This section describes how to configure Azure access when Cloud Resolver is
deployed in any of the following environments:
- Cloud Resolver is deployed on-premises
- Cloud Resolver is deployed in Azure
- Cloud Resolver is deployed in another cloud environment
To configure permissions in remote tenants:
- Create an Application Registration for Cloud Resolver in each remote tenant so that it can discover and resolve queries for data located in remote tenants or subscriptions.
- Generate a Client Secret for each Application. The Client Secret is stored either in Azure Key Vault or in HashiCorp Vault.
- In the remote tenant AAD, create an App Role for the Application with the Allowed Member type set to Applications.
- In the remote tenant, create a Custom Role for Cloud Resolver with the following permissions:
  - Microsoft.Network/privateDnsZones/read
  - Microsoft.Network/virtualNetworks/read
  - Microsoft.Network/virtualNetworks/privateDnsZoneLinks/read
  - Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
  - Microsoft.Network/privateDnsZones/ALL/read
  - Microsoft.Network/privateDnsZones/recordsets/read
  - Microsoft.Network/privateEndpoints/read
  - Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read
  - Microsoft.Resources/subscriptions/providers/read
  - Microsoft.Resources/subscriptions/read
- In the remote tenant, create a Role Assignment for the Service Principal and the Application Role.
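The Custom Role and Role Assignment steps above, as an added example that is not part of the Cloud Resolver documentation: it writes the custom role definition with exactly the permissions listed, checks that the role stays read-only before it is created, and shows the Azure CLI calls for the service principal and role assignment. The role name, subscription id and application (client) id are placeholders.

```shell
# Added example, not part of the Cloud Resolver documentation. Writes the custom
# role definition with the permissions listed above, checks that it stays
# read-only, and shows the az CLI calls for the remaining steps. The role name,
# subscription id and app (client) id are placeholders / assumptions.
set -eu
ROLE_NAME="Cloud Resolver Reader"   # hypothetical role name

# Write the custom role definition for subscription $1 to file $2.
write_role_definition() {
  cat >"$2" <<EOF
{
  "Name": "${ROLE_NAME}",
  "Description": "Read-only discovery of Private DNS zones, VNets and private endpoints",
  "Actions": [
    "Microsoft.Network/privateDnsZones/read",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/privateDnsZoneLinks/read",
    "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read",
    "Microsoft.Network/privateDnsZones/ALL/read",
    "Microsoft.Network/privateDnsZones/recordsets/read",
    "Microsoft.Network/privateEndpoints/read",
    "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read",
    "Microsoft.Resources/subscriptions/providers/read",
    "Microsoft.Resources/subscriptions/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "AssignableScopes": ["/subscriptions/$1"]
}
EOF
}

# Fail if any action is a wildcard or not a */read action, so a later edit cannot silently widen the role.
check_read_only() {
  grep -oE '"Microsoft\.[^"]+"' "$1" | tr -d '"' | while IFS= read -r action; do
    case "$action" in
      *\**)   echo "wildcard action: $action" >&2; exit 1 ;;
      */read) ;;
      *)      echo "non-read action: $action" >&2; exit 1 ;;
    esac
  done
}

# Remaining steps in the remote tenant (after `az login --tenant <tenant-id>`).
apply_role() {   # $1 app (client) id, $2 subscription id, $3 role definition file
  az ad sp create --id "$1"   # only needed if the registration has no service principal yet
  az role definition create --role-definition "@$3"
  az role assignment create --role "$ROLE_NAME" --scope "/subscriptions/$2" \
    --assignee-object-id "$(az ad sp show --id "$1" --query id -o tsv)" --assignee-principal-type ServicePrincipal
}
```

Run `write_role_definition <subscription-id> role.json && check_read_only role.json && apply_role <app-id> <subscription-id> role.json` once per remote subscription; the role definition is created once per tenant and assigned per subscription.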