Merge pull request #197875 from cynthn/direct-sharing

Sharing

Author: ttorble

articles/virtual-machines/.openpublishing.redirection.virtual-machines.json

@@ -2859,7 +2859,16 @@
             "source_path_from_root": "/articles/virtual-machines/maintenance-control-powershell.md",
             "redirect_url": "/azure/virtual-machines/maintenance-configurations-powershell",
             "redirect_document_id": false
-          },  
+          },
+          {
+            "source_path_from_root": "/articles/virtual-machines/windows/share-images-across-tenants.md",
+            "redirect_url": "/azure/virtual-machines/azure-compute-gallery#sharing",
+            "redirect_document_id": false
+          },           {
+            "source_path_from_root": "/articles/virtual-machines/linux/share-images-across-tenants.md",
+            "redirect_url": "/azure/virtual-machines/azure-compute-gallery#sharing",
+            "redirect_document_id": false
+          }, 
           {
             "source_path_from_root": "/articles/virtual-machines/windows/create-portal-availability-zone.md",
             "redirect_url": "/azure/virtual-machines/create-portal-availability-zone",

articles/virtual-machines/TOC.yml

@@ -380,7 +380,13 @@
       displayName: Shared Image Gallery, SIG, sig, gallery, image
       href: create-gallery.md
     - name: Share a gallery
-      href: share-gallery.md
+      items: 
+      - name: RBAC
+        href: share-gallery.md
+      - name: Direct share
+        href: share-gallery-direct.md
+      - name: Community gallery
+        href: share-gallery-community.md
     - name: Images
       items:
       - name: Images in a gallery
@@ -402,14 +408,6 @@
       - name: Update image resources
         displayName: Shared Image Gallery, SIG, sig, gallery, image
         href: update-image-resources.md
-      - name: App registration for sharing
-        items:
-        - name: Linux
-          displayName: Shared Image Gallery, SIG, sig, gallery, image, app registration
-          href: ./linux/share-images-across-tenants.md
-        - name: Windows
-          displayName: Shared Image Gallery, SIG, sig, gallery, image, app registration
-          href: ./windows/share-images-across-tenants.md
       - name: Resource Manager Templates
         items:
         - name: Create an Azure Compute Gallery
@@ -719,13 +717,13 @@
     - name: Remove a VM
       displayName: on-demand capacity reservation
       href: capacity-reservation-remove-vm.md
-    - name: Associate a VM scale set - Flexible 
+    - name: Associate a scale set - Flexible 
       displayName: on-demand capacity reservation with flexible orchestration
       href: capacity-reservation-associate-virtual-machine-scale-set-flex.md
-    - name: Associate a VM scale set - Uniform 
+    - name: Associate a scale set - Uniform 
       displayName: on-demand capacity reservation
       href: capacity-reservation-associate-virtual-machine-scale-set.md
-    - name: Remove a VM scale set
+    - name: Remove a scale set
       displayName: on-demand capacity reservation
       href: capacity-reservation-remove-virtual-machine-scale-set.md
   - name: Create Virtual Machines
@@ -2012,7 +2010,6 @@
         href: ./windows/aws-to-azure.md
       - name: Upload on-premises VM
         href: ./linux/upload-vhd.md
-        displayname: Migrate from Amazon Web Services (AWS) to Azure
       - name: Use Azure Site Recovery
         href: ../site-recovery/migrate-overview.md?context=/azure/virtual-machines/context/context
 - name: Infrastructure automation

articles/virtual-machines/azure-compute-gallery.md

@@ -6,7 +6,7 @@ ms.author: cynthn
 ms.service: virtual-machines
 ms.subservice: gallery
 ms.topic: overview
-ms.date: 04/26/2022
+ms.date: 07/18/2022
 ms.reviewer: cynthn
 
 ---
@@ -81,18 +81,73 @@ The regions that a resource is replicated to can be updated after creation time.
 ![Graphic showing how you can replicate images](./media/shared-image-galleries/replication.png)
 
 <a name=community></a>
-## Community gallery (preview)
 
