[Network] Support active-active VNet gateways

[tjprescott]

Closes #2050.

Adds support for active-active VNet gateways according to: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-activeactive-rm-powershell

Essentially these scenarios all boil down to the number of public IP addresses associated with the gateway. Active-standby gateways have only one, while active-active gateways have 2. So the CLI will accept 1 or 2 public IP addresses on create or update and enables or disables active-active mode accordingly. This simplifies the scenarios as they exist in Powershell with minimal expansion of the CLI command's surface area.

---

This checklist is used to make sure that common guidelines for a pull request are followed.

General Guidelines

• The PR has modified HISTORY.rst with an appropriate description of the change.

Command Guidelines

• Each command and parameter has a meaningful description.
• Each new command has a test.

(see Authoring Command Modules)

[codecov-io]

Codecov Report

Merging #2751 into master will decrease coverage by <.01%.
The diff coverage is 46.51%.

@@            Coverage Diff             @@
##           master    #2751      +/-   ##
==========================================
- Coverage   62.86%   62.86%   -0.01%     
==========================================
  Files         480      480              
  Lines       25855    25886      +31     
  Branches     3915     3923       +8     
==========================================
+ Hits        16254    16273      +19     
- Misses       8589     8603      +14     
+ Partials     1012     1010       -2

Impacted Files	Coverage Δ
...twork/azure/cli/command_modules/network/_params.py	92.49% <100%> (-0.04%)	⬇️
...network/azure/cli/command_modules/network/_help.py	100% <100%> (ø)	⬆️
...etwork/azure/cli/command_modules/network/custom.py	62.46% <21.05%> (-0.37%)	⬇️
...k/azure/cli/command_modules/network/_validators.py	63.97% <60%> (+0.34%)	⬆️
...twork/azure/cli/command_modules/network/_format.py	41.66% <0%> (+1.38%)	⬆️
...e/cli/command_modules/network/_template_builder.py	86.17% <0%> (+2.12%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 678b940...ed1066d. Read the comment docs.

[derekbekoe]

Code looks good to me.
Can you include help output also?

[tjprescott]

@derekbekoe

Command
    az network vnet-gateway create: Create a virtual network gateway.

Arguments
    --name -n             [Required]: Name of the VNet gateway.
    --public-ip-addresses [Required]: Specify a single public IP (name or ID) for an active-standby
                                      gateway. Specify two public IPs for an active-active gateway.
    --resource-group -g   [Required]: Name of resource group. You can configure the default group
                                      using 'az configure --defaults group=<name>'.
    --vnet                [Required]: Name or ID of an existing virtual network which has a subnet
                                      named 'GatewaySubnet'.
    --address-prefixes              : Space separated list of address prefixes to associate with the
                                      VNet gateway.
    --gateway-type                  : The gateway type.  Allowed values: ExpressRoute, Vpn.
                                      Default: Vpn.
    --location -l                   : Location. You can configure the default location using 'az
                                      configure --defaults location=<location>'.
    --no-wait                       : Do not wait for the long running operation to finish.
    --sku                           : VNet gateway SKU.  Allowed values: Basic, HighPerformance,
                                      Standard, UltraPerformance.  Default: Basic.
    --tags                          : Space separated tags in 'key[=value]' format. Use "" to clear
                                      existing tags.
    --vpn-type                      : VPN routing type.  Allowed values: PolicyBased, RouteBased.
                                      Default: RouteBased.

BGP Peering Arguments
    --asn                           : Autonomous System Number to use for the BGP settings.
    --bgp-peering-address           : IP address to use for BGP peering.
    --peer-weight                   : Weight (0-100) added to routes learned through BGP peering.

The relevant text for update is the same.

[derekbekoe]

@tjprescott Looking at the help for --public-ip-addresses, how do I know how to specify 2 ip addresses? Maybe say that it should be space separated?

[derekbekoe]

LGTM. Added 1 q.

[tjprescott]

@derekbekoe good point. It used to say space-separated. I'll add that back in.

