I work in a large distributed org, and several divisions have purchased their own subscription to Azure.

I am a co-administrator to all the accounts, and can see all the resources in all subscriptions.

Is there a per-resource description of what can (and can't) be shared among subscriptions?

For example, the DBA team purchased their own tenant, as did the networking team. My goal is to

  • Configure the application gateway so that it routes correctly among all the resources
  • Connect websites on premise, and other websites in a different subscription to the DBA tenant
  • etc... (Redis)

It seems that some resources are tightly coupled to the tenant, however others less so.

Is there any resource, guideline, or rule of thumb that I can use to understand what can and what can't be shared amongst Azure Subscriptions/Tenants?

makerofthings7
  • Is your question "Can a VM in subscription 1 talk to an Azure SQL Database in subscription 2?" Assuming the firewall had the default setting to allow Azure traffic then the answer is yes. Most things in Azure work like that. VNETs are a main counter example so you need VNET peering to talk across subscriptions/VNETs – GregGalloway Jan 05 '17 at 12:27

1 Answer

About the administrative roles (AA, SA, CA), refer to the link.
For the relationship between subscriptions and Azure AD, refer to the link.
Here is an article about Accounts/Tenants/Subscriptions; maybe it can add some sense to the whole Azure account.

Jason Ye
  • Thank you. The complexity of this I think will cause security vulnerabilities, due to ignorance, difficulty, etc. To this end, I posted another question here: http://security.stackexchange.com/q/147391/396 – makerofthings7 Jan 05 '17 at 18:07