Send Azure Blob Storage event notifications to Event Hubs on another account

Question

In Azure, I'm trying to send event notifications from a Storage Account in one Active Directory to an Event Hub in another Active Directory.

I'm having trouble figuring out how to share/link the resource.

In AWS, I was able to accomplish this by creating a role in the receiver account, adding the source account by ID, adding the SQS Writer resource permission, and adding the SQS Queue ARN as the bucket notification destination. I'm guessing something similar is possible in Azure..

At the moment, I am looking at Active Directory IAM, which appears to have the EventGrid EventSubscription Contributor property. In the destination account I have added the source account as a contributor, and I received a notification in the source account that I had permissions in the destination account, but when I try to create an event subscription in the source account, the Event Hubs in the destination account don't show as an option.

How can I write event notifications to Event Hubs in one account from a Storage Account in another?

Answer 1

Absolutely yes. I think there are many ways to do that across different subscriptions, such as the two below.

1. Solution 1 to use Azure Functions. You can use Azure Function with Blob Trigger to get the event notifications of blob changes, and then to request the other Azure Function with HttpTrigger via PUT/POST method to transfer the event message of blob information like blob url with SAS token for accessing in other subscriptions.

2. Solution 2 to use Azure Logic Apps. You can use the logic flow below to get the blob change events to send the notification message to EventHub in other subscriptions, because Azure Logic Apps allows to configure their connection information manually as below.

   Fig 1. The logic flow to get events from Blob Storage and send to EventHub

   Fig 2. Click the Manually enter connection information to configure for a service in other subscriptions.

   Fig 2-A.

   

   Fig 2-B.

   

Answer 2

Basically, there are supported two ways in the Azure Event Grid Pub/Sub model for delivery events across the multi-tenants environment, such as:

1. Tightly coupled delivery of the event messages to the subscriber resource based on the RBAC. At the subscriber (destination) resource, you can
   • add a built-in role assignment such as EventGrid EventSubscription Contributor for Azure AD user, etc.
   • or add co-administrator at the Azure subscription level

The following screen snippet shows an example of the case when I am a co-administrator two Azure subscriptions such as the Stage and Development.

Creating an Event Subscription for event driven blob storage topic in the AEG provider at the Stage azure account and delivery its notification events across the azure account boundary to the Subscriber such as an Event Hub located in the Development azure account is straightforward:

2. Loosely decoupled delivery of the event messages to the Subscribers across the multi-tenants boundary based on the WebHook event handler endpoint. For Pub/Sub integration across the tenant boundary can be used an EventGridTrigger function with an output binding to the Event Hub resource. The following screen snippet shows this example:

   

   The above solution is very straightforward with capability to mediate (pre-processing) an event message to the Event Hub resource.

   In the case for distributing the events to another subscribers, etc. in the Fan-Out pattern manner, the Azure Event Grids can be cascaded like is shown in the following screen snippet:

   

   In the above solution, each tenant has own Azure Event Grid provider and there are cascaded via the "plumbing" WebHook event handler endpoint and custom topic endpoint. More details about the AEG cascading implementation can be found here.