
Improve Cloud Shell onboarding for advanced scenario with VNET isolation

Open · drumsta opened this issue 4 years ago • 1 comment

When onboarding Cloud Shell with VNET isolation, the user's experience could be improved by clarifying the documentation for the advanced scenario and relaxing some requirements:

  • Expand the documentation at https://docs.microsoft.com/en-us/azure/cloud-shell/private-vnet with a step-by-step installation guide, in particular the chapter "Deploy network resources". Currently it references two Quickstart ARM templates, but it takes additional time to investigate what needs to be done if some Azure resources are already in place, e.g. a VNET with subnets.
  • Clarify a requirement about how many different subnets are required (three according to the Quickstart ARM templates) and what requirements each subnet has if any, e.g. service endpoints, delegations, etc. Are three (3) subnets required, or could Private Endpoints be created within already defined subnets?
  • Clarify requirements about RBAC permissions for different resources and service principals.
  • Allow the storage account, relay namespace, virtual network and private endpoints to be defined in different resource groups. As an example, networking resources could be managed by different teams and stay in different resource groups.
  • Clarify best practices for adopting Cloud Shell in a multi-admin scenario, e.g., could one Storage Account with different File shares and RBAC access permissions be shared in a multi-admin scenario? Are Relay namespaces and Network profiles required to be created for each Cloud Shell user separately?

You did a great job already! Just the experience in a highly governed and secured environment needs improvement.

drumsta · Sep 14 '21 18:09

Thanks @drumsta ! @maertendMSFT can you look into this?

edyoung · Sep 28 '21 15:09