[aanandr]

Travis – I was OOF last week so couldn’t respond earlier. A few things to take care of when you implement Active-Active support. Maybe you have already taken care of some/all of them 1. SKU: this is only supported on HighPerformance SKU. Please add this check. 2. In PS there is a separate active-active parameter which has to be specified for enabling active-active config. I don’t see this flag in CLI. Unlike normal GWs where BGP is not enabled when creating the Gateway, in the case of active-active, BGP is enabled on the Gateway when it is setup for active-active. So this flag is important. Looks like the underlying NRP has a setting for this too. When BGP gets enabled an ASN and 2 BGP peering address (one for each gateway) automatically get assigned 3. We don’t need bgp-peering-address. We had discussed this for normal Gateway too. It gets assigned automatically. Looks like that fix has not been made. Can you remove that param? 4. Active-active supports 2 scenarios when connecting to on-prem a. Both Azure GWs connect to a single on-prem GW. So two connections. There is a single local network gateway and when adding a connection to this local network GW both these are automatically added. b. The two azure GWs connect to 2 on-prem GWs. So 4 connections. There are 2 local network GWs in this case and a connection is added to each of them to get 4 connections in total I think you don’t have to worry about this because it should all be handled in the layers below NRP but please check and ensure there are no checks at the NRP level 5. In the case of VNET-VNET active-active connections the steps differ for the connection addition. A connection is added from VNET1 to VNET2 and another from VNET2 to VNET1. At the end of these two steps you will have 4 connections, 1 each between each of the two GWs in the 2 VNETs 6. The output JSON should be modified accordingly to show the two public IPs, the two BGP peering IPs etc.

[tjprescott]

1. I'll look into this, but unless the service returns a junk error or takes a long time to error out, we would simply let the service error bubble through.

2. You are correct--there's no active-active flag in the CLI. The active-active status is determined solely by whether you specify 1 or 2 public IP addresses when creating/updating the gateway.

3. I can remove this.

4-5. I'll take a second look at the scenario tests and update accordingly.

6. If that information is not already displayed in the create output, we would not make additional REST calls to manufacture a customized output structure. However, there are a couple options: (1) add a convenience command to get this information or (2) add a convenience flag to the show/create commands which "opts-in" to this behavior.

[aanandr]

1. I don’t know what the current design is. Where do the checks happens? At Swagger and above or at NRP/GW and errors bubble up? You can decide accordingly 2. Using 1 vs. 2 public IPs to differentiate between A-A and other scenarios is a good idea but from a customer experience point of view it is better to provide a separate param. It is precisely for this reason that we added a separate param in PS too. Also, NRP has a separate param. Do you translate 2 IPs to setting that param then? 6. I agree. The object should automatically get updated.

[tjprescott]

1. Generally the errors bubble up from the service, especially since the SDKs (being autogenerated) have very little ability to add client side validation that is business logic relevant. We do this on the CLI side when the service fails to enforce its business logic and it creates a negative experience for customers. Another reason we tend to not do it on the CLI side is because it could artificially inhibit he service. For example, if we added this validation and later the service allows active-active mode with UltraPerformance SKU, then the CLI would be artificially constraining the behavior of the service.

2. Yes, you are correct:

   --public-ip-addresses [Required]: Specify a single public IP (name or ID) for an active-standby
                                      gateway. Specify two space-separated public IPs for an active-
                                      active gateway.

If you use the update command and change this, it will issue an info (visible with --verbose) that it is switching the gateway mode to active-standby or active-active accordingly. Also, the CLI handles the creation of the IP configs automatically so it cuts that step out of the PS scenario.

[blackhu269]

Hi
when modify the VPN GW from active-active to active-standby with the “az network vnet-gateway update“ there are the errors below， any suggestion about that ?

az network vnet-gateway update --name Internal-VPN --resource-group TestRG2 --public-ip-addresses Internal-ip
init() got multiple values for argument 'private_ip_allocation_method'
Traceback (most recent call last):
File "/opt/az/lib/python3.6/site-packages/azure/cli/main.py", line 36, in main
cmd_result = APPLICATION.execute(args)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/application.py", line 216, in execute
result = expanded_arg.func(params)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/init.py", line 381, in call
return self.handler(*args, **kwargs)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/arm.py", line 341, in handler
raise ex
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/arm.py", line 296, in handler
instance = custom_function(instance, **custom_func_args)
File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/network/custom.py", line 2081, in update_vnet_gateway
private_ip_allocation_method='Dynamic', name='vnetGatewayConfig{}'.format(i))
TypeError: init() got multiple values for argument 'private_ip_allocation_method'

