Must Azure NSGs be in the same resource group as NICs which attach to the subnet protected by the NS

Time:11-05

I'm having some trouble attaching a NIC (in resource group A) to a subnet belonging to a Vnet and NSG in a different resource group (say B). I have Contributor role in resource group A, but only Reader role in resource group B. Is this possible? If so, what am I doing wrong? Here's what it looks like (with UIDs shortened).

% az network nic create --resource-group A --name bastion-nic --vnet-name VN-B --subnet SubnetB

(InvalidResourceReference) Resource /subscriptions/40ef-b75f-c05a034bf2ff/resourceGroups/A/providers/Microsoft.Network/virtualNetworks/VN-B/subnets/SubnetB referenced by resource /subscriptions/b75f-c05a034bf2ff/resourceGroups/A/providers/Microsoft.Network/networkInterfaces/bastion-nic was not found. Please make sure that the referenced resource exists, and that both resources are in the same region. Code: InvalidResourceReference

CodePudding user response:

I tested the same scenario in my environment.

Scenario: I created a user and 2 resource groups, i.e. contributorTest with Contributor access for the user and readerTest with Reader access for the user.

If I use the command you are using then it gives me the same error message as you. To describe the issue: when you are using vnet-name, the command thinks that the vnet is also present in the same resource group which has been mentioned in the command.

az network nic create --resource-group contributorTest --name bastion-nic --vnet-name ansumantest-vnet --subnet default 

So, for example, in the above command the resource group is contributorTest and we have just provided the vnet name and subnet name, which it thinks are present in the same group. So it throws the error as below:

(screenshot of the error message)

As a solution you can use the below command to create the NIC if the VNet is in a different resource group:

az network nic create --resource-group contributorTest --name bastion-nic --subnet /subscriptions/subID/resourceGroups/readerTest/providers/Microsoft.Network/virtualNetworks/ansumantest-vnet/subnets/default

In the above command, we are not providing the vnet name & subnet name; as an alternative we have provided the resource ID of the subnet.

Note: The above solution should work only if you have Contributor access on both resource groups; in your case you will be getting the below error:

(screenshot of the error message)

To describe the issue here: while you are creating a NIC, it requires joining that NIC to the subnet which you have specified, but as you have Reader access only on the VNET resource group it doesn't allow you to join the NIC and subnet.

So, the final solution can be:

  • Either have the VNET and subnet in the same resource group you are creating the NIC in, have Contributor access on it, and use the command you are using.
  • Grant Contributor access to the user for the second resource group and use the second command that I have mentioned as a solution.

Output of the second command after providing Contributor access for both resource groups:

(screenshot of the command output)
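As an added example (not part of the answer above, and not the asker's environment), the script below puts the two points of the answer into a runnable POSIX shell form: it builds the full subnet resource ID so `az network nic create --subnet` does not assume the VNet lives in the NIC's resource group, and, instead of granting Contributor on the whole VNet resource group, it defines a custom role carrying only the `Microsoft.Network/virtualNetworks/read`, `subnets/read` and `subnets/join/action` RBAC actions (real Azure actions) scoped to that group. The subscription id, the user principal, the role name "Subnet Joiner (example)" and the file name are placeholders I made up; resource group names A and B, VNet VN-B and subnet SubnetB are taken from the question. With the default `DRY_RUN=1` the script only prints the `az` commands it would run, so it works without an Azure login.

```shell
#!/bin/sh
# Added example (not from the answer above). Placeholder values below are
# constructed; replace them before use. DRY_RUN=1 (default) prints the az
# commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"

# Build the ARM resource ID of a subnet. Passing this ID to
# `az network nic create --subnet` avoids the same-resource-group assumption
# that `--vnet-name` makes.
subnet_id() {
  # $1 subscription id, $2 VNet resource group, $3 VNet name, $4 subnet name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s' \
    "$1" "$2" "$3" "$4"
}

# Emit a custom role definition (JSON) with only the actions needed to join a
# NIC to a subnet, assignable at the VNet's resource group. This is the
# least-privilege alternative to granting Contributor on that group.
join_role_json() {
  # $1 subscription id, $2 VNet resource group
  cat <<EOF
{
  "Name": "Subnet Joiner (example)",
  "Description": "Join NICs to subnets without broader write access",
  "Actions": [
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$1/resourceGroups/$2" ]
}
EOF
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '[dry-run] %s\n' "$*"
  else
    "$@"
  fi
}

# --- placeholder values (constructed, not real) ---
SUB="00000000-0000-0000-0000-000000000000"   # hypothetical subscription id
NIC_RG="A"                                   # NIC's group (Contributor here)
VNET_RG="B"                                  # VNet/NSG group (Reader here)
VNET="VN-B"
SUBNET="SubnetB"
USER_ID="user@example.com"                   # hypothetical principal
ROLE_FILE="subnet-joiner-role.json"

SUBNET_ID="$(subnet_id "$SUB" "$VNET_RG" "$VNET" "$SUBNET")"

# 1. Create the custom role and assign it to the user at the VNet group scope.
if [ "$DRY_RUN" != "1" ]; then
  join_role_json "$SUB" "$VNET_RG" > "$ROLE_FILE"
fi
run az role definition create --role-definition "@$ROLE_FILE"
run az role assignment create --assignee "$USER_ID" \
  --role "Subnet Joiner (example)" \
  --scope "/subscriptions/$SUB/resourceGroups/$VNET_RG"

# 2. Create the NIC in group A, referencing the subnet in group B by full ID.
run az network nic create --resource-group "$NIC_RG" --name bastion-nic \
  --subnet "$SUBNET_ID"
```

Run it once with `DRY_RUN=1` to review the exact commands, then with `DRY_RUN=0` after `az login` as someone who can create role definitions and assignments (Owner or User Access Administrator on the VNet's resource group). The role assignment is scoped to the VNet's resource group only, so the user still cannot modify the VNet or NSG there; the join action is what the NIC creation needs and what Reader lacks.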