+## Sharing
+
+There are three main ways to share images in an Azure Compute Gallery, depending on who you want to share with:
+
+| Share with\: | Option |
+|----|----|
+| [Specific people, groups, or service principals](#rbac) | Role-based access control (RBAC) lets you share resources to specific people, groups, or service principals on a granular level. |
+| [Subscriptions or tenants](#shared-directly-to-a-tenant-or-subscription) | Direct shared gallery (preview) lets you share to everyone in a subscription or tenant. |
+| [Everyone](#community-gallery) | Community gallery (preview) lets you share your entire gallery publicly, to all Azure users. |
+
+### RBAC
+
+As the Azure Compute Gallery, definition, and version are all resources, they can be shared using the built-in native Azure Roles-based Access Control (RBAC) roles. Using Azure RBAC roles you can share these resources to other users, service principals, and groups. You can even share access to individuals outside of the tenant they were created within. Once a user has access to the resource version, they can use it to deploy a VM or a Virtual Machine Scale Set.  Here is the sharing matrix that helps understand what the user gets access to:
+
+| Shared with User     | Azure Compute Gallery | Image Definition | Image version |
+|----------------------|----------------------|--------------|----------------------|
+| Azure Compute Gallery | Yes                  | Yes          | Yes                  |
+| Image Definition     | No                   | Yes          | Yes                  |
+
+We recommend sharing at the Gallery level for the best experience. We do not recommend sharing individual image versions. For more information about Azure RBAC, see [Assign Azure roles](../role-based-access-control/role-assignments-portal.md).
+
+For more information, see [Share using RBAC](./share-gallery.md).
+
+
+### Shared directly to a tenant or subscription
+
+Give specific subscriptions or tenants access to a direct shared Azure Compute Gallery. Sharing a gallery with tenants and subscriptions give them read-only access to your gallery. For more information, see [Share a gallery with subscriptions or tenants](./share-gallery-direct.md).
 
 > [!IMPORTANT]
-> Azure Compute Gallery – community gallery is currently in PREVIEW and subject to the [Preview Terms for Azure Compute Gallery - community gallery](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+> Azure Compute Gallery – direct shared gallery is currently in PREVIEW and subject to the [Preview Terms for Azure Compute Gallery](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+>
+> To publish images to a direct shared gallery during the preview, you need to register at [https://aka.ms/directsharedgallery-preview](https://aka.ms/directsharedgallery-preview). Creating VMs from a direct shared gallery is open to all Azure users.
 > 
-> To share images in the community gallery, you need to register for the preview at [https://aka.ms/communitygallery-preview](https://aka.ms/communitygallery-preview). Creating VMs and scale sets from images shared the community gallery is open to all Azure users.
+> During the preview, you need to create a new gallery, with the property `sharingProfile.permissions` set to `Groups`. When using the CLI to create a gallery, use the `--permissions groups` parameter. You can't use an existing gallery, the property can't currently be updated.
+>
+> You can't currently create a Flexible virtual machine scale set from an image shared to you by another tenant.
+
+#### Limitations
+
+During the preview:
+- You can only share to subscriptions that are also in the preview.
+- You can only share to 30 subscriptions and 5 tenants.
+- A direct shared gallery cannot contain encrypted image versions. Encrypted images cannot be created within a gallery that is directly shared.
+- Only the owner of a subscription, or a user or service principal assigned to the `Compute Gallery Sharing Admin` role at the subscription or gallery level will be able to enable group-based sharing.
+- You need to create a new gallery,  with the property `sharingProfile.permissions` set to `Groups`. When using the CLI to create a gallery, use the `--permissions groups` parameter. You can't use an existing gallery, the property can't currently be updated.
 
+### Community gallery
 
-Sharing images to the community is a new capability in Azure Compute Gallery. In the preview, you can make your image galleries public, and share them to all Azure customers. When a gallery is marked as a community gallery, all images under the gallery become available to all Azure customers as a new resource type under Microsoft.Compute/communityGalleries. All Azure customers can see the galleries and use them to create VMs. Your original resources of the type `Microsoft.Compute/galleries` are still under your subscription, and private.
+To share a gallery with all Azure users, you can create a community gallery (preview). Community galleries can be used by anyone with an Azure subscription. Someone creating a VM can browse images shared with the community using the portal, REST, or the Azure CLI.
 
