all Azure users.
118
+
> During the preview, you need to create a new gallery, with the property `sharingProfile.permissions` set to `Groups`. When using the CLI to create a gallery, use the `--permissions groups` parameter. You can't use an existing gallery, the property can't currently be updated.
119
+
>
120
+
> You can't currently create a Flexible virtual machine scale set from an image shared to you by another tenant.
121
+
122
+
#### Limitations
123
+
124
+
During the preview:
125
+
- You can only share to subscriptions that are also in the preview.
126
+
- You can only share to 30 subscriptions and 5 tenants.
127
+
- A direct shared gallery cannot contain encrypted image versions. Encrypted images cannot be created within a gallery that is directly shared.
128
+
- Only the owner of a subscription, or a user or service principal assigned to the `Compute Gallery Sharing Admin` role at the subscription or gallery level will be able to enable group-based sharing.
129
+
- You need to create a new gallery, with the property `sharingProfile.permissions` set to `Groups`. When using the CLI to create a gallery, use the `--permissions groups` parameter. You can't use an existing gallery, the property can't currently be updated.
91
130
131
+
### Community gallery
92
132
93
-
Sharing images to the community is a new capability in Azure Compute Gallery. In the preview, you can make your image galleries public, and share them to all Azure customers. When a gallery is marked as a community gallery, all images under the gallery become available to all Azure customers as a new resource type under Microsoft.Compute/communityGalleries. All Azure customers can see the galleries and use them to create VMs. Your original resources of the type `Microsoft.Compute/galleries` are still under your subscription, and private.
133
+
To share a gallery with all Azure users, you can create a community gallery (preview). Community galleries can be used by anyone with an Azure subscription. Someone creating a VM can browse images shared with the community using the portal, REST, or the Azure CLI.
94
134
95
-
### Why share to the community?
135
+
Sharing images to the community is a new capability in [Azure Compute Gallery](./azure-compute-gallery.md). In the preview, you can make your image galleries public, and share them to all Azure customers. When a gallery is marked as a community gallery, all images under the gallery become available to all Azure customers as a new resource type under Microsoft.Compute/communityGalleries. All Azure customers can see the galleries and use them to create VMs. Your original resources of the type `Microsoft.Compute/galleries` are still under your subscription, and private.
136
+
137
+
For more information, see [Share images using a community gallery](./share-gallery-community.md).
138
+
139
+
140
+
> [!IMPORTANT]
141
+
> Azure Compute Gallery – community galleries is currently in PREVIEW and subject to the [Preview Terms for Azure Compute Gallery - community gallery](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
142
+
>
143
+
> To publish a community gallery, you need to register for the preview at [https://aka.ms/communitygallery-preview](https://aka.ms/communitygallery-preview). Creating VMs from the community gallery is open to all Azure users.
144
+
>
145
+
> During the preview, the gallery must be created as a community gallery (for CLI, this means using the `--permissions community` parameter) you currently can't migrate a regular gallery to a community gallery.
146
+
>
147
+
> You can't currently create a Flexible virtual machine scale set from an image shared by another tenant.
148
+
149
+
150
+
#### Why share to the community?
96
151
97
152
As a content publisher, you might want to share a gallery to the community:
98
153
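Review bot: The `community` named anchor on line 83 now sits directly above the new `## Sharing` heading, so existing links to `#community` will land on the sharing overview instead of the community gallery section, which starts at new line 131. Move the anchor down to just above `### Community gallery`, or drop it if nothing links to it. Two smaller points in the same hunk: the requirement to create a new gallery with `sharingProfile.permissions` set to `Groups` is stated word for word in both the direct shared gallery IMPORTANT note and the `#### Limitations` list, so one copy can go; and the new community gallery paragraph links `[Azure Compute Gallery](./azure-compute-gallery.md)`, which is this file.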
@@ -104,9 +159,9 @@ As a content publisher, you might want to share a gallery to the community:
104
159
105
160
- You don’t want to deal with the complexity of multi-tenant authentication when sharing with multiple tenants on Azure.
106
161
107
-
### How sharing with the community works
162
+
####How sharing with the community works
108
163
109
-
You [create a gallery resource](create-gallery.md#create-a-community-gallery-preview) under `Microsoft.Compute/Galleries` and choose `community` as a sharing option.
164
+
You [create a gallery resource](create-gallery.md#create-a-community-gallery) under `Microsoft.Compute/Galleries` and choose `community` as a sharing option.
110
165
111
166
When you are ready, you flag your gallery as ready to be shared publicly. Only the owner of a subscription, or a user or service principal with the `Compute Gallery Sharing Admin` role at the subscription or gallery level, can enable a gallery to go public to the community. At this point, the Azure infrastructure creates proxy read-only regional resources, under `Microsoft.Compute/CommunityGalleries`, which are public.
112
167
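Review bot: The fragment on the changed `create-gallery.md` link goes from `#create-a-community-gallery-preview` to `#create-a-community-gallery`, but this diff shows no matching heading rename in `create-gallery.md`, so please confirm the target heading is renamed in the same change or the fragment will be dead. Separately, as shown here the demoted heading `####How sharing with the community works` has no space after the hashes, unlike `#### Why share to the community?` in the previous hunk; without the space it will not render as a heading. The same applies to the two demoted headings in the following hunks.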
@@ -128,7 +183,7 @@ Information from your image definitions will also be publicly available, like wh
128
183
> If you stop sharing your gallery during the preview, you won't be able to re-share it.
129
184
130
185
131
-
### Limitations for images shared to the community
186
+
####Limitations for images shared to the community
132
187
133
188
There are some limitations for sharing your gallery to the community:
134
189
- Encrypted images aren't supported.
@@ -140,7 +195,7 @@ There are some limitations for sharing your gallery to the community:
140
195
> [!IMPORTANT]
141
196
> Microsoft does not provide support for images you share to the community.
142
197
143
-
### Community-shared images FAQ
198
+
####Community-shared images FAQ
144
199
145
200
**Q: What are the charges for using a gallery that is shared to the community?**
146
201
@@ -168,18 +223,6 @@ There are some limitations for sharing your gallery to the community:
168
223
169
224
**A**: Only the content publishers have control over the regions their images are available in. If you don’t find an image in a specific region, reach out to the publisher directly.
170
225
171
-
172
-
## Explicit sharing using RBAC roles
173
-
174
-
As the Azure Compute Gallery, definition, and version are all resources, they can be shared using the built-in native Azure Roles-based Access Control (RBAC) roles. Using Azure RBAC roles you can share these resources to other users, service principals, and groups. You can even share access to individuals outside of the tenant they were created within. Once a user has access to the resource version, they can use it to deploy a VM or a Virtual Machine Scale Set. Here is the sharing matrix that helps understand what the user gets access to:
175
-
176
-
| Shared with User | Azure Compute Gallery | Image Definition | Image version |
We recommend sharing at the Gallery level for the best experience. We do not recommend sharing individual image versions. For more information about Azure RBAC, see [Assign Azure roles](../role-based-access-control/role-assignments-portal.md).
182
-
183
226
## Activity Log
184
227
The [Activity log](../azure-monitor/essentials/activity-log.md) displays recent activity on the gallery, image, or version including any configuration changes and when it was created and deleted. View the activity log in the Azure portal, or create a [diagnostic setting to send it to a Log Analytics workspace](../azure-monitor/essentials/activity-log.md#send-to-log-analytics-workspace), where you can view events over time or analyze them with other collected data
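Review bot: Removing `## Explicit sharing using RBAC roles` drops the `#explicit-sharing-using-rbac-roles` fragment, and the relocated text now lives under `### RBAC` (linked as `#rbac` from the new table), so any inbound links to the old heading will fall back to the top of the page. Consider keeping a named anchor for the old fragment above `### RBAC`, the way the file already keeps one for `community`.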