1

I have an Azure SQL Server residing in tenant A and I need to add a Virtual network rule for a subnet residing in tenant B.

For this, I have created a service principal and given it multi-tenant access. I am also able to see the SP in both tenants. The SP is given access to both the subscriptions and resources (SQL Server and VnNet) in both the tenants.

When I try to add the VNet rule using the SP credentials/login, I encounter the following error:

New-AzSqlServerVirtualNetworkRule:
The client has permission to perform action 'Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/Action'
on scope '/subscriptions/{subscription ID}/resourceGroups/{resource group name}/providers/Microsoft.Sql/servers/
{SQL Server name}/virtualNetworkRules/{rule name}',
however the current tenant 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is not authorized to access linked subscription 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.
mohabbati
Subha_26

2 Answers

1

When you encounter the following error:

New-AzSqlServerVirtualNetworkRule: The client has permission to perform action 'Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/Action' on scope '/subscriptions/{subscription ID}/resourceGroups/{resource group name}/providers/Microsoft.Sql/servers/{SQL Server name}/virtualNetworkRules/{rule name}', however the current tenant 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is not authorized to access linked subscription 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.
  • The service connection in your Azure SQL Server across Azure tenants will have access only to the virtual network in one tenant. It does not have access to the virtual network in the other tenant.
  • You can assign the Network Contributor role to that virtual network with the steps below:

Go to Azure Portal -> Resource group -> Access Control (IAM) -> Add role assignment -> Select Network Contributor -> Add


Imran
  • Access is given at VNet, Resource group and Subscription level. Tried with network contributor role, and also contributor role. Still getting the same error. – Subha_26 May 24 '22 at 07:29
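As an added example (not code from the question or from either answer), the script below does in Az PowerShell what the answer describes through the portal: it assigns the Network Contributor role on the virtual network in tenant B, verifies the assignment is actually visible at that scope, records which tenant the session is in, and only then calls New-AzSqlServerVirtualNetworkRule from tenant A. Every tenant ID, subscription ID, resource name and the `<...>` placeholders are assumptions; the role-assignment part must be run by an identity that is allowed to assign roles on that scope (Owner or User Access Administrator), which is why it is separated from the service-principal sign-in.

```powershell
# Added example, not from the original post. All IDs and names below are placeholders.

# Tenant/subscription that owns the virtual network (tenant B in the question)
$vnetTenantId  = '<tenant-b-id>'
$vnetSubId     = '<tenant-b-subscription-id>'
$vnetRg        = 'rg-network'
$vnetName      = 'vnet-shared'
$subnetName    = 'snet-sql-clients'

# Tenant/subscription that owns the Azure SQL logical server (tenant A in the question)
$sqlTenantId   = '<tenant-a-id>'
$sqlSubId      = '<tenant-a-subscription-id>'
$sqlRg         = 'rg-data'
$sqlServerName = 'sql-prod-01'
$ruleName      = 'allow-tenant-b-subnet'

# Multi-tenant service principal that will create the rule
$spAppId = '<service-principal-application-id>'

# --- Step 1: as an administrator of tenant B, grant the role on the VNet --------------
Connect-AzAccount -Tenant $vnetTenantId -Subscription $vnetSubId | Out-Null

$vnet     = Get-AzVirtualNetwork -ResourceGroupName $vnetRg -Name $vnetName
$subnetId = (Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName).Id
$sp       = Get-AzADServicePrincipal -ApplicationId $spAppId

# Check first so re-running the script does not create duplicate assignments
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $vnet.Id -RoleDefinitionName 'Network Contributor'
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Network Contributor' -Scope $vnet.Id | Out-Null
}

# --- Step 2: verify the assignment resolves at the VNet scope before going further ------
$check = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $vnet.Id -RoleDefinitionName 'Network Contributor'
if (-not $check) {
    throw "No Network Contributor assignment for $spAppId found on $($vnet.Id); stopping."
}
Write-Host "Role assignment confirmed on $($vnet.Id)"

# --- Step 3: sign in as the service principal into tenant A and create the rule ---------
$spSecret = Read-Host -Prompt 'Service principal secret' -AsSecureString
$spCred   = New-Object System.Management.Automation.PSCredential ($spAppId, $spSecret)
Connect-AzAccount -ServicePrincipal -Credential $spCred -Tenant $sqlTenantId -Subscription $sqlSubId | Out-Null

# Record the tenant the call is made from; the error in the question names a
# 'current tenant' and a 'linked subscription', and these two values are what to compare.
$ctx = Get-AzContext
Write-Host "Calling from tenant $($ctx.Tenant.Id) (subscription $($ctx.Subscription.Id))"
Write-Host "Subnet lives in subscription $vnetSubId (tenant $vnetTenantId)"

New-AzSqlServerVirtualNetworkRule -ResourceGroupName $sqlRg -ServerName $sqlServerName `
    -VirtualNetworkRuleName $ruleName -VirtualNetworkSubnetId $subnetId
```

If the cmdlet still fails with the same message after step 2 succeeds, the two values printed in step 3 give you the exact tenant and subscription pair to compare against the IDs in the error, which separates a missing role assignment from a cross-tenant authorization problem. The scope can be narrowed from `$vnet.Id` to `$subnetId` if only that subnet should ever be joinable.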
1

If I understand you correctly, you want to connect resources that reside in two separate VNETs.

Have you set up any VNET peering between the two networks (tutorial)?

FinneVirta