Sharing ADF, SQL server and VM across 2 resource groups

Question

Hello,

Under the same Azure subscription I have two resource groups RG1 and RG2.
RG1 was previously created and populated with the resources needed for the PROJECT1.

Now I work on the separate PROJECT2 and I want to create separate resource group RG2 for this project, but also want to share some resources from the already existing in RG1. The purpose is to use ADF, SQL server and VM existing already in RG1. In RG2 I plan to create Azure Batch, Web Apps and do not create duplicated ADF, SQL and VM.

Questions:
[1] Will the above design scenario of sharing ADF, SQL server and VM from RG1 and RG2 work?

[2] Can resources from RG1 connect to resources from R2 and vice versa?

[3] What are the mayor risks/concerns?

[4] I know it might not go along with the 'best design practices' of independent scalability, monitoring, DevOps CI/CD but is it even doable?

Thanks,
SP

Answer 1

@Stanislaw Piekarczyk Apologies for the delay in response and all the inconvenience caused because of the issue.

As mentioned here A resource group is just a logical grouping of resources, it doesn't prevent services to use only resources within one resource group.

However, a resource can only belong to a single resource group. There is a one-to-many relationship between a resource group and a resource. A resource group can have multiple resources but each resource can only belong to a single resource group.

This is the answer to your first query that the already existing resource can't be duplicated as such to another resource group.

Now one such solution is that if you don't want these resources in your Project1 and you need them specifically on Project 2 then you can move these resources simply across resource group as mentioned here step by step.

Another part is you can for sure share these resource implying that Resource in one resource group can access resource in another resource group if you have the proper access and permission on the mentioned resource group. As mentioned here

As long as you have access keys/passwords/etc. to your resources, you can use your resources no matter what resource group they're in. This includes ssh keys, vm usernames/passwords, redis cache keys, storage keys, cosmos db keys, sql database logins, etc.

The only thing access-specific, with resource groups, is granted user permissions. That is: if you add someone as a contributor to resource group A, and not to resource group B, they won't be able to manipulate the settings in resource group B via the portal or any of the Management APIs. Still, they'd be able to work with all of the resources in resource group B, assuming they had the login details / keys / etc.

For example you might need your Web Apps in Resource Group1 to access or make use of SQL in resource group2 you can do that very easily considering the above permission part is there. This has been very well explainer here as well.

Same will be the case with other resources available in your Resource Group depending on scenario you need them for.

You need to pay attention in case you're using Managed Identity to make sure the identity will have access on the other resource too.

Also, pay attention to group resources in the same region to avoid network out traffic.

There are no risk involved in sharing of resource considering the fact that only user or Service Principle with required set of permission would be able to do any task.

Hope it helps!!!

Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.