Azure connector not working as intended. Only accessing one Resource Group under Subscription

[Blake Hill]

ELM version 22.2.0.1013.

 

I have created a connector out to our Azure Tenant. After putting in the necessary information it passes the test connection with no issues. I go to package a new platform layer and it spins up just fine. I click on the link from app layering which takes me to the Azure Custom Deployment of the packaging VM. From here the issue shows up. My virtual network choices are only limited to one Resource Group only. I have tested this thoroughly by creating and trying to target networks from different resource groups. It will not detect any Virtual Network from any other Resource Groups.

 

Well sounds like its an issue with Azure but I figured I better test some more before engaging Microsoft. I decide want to target a different storage account in another Resource Group.  I go to edit my connection and choose a different storage account under the same subscription. The connection fails. I create another storage account under the same Resource Group and it works just fine. 

 

At this point the connector only works within anything under one Resource Group. This is not what the Citrix documentation says. Per this article: "Storage Can be located in any resource group, as long as the resource group’s location is the same as the account’s location."

 

I even went so far as to create another connector from scratch and it wont work. I can only get an Azure connector to work now if resources exist in one specific resource group.

 

Any ideas what could be causing this?  

[Rob Zylowski]

Is the service principal you are using a contributor for all if the resource groups and networks you are trying to use? 

[Blake Hill]

 

On 4/18/2022 at 5:42 PM, Rob Zylowski1709158051 said:

Is the service principal you are using a contributor for all if the resource groups and networks you are trying to use? 

 

Hi Rob,

 

Thank you for the response. I believe this was the answer I was looking for and I have opened up the permissions on the app. Another issue is now showing up. Let me know if I need to create another post from scratch. 

 

I have verified that the Azure app communicating with the App Layering connector has the correct permissions. It is contributor for all the necessary resources. Now no matter what is done the platform layer creation process fails. It says "No networks were found in the Azure subscription - at least 1 is needed". There are multiple networks under the current Subscription. I have counted at least 3 networks that have the app scoped to them as Subscription(inherited). The role is Contributor.  

 

I dont understand how the Virtual networks are not being detected. When the app had more limited permissions it was able to detect networks even though it was the wrong one. 

 

Any ideas on what would be preventing the connector from detecting the Virtual Networks?

[Rob Zylowski]

Permission on networks are separate from resource groups.  Did you also assign your service principal as a contributor on the networks.

[Blake Hill]

3 minutes ago, Rob Zylowski1709158051 said:

Permission on networks are separate from resource groups.  Did you also assign your service principal as a contributor on the networks.

 

Yes. I have gone into 3 different networks and confirmed that they have the correct permissions. Here is a pic of my main network's access control. The app my connector is communicating with is CitrixStudio. I have no idea why the connector does not see this network. 

 

 

 

[Rob Zylowski]

That looks fine.  I think you'll need to open a  case.  It could be something to do with Azure Endpoints and whether you have them secured or not.