-### Why share to the community?
+Sharing images to the community is a new capability in [Azure Compute Gallery](./azure-compute-gallery.md). In the preview, you can make your image galleries public, and share them to all Azure customers. When a gallery is marked as a community gallery, all images under the gallery become available to all Azure customers as a new resource type under Microsoft.Compute/communityGalleries. All Azure customers can see the galleries and use them to create VMs. Your original resources of the type `Microsoft.Compute/galleries` are still under your subscription, and private.
+
+For more information, see [Share images using a community gallery](./share-gallery-community.md).
+
+
+> [!IMPORTANT]
+> Azure Compute Gallery – community galleries is currently in PREVIEW and subject to the [Preview Terms for Azure Compute Gallery - community gallery](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+> 
+> To publish a community gallery, you need to register for the preview at [https://aka.ms/communitygallery-preview](https://aka.ms/communitygallery-preview). Creating VMs from the community gallery is open to all Azure users.
+> 
+> During the preview, the gallery must be created as a community gallery (for CLI, this means using the `--permissions community` parameter) you currently can't migrate a regular gallery to a community gallery.
+> 
+> You can't currently create a Flexible virtual machine scale set from an image shared by another tenant.
+
+
+#### Why share to the community?
 
 As a content publisher, you might want to share a gallery to the community:
 
@@ -104,9 +159,9 @@ As a content publisher, you might want to share a gallery to the community:
 
 - You don’t want to deal with the complexity of multi-tenant authentication when sharing with multiple tenants on Azure.
 
-### How sharing with the community works
+#### How sharing with the community works
 
-You [create a gallery resource](create-gallery.md#create-a-community-gallery-preview) under `Microsoft.Compute/Galleries` and choose `community` as a sharing option.
+You [create a gallery resource](create-gallery.md#create-a-community-gallery) under `Microsoft.Compute/Galleries` and choose `community` as a sharing option.
 
 When you are ready, you flag your gallery as ready to be shared publicly. Only the  owner of a subscription, or a user or service principal with the `Compute Gallery Sharing Admin` role at the subscription or gallery level, can enable a gallery to go public to the community. At this point, the Azure infrastructure creates proxy read-only regional resources, under `Microsoft.Compute/CommunityGalleries`, which are public.
 
@@ -128,7 +183,7 @@ Information from your image definitions will also be publicly available, like wh
 > If you stop sharing your gallery during the preview, you won't be able to re-share it.
 
 
-### Limitations for images shared to the community
+#### Limitations for images shared to the community
 
 There are some limitations for sharing your gallery to the community:
 - Encrypted images aren't supported.
@@ -140,7 +195,7 @@ There are some limitations for sharing your gallery to the community:
 > [!IMPORTANT]
 > Microsoft does not provide support for images you share to the community.
 
-### Community-shared images FAQ
+#### Community-shared images FAQ
 
 **Q: What are the charges for using a gallery that is shared to the community?**
 
@@ -168,18 +223,6 @@ There are some limitations for sharing your gallery to the community:
 
 **A**: Only the content publishers have control over the regions their images are available in. If you don’t find an image in a specific region, reach out to the publisher directly.
 
-
-## Explicit sharing using RBAC roles
-
-As the Azure Compute Gallery, definition, and version are all resources, they can be shared using the built-in native Azure Roles-based Access Control (RBAC) roles. Using Azure RBAC roles you can share these resources to other users, service principals, and groups. You can even share access to individuals outside of the tenant they were created within. Once a user has access to the resource version, they can use it to deploy a VM or a Virtual Machine Scale Set.  Here is the sharing matrix that helps understand what the user gets access to:
-
-| Shared with User     | Azure Compute Gallery | Image Definition | Image version |
-|----------------------|----------------------|--------------|----------------------|
-| Azure Compute Gallery | Yes                  | Yes          | Yes                  |
-| Image Definition     | No                   | Yes          | Yes                  |
-
-We recommend sharing at the Gallery level for the best experience. We do not recommend sharing individual image versions. For more information about Azure RBAC, see [Assign Azure roles](../role-based-access-control/role-assignments-portal.md).
-
 ## Activity Log
 The [Activity log](../azure-monitor/essentials/activity-log.md) displays recent activity on the gallery, image, or version including any configuration changes and when it was created and deleted.  View the activity log in the Azure portal, or create a [diagnostic setting to send it to a Log Analytics workspace](../azure-monitor/essentials/activity-log.md#send-to-log-analytics-workspace), where you can view events over time or analyze them with other collected data