Azure Arc over private endpoint with multiple subscriptions

I’ve recently been playing around with the preview of private endpoint connections for Azure Arc. While doing so, I’ve encountered a strange behavior when generating onboarding scripts for new servers. If you want the Azure Arc server object to appear in a subscription different than the one where your Azure Arc Private link scope is located, you’ll get stuck.

If the target subscription is not the same as your private link scope the interface will cause grief.

This environment contains multiple subscriptions, but the subscriptions are generally integrated through peered VNETs and share the same DNS setup. Just creating a new Azure Arc Private link scope won’t do anything, as it can’t be associated with the already existing private endpoint. Creating a private endpoint would mean that the service would consume multiple IP addresses in our private networks, which just seemed strange.

I decided to change the settings in the portal back to the same subscription as the private link scope just to have it generate the script and see if I could just modify it.

Turns out that if you just modify the “run connect command” section of the script a bit, it will work just fine to have the resources appear in a different subscription. As the script is likely to be updated, the example below should only be used as a reference. The properties you want to change are “--resource-group” and “--subscription-id”.

# Run connect command
& "$env:ProgramW6432\AzureConnectedMachineAgent\azcmagent.exe" connect --resource-group <target resource group> --tenant-id <azure ad tenant id (no need to change this)> --location <Azure DC location (no need to change this)> --subscription-id <target subscription id> --cloud "AzureCloud" --private-link-scope <private link scope resource id (no need to change this)> --correlation-id <correlation id (no need to change this)>
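
One way to script the edit described above, as an added example that is not part of the original post or the portal's own script: the hypothetical function Set-ArcConnectTarget rewrites only those two arguments on the connect line, rejects a malformed subscription ID or resource group name, and fails if --private-link-scope is missing or altered. The sample script text and every ID in it are constructed placeholders.

```powershell
# Added example, not the portal's script. Set-ArcConnectTarget is a hypothetical helper.
function Set-ArcConnectTarget {
    param(
        [Parameter(Mandatory)] [string] $ScriptText,
        [Parameter(Mandatory)] [string] $ResourceGroup,
        [Parameter(Mandatory)] [guid]   $SubscriptionId   # [guid] rejects malformed IDs
    )
    # Azure resource group names: 1-90 chars of letters, digits, _ - . ( ), not ending in "."
    if ($ResourceGroup -notmatch '^[-\w.()]{1,90}$' -or $ResourceGroup.EndsWith('.')) {
        throw "Invalid resource group name: $ResourceGroup"
    }
    $connect = 'azcmagent\.exe"?\s+connect\b'
    $value   = '("[^"]*"|\S+)'   # a quoted or bare argument value
    $lines   = $ScriptText -split "`r?`n"
    if (@($lines -match $connect).Count -ne 1) {
        throw 'Expected exactly one azcmagent connect line.'
    }
    $new = @{ '--resource-group' = $ResourceGroup; '--subscription-id' = "$SubscriptionId" }
    $result = foreach ($line in $lines) {
        if ($line -notmatch $connect) { $line; continue }
        $scope = [regex]::Match($line, "--private-link-scope\s+$value").Value
        if (-not $scope) { throw 'No --private-link-scope on the connect line.' }
        foreach ($flag in $new.Keys) {
            $pattern = "($flag\s+)$value"
            if ($line -notmatch $pattern) { throw "Missing $flag on the connect line." }
            $replacement = $new[$flag]
            # A MatchEvaluator inserts the value literally (no "$" substitution rules).
            $line = [regex]::Replace($line, $pattern,
                { param($m) $m.Groups[1].Value + '"' + $replacement + '"' })
        }
        # Guardrail: the private link scope argument must be untouched.
        if (-not $line.Contains($scope)) { throw 'Private link scope changed.' }
        $line
    }
    $result -join "`r`n"
}

# Constructed sample of a generated connect section; all values are placeholders.
$sample = @'
# Run connect command
& "$env:ProgramW6432\AzureConnectedMachineAgent\azcmagent.exe" connect --resource-group "rg-pls" --tenant-id "00000000-0000-0000-0000-000000000001" --location "westeurope" --subscription-id "00000000-0000-0000-0000-000000000002" --cloud "AzureCloud" --private-link-scope "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg-pls/providers/Microsoft.HybridCompute/privateLinkScopes/pls-arc" --correlation-id "00000000-0000-0000-0000-000000000003"
'@
Set-ArcConnectTarget -ScriptText $sample -ResourceGroup 'rg-servers' `
    -SubscriptionId '00000000-0000-0000-0000-000000000004'
```

The function returns the rewritten script text, so the connect line can be reviewed before it is run on a server.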

An alternative approach would be to connect the servers to a resource group in the same subscription as the private link scope and then move the resources to their desired location.

As private endpoints for Azure Arc are currently preview functionality, I would expect this to be fixed before this is GA. Meanwhile, I hope somebody finds this useful.
