
Deployments failing on App GW NSG rule validation after initial deployment #22434

Open
biggles007 opened this issue May 13, 2022 · 7 comments
Assignees
Labels
- ARM (az resource/group/lock/tag/deployment/policy/managementapp/account management-group)
- Auto-Assign (Auto assign by bot)
- customer-reported (Issues that are reported by GitHub users external to the Azure organization.)
- Service Attention (This issue is responsible by Azure service team.)
Milestone

Comments

@biggles007
Copy link

biggles007 commented May 13, 2022

This is autogenerated. Please review and update as needed.

Describe the bug

After initial greenfield deployment, future deployments fail on Application Gateway NSG validation, previously reported in #21256 and was seemingly working again in a previous version.

Command Name
az deployment group create

Errors:

```
{"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"Conflict","message":"{\r\n  \"status\": \"Failed\",\r\n  \"error\": {\r\n    \"code\": \"ResourceDeploymentFailure\",\r\n    \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n    \"details\": [\r\n      {\r\n        \"code\": \"DeploymentFailed\",\r\n        \"message\": \"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.\",\r\n        \"details\": [\r\n          {\r\n            \"code\": \"BadRequest\",\r\n            \"message\": \"{\\r\\n  \\\"error\\\": {\\r\\n    \\\"code\\\": \\\"ApplicationGatewaySubnetInboundTrafficBlockedByNetworkSecurityGroup\\\",\\r\\n    \\\"message\\\": \\\"Network security group /subscriptions/xxx/resourceGroups/rg-weu-aksaccelerator-1/providers/Microsoft.Network/networkSecurityGroups/appgw blocks incoming internet traffic on ports 65200 - 65535 to subnet /subscriptions/xxxx/resourceGroups/rg-weu-aksaccelerator-1/providers/Microsoft.Network/virtualNetworks/vnet-weu-aksaccel/subnets/appgw, associated with Application Gateway /subscriptions/xxx/resourceGroups/rg-weu-aksaccelerator-1/providers/Microsoft.Network/applicationGateways/appgw-weu-aksaccel. This is not permitted for Application Gateways that have V2 Sku.\\\",\\r\\n    \\\"details\\\": []\\r\\n  }\\r\\n}\"\r\n          }\r\n        ]\r\n      }\r\n    ]\r\n  }\r\n}"}]}}
```

To Reproduce:

Steps to reproduce the behaviour. Note that argument values have been redacted, as they may contain sensitive information.

Run the deployment a second time

Expected Behaviour

Deployment should succeed

Environment Summary

Windows-10-10.0.19043-SP0
Python 3.10.4
Installer: MSI

azure-cli 2.36.0

Additional Context

@ghost ghost added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group labels May 13, 2022
@ghost ghost assigned zhoxing-ms May 13, 2022
@ghost ghost added this to the Backlog milestone May 13, 2022
@yonzhan
Copy link
Collaborator

yonzhan commented May 13, 2022

ARM

@zhoxing-ms
Copy link
Contributor

> Network security group /subscriptions/xxx/resourceGroups/rg-weu-aksaccelerator-1/providers/Microsoft.Network/networkSecurityGroups/appgw blocks incoming internet traffic on ports 65200 - 65535 to subnet /subscriptions/xxxx/resourceGroups/rg-weu-aksaccelerator-1/providers/Microsoft.Network/virtualNetworks/vnet-weu-aksaccel/subnets/appgw, associated with Application Gateway /subscriptions/xxx/resourceGroups/rg-weu-aksaccelerator-1/providers/Microsoft.Network/applicationGateways/appgw-weu-aksaccel. This is not permitted for Application Gateways that have V2 Sku.

@bigglesuk69 Could you see if this error message is helpful to you?

@biggles007
Copy link
Author

@zhoxing-ms the rules are on the NSG. I have validated they are correct, so the error message is wrong. The issue is somewhere in the validation. To test, I did the following:

  • Deleted the App GW, ran the deployment: successful.
  • Ran the deployment a second time: the error is shown.
  • At all times the NSG has the correct rule.

The NSG is deployed with no rules, then we inject the pre-requisite rules using the Microsoft.Network/networkSecurityGroups/securityRules resource. Is the validation only checking the Microsoft.Network/networkSecurityGroups resource for the rules? If so, that is a bug.

@biggles007
Copy link
Author

Some further information on this issue. I have a master bicep template that calls child modules for the deployments. So the vnet/NSG is deployed in one deployment, and the app GW in another. So what is happening is:

  • vnet deployment runs first time and succeeds (no AppGW deployed)
  • AppGW deployment runs successfully once the vnet deployment has completed
  • vnet deployment fails on all further runs
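The two comments above describe the reporter's situation: the NSG is declared without inline rules, the Application Gateway rule is injected afterwards as a separate `Microsoft.Network/networkSecurityGroups/securityRules` resource, and the vnet/NSG deployment fails on every run after the App Gateway exists. A pre-flight check that evaluates an NSG's rule set the way the service's error message phrases it (inbound traffic to ports 65200-65535 on the gateway subnet) helps separate "the rule really is missing from the body being deployed" from "the validation is wrong". The script below is an added example, not code from this issue, the Azure CLI or the Azure service: it implements a simplified NSG inbound evaluation (ascending priority, first match wins, implicit DenyAllInBound at 65500, destination address prefix ignored) over rule objects shaped like the `securityRules` array returned by `az network nsg show -o json`. The three rule sets are constructed samples; `NSG_WITHOUT_RULES` models the parent NSG body as the reporter declares it, on the assumption (mine, not stated in the thread) that this rule-less body is what the service validates when the NSG is re-PUT.

```python
"""Pre-flight check for the Application Gateway v2 NSG requirement.

Added example, not Azure CLI or Azure service code. Models a simplified NSG
inbound evaluation: rules sorted by ascending priority, first match decides,
and the implicit default DenyAllInBound (priority 65500) applies otherwise.
Destination address prefixes are ignored (simplification). Rule dicts use the
field names of the `securityRules` array from `az network nsg show -o json`.
"""
from __future__ import annotations

REQUIRED_PORTS = (65200, 65535)  # App Gateway v2 infrastructure ports from the error
# Sources that the service's "incoming internet traffic" check is concerned with.
GATEWAY_SOURCES = {"*", "internet", "gatewaymanager"}


def _port_ranges(rule: dict) -> list[tuple[int, int]]:
    """Expand destinationPortRange / destinationPortRanges into (lo, hi) pairs."""
    raw = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        raw.append(rule["destinationPortRange"])
    ranges: list[tuple[int, int]] = []
    for item in raw:
        if item == "*":
            ranges.append((0, 65535))
        elif "-" in item:
            lo, hi = item.split("-", 1)
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def _matches(rule: dict, port: int) -> bool:
    """Does this rule apply to inbound TCP traffic from the internet/GatewayManager on `port`?"""
    if rule.get("direction", "").lower() != "inbound":
        return False
    if rule.get("protocol", "*").lower() not in ("*", "tcp"):
        return False
    if rule.get("sourceAddressPrefix", "*").lower() not in GATEWAY_SOURCES:
        return False
    return any(lo <= port <= hi for lo, hi in _port_ranges(rule))


def blocked_ports(rules: list[dict]) -> list[int]:
    """Return every port in 65200-65535 the NSG would NOT allow inbound."""
    ordered = sorted(rules, key=lambda r: r["priority"])
    blocked: list[int] = []
    for port in range(REQUIRED_PORTS[0], REQUIRED_PORTS[1] + 1):
        verdict = "Deny"  # default DenyAllInBound at priority 65500
        for rule in ordered:
            if _matches(rule, port):
                verdict = rule["access"]
                break
        if verdict.lower() != "allow":
            blocked.append(port)
    return blocked


def report(name: str, rules: list[dict]) -> str:
    """Human-readable verdict for one NSG rule set."""
    blocked = blocked_ports(rules)
    if not blocked:
        return f"{name}: OK, ports 65200-65535 allowed inbound"
    return f"{name}: BLOCKED, {len(blocked)} port(s) not allowed (first {blocked[0]}, last {blocked[-1]})"


# Constructed sample: the NSG once the separate securityRules resource has been applied.
NSG_WITH_RULE = [
    {"name": "AllowGatewayManager", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "GatewayManager",
     "destinationPortRange": "65200-65535"},
]
# Constructed sample: the parent NSG body as declared, with no inline rules
# (assumption: this is the body the service validates on a re-deployment).
NSG_WITHOUT_RULES: list[dict] = []
# Constructed sample: an allow rule that a lower-numbered deny partially overrides.
NSG_PARTIAL_DENY = NSG_WITH_RULE + [
    {"name": "DenyLowRange", "priority": 90, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRanges": ["65200-65300"]},
]

if __name__ == "__main__":
    for label, rules in (("with-rule", NSG_WITH_RULE),
                         ("without-rules", NSG_WITHOUT_RULES),
                         ("partial-deny", NSG_PARTIAL_DENY)):
        print(report(label, rules))
```

Run the check twice per deployment: once against the live NSG (`az network nsg show`) and once against the rule list the template itself carries for the NSG resource. If the first passes and the second blocks all 336 ports, the body being deployed is rule-less even though the live resource is not, which matches the ordering the reporter describes. One mitigation to test (an assumption of this example, not a conclusion from the thread) is to declare the GatewayManager allow rule inline in the NSG resource's `securityRules` property so that every PUT of the NSG already contains it.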

@zhoxing-ms
Copy link
Contributor

This error message is returned by the REST service, so this is a service issue.

@zhoxing-ms zhoxing-ms added the CXP Attention This issue is handled by CXP team. label May 14, 2022
@ghost
Copy link

ghost commented May 14, 2022

Thank you for your feedback. This has been routed to the support team for assistance.

@RakeshMohanMSFT RakeshMohanMSFT added Service Attention This issue is responsible by Azure service team. and removed CXP Attention This issue is handled by CXP team. labels Jul 15, 2022
@ghost
Copy link

ghost commented Jul 15, 2022

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @josephkwchan, @jennyhunter-msft.

