Cross-tenant support for Azure Load Balancer #28871

Description

@mahipdeora

Describe the bug

Azure Load Balancer supports cross-subscription load balancing, with either the frontend IP address or the backend VNet residing in different subscriptions. However, CLI only supports cross-subscription load balancing within a single Microsoft Tenant. Cross-Tenant linkage is supported on Load Balancer through ARM/REST API, and we would like to extend support to CLI.

Cross-tenant support should be enabled not only for LB creates but also for any LB updates (probes, rules, etc.).

Cross-tenant deployments need to include x-ms-authorization-auxiliary tokens in the header of the payload.

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/authenticate-multi-tenant

Related command

az network lb

Errors

(LinkedAuthorizationFailed) The client has permission to perform action 'Microsoft.Network/loadBalancers/backendAddressPools/join/action' on scope '/subscriptions/8ffb2cba-9d0c-4f5b-9465-24c6fd9954b1/resourceGroups/mahip3/providers/Microsoft.Network/networkInterfaces/test428_z1', however the current tenant 'ca4b3f71-9173-47df-baff-8538b81446b5' is not authorized to access linked subscription '6bb4a28a-db84-4e8a-b1dc-fabf7bd9f0b2'.
Code: LinkedAuthorizationFailed
Message: The client has permission to perform action 'Microsoft.Network/loadBalancers/backendAddressPools/join/action' on scope '/subscriptions/8ffb2cba-9d0c-4f5b-9465-24c6fd9954b1/resourceGroups/mahip3/providers/Microsoft.Network/networkInterfaces/test428_z1', however the current tenant 'ca4b3f71-9173-47df-baff-8538b81446b5' is not authorized to access linked subscription '6bb4a28a-db84-4e8a-b1dc-fabf7bd9f0b2'.

Issue script & Debug output

NA

Expected behavior

Cross-tenant deployments are supported on CLI

Environment Summary

azure-cli 2.40.0 *

core 2.40.0 *
telemetry 1.0.8 *

Dependencies:
msal 1.20.0b1
azure-mgmt-resource 21.1.0b1

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\mahipdeora.azure\cliextensions'

Python (Windows) 3.10.5 (tags/v3.10.5:f377153, Jun 6 2022, 15:58:59) [MSC v.1929 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal

Additional context

Please reach out to me on Teams with any questions.
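An added example, not part of the original issue and not Azure CLI code: it parses the LinkedAuthorizationFailed message quoted above to find which linked subscription needs an auxiliary token, builds the `x-ms-authorization-auxiliary` header described in the linked ARM documentation, and redacts both token headers for debug logs. The function names and token strings are hypothetical; acquiring the tokens themselves is assumed to happen elsewhere.

```python
import re

MAX_AUX_TOKENS = 3  # the ARM auxiliary header holds at most three tokens

# Matches the LinkedAuthorizationFailed message format quoted in the issue.
_LINKED_RE = re.compile(
    r"perform action '(?P<action>[^']+)' on scope '(?P<scope>[^']+)', however "
    r"the current tenant '(?P<tenant>[^']+)' is not authorized to access "
    r"linked subscription '(?P<linked_subscription>[^']+)'"
)

# Error text copied from the issue above.
ERROR = (
    "(LinkedAuthorizationFailed) The client has permission to perform action "
    "'Microsoft.Network/loadBalancers/backendAddressPools/join/action' on scope "
    "'/subscriptions/8ffb2cba-9d0c-4f5b-9465-24c6fd9954b1/resourceGroups/mahip3"
    "/providers/Microsoft.Network/networkInterfaces/test428_z1', however the "
    "current tenant 'ca4b3f71-9173-47df-baff-8538b81446b5' is not authorized to "
    "access linked subscription '6bb4a28a-db84-4e8a-b1dc-fabf7bd9f0b2'."
)

def parse_linked_auth_failure(message):
    """Return action, scope, tenant and linked subscription, or None."""
    m = _LINKED_RE.search(message)
    return m.groupdict() if m else None

def build_arm_headers(primary_token, aux_tokens):
    """Build ARM request headers with one token per additional tenant."""
    aux = [t for t in aux_tokens if t]
    if not primary_token or not aux:
        raise ValueError("a primary token and at least one auxiliary token are required")
    if len(aux) > MAX_AUX_TOKENS:
        raise ValueError("at most %d auxiliary tokens are allowed" % MAX_AUX_TOKENS)
    return {
        "Authorization": "Bearer " + primary_token,
        "x-ms-authorization-auxiliary": ", ".join("Bearer " + t for t in aux),
    }

def redact(headers):
    """Copy of headers safe for debug logs: both headers carry bearer tokens."""
    secret = {"authorization", "x-ms-authorization-auxiliary"}
    return {k: ("<redacted>" if k.lower() in secret else v) for k, v in headers.items()}

if __name__ == "__main__":
    info = parse_linked_auth_failure(ERROR)
    print("auxiliary token needed for subscription", info["linked_subscription"])
    # Constructed placeholder tokens, not real credentials.
    print(redact(build_arm_headers("PRIMARY_TOKEN", ["AUX_TOKEN"])))
```

The error names the linked subscription but not its tenant, so the caller still has to know which tenant owns that subscription before requesting the auxiliary token.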

Labels

Auto-Assign: Auto assign by bot
Auto-Resolve: Auto resolve by bot
Azure CLI Team: The command of the issue is owned by Azure CLI team
Network: az network vnet/lb/nic/dns/etc...
act-quality-productivity-squad
question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that
