Getting cannot parse the request exceptions when trying to create an NSG

[piter50]

I have been trying to create an NSG with the API, but for some reason, I am getting the CloudError: cannot parse the request.

I have a function to read and display existing NSGs in the subscription which works fine so I know it's not an authentication issue.
My API user has the Network Contributor role, but I also tested with it as owner so I don't think it's a permissions issue.

First i set up some security rules and append them to a list:

def security_rule_creation(security_list, name, source_subnet, destination_subnet, protocol,          
                           direction, ports, action, priority):
    security_rule = SecurityRule(
        protocol=protocol,
        source_address_prefix=source_subnet,
        destination_address_prefix=destination_subnet, access=action, 
        direction=direction, id=name,
        destination_port_range=ports, 
        source_port_range="*",
        priority=priority)
    security_list.append(security_rule)
    return

The subnets used whilst i test are just CIDR notated strings like "10.10.10.0/24".
A security rule example looks like

    security_rule_creation(security_list, "Allow-subnet-Out", source_subnet, 
                          destination_subnet, "*", "Outbound", "*", "Allow", 101)

Then I try to create the NSG:

network_security_group_create(network_client, location, rg_name, sec_gr_name, security_list)

def network_security_group_create(client, location, rg, name, rules):

    nsg = NetworkSecurityGroup(
        location=location,
        security_rules=rules,
        )

    try:
        nsg_result = client.network_security_groups.create_or_update(
            rg,
            name,
            nsg
        )
        nsg_result.wait()
   except CloudError as ce:
        print "Request Body: {}\n".format(ce.response.request.body)
        print "Request Headers: {}\n".format(ce.response.request.headers)
        print "Request URL: {}\n".format(ce.response.request.url)
        print
        print "Headers {}".format(ce.response.headers)
        print "Reason {}".format(ce.response.reason)
        print "URL {}".format(ce.response.url)
        print "text {}".format(ce.response.text)
        print "CloudError: {}".format(ce.error)

    return

I'm currently doing a try except to get a better idea of the headers which seem to look ok.
The Request body using example IPs looks like this:

Request Body: {"properties": {"securityRules": [{
    "properties": {
        "access": "Allow",
        "priority": 101,
        "direction": "Outbound",
        "protocol": "*",
        "sourceAddressPrefix": "10.1.2.0/24",
        "destinationPortRange": "*",
        "destinationAddressPrefix": "10.2.0.0/16",
        "sourcePortRange": "*"
}, "id": "Allow-subnet-Out"}]}, "location": "someplace"}

The Request URL:

Request URL: https://management.azure.com/subscriptions/111111-1111-1111-1111-111111111111/resourceGroups/RGNAME/providers/Microsoft.Network/networkSecurityGroups/NSGName?api-version=2016-06-01

Am I doing it wrong?

[lmazuel]

Hi @piter50

I tried exactly your parameters, and I'm not able to reproduce it (on azure-mgmt-network 0.30.0rc6). Could you confirm which version of azure-mgmt-network + msrest + msrestazure you use?

Also, CloudError has a message attribute, could you output the content of it?

FYI @annatisch

[piter50]

The message attribute is also
Message Cannot parse the request.

azure-mgmt-network (0.30.0rc6)
msrest (0.4.3)
msrestazure (0.4.2)

[lmazuel]

I copied/pasted your code and called it this way:

        security_list=[]
        source_subnet = '10.1.2.0/24'
        destination_subnet = '10.2.0.0/16'
        security_rule_creation(security_list, "Allow-subnet-Out", source_subnet, 
                               destination_subnet, "*", "Outbound", "*", "Allow", 101)
        network_security_group_create(
            self.network_client,
            'westus',
            self.group_name, "NSGName", security_list)

and I am still unable to reproduce it :(

[lmazuel]

The error you got is a denied from the RestAPI, so this is unlikely a Python problem, but it does not mean I can't help you to figure out the problem :)
Could check here:
https://azure.microsoft.com/documentation/articles/virtual-networks-nsg/

If you follow all instructions (naming convention, conflict, etc.). You might have just a bad error message from the RestAPI for a simple problem.

[piter50]

The NSG name is unique per the subscription (which is a new Subscription), no funny characters. I even tested changing the name of the NSG and security rules to short all caps names and still the error persists. The API access as mentioned is Network Contributor. location is northeurope.

[piter50]

I figured it out. In my create security rule function, I was doing id=name, but should have been doing name=name. Once I amended that it created right away.