Thanks

[aanandr]

+Ali From: blackhu269 [mailto:notifications@github.com] Sent: Wednesday, December 20, 2017 8:08 PM To: Azure/azure-cli <azure-cli@noreply.github.com> Cc: Aanand Ramachandran <aanandr@microsoft.com>; Review requested <review_requested@noreply.github.com> Subject: Re: [Azure/azure-cli] [Network] Support active-active VNet gateways (#2751) Hi when modify the VPN GW from active-active to active-standby with the “az network vnet-gateway update“ there are the errors below， any suggestion about that ? az network vnet-gateway update --name Internal-VPN --resource-group TestRG2 --public-ip-addresses Internal-ip init() got multiple values for argument 'private_ip_allocation_method' Traceback (most recent call last): File "/opt/az/lib/python3.6/site-packages/azure/cli/main.py", line 36, in main cmd_result = APPLICATION.execute(args) File "/opt/az/lib/python3.6/site-packages/azure/cli/core/application.py", line 216, in execute result = expanded_arg.func(params) File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/init.py", line 381, in call return self.handler(*args, **kwargs) File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/arm.py", line 341, in handler raise ex File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/arm.py", line 296, in handler instance = custom_function(instance, **custom_func_args) File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/network/custom.py", line 2081, in update_vnet_gateway private_ip_allocation_method='Dynamic', name='vnetGatewayConfig{}'.format(i)) TypeError: init() got multiple values for argument 'private_ip_allocation_method' Thanks — You are receiving this because your review was requested. Reply to this email directly, view it on GitHub<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FAzure%2Fazure-cli%2Fpull%2F2751%23issuecomment-353253304&data=02%7C01%7Caanandr%40microsoft.com%7C77710df1ed914964db0408d548286299%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636494260650267693&sdata=ADeJDytEApRKxm%2BTBci%2Bk2R%2FAjdD4cIv8MldjZOHTpI%3D&reserved=0>, or mute the thread<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAV3chQjZipxEjplp_Qpm3dLckql4RZ_Cks5tCdmOgaJpZM4MzMgN&data=02%7C01%7Caanandr%40microsoft.com%7C77710df1ed914964db0408d548286299%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636494260650267693&sdata=kWxtwnXV1TnqkPjJdtP1QSYCDaoeWP%2FOxTwHSOu26Eg%3D&reserved=0>.

[anzaman]

@blackhu269 Can you please post the exact command that you used? Also, are you able to set it to active-active using the portal or PowerShell? We'll check the CLI and post the results.

[blackhu269]

@anzaman

1. create the VPN GW with active-active through the Azure CLI.
   az group create --name TestRG2 --location chinanorth
   az network vnet create --name TestVNet1 --resource-group TestRG2 --address-prefix 10.11.0.0/16 --location chinanorth --subnet-name Subnet1 --subnet-prefix 10.11.0.0/24
   az network vnet subnet create --address-prefix 10.11.255.0/27 --name GatewaySubnet --resource-group TestRG2 --vnet-name TestVNet1
   az network public-ip create --name Internal-ip-2 --resource-group TestRG2 --allocation-method Dynamic
   az network public-ip create --name Internal-ip --resource-group TestRG2 --allocation-method Dynamic
   az network vnet-gateway create --name Internal-VPN --resource-group TestRG2 --vnet TestVNet1 --public-ip-addresses Internal-ip Internal-ip-2 --gateway-type Vpn --sku VpnGw1

2. then update the VPN GW to active-standby.
   az network vnet-gateway update --name Internal-VPN --resource-group TestRG2 --public-ip-addresses Internal-ip

[anzaman]

@blackhu269

Did you try to set it to active-standby using the portal or PowerShell? and what was the result? I am trying to isolate the issue and this would help narrow it.

[anzaman]

@blackhu269

Seems like powershell is the only way to successfully change the mode of the gateway https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-activeactive-rm-powershell#a-name-aaupdateapart-4---update-existing-gateway-between-active-active-and-active-standby . We are looking into the issues wit CLI and the portal.

[blackhu269]

@anzaman
Thanks for your feedback. the portal or PowerShell are both already tested to change from Active-Active to Active-standby, and only the PowerShell worked well.