Add Azure network firewall rule with Bash - azure

I am creating a new Azure network firewall rule with Bash on the Azure CLI. I put in all the information regarding the network rule, i.e., resource group, firewall name, collection name, etc. After this issue, I am giving the policy argument, but it does not accept it.
Creating rule collection 'Local-Traffic-policy'.
(AzureFirewallPolicyAndRuleCollectionsConflict) Request parameter Firewall Policy FirewallPolicy and Rule Collection NetworkRuleCollections cannot coexist for the Azure Firewall /subscriptions/5ae002/resourceGroups/Admin_RGP/providers/Microsoft.Network/azureFirewalls/Azure-Firewall.
Code: AzureFirewallPolicyAndRuleCollectionsConflict
Message: Request parameter Firewall Policy FirewallPolicy and Rule Collection NetworkRuleCollections cannot coexist for the Azure Firewall /subscriptions/fd064/resourceGroups/Admin_RGP/providers/Microsoft.Network/azureFirewalls/Azure-Firewall.

I tried to reproduce the same in my environment and got the same error, like below:
Note that for the same Azure firewall resource, a firewall policy and a rule collection cannot coexist. Your error indicates that FirewallPolicy and Rule Collection NetworkRuleCollections cannot coexist for the Azure Firewall; try to create the firewall without a policy, like below:
# Create the firewall without --firewall-policy so that classic rule collections can be attached to it
az network firewall create \
--name <Test-FW01> \
--resource-group <RGNAME> \
--location eastus
# Static Standard-SKU public IP for the firewall
az network public-ip create \
--name fw-pip \
--resource-group <RGNAME> \
--location eastus \
--allocation-method static \
--sku standard
# Bind the public IP to the firewall inside a VNet that already has an AzureFirewallSubnet
az network firewall ip-config create \
--firewall-name <Test-FW01> \
--name FW-config \
--public-ip-address fw-pip \
--resource-group <RGNAME> \
--vnet-name Test-FW-VN
# Apply the configuration
az network firewall update \
--name <Test-FW01> \
--resource-group <RGNAME>
az network public-ip show \
--name fw-pip \
--resource-group <RGNAME>
# Capture the firewall's private IP for use as a route next hop
fwprivaddr="$(az network firewall ip-config list -g <RGNAME> -f <Test-FW01> --query "[?name=='FW-config'].privateIpAddress" --output tsv)"
Now I added an Application rule collection and a Network rule collection, like below:
az network firewall application-rule create \
--collection-name <Coll01> \
--firewall-name <Test-FW01> \
--name Allow-Google \
--protocols Http=80 Https=443 \
--resource-group <RGNAME> \
--target-fqdns www.google.com \
--source-addresses 10.0.2.0/24 \
--priority 200 \
--action Allow
Network Firewall Rule
az network firewall network-rule create \
--collection-name <Net-Coll01> \
--destination-addresses 209.244.0.3 209.244.0.4 \
--destination-ports 53 \
--firewall-name <Test-FW01> \
--name Allow-DNS \
--protocols UDP \
--resource-group <RGNAME> \
--priority 200 \
--source-addresses 10.0.2.0/24 \
--action Allow
Reference:
Deploy and configure Azure Firewall using Azure CLI | Microsoft Learn
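A pre-flight check for the conflict the error above reports, as an added example that is not code from the answer or from Microsoft: it reads a constructed `az network firewall show -o json` document, tells you whether the firewall is policy-managed or classic, and builds the matching command for the Allow-DNS rule. The policy-mode command form is taken from the az CLI reference rather than from this page, and the rule-collection-group name is an assumed placeholder.

```python
import json
import shlex

# Constructed samples of `az network firewall show -o json`, trimmed to the fields
# the check needs. A firewall created without --firewall-policy has
# "firewallPolicy": null; one attached to a policy carries the policy's id.
POLICY_MANAGED_FIREWALL = json.loads("""
{
  "name": "Azure-Firewall",
  "resourceGroup": "Admin_RGP",
  "firewallPolicy": {
    "id": "/subscriptions/<sub-id>/resourceGroups/Admin_RGP/providers/Microsoft.Network/firewallPolicies/Local-Traffic-policy"
  },
  "networkRuleCollections": []
}
""")

CLASSIC_FIREWALL = json.loads("""
{
  "name": "Test-FW01",
  "resourceGroup": "RGNAME",
  "firewallPolicy": null,
  "networkRuleCollections": [{"name": "Net-Coll01", "priority": 200}]
}
""")


def rule_mode(firewall):
    """'policy' if a Firewall Policy is attached, else 'classic'.

    The two are mutually exclusive on one firewall: running the classic
    `network-rule create` against a policy-managed firewall is exactly what
    produces AzureFirewallPolicyAndRuleCollectionsConflict.
    """
    return "policy" if firewall.get("firewallPolicy") else "classic"


def dns_rule_command(firewall, rg):
    """argv for adding the page's Allow-DNS rule in the mode this firewall supports."""
    src, dst, port, proto = "10.0.2.0/24", ["209.244.0.3", "209.244.0.4"], "53", "UDP"
    if rule_mode(firewall) == "classic":
        return ["az", "network", "firewall", "network-rule", "create",
                "--resource-group", rg, "--firewall-name", firewall["name"],
                "--collection-name", "Net-Coll01", "--name", "Allow-DNS",
                "--priority", "200", "--action", "Allow", "--protocols", proto,
                "--source-addresses", src, "--destination-addresses", *dst,
                "--destination-ports", port]
    # Policy mode: rules live in a rule collection group on the policy, not on the
    # firewall. The group must already exist (az network firewall policy
    # rule-collection-group create); its name below is an assumed placeholder.
    policy_name = firewall["firewallPolicy"]["id"].rsplit("/", 1)[-1]
    return ["az", "network", "firewall", "policy", "rule-collection-group",
            "collection", "add-filter-collection",
            "--resource-group", rg, "--policy-name", policy_name,
            "--rule-collection-group-name", "DefaultNetworkRuleCollectionGroup",
            "--name", "Net-Coll01", "--collection-priority", "200",
            "--action", "Allow", "--rule-type", "NetworkRule",
            "--rule-name", "Allow-DNS", "--ip-protocols", proto,
            "--source-addresses", src, "--destination-addresses", *dst,
            "--destination-ports", port]


if __name__ == "__main__":
    for fw in (POLICY_MANAGED_FIREWALL, CLASSIC_FIREWALL):
        print(fw["name"], "->", rule_mode(fw))
        print("  ", shlex.join(dns_rule_command(fw, fw["resourceGroup"])))
```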

Related

Azure: VM in another spoke virtual network cannot be accessed via RDP

I have the following Vnets
vnet-hub-poc-hubspoke is the Hub Vnet
it has the following subnets
with a firewall
and peered with Prod & Dev Vnets
Prod Vnet is configured as shown below
Dev Vnet is configured as shown below
I have following VMs created - one in each Vnet
with the below rules
I have the following Route tables
with the below configuration
I am able to ping the Firewall from both the VMs, however I am not able to RDP.
What am I missing?
Update: I guess the request is going to the Firewall (10.11.253.4) but getting timed out.
C:\Users\kavija>tracert 10.13.2.4
Tracing route to 10.13.2.4 over a maximum of 30 hops
Update#2: I have used the below script
# Define Variable
rgName=SpokeToSpoke
location=eastus
hubVNetName=vnet-hub
prodVnetName=vnet-prod
devVnetName=vnet-dev
myFirewallPublicIPName="firewallPublicIP"
azFirewallName="azFirewallName"
azureworkloadRG="AzureProdWorkLoad"
azureDevWorkloadRG="AzureDevWorkLoad"
VmUser="demouserXXX"
AdminPassword="<strong-password>"   # placeholder added here; the original script uses this variable without defining it
VmName1="ProdSever"
VmName2="DevSever"
fwRouteTableProdName=prod-route-table
fwRouteTableDevName=dev-route-table
bastionName="MyBastion"
bastionPIPName="bastionpip"
rdpRuleName=AllowRDP
priority=200
rgroup=prod-ukw-core-rg
access=Allow
description="Allow RDP from office IP address"
destPort=3389
direction=Inbound
protocol=TCP
# Create Resource Group
az group create --name $rgName --location $location
# Create Azure Hub VNET
az network vnet create -g $rgName --name $hubVNetName --address-prefixes 10.11.0.0/16 --location $location
az network vnet subnet create -g $rgName --vnet-name $hubVNetName --name Management --address-prefix 10.11.1.0/24
az network vnet subnet create -g $rgName --vnet-name $hubVNetName --name AppGatewaySubnet --address-prefix 10.11.252.0/26
az network vnet subnet create -g $rgName --vnet-name $hubVNetName --name AzureBastionSubnet --address-prefix 10.11.252.64/27
az network vnet subnet create -g $rgName --vnet-name $hubVNetName --name AzureFirewallSubnet --address-prefix 10.11.253.0/26
az network vnet subnet create -g $rgName --vnet-name $hubVNetName --name GatewaySubnet --address-prefix 10.11.254.0/27
# Create Azure Dev VNET
az network vnet create -g $rgName --name $devVnetName --address-prefixes 10.12.0.0/16 --location $location
az network vnet subnet create -g $rgName --vnet-name $devVnetName --name Management --address-prefix 10.12.1.0/24
az network vnet subnet create -g $rgName --vnet-name $devVnetName --name Workload1 --address-prefix 10.12.2.0/24
# Create Azure Prod VNET
az network vnet create -g $rgName --name $prodVnetName --address-prefixes 10.13.0.0/16 --location $location
az network vnet subnet create -g $rgName --vnet-name $prodVnetName --name Management --address-prefix 10.13.1.0/24
az network vnet subnet create -g $rgName --vnet-name $prodVnetName --name Workload1 --address-prefix 10.13.2.0/24
# Dev Subnet NSG
az network nsg create -g $rgName -n Dev-Management-subnet -l $location -o table
az network nsg create -g $rgName -n Dev-Workload1-subnet -l $location -o table
az network vnet subnet update -g $rgName --vnet-name $devVnetName --name Management --network-security-group Dev-Management-subnet
az network vnet subnet update -g $rgName --vnet-name $devVnetName --name Workload1 --network-security-group Dev-Workload1-subnet
# Prod Subnet NSG
az network nsg create -g $rgName -n Prod-Management-subnet -l $location -o table
az network nsg create -g $rgName -n Prod-Workload1-subnet -l $location -o table
az network vnet subnet update -g $rgName --vnet-name $prodVnetName --name Management --network-security-group Prod-Management-subnet
az