I am trying to implement a strategy where I can create a NSG in one Azure subscription and use the same NSG resource to attach to any VMs or NICs created in other subscriptions and resource groups.
How can this implementation work via Terraform where I want to attach a single (default) NSG (created in a separate subscription) to multiple VMs and NICs in other subscriptions?
Default NSG for all Azure Subscriptions via Terraform:
Rules defined for a certain network security group with some network security rules will only apply to that resource group. As a result of this limitation for network security groups, it is not feasible to access an NSG in subscriptions other than the existing ones.
You cannot access an NSG that exists in one subscription in another, even though it is provided in the same region.
If you need to add network security in other subscriptions, you can consider the following methods:
Add multiple subscriptions in provider using alias while deploying Terraform code, as mentioned article by #Jeff Brown.
provider "azurerm"{
alias = "xx"
subscription = "subscription1"
features{}
}
provider "azurerm"{
alias = "xxdev"
subscription = "subscription2"
features{}
}
resource "azurerm_network_security_group" "example"{
//Add configuration
}
Note: Include azurerm providers to deploy the same NSG or any Azure resource across multiple subscriptions provided by subscription Ids.
terraform import can be used to import existing resources from anywhere.
terraform import azurerm_network_security_group.<NSG> <ResourceID>
Output:
Related
While creating aks cluster by using terraform and using existing values like resource group, vnet, subnet, network security group,
Deployment creating additional resource group, network security group, dns zone.
Do you have any idea how to stop that or disable?
Creating new RG with name MC_RG_XXXXXXXX
Good things:
Cluster getting created by using existing Vnet, subnet, cluster linked with existing RG but its creating network security Group and DNS Zones with new RG.
Any idea?
This is an automatic resource group created to house the cluster https://learn.microsoft.com/en-us/azure/aks/faq#why-are-two-resource-groups-created-with-aks , there is an option in preview to specify the name of this resource group using Azure CLI and within an ARM template https://learn.microsoft.com/en-us/azure/aks/faq#can-i-provide-my-own-name-for-the-aks-node-resource-group.
I'm not sure how this will map in Terraform though.
I have created an instance of Azure Kubernetes Service (AKS) and have discovered that apart from the resource group I created the AKS instance in, one more resource group is created for me.
Eg:
My AKS Resource Group: Production_MyAKSInstance
Additional Resource Group: MC_MyResourceGroup-Production_MyAKSInstance_westeurope
Is there a way to rename the Additional Resource Group something like Production_MyAKSInstance_Supportive?
You can't rename it however you can specify a name when you create the cluster.
https://learn.microsoft.com/en-us/azure/aks/faq
By default, AKS will name the node resource group
MC_resourcegroupname_clustername_location, but you can also provide
your own name.
To specify your own resource group name, install the aks-preview Azure
CLI extension version 0.3.2 or later. When you create an AKS cluster
by using the az aks create command, use the --node-resource-group
parameter and specify a name for the resource group. If you use an
Azure Resource Manager template to deploy an AKS cluster, you can
define the resource group name by using the nodeResourceGroup
property.
The secondary resource group is automatically created by the Azure
resource provider in your own subscription. You can specify a custom
resource group name only when you're creating the cluster. As you work
with the node resource group, keep in mind that you cannot:
Specify an existing resource group for the node resource group.
Specify a different subscription for the node resource group. Change
the node resource group name after the cluster has been created.
Specify names for the managed resources within the node resource
group. Modify or delete Azure-created tags of managed resources within
the node resource group.
#provider azurem.mgmt is Subscription A.
#prodiver azurem.corpapps is Subscription B.
I am trying to create nsg rule in Subscription A with Provider azurerm.mgmt. Here the destination application security group is in Subscription B with Provider azurerm.corpapps in this subscription.
provider "azurerm" {
client_id = "${var.client_id}"
client_secret = "${var.client_secret}"
tenant_id = "${var.tenant_id}"
subscription_id = "${var.subscription}"
alias = "mgmt"
}
provider "azurerm" {
client_id = "${var.client_id}"
client_secret = "${var.client_secret}"
tenant_id = "${var.tenant_id}"
subscription_id = "${var.subscription_B}"
alias = "corpapps"
}
Then i use the provider to get my asg from Subscription B as shown:
Then i use that reference in my nsg rule
However, i get error - saying the ASG is not found:
But, in azure portal the resource is already there as shown:
I have tried to assign the SP which has owner role on both subscriptions or using Azure account with CLI but it's no luck. Also, as the comment points out, there is a limitation that NSG does not reference ASG in different location. After my validation, you can not add the ASG from another subscription even it's in the same region as the NSG or targets VNet.
Moreover, when you add this ASG as the target source or destination in the NSG rules, you will see
Select an application security group (ASG) as the security rule
source. ASGs enable fine-grained network security policies based on
workloads or applications instead of IP addresses or CIDR blocks.
Rules specifying an application security group are only applied to
network interfaces that are members of the application security group
on the same virtual network.
I am having one resource group in my azure subscription name "demoterraform"
Now I would like to create one windows VM in this resource group, So I don't deploy new VM in existing resource group.
Use the azurerm_resource_group data source.
data "azurerm_resource_group" "demo" {
name = "demoterraform"
}
in the rest of the code you can refer to it with a similar expression data.azurerm_resource_group.demo.id.
I am working on building a multitenant application in Azure and though resources groups would be a good way to separate the tenants but could not find a way to add eventhub or service bus queues to a resource group. Is it possible?
As of today, No. From what I understand there's a concept of a resource provider for each resource type and a resource type must have a resource provider in order to be added to resource group (rather support Azure Resource Manager) and as of today there's no resource provider for Service Bus.