articles/virtual-wan/how-to-nva-hub.md
Lines changed: 4 additions & 8 deletions
@@ -46,14 +46,11 @@ These permissions need to be granted to the Azure Marketplace Managed Applicatio
46
46
47
47
## Assigning Permissions to Azure Managed Application
48
48
49
-
>[!NOTE]
50
-
> At this time, assigning extra permissions to faciliate Azure Managed Application deployments of Network Virtual Appliances in Virtual WAN is not required for all NVA deployments but will be in the future. Reference provider documentation to determine whether or not user-assigned identities are applicable to your enviornment.
51
-
52
49
Network Virtual Appliances that are deployed via Azure Marketplace Managed Application are deployed in a special resource group in your Azure tenant called the **managed resource group**. When you create a Managed Application in your subscription, a corresponding and separate **managed resource group** is created in your subscription. All Azure resources created by the Managed Application (including the Network Virtual Appliance) are deployed into the **managed resource group**.
53
50
54
-
Azure Marketplace owns a first-party service principal that performs the deployment of resources into the **managed resource group**. This first-party principal has permissions to create resources in the **managed resource group**, but doesn;t have permissions to read, update or create Azure resources outside of the **managed resource group**.
51
+
Azure Marketplace owns a first-party service principal that performs the deployment of resources into the **managed resource group**. This first-party principal has permissions to create resources in the **managed resource group**, but doesn't have permissions to read, update or create Azure resources outside of the **managed resource group**.
55
52
56
-
To ensure that your NVA deployment is performed with the sufficient level of permissions, grant additional permissions to the Azure Marketplace deployment service principal by deploying your Managed Application with a user-assigned managed identity that has permissions over the Virtual WAN hub and public IP address that you want to use with your Network Virtual Appliance. This user-assigned Managed Identity is used only for initial deployment of resources in the managed resource group and is used solely in the context of that Managed Application deployment.
53
+
To ensure that your NVA deployment is performed with the sufficient level of permissions, grant additional permissions to the Azure Marketplace deployment service principal by deploying your Managed Application with a user-assigned managed identity that has permissions over the Virtual WAN hub and public IP address that you want to use with your Network Virtual Appliance. This user-assigned Managed Identity is used only for initial deployment of resources in the managed resource group and is used solely in the context of that Managed Application deployment.
57
54
58
55
>[!NOTE]
59
56
> Only user-assigned system identities can be assigned to Azure Managed Applications to deploy Network Virtual Appliances in the Virtual WAN Hub. System-assigned identities are not supported.
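Review bot: deleting the [!NOTE] at old lines 49-50 removes the only statement that the extra permissions are not yet required for every NVA deployment, so the section now reads as if a user-assigned identity is always mandatory. If that is the intent, state it explicitly in the paragraph at new line 53; otherwise keep a corrected version of the note. The unchanged note at new line 56 also says "user-assigned system identities", which mixes the two identity types right before "System-assigned identities are not supported"; "user-assigned managed identities" would match the wording used at new line 53.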
@@ -99,7 +96,7 @@ The following section describes the steps needed to deploy a Network Virtual App
99
96
100
97
:::image type="content" source="./media/network-virtual-appliance-creation/network-virtual-appliance-vendor.png"alt-text="Screenshot showing how to select NVA vendor."lightbox="./media/network-virtual-appliance-creation/network-virtual-appliance-vendor.png":::
101
98
102
-
4. Follow the managed application creation experience to deploy your NVA and reference any provider documentation. Ensure that the user-assigned system identity created in the previous section is selected as part of the managed application creation workflow.
99
+
4. Follow the managed application creation experience to deploy your NVA and reference your provider's documentation. Ensure that the user-assigned system identity created in the previous section is selected as part of the managed application creation workflow.
103
100
104
101
## Common Deployment Errors
105
102
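Review bot: the added step 4 at new line 99 keeps the phrase "user-assigned system identity", which does not match "user-assigned managed identity" in the permissions section and can be misread as a system-assigned identity, which the earlier note says is unsupported. Since this line is already being edited, suggest "Ensure that the user-assigned managed identity created in the previous section is selected as part of the managed application creation workflow."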
@@ -110,8 +107,7 @@ The following section describes the steps needed to deploy a Network Virtual App
110
107
```
111
108
The client <> with object id <> has permission to perform action 'Microsoft.Network/networkVirtualAppliances/write' on scope '/subscriptions/<>/resourceGroups/mrg-<>; however, it doesn't have permission to perform action(s) 'Microsoft.Network/virtualHubs/read on the linked scope(s) '/subscriptions/<>/resourceGroups/<>/providers/Microsoft.Network/virtualHubs/<> (respectively) or the linked scope(s) are invalid."
112
109
```
113
-
114
-
110
+
115
111
## Next steps
116
112
117
113
* To learn more about Virtual WAN, see [What is Virtual WAN?](virtual-wan-about.md)
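Review bot: the sample error at new line 108, directly above the blank lines this hunk edits, has unbalanced quoting: 'Microsoft.Network/virtualHubs/read and '/subscriptions/<>/resourceGroups/mrg-<> are opened with a single quote and never closed, and the message ends with a stray double quote. Readers who search deployment logs for this string will not get an exact match, so consider pasting the message verbatim from a failed deployment or closing the quotes while this block is being touched.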