将跨租户 VNet 连接到某个虚拟 WAN 中心Connect cross-tenant VNets to a Virtual Wan hub
本文介绍了如何使用虚拟 WAN 将 VNet 连接到另一租户中的虚拟中心。This article helps you use Virtual WAN to connect a VNet to a virtual hub in a different tenant. 如果你的客户端工作负荷必须连接到同一网络,但它们位于不同的租户上,则此体系结构非常有用。This architecture is useful if you have client workloads that must be connected to be the same network, but are on different tenants. 例如,如下图所示,可以将非 Contoso VNet(远程租户)连接到 Contoso 虚拟中心(父租户)。For example, as shown in the following diagram, you can connect a non-Contoso VNet (the Remote Tenant) to a Contoso virtual hub (the Parent Tenant).
在本文中,学习如何:In this article, you learn how to:
- 添加另一个租户作为你的 Azure 订阅上的参与者。Add another tenant as a Contributor on your Azure subscription.
- 将跨租户 VNet 连接到某个虚拟中心。Connect a cross tenant VNet to a virtual hub.
此配置的步骤是混合使用 Azure 门户和 PowerShell 执行的。The steps for this configuration are performed using a combination of the Azure portal and PowerShell. 但是,此功能本身仅通过 PowerShell 和 CLI 提供。However, the feature itself is available in PowerShell and CLI only.
开始之前Before You Begin
先决条件Prerequisites
若要使用本文中的步骤,你必须已在环境中设置以下配置:To use the steps in this article, you must have the following configuration already set up in your environment:
- 父订阅中的虚拟 WAN 和虚拟中心。A virtual WAN and virtual hub in your parent subscription.
- 在另一(远程)租户中的订阅中配置的虚拟网络。A virtual network configured in a subscription in a different (remote) tenant.
- 请确保远程租户中的 VNet 地址空间不与已连接到父虚拟中心的任何其他 VNet 中的任何其他地址空间重叠。Make sure that the VNet address space in the remote tenant does not overlap with any other address space within any other VNets already connected to the parent virtual hub.
分配权限Assign permissions
为了使具有虚拟中心的父订阅能够修改和访问远程租户中的虚拟网络,需要从远程租户订阅为父订阅分配 参与者 权限。In order for the parent subscription with the virtual hub to modify and access the virtual networks in the remote tenant, you need to assign Contributor permissions to your parent subscription from the remote tenant subscription.
将 参与者 角色分配添加到父帐户(包含虚拟 WAN 中心的帐户)。Add the Contributor role assignment to the parent account (the one with the virtual WAN hub). 可以使用 PowerShell 或 Azure 门户来分配此角色。You can use either PowerShell, or the Azure portal to assign this role. 有关步骤,请参阅下面的 添加或删除角色分配 文章:See the following Add or remove role assignments articles for steps:
接下来,将远程租户订阅和父租户订阅添加到 PowerShell 的当前会话。Next, add the remote tenant subscription and the parent tenant subscription to the current session of PowerShell. 运行以下命令。Run the following command. 如果你已登录到父租户,则只需针对远程租户运行此命令。If you are signed into the parent, you only need to run the command for the remote tenant.
Add-AzAccount -Environment AzureChinaCloud -SubscriptionId "xxxxx-b34a-4df9-9451-4402dcaecc5b"验证角色分配是否成功,方法是使用父凭据登录 Azure PowerShell 并运行以下命令:Verify that the role assignment is successful by logging into Azure PowerShell using the parent credentials, and running the following command:
Get-AzSubscription如果权限已成功传播到父租户并已添加到会话中,则远程租户所拥有的订阅会显示在该命令的输出中。If the permissions have successfully propagated to the parent and have been added to the session, the subscription owned by the remote tenant will show up in the output of the command.
将 VNet 连接到中心Connect VNet to hub
在下面的步骤中,将虚拟网络链接到虚拟中心时,需在两个订阅的上下文之间进行切换。In the following steps, you will switch between the context of the two subscriptions as you link the virtual network to the virtual hub. 根据你自己的环境替换示例值。Replace the example values to reflect your own environment.
运行以下命令,确保处于远程帐户的上下文中:Make sure you are in the context of your remote account by running the following command:
Select-AzSubscription -SubscriptionId "[remote ID]"创建一个本地变量,用于存储要连接到中心的虚拟网络的元数据。Create a local variable to store the metadata of the virtual network that you want to connect to the hub.
$remote = Get-AzVirtualNetwork -Name "[vnet name]" -ResourceGroupName "[resource group name]"切换回父帐户。Switch back over to the parent account.
Select-AzSubscription -SubscriptionId "[parent ID]"将 VNet 连接到中心。Connect the VNet to the hub.
New-AzVirtualHubVnetConnection -ResourceGroupName "[parent resource group name]" -VirtualHubName "[virtual hub name]" -Name "[name of connection]" -RemoteVirtualNetwork $[local variable name]可以在 PowerShell 或 Azure 门户中查看新连接。You can view the new connection in either PowerShell, or the Azure portal.
- PowerShell: 如果连接已成功建立,则新建立的连接中的元数据会显示在 PowerShell 控制台中。PowerShell: The metadata from the newly formed connection will show in the PowerShell console if the connection was successfully formed.
- Azure 门户: 导航到虚拟中心 >“连接性”->“虚拟网络连接”。Azure portal: Navigate to the virtual hub, Connectivity -> Virtual Network Connections. 你可以查看指向连接的指针。You can view the pointer to the connection. 若要查看实际资源,你需要适当的权限。To see the actual resource you will need the proper permissions.
疑难解答Troubleshooting
- 验证 $remote 中的元数据(来自前面的节)是否与 Azure 门户中的信息相匹配。Verify that the metadata in $remote (from the preceding section) matches the information from the Azure portal.
- 可以使用远程租户资源组的标识和访问管理设置或使用 Azure PowerShell 命令 (Get-AzSubscription) 来验证权限。You can verify permissions using the IAM settings of the remote tenant resource group, or using Azure PowerShell commands (Get-AzSubscription).
- 请确保将资源组的名称或任何其他特定于环境的变量用引号引起来(例如Make sure quotes are included around the names of resource groups or any other environment-specific variables (eg. "VirtualHub1" 或 "VirtualNetwork1")。"VirtualHub1" or "VirtualNetwork1").
后续步骤Next steps
有关虚拟 WAN 的详细信息,请参阅:For more information about Virtual WAN, see: