Nat Gateway simplification (#599)

* bicep bumps * ui * overlay not preview * deploy logic glitch * purge rest of NatGateway mentions * nice meta * deployment name issue
Azure · Jun 30, 2023 · 5e360b5 · 5e360b5
1 parent 7595d0d
commit 5e360b5
Show file tree

Hide file tree

Showing 12 changed files with 31 additions and 39 deletions.
diff --git a/.github/workflows/AKSC_Deploy.yml b/.github/workflows/AKSC_Deploy.yml
@@ -10,7 +10,7 @@ on:
       templateVersion:
         description: 'Template Version'
         required: false
-        default: '0.9.13b'
+        default: '0.10.0-preview'
         type: string
       rg:
         description: 'Resource Group name'

diff --git a/.github/workflows/StandardCI.yml b/.github/workflows/StandardCI.yml
@@ -31,7 +31,7 @@ on:
     - cron: "0 23 * * 2"
 env:
   RG: "AksBicepAcc-Ci-BasicCluster" #The resource group we're deploying to.
-  ParamFilePath: "https://raw.githubusercontent.com/Azure/AKS-Construction/main/.github/workflows_dep/AksDeploy-Basic.parameters.json" # ".github/workflows_dep/AksDeploy-Basic.parameters.json" #Path to parameter file
+  ParamFilePath: "https://raw.githubusercontent.com/Azure/AKS-Construction/0.10.0-preview/.github/workflows_dep/AksDeploy-Basic.parameters.json" # ".github/workflows_dep/AksDeploy-Basic.parameters.json" #Path to parameter file
   RESNAME: "AksStan" #Used in Azure Resource Naming, overrides the default in the parameter file
   DEPNAME: "Dep${{ github.run_number }}" #Deployment Name
   AZCLIVERSION: 2.43.0 #Pinning to a specific AZ CLI version

diff --git a/.github/workflows_dep/AksDeploy-Basic.parameters.json b/.github/workflows_dep/AksDeploy-Basic.parameters.json
@@ -39,7 +39,7 @@
             "value": "Standard"
         },
         "aksOutboundTrafficType" : {
-            "value": "managedNATGateway"
+            "value": "natGateway"
         }
     }
 }
diff --git a/.github/workflows_dep/AksDeploy-Private.parameters.json b/.github/workflows_dep/AksDeploy-Private.parameters.json
@@ -93,7 +93,7 @@
             "value": true
           },
           "aksOutboundTrafficType" : {
-              "value": "userAssignedNATGateway"
+              "value": "natGateway"
           },
           "createNatGateway" : {
               "value": true

diff --git a/.github/workflows_dep/regressionparams/managedNatGw.json b/.github/workflows_dep/regressionparams/managedNatGw.json
@@ -9,7 +9,7 @@
       "value": "Standard_DS3_v2"
     },
     "aksOutboundTrafficType" : {
-      "value": "managedNATGateway"
+      "value": "natGateway"
     },
     "natGwIpCount" : {
       "value": 3

diff --git a/bicep/main.bicep b/bicep/main.bicep
@@ -1059,8 +1059,7 @@ param AutoscaleProfile object = {
 
 @allowed([
   'loadBalancer'
-  'managedNATGateway'
-  'userAssignedNATGateway'
+  'natGateway'
   'userDefinedRouting'
 ])
 @description('Outbound traffic type for the egress traffic of your cluster')
@@ -1121,6 +1120,9 @@ var serviceMeshProfileObj = {
   mode: 'Istio'
 }
 
+@description('This resolves the friendly natGateway to the actual outbound traffic type value used by AKS')
+var outboundTrafficType = aksOutboundTrafficType=='natGateway' ? ( custom_vnet ? 'userAssignedNATGateway' : 'managedNATGateway' )  : aksOutboundTrafficType
+
 @description('System Pool presets are derived from the recommended system pool specs')
 var systemPoolPresets = {
   CostOptimised : {
@@ -1291,7 +1293,7 @@ var aksProperties = union({
     serviceCidr: serviceCidr
     dnsServiceIP: dnsServiceIP
     dockerBridgeCidr: dockerBridgeCidr
-    outboundType: aksOutboundTrafficType
+    outboundType: outboundTrafficType
     ebpfDataplane: networkPlugin=='azure' ? ebpfDataplane : ''
   }
   disableLocalAccounts: AksDisableLocalAccounts && enable_aad
@@ -1326,14 +1328,14 @@ var aksProperties = union({
     restrictionLevel: restrictionLevelNodeResourceGroup
   }
 },
-aksOutboundTrafficType == 'managedNATGateway' ? managedNATGatewayProfile : {},
+outboundTrafficType == 'managedNATGateway' ? managedNATGatewayProfile : {},
 defenderForContainers && createLaw ? azureDefenderSecurityProfile : {},
 keyVaultKmsCreateAndPrereqs || !empty(keyVaultKmsByoKeyId) ? azureKeyVaultKms : {},
 !empty(managedNodeResourceGroup) ? {  nodeResourceGroup: managedNodeResourceGroup} : {},
 !empty(serviceMeshProfile) ? { serviceMeshProfile: serviceMeshProfileObj } : {}
 )
 
-resource aks 'Microsoft.ContainerService/managedClusters@2023-03-02-preview' = {
+resource aks 'Microsoft.ContainerService/managedClusters@2023-04-01' = {
   name: 'aks-${resourceName}'
   location: location
   properties: aksProperties
@@ -1373,7 +1375,7 @@ param osSKU string = 'Ubuntu'
 var poolName = osType == 'Linux' ? nodePoolName : take(nodePoolName, 6)
 
 module userNodePool '../bicep/aksagentpool.bicep' = if (!JustUseSystemPool){
-  name: 'userNodePool'
+  name: take('${deployment().name}-userNodePool',64)
   params: {
     AksName: aks.name
     PoolName: poolName

diff --git a/bicep/network.bicep b/bicep/network.bicep
@@ -393,7 +393,7 @@ resource bastionHost 'Microsoft.Network/bastionHosts@2022-11-01' = if(bastion) {
   }
 }
 
-resource log 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = if(networkSecurityGroups && !empty(workspaceName)) {
+resource log 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = if(networkSecurityGroups && !empty(workspaceName)) {
   name: workspaceName
   scope: resourceGroup(workspaceResourceGroupName)
 }
@@ -520,7 +520,7 @@ resource natGw 'Microsoft.Network/natGateways@2021-08-01' = if(natGateway) {
   sku: {
     name: 'Standard'
   }
-  zones: !empty(availabilityZones) ? availabilityZones : []
+  zones: !empty(availabilityZones) ? first(availabilityZones) : []
   properties: {
     publicIpAddresses: [for i in range(0, natGatewayPublicIps): {
       id: natGwIp[i].id

diff --git a/helper/.playwrighttests/helper-test-managednatgw.spec.js b/helper/.playwrighttests/helper-test-managednatgw.spec.js
@@ -14,7 +14,7 @@ test('managed-natgw-option-is-now-the-prod-default', async ({ page }) => {
   //Check default value
   const dropdown = await page.waitForSelector('[data-testid="net-aksEgressType"]')
   await expect(dropdown).toBeVisible()
-  await expect(dropdown).toMatchText('Assigned NAT Gateway')
+  await expect(dropdown).toMatchText('NAT Gateway')
 
   // Click the 1st Tab in the portal Navigation Pivot (network)
   await page.click('[data-testid="portalnav-Pivot"] > button:nth-child(1)');
@@ -23,6 +23,6 @@ test('managed-natgw-option-is-now-the-prod-default', async ({ page }) => {
   await page.waitForSelector('[data-testid="deploy-deploycmd"]')
   const clitextbox = await page.$('[data-testid="deploy-deploycmd"]')
   await expect(clitextbox).toBeVisible()
-  await expect(clitextbox).toContainText('aksOutboundTrafficType=userAssignedNATGateway')
+  await expect(clitextbox).toContainText('aksOutboundTrafficType=natGateway')
 
 });
diff --git a/helper/src/components/deployTab.js b/helper/src/components/deployTab.js
@@ -86,6 +86,9 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray,
     ...(addons.azurepolicy !== "none" && { azurepolicy: addons.azurepolicy }),
     ...(addons.azurepolicy !== "none" && addons.azurePolicyInitiative !== defaults.addons.azurePolicyInitiative && { azurePolicyInitiative: addons.azurePolicyInitiative }),
     ...(net.networkPlugin !== defaults.net.networkPlugin && {networkPlugin: net.networkPlugin}),
+    ...(net.networkPlugin === 'azure' && {
+        ...(net.networkPluginMode && {networkPluginMode: 'Overlay'}),
+        }),
     ...(net.vnet_opt === "custom" && net.networkPlugin === 'kubenet' && defaults.net.podCidr !== net.podCidr && { podCidr: net.podCidr }),
     ...((net.vnet_opt === "custom" || net.vnet_opt === "byo") && defaults.net.cniDynamicIpAllocation !== net.cniDynamicIpAllocation && { cniDynamicIpAllocation: true }),
     ...(net.vnet_opt === "custom" && net.cniDynamicIpAllocation && defaults.net.podCidr !== net.podCidr && { podCidr: net.podCidr }),
@@ -109,9 +112,7 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray,
         ...(addons.appgwKVIntegration && addons.csisecret === 'akvNew' && { appgwKVIntegration: true })
       })
     }),
-    ...(net.vnet_opt !== "default" && {
-      ...(net.aksOutboundTrafficType !== defaults.net.aksOutboundTrafficType && {aksOutboundTrafficType: net.aksOutboundTrafficType})
-    }),
+    ...(net.aksOutboundTrafficType !== defaults.net.aksOutboundTrafficType && {aksOutboundTrafficType: net.aksOutboundTrafficType}),
     ...(cluster.keyVaultKms !== defaults.cluster.keyVaultKms && {
       ...(cluster.keyVaultKms === "public" && {keyVaultKmsCreate: true, keyVaultKmsOfficerRolePrincipalId: "$(az ad signed-in-user show --query id --out tsv)"}),
       ...(cluster.keyVaultKms === "byoprivate" && cluster.keyVaultKmsByoKeyId !== '' &&  cluster.keyVaultKmsByoRG !== '' && {keyVaultKmsByoKeyId: cluster.keyVaultKmsByoKeyId, keyVaultKmsByoRG: cluster.keyVaultKmsByoRG}),
@@ -134,12 +135,12 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray,
   const preview_params = {
     ...(addons.registry === "Premium" && addons.acrUntaggedRetentionPolicyEnabled !== defaults.addons.acrUntaggedRetentionPolicyEnabled && { acrUntaggedRetentionPolicyEnabled: addons.acrUntaggedRetentionPolicyEnabled}),
     ...(addons.registry === "Premium" && addons.acrUntaggedRetentionPolicyEnabled && addons.acrUntaggedRetentionPolicy !== defaults.addons.acrUntaggedRetentionPolicy && { acrUntaggedRetentionPolicy: addons.acrUntaggedRetentionPolicy}),
-    ...(net.vnet_opt === "default" && net.aksOutboundTrafficType === 'managedNATGateway' && {
+    ...(net.vnet_opt === "default" && net.aksOutboundTrafficType === 'natGateway' && {
       ...(net.aksOutboundTrafficType !== defaults.net.aksOutboundTrafficType && {aksOutboundTrafficType: net.aksOutboundTrafficType}),
       ...(net.natGwIpCount !== defaults.net.natGwIpCount && {natGwIpCount: net.natGwIpCount}),
       ...(net.natGwIdleTimeout !== defaults.net.natGwIdleTimeout && {natGwIdleTimeout: net.natGwIdleTimeout})
     }),
-    ...(net.vnet_opt === "custom" && net.aksOutboundTrafficType === 'userAssignedNATGateway' && {
+    ...(net.vnet_opt === "custom" && net.aksOutboundTrafficType === 'natGateway' && {
       ...({createNatGateway: true}),
       ...(net.aksOutboundTrafficType !== defaults.net.aksOutboundTrafficType && {aksOutboundTrafficType: net.aksOutboundTrafficType}),
       ...(net.natGwIpCount !== defaults.net.natGwIpCount && {natGwIpCount: net.natGwIpCount}),
@@ -158,7 +159,6 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray,
     ...(defaults.addons.blobCSIDriver !== addons.blobCSIDriver && {blobCSIDriver: addons.blobCSIDriver }),
     ...(defaults.addons.workloadIdentity !== addons.workloadIdentity && {oidcIssuer: true, workloadIdentity: addons.workloadIdentity }),
     ...(net.networkPlugin === 'azure' && {
-      ...(net.networkPluginMode && {networkPluginMode: 'Overlay'}),
       ...(net.ebpfDataplane && {ebpfDataplane: 'cilium'})
     }),
     ...(urlParams.getAll('feature').includes('defender') && cluster.DefenderForContainers !== defaults.cluster.DefenderForContainers && { DefenderForContainers: cluster.DefenderForContainers }),

diff --git a/helper/src/components/networkTab.js b/helper/src/components/networkTab.js
@@ -92,20 +92,13 @@ export default function NetworkTab ({ defaults, tabValues, updateFn, invalidArra
                             label="Implement Dynamic Allocation of IPs" />
                     </Stack.Item>
                     <Stack.Item>
-                        <MessageBar messageBarType={MessageBarType.info}>Overlay is a <a target="_new" href="https://learn.microsoft.com/en-us/azure/aks/azure-cni-overlay#steps-to-set-up-overlay-clusters">preview feature</a> that leverages a private CIDR for Pod IP's. See if it's right for you:<a target="_new" href="https://learn.microsoft.com/en-us/azure/aks/azure-cni-overlay">docs</a> </MessageBar>
+                        <MessageBar messageBarType={MessageBarType.info}>Overlay is a feature that leverages a private CIDR for Pod IP's. See if it's right for you:<a target="_new" href="https://learn.microsoft.com/azure/aks/azure-cni-overlay">docs</a> </MessageBar>
                         <Checkbox
                             styles={{ root: { marginLeft: '50px', marginTop: '10px !important' } }}
                             disabled={net.networkPlugin!=='azure' || net.cniDynamicIpAllocation}
                             checked={net.networkPluginMode}
                             onChange={(ev, v) => UpdateCniOverlay(v)}
                             label="CNI Overlay Network" />
-                            {
-                                net.networkPluginMode &&
-                                (
-                                    <PreviewDialog previewLink={"https://learn.microsoft.com/en-us/azure/aks/azure-cni-overlay#steps-to-set-up-overlay-clusters"} />
-                                )
-
-                            }
                     </Stack.Item>
                     <Stack.Item>
                         <MessageBar messageBarType={MessageBarType.info}>Powered by Cilium is a <a target="_new" href="https://learn.microsoft.com/en-us/azure/aks/azure-cni-powered-by-cilium#prerequisites">preview feature</a> that leverages more efficient use of the linux kernel and other networking features.</MessageBar>
@@ -172,6 +165,9 @@ export default function NetworkTab ({ defaults, tabValues, updateFn, invalidArra
                 <Stack horizontal tokens={{ childrenGap: 50 }}>
                     <Stack.Item>
                         <MessageBar messageBarType={MessageBarType.info}>NAT Gateway allows more traffic flows than a Load Balancer.<a target="_target" href="https://docs.microsoft.com/azure/aks/nat-gateway">docs</a></MessageBar>
+                        {cluster.availabilityZones === "yes" &&
+                            <MessageBar messageBarType={MessageBarType.warning}>NAT Gateways are not a Zone Redundant resource</MessageBar>
+                        }
                         {net.aksOutboundTrafficType==='userDefinedRouting' && net.vnet_opt === 'byo' &&
                           <MessageBar styles={{ root: { width:'400px', marginTop: '10px !important'}}} messageBarType={MessageBarType.warning}>Ensure that the AKS Subnet is configured with a UDR and that your Virtual Network Appliance is <Link href="https://learn.microsoft.com/azure/aks/limit-egress-traffic">properly configured</Link> to allow necessary traffic</MessageBar>
                         }
@@ -185,8 +181,7 @@ export default function NetworkTab ({ defaults, tabValues, updateFn, invalidArra
                             data-testid="net-aksEgressType"
                             options={[
                                 { key: 'loadBalancer', text: 'Load Balancer'  },
-                                { key: 'managedNATGateway', text: 'Managed NAT Gateway' },
-                                { key: 'userAssignedNATGateway', text: 'Assigned NAT Gateway'},
+                                { key: 'natGateway', text: 'NAT Gateway' },
                                 { key: 'userDefinedRouting', text: 'User Defined Routing'}
                             ]}
                             onChange={(ev, { key }) => updateFn("aksOutboundTrafficType", key)}
@@ -195,7 +190,7 @@ export default function NetworkTab ({ defaults, tabValues, updateFn, invalidArra
                     <Stack.Item>
                         <Checkbox //simple "read-only" checkbox that derives its values from other settings
                             styles={{ root: { marginBottom: '10px' }}}
-                            checked={net.vnet_opt === 'custom' && net.aksOutboundTrafficType === 'userAssignedNATGateway'}
+                            checked={net.vnet_opt === 'custom' && net.aksOutboundTrafficType === 'natGateway'}
                             disabled={true}
                             label="Create NAT Gateway for AKS Subnet (Custom VNet Only)"
                         />

