Overview
In this guide, you will learn how to deploy a virtual network in a managed tenant (Tenant B) that draws from an Azure Virtual Network Manager (AVNM) IP Address Management (IPAM) pool maintained in a management tenant (Tenant A). This process demonstrates how a parent organization can centrally manage IP address allocations across multiple child organizations that exist in different Azure tenants.
Key Concepts:
- Azure Tenants and Entra ID: Each Azure subscription trusts exactly one Microsoft Entra ID tenant. Entra ID provides identity and authentication, while Azure RBAC handles authorization to resources through Azure Resource Manager (ARM).
- AVNM IPAM Pools: In AVNM, “pools” are collections of IP CIDR blocks. Pools can have hierarchical relationships (parent and child pools), allowing large IP ranges to be divided into smaller segments for virtual networks or external resources.
- Multi-Tenant Service Principals: A service principal is a non-human identity used for non-interactive authentication. To manage resources across tenants programmatically, the application is registered as multi-tenant in its home tenant, and a service principal (enterprise application) for the same application ID is instantiated in the other tenant, which then assigns Azure RBAC roles to that local service principal.
Tutorial 1: Using the Azure Portal to Deploy Cross-Tenant IPAM
Architectural Overview
The cross-tenant deployment scenario presented below will illustrate how a user within the central management tenant can associate a virtual network in a target managed tenant with an IPAM pool in the central management tenant.
- Central Management Tenant (Tenant A):
- Hosts the Azure Virtual Network Manager instance.
- Contains the authoritative IPAM pools.
- Target Managed Tenant (Tenant B):
- Hosts the resources (for example, a virtual network) that consume the IPAM pools from Tenant A.
Prerequisites
- Azure Virtual Network Manager is created in the central management tenant (Tenant A).
Make sure you have an AVNM deployed in Tenant A and have created your IPAM pools as needed.
- AVNM has established a cross-tenant connection to Tenant B. See the Azure Virtual Network Manager documentation on adding a remote tenant scope for central network management across tenants and subscriptions.
- Permissions:
- You must hold the IPAM Pool User built-in role on the relevant pool (or a parent scope) in Tenant A, the management tenant.
- You must hold the Network Contributor role at an appropriate scope in the managed tenant (Tenant B), for instance at the subscription level or on the specific virtual network or resource group where you plan to associate the IPAM pool.
Portal Steps
1. Create an IPAM Allocation in the Central Management Tenant
- In the Azure Portal, navigate to Azure Virtual Network Manager under Tenant A.
- Locate your IPAM pool where you want to create a new allocation.
- Create an allocation by associating a resource. During this process, you can specify that the resource to be associated lives in a different (foreign) tenant.
2. Select the Foreign Tenant to be Managed
- When prompted to associate a resource from another tenant, select or enter the tenant ID of Tenant B in the Tenant filter.
3. Authenticate to the Other Tenant
- The portal will prompt you to sign in with credentials that have appropriate permissions in Tenant B.
- Once authenticated, you can proceed to select which VNet (or other network resources) in Tenant B you wish to associate with the IPAM pool in Tenant A.
4. Select the Resource to Manage
- In the portal workflow, choose the Tenant B subscription and the target resource (for example, a VNet or the resource group in which a new VNet will reside).
- Confirm that you have sufficient role-based access (e.g., Network Contributor) at the subscription or resource level in Tenant B.
5. Verify Cross-Tenant Association
- After you complete the association steps, the cross-tenant resource should appear under the list of resources associated with your IPAM pool in Tenant A.
- You can also switch to Tenant B’s portal view and verify that the VNet recognizes an allocated prefix from the IPAM pool in Tenant A.
6. Remove Association (if needed)
- To remove an association, you must again authenticate to the other tenant (Tenant B) in the Azure Portal.
- From the IPAM pool allocation details in Tenant A, remove the association to the foreign resource.
- The resource in Tenant B will lose its assigned prefix from the AVNM IPAM pool.
Tutorial 2: Detailed Implementation Steps with Non-Portal Methods (CLI and REST)
Architectural Overview
The cross-tenant deployment scenario involves the following primary components:
- Central Management Tenant (Tenant A):
- Hosts the AVNM instance.
- Contains the authoritative IPAM pools.
- Receives the stub service principal representing the managed tenant’s service principal.
- Provides Azure RBAC role assignments for IPAM operations.
- Target Managed Tenant (Tenant B):
- Hosts the resources (for example, a virtual network) that consume the IPAM pools from Tenant A.
- Contains the original multi-tenant service principal used to authenticate the deployment.
The architecture requires the following sequence:
- Step 1: Create an AVNM instance in Tenant A.
- Step 2: Configure the cross-tenant AVNM feature in both tenants.
- Step 3: Create or update a service principal in Tenant B to be multi-tenant.
- Step 4: Provision a stub service principal in Tenant A using the same application ID.
- Step 5: Grant the stub service principal the IPAM Pool User role via Azure RBAC in Tenant A.
- Step 6: Deploy a virtual network in Tenant B that references an IPAM pool in Tenant A.
1. Configure the Multi-Tenant Service Principal
a. Update the Service Principal in Tenant B to Support Multi-Tenancy
Log in to Tenant B and change the application registration's signInAudience from single-tenant (AzureADMyOrg) to multi-tenant (AzureADMultipleOrgs). The setting lives on the application object, so the command targets the app, not the service principal:

```bash
az login --tenant <TENANTB_ID>
# Allow the application to be instantiated in other tenants
az ad app update --id "your-app-id" --set signInAudience=AzureADMultipleOrgs
```

Note: The appId (application/client ID) is the identifier shared across tenants; the service principal object IDs differ per tenant. Making the app multi-tenant lets any tenant create a service principal for it, but that service principal has no rights anywhere until that tenant assigns them. The app's credentials (the client secret or certificate held in Tenant B) now authenticate against Tenant A as well, so guard them accordingly.
b. Provision a Stub Service Principal in Tenant A
After updating the application in Tenant B, log in to Tenant A and create a stub service principal for the same appId:

```bash
az login --tenant <TENANTA_ID>
# Instantiate the multi-tenant application in Tenant A (creates the enterprise application)
az ad sp create --id "your-app-id"
```

The stub service principal is Tenant A's local representation of the managed tenant's application; it has its own object ID in Tenant A and is the principal you assign roles to. The identity running az ad sp create must be permitted to create service principals in Tenant A (for example, through the Application Administrator or Cloud Application Administrator directory role). Then grant the stub the IPAM Pool User role through Azure RBAC. Scope the assignment to the specific pool (or parent pool) it should allocate from rather than to the whole network manager or subscription, so that a compromised secret in Tenant B cannot reach anything else in Tenant A.

Administrative consent is not required in this scenario: the service principal requests no Microsoft Graph or other API permissions and acts solely with its directly assigned Azure RBAC roles against the ARM API.
2. Deploy the Virtual Network in Tenant B
After configuring the multi-tenant service principals and role assignments, proceed to deploy a virtual network in Tenant B that references an IPAM pool from Tenant A. There are several approaches to achieve this; below are two methods that were explored:
a. Using Terraform
- AzureRM Provider: The current version of the AzureRM provider (e.g., 4.21.1) does not yet support the ipamPoolPrefixAllocations property required for this deployment.
- AzApi Provider: Although the AzApi provider provides a light overlay on the ARM REST API, there have been known issues with the handling of auxiliary tenant authentication (via the x-ms-authorization-auxiliary header).
If you choose to use Terraform, you may need to monitor updates to the providers that support cross-tenant IPAM functionality.
b. Using Direct REST API Calls via the Azure CLI
When Terraform support is limited, you can directly call the ARM API using the az rest command. This requires obtaining access tokens for both tenants and including the auxiliary token in your API request.
Steps
1. Authenticate to Both Tenants:
Log in to both Tenant B (for the deployment itself) and Tenant A (to obtain the auxiliary token), then make the Tenant B subscription the active context. The most recent az login becomes the default account, so without this step az rest would send a Tenant A token as the primary credential:

```bash
az login --service-principal --username "your-app-id" --password "$CLIENT_SECRET" --tenant "<TENANTB_ID>"
az login --service-principal --username "your-app-id" --password "$CLIENT_SECRET" --tenant "<TENANTA_ID>"
# The primary token must come from Tenant B, where the virtual network lives
az account set --subscription "<SUBSCRIPTION_ID>"
```

Read the client secret from an environment variable, or pass a certificate file to --password, rather than typing the secret literally; a literal ends up in shell history. If az reports no subscriptions for Tenant A (for example, before the role assignment on the pool exists), add --allow-no-subscriptions to the second login.
2. Obtain an Access Token from Tenant A:
Retrieve the access token for Tenant A to be used as the auxiliary token:
```bash
auxiliaryToken=$(az account get-access-token \
  --resource=https://management.azure.com/ \
  --tenant "<TENANTA_ID>" \
  --query accessToken -o tsv)
```
3. Deploy the Virtual Network via the ARM REST API:
Execute the REST call with the x-ms-authorization-auxiliary header carrying the Tenant A token. The primary Authorization header is added by az rest from the active (Tenant B) account. Use an API version that defines ipamPoolPrefixAllocations; the IPAM property is newer than the 2022-07-01 version of the virtualNetworks API, and 2024-01-01 or later includes it:

```bash
az rest --method put \
  --uri "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Network/virtualNetworks/<VNET_NAME>?api-version=2024-01-01" \
  --headers "x-ms-authorization-auxiliary=Bearer ${auxiliaryToken}" \
  --body '{
    "location": "centralus",
    "properties": {
      "addressSpace": {
        "ipamPoolPrefixAllocations": [
          {
            "numberOfIpAddresses": "100",
            "pool": {
              "id": "/subscriptions/<MANAGEMENT_SUBSCRIPTION_ID>/resourceGroups/<MANAGEMENT_RG>/providers/Microsoft.Network/networkManagers/<NETWORK_MANAGER_NAME>/ipamPools/<POOL_NAME>"
            }
          }
        ]
      }
    }
  }'
```

A successful PUT returns 201 Created for a new virtual network (200 OK when updating an existing one), and the response body lists the prefix carved from the pool under addressSpace.ipamPoolPrefixAllocations; the virtual network now exists in Tenant B and is associated with the IPAM pool in Tenant A. A 403 usually means the auxiliary header is missing, the auxiliary token was issued by the wrong tenant, or the stub service principal lacks IPAM Pool User on that pool.
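The same two-token request as the az rest call above, written out as an added example that is not part of the original guide or of any Microsoft tooling. It uses only the Python standard library so the handshake is explicit: a client-credentials token from each tenant's v2.0 token endpoint with the https://management.azure.com/.default scope, the Tenant B token in Authorization, the Tenant A token in x-ms-authorization-auxiliary, and then a check that the returned virtual network actually lists a prefix from the expected pool (the "Verify Cross-Tenant Association" step). The API version 2024-01-01, the placeholder IDs and SAMPLE_VNET_RESPONSE are assumptions and constructed data, not captured from a live tenant.

```python
"""Cross-tenant VNet deployment against an AVNM IPAM pool over the ARM REST API.

Added example, not code from the original guide. Placeholder IDs and the sample
ARM response below are constructed for illustration.
"""
import json
import os
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"
# Assumption: a virtualNetworks API version that defines ipamPoolPrefixAllocations
API_VERSION = "2024-01-01"


def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials token for the ARM audience, issued by the given tenant.

    The same multi-tenant app (client_id/secret) is used against both tenants:
    Tenant B issues the primary token, Tenant A the auxiliary one for the stub SP.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{ARM}/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]


def build_headers(primary_token: str, auxiliary_token: str) -> dict:
    """Primary token authorizes the VNet write in Tenant B; the auxiliary token
    proves IPAM Pool User rights in Tenant A on the same request."""
    return {
        "Authorization": f"Bearer {primary_token}",
        "x-ms-authorization-auxiliary": f"Bearer {auxiliary_token}",
        "Content-Type": "application/json",
    }


def build_vnet_body(location: str, pool_id: str, number_of_ips: int) -> dict:
    """Request body: no static addressPrefixes, the prefix is allocated from the pool."""
    return {
        "location": location,
        "properties": {
            "addressSpace": {
                "ipamPoolPrefixAllocations": [
                    {"numberOfIpAddresses": str(number_of_ips), "pool": {"id": pool_id}}
                ]
            }
        },
    }


def vnet_url(subscription_id: str, resource_group: str, vnet_name: str) -> str:
    return (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Network/virtualNetworks/{vnet_name}?api-version={API_VERSION}")


def deploy_vnet(url: str, headers: dict, body: dict) -> tuple:
    """PUT the VNet. ARM answers 201 on create and 200 on update of an existing VNet."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="PUT")
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.load(resp)


def allocated_prefixes(vnet: dict, pool_id: str) -> list:
    """Post-deployment check: prefixes actually carved from the expected pool.

    Returns [] if the VNet references a different pool or has no allocation yet,
    so a caller can fail closed instead of assuming the association worked.
    """
    space = vnet.get("properties", {}).get("addressSpace", {})
    prefixes = []
    for alloc in space.get("ipamPoolPrefixAllocations", []):
        if alloc.get("pool", {}).get("id", "").lower() == pool_id.lower():
            prefixes.extend(alloc.get("allocatedAddressPrefixes", []))
    return prefixes


# Constructed sample of what ARM returns for an associated VNet (not a live capture).
SAMPLE_POOL_ID = ("/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/mgmt-rg"
                  "/providers/Microsoft.Network/networkManagers/avnm-a/ipamPools/pool-a")
SAMPLE_VNET_RESPONSE = {
    "name": "vnet-b",
    "properties": {
        "provisioningState": "Succeeded",
        "addressSpace": {
            "addressPrefixes": ["10.0.1.0/25"],
            "ipamPoolPrefixAllocations": [{
                "numberOfIpAddresses": "100",
                "pool": {"id": SAMPLE_POOL_ID},
                "allocatedAddressPrefixes": ["10.0.1.0/25"],
            }],
        },
    },
}

if __name__ == "__main__":
    # Live run: export TENANT_A_ID, TENANT_B_ID, APP_ID, CLIENT_SECRET, SUBSCRIPTION_ID,
    # RESOURCE_GROUP, VNET_NAME and POOL_ID; the secret never goes on the command line.
    env = os.environ
    primary = get_token(env["TENANT_B_ID"], env["APP_ID"], env["CLIENT_SECRET"])
    auxiliary = get_token(env["TENANT_A_ID"], env["APP_ID"], env["CLIENT_SECRET"])
    url = vnet_url(env["SUBSCRIPTION_ID"], env["RESOURCE_GROUP"], env["VNET_NAME"])
    status, vnet = deploy_vnet(url, build_headers(primary, auxiliary),
                               build_vnet_body("centralus", env["POOL_ID"], 100))
    print(status, allocated_prefixes(vnet, env["POOL_ID"]))
```

The network calls run only under the __main__ guard; the body, header and verification helpers are pure, so the shape of the request can be checked before any credential is spent. allocated_prefixes returning an empty list after a 200/201 is the signal that the VNet was written but the pool association did not take, which is exactly the case a script should refuse to treat as success.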
Summary and Key Points
To deploy resources across multiple Azure tenants using AVNM IPAM, follow these summarized steps:
- Create a Multi-Tenant Service Principal
- Update your service principal in the managed tenant (Tenant B) to be multi-tenant.
- Provision a Stub Service Principal in the Management Tenant (Tenant A)
- Create the stub using the same application ID.
- Assign Appropriate Permissions
- Grant the stub service principal the IPAM Pool User role via Azure RBAC in Tenant A.
- Deploy the Resource
- Portal Approach: Use the Azure Portal steps to create an allocation in your IPAM pool, authenticate to the managed tenant, and associate the VNet.
- CLI/REST Approach: Obtain access tokens from both tenants and use the x-ms-authorization-auxiliary header in your REST API call (or alternative deployment method) to successfully create resources referencing cross-tenant IPAM pools.
By following these instructions—either using the Azure Portal or using CLI/REST—you can centralize IP addressing and streamline cross-tenant network deployments with Azure Virtual Network Manager IPAM.
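The CLI/REST approach summarized above fails with an opaque 403 when the primary and auxiliary tokens are swapped, when one of them was minted for a different audience (for example Microsoft Graph), or when a token has expired. This added pre-flight check, which is not from the original guide, decodes the JWT payload of both tokens without verifying signatures (ARM does that on receipt) and confirms that each was issued by the tenant it must represent, carries the ARM audience, belongs to the expected application and is still valid. The tokens it exercises are constructed locally with make_fake_token, and the tenant and application IDs are placeholders.

```python
"""Pre-flight inspection of the primary and auxiliary tokens for a cross-tenant ARM call.

Added example, not code from the original guide. Claims are read, not verified;
the constructed tokens below are unsigned and would never be accepted by ARM.
"""
import base64
import json
import time
from typing import Optional

# ARM audiences seen in Entra ID access tokens (v1 tokens from az CLI may carry the legacy value)
ARM_AUDIENCES = {"https://management.azure.com", "https://management.core.windows.net"}


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_problems(token: str, expected_tenant: str, expected_app: str,
                   now: Optional[float] = None) -> list:
    """List the reasons a token is unusable in its role; an empty list means it is fine."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("tid", "").lower() != expected_tenant.lower():
        problems.append(f"issued by tenant {claims.get('tid')}, expected {expected_tenant}")
    if str(claims.get("aud", "")).rstrip("/") not in ARM_AUDIENCES:
        problems.append(f"audience {claims.get('aud')!r} is not Azure Resource Manager")
    app = claims.get("appid") or claims.get("azp")  # v1 tokens carry appid, v2 tokens azp
    if app != expected_app:
        problems.append(f"app {app} is not the expected application {expected_app}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def check_token_pair(primary: str, auxiliary: str, tenant_b: str, tenant_a: str,
                     app_id: str, now: Optional[float] = None) -> dict:
    """Primary must come from Tenant B (owns the VNet), auxiliary from Tenant A (owns the pool)."""
    return {
        "primary": token_problems(primary, tenant_b, app_id, now),
        "auxiliary": token_problems(auxiliary, tenant_a, app_id, now),
    }


def make_fake_token(claims: dict) -> str:
    """Constructed, unsigned JWT for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.unsigned"


# Placeholder identifiers and a fixed clock so the demonstration is deterministic
TENANT_A = "aaaaaaaa-0000-0000-0000-000000000001"
TENANT_B = "bbbbbbbb-0000-0000-0000-000000000002"
APP_ID = "cccccccc-0000-0000-0000-000000000003"
NOW = 1_700_000_000
PRIMARY = make_fake_token({"tid": TENANT_B, "aud": "https://management.azure.com/",
                           "appid": APP_ID, "exp": NOW + 3600})
AUXILIARY = make_fake_token({"tid": TENANT_A, "aud": "https://management.azure.com/",
                             "appid": APP_ID, "exp": NOW + 3600})

if __name__ == "__main__":
    print("correct pair:", check_token_pair(PRIMARY, AUXILIARY, TENANT_B, TENANT_A, APP_ID, NOW))
    print("swapped pair:", check_token_pair(AUXILIARY, PRIMARY, TENANT_B, TENANT_A, APP_ID, NOW))
```

With real tokens, pass the values returned by az account get-access-token (or by the token endpoint) and the tenant IDs from the procedure; any non-empty list names the tenant, audience or app mismatch before the request is sent, which is far quicker to act on than an ARM 403.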