Cross-Tenant Secure Integration of Azure Resources Based on Logic App Standard and Virtual WAN
In today's interconnected world, enterprise-level systems often need to integrate resources across different Azure tenants securely. This blog will explore how to achieve cross-tenant secure integration of Azure resources using Logic App Standard and Azure Virtual WAN.
Introduction
Cross-tenant integration is essential for organizations that operate in multiple Azure tenants or need to collaborate with partners and customers. By leveraging Azure Logic Apps and Virtual WAN, you can create secure, scalable, and efficient integrations across tenant boundaries.
Why Cross-Tenant Integration?
Cross-tenant integration allows organizations to:
- Collaborate with partners and customers securely over Azure private networking
- Centralize management and monitoring of resources
- Enhance security by using role-based access control (RBAC) and cross-tenant access settings in Microsoft Entra ID
Architecture Overview
In this article, we'll demonstrate a private integration that moves a file from the provider-tenant storage account to the consumer-tenant storage account as an example.
The architecture for cross-tenant integration involves several key components:
- Azure Logic App Standard: A PaaS service that provides automated workflows which can integrate services across tenants. Its VNet integration networking feature and in-app (built-in) connectors keep the traffic secure and on the private network.
- Virtual WAN: Provides a unified and secure network architecture. You can connect cross-tenant VNets to a Virtual WAN hub.
- Private Endpoints: This network interface connects you privately and securely to a service that's powered by Azure Private Link. By enabling a private endpoint, you're bringing the service (such as the storage account) into your virtual network.
Setting Up Cross-Tenant Integration
Step 1: Configure Virtual WAN
Please set up a Virtual WAN in the provider tenant. Specifically, we need to create a virtual hub and build the V-net connection to the provider tenant's virtual network:
Please refer to the document for more details: https://learn.microsoft.com/en-us/training/modules/design-implement-hybrid-networking/6-connect-remote-resources-by-using-azure-virtual-wans
Step 2: Allow Tenant Access
Let's allow cross-tenant access to resources from the consumer tenant's Entra ID settings. This eliminates the need to manage credentials and enhances security.
Please follow this configuration in the consumer tenant:
1. Microsoft Entra ID -> Manage -> External Identities -> Cross-tenant access settings -> Organizational settings -> Add organization, then add the provider tenant ID as below:
2. Configure the inbound access and outbound access to allow B2B direct connect as below:
Step 3: Implement RBAC
In the subscription of the virtual network in the consumer tenant, add the Contributor role assignment to the administrator (the user who administers the provider tenant's virtual hub). Contributor permissions will enable the administrator to modify and access the virtual networks in the consumer tenant.
You can use either Azure CLI or the Azure portal to assign this role. See the following articles for steps:
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-cli
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
Step 4: Connect the consumer-tenant's V-Net to the provider-tenant's hub
In the following steps, you'll use commands to switch between the contexts of the two subscriptions as you link the consumer's virtual network to the provider's virtual WAN hub.
Replace the example values to reflect your own environment.
(We use Azure CLI commands as the example, so please install the Azure CLI on your local machine: https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-windows?tabs=azure-cli. In our tests we found some bugs when running these commands from Azure Cloud Shell.)
1. Run the following command to add the remote tenant subscription and the parent tenant subscription to the current console session. If you're already signed in to the parent, you only need to run the command for the remote tenant:
az login --tenant "[tenant ID]"
2. Verify that the role assignment is successful. Sign in to the Azure CLI (if you haven't already) with the parent credentials and run the following command:
az account list -o table
If the permissions have successfully propagated to the parent and have been added to the session, the subscriptions owned by both the parent and the remote tenant will appear in the output of the command.
3. Make sure you're in the context of your virtual hub account:
az account set --subscription "[virtual hub subscription]"
4. Connect the virtual network to the hub:
(This uses my personal environment as an example; please replace the details with your own values.)
az network vhub connection create --resource-group "SerenaGroup" --name "test1225" --vhub-name "SerenaVirtualHub" --remote-vnet "/subscriptions/8ce89da3-601d-4349-9c84-c374bcfbf3ed/resourceGroups/NetworkingDirection/providers/Microsoft.Network/virtualNetworks/Cross-Tenant-Network"
A successful build should be as below:
From the provider-tenant virtual WAN side:
From the consumer-tenant V-NET side:
5. Check whether the routes from this connection have been propagated successfully across both tenants:
Provider-tenant V-Net range: 10.0.0.0/16
Provider-tenant V-Net range: 172.0.0.0/16
Consumer-tenant V-Net range: 192.168.0.0/16
We can check the effective routes on the Azure VM hosted in the consumer-tenant's V-net:
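Steps 1 to 4 above can be scripted with the preflight checks the post describes (both subscriptions visible to the signed-in identity, Contributor held on the consumer VNet) and a confirmation that the hub connection reached the Succeeded state. This is an added example, not part of the original post; the subscription IDs, resource-group, hub and VNet names are constructed placeholders, and it assumes an Azure CLI that is already logged in to both tenants.

```shell
#!/bin/sh
# Added example (not from the original post): Step 4 linkage with preflight
# checks and a post-create verification. All IDs and names are placeholders.
set -eu

# Build the consumer VNet resource ID that --remote-vnet expects.
vnet_id() {  # vnet_id SUBSCRIPTION_ID RESOURCE_GROUP VNET_NAME
  echo "/subscriptions/$1/resourceGroups/$2/providers/Microsoft.Network/virtualNetworks/$3"
}

# Fail unless the subscription is visible to the signed-in identity
# (Step 4.2: the remote subscription only appears once the role propagated).
require_subscription_visible() {  # SUBSCRIPTION_ID
  [ -n "$(az account list --query "[?id=='$1'].id" -o tsv)" ] \
    || { echo "subscription $1 not visible; re-run az login --tenant" >&2; exit 1; }
}

# Fail unless the signed-in user holds Contributor at (or above) the VNet scope (Step 3).
require_contributor_on() {  # SCOPE
  me=$(az ad signed-in-user show --query id -o tsv)
  [ -n "$(az role assignment list --assignee "$me" --scope "$1" --role Contributor \
          --include-inherited --query "[].id" -o tsv)" ] \
    || { echo "no Contributor assignment on $1 for $me" >&2; exit 1; }
}

# Create the hub connection and confirm provisioningState is Succeeded.
connect_vnet_to_hub() {  # HUB_SUB HUB_RG HUB_NAME CONN_NAME REMOTE_VNET_ID
  az account set --subscription "$1"
  az network vhub connection create --resource-group "$2" --vhub-name "$3" \
    --name "$4" --remote-vnet "$5" -o none
  state=$(az network vhub connection show --resource-group "$2" --vhub-name "$3" \
    --name "$4" --query provisioningState -o tsv)
  [ "$state" = Succeeded ] || { echo "connection state: $state" >&2; exit 1; }
}

# Wiring with placeholder values; set RUN_LINK=1 to execute against Azure.
if [ "${RUN_LINK:-0}" = 1 ]; then
  CONSUMER_SUB="00000000-0000-0000-0000-000000000001"   # placeholder
  REMOTE_VNET=$(vnet_id "$CONSUMER_SUB" "consumer-rg" "Cross-Tenant-Network")
  require_subscription_visible "$CONSUMER_SUB"
  require_contributor_on "$REMOTE_VNET"
  connect_vnet_to_hub "00000000-0000-0000-0000-000000000002" "provider-rg" \
    "provider-hub" "consumer-vnet-link" "$REMOTE_VNET"
fi
```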
Step 5: Connect Both Storage Accounts into Virtual Networks by Private Endpoints
In this use case, we enabled private endpoints for the storage accounts' blob service in both the provider and the consumer tenant. Specifically, each PE is integrated with a Private DNS zone that ensures correct DNS resolution.
For more details, please refer to https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal?tabs=dynamic-ip
Step 6: Add the DNS record for consumer-tenant's PE from the provider-tenant's private DNS zone:
Since a private DNS zone's virtual network link can't be added to an Azure virtual WAN or virtual network in another tenant, it's suggested to manually add the DNS record for the consumer-tenant's PE to the provider's private DNS zone, or to configure custom DNS.
Step 7: Create the Logic App and enable V-Net integration
1. Start by creating a Logic App Standard in the provider tenant and integrate it with the provider-tenant's V-NET:
2. Try to resolve the consumer-tenant's blob PE from the logic app's Kudu site. Please ensure the PE resolves to the correct private IP:
3. Use the built-in blob connector, which runs inside the logic app's runtime. This logic app moves the blob file from the provider-tenant's storage to the consumer-tenant's storage over the private network:
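The resolution check in item 2 (and the manual DNS record from Step 6) can be made explicit: a blob PE name must resolve into the consumer's private range, not into the provider's ranges (wrong record) and not to a public address (DNS fell back to the public blob endpoint, so traffic would leave the private network). This is an added example, not part of the original post; it uses the address ranges quoted in Step 4 and a POSIX shell with getent or dig available.

```shell
#!/bin/sh
# Added example (not from the original post): classify where a blob
# private-endpoint FQDN resolves before running the Logic App workflow.

# Address ranges quoted in the post (Step 4, item 5).
PROVIDER_RANGES="10.0.0.0/16 172.0.0.0/16"
CONSUMER_RANGES="192.168.0.0/16"

# Dotted quad -> 32-bit integer (POSIX sh only, no bash-specific features).
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP CIDR -> exit 0 if IP lies inside CIDR.
ip_in_cidr() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# ip_in_any_cidr IP "CIDR CIDR ..." -> exit 0 if IP is inside any listed range.
ip_in_any_cidr() {
  for cidr in $2; do
    ip_in_cidr "$1" "$cidr" && return 0
  done
  return 1
}

# classify_pe_ip IP -> consumer-private | provider-private | not-private.
# Only consumer-private is acceptable for the consumer tenant's blob PE.
classify_pe_ip() {
  if ip_in_any_cidr "$1" "$CONSUMER_RANGES"; then echo consumer-private
  elif ip_in_any_cidr "$1" "$PROVIDER_RANGES"; then echo provider-private
  else echo not-private
  fi
}

# resolve_ipv4 FQDN -> first A record, via getent if present, else dig.
resolve_ipv4() {
  if command -v getent >/dev/null 2>&1; then
    getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
  else
    dig +short A "$1" | awk -F. 'NF==4 {print; exit}'
  fi
}

# check_pe FQDN -> exit 0 only when the name resolves into the consumer range.
check_pe() {
  ip=$(resolve_ipv4 "$1")
  [ -n "$ip" ] || { echo "$1: no A record" >&2; return 1; }
  verdict=$(classify_pe_ip "$ip"); echo "$1 -> $ip ($verdict)"
  [ "$verdict" = consumer-private ]
}
```

Run `check_pe <consumer-storage-account>.blob.core.windows.net` from the Logic App's VNet (or paste the IP shown in Kudu into `classify_pe_ip`); a non-zero exit means the Step 6 DNS record is missing or wrong.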
Conclusion
Cross-tenant secure integration of Azure resources using Logic App Standard and Virtual WAN provides a robust and scalable solution for organizations. By following best practices and leveraging Azure's capabilities, you can achieve seamless and secure integrations across tenant boundaries.
References
https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-overview
https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview
https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal#vnet
https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-overview
https://learn.microsoft.com/en-us/azure/virtual-wan/cross-tenant-vnet-az-cli