diff --git a/helper/src/components/portalnav.js b/helper/src/components/portalnav.js
@@ -394,13 +394,8 @@ export default function PortalNav({ config }) {
      :'Ensure to select Azure Firewall when using Custom Networking and User Defined Routing for Outbound Traffic Type')
 
   invalidFn('net', 'aksOutboundTrafficType',
-    (net.aksOutboundTrafficType === 'managedNATGateway' && net.vnet_opt !== "default") ||
-    (net.aksOutboundTrafficType === 'userAssignedNATGateway' && net.vnet_opt === "default") ||
     (net.aksOutboundTrafficType === 'userDefinedRouting' && net.vnet_opt === "default"),
-     net.aksOutboundTrafficType === 'userDefinedRouting' ?
-     'When using User Defined Routing, only custom and Bring your Own networking is supported.'
-     :
-     'When using Managed Nat Gateway, only default networking is supported. For other networking options, use Assigned NAT Gateway')
+     'When using User Defined Routing, only custom and Bring your Own networking is supported.')
   invalidFn('net', 'serviceCidr',  net.vnet_opt === "custom" && !isCidrValid(net.serviceCidr), invalidCidrMessage)
   invalidFn('net', 'podCidr', !isCidrValid(net.podCidr), invalidCidrMessage)
   invalidFn('net', 'dnsServiceIP', !isIPValid(net.dnsServiceIP), 'Enter a valid IP')

diff --git a/helper/src/configpresets/principals.json b/helper/src/configpresets/principals.json
@@ -463,7 +463,7 @@
                             },
                             "net": {
                                 "createNatGateway": true,
-                                "aksOutboundTrafficType": "userAssignedNATGateway"
+                                "aksOutboundTrafficType": "natGateway"
                             }
                         }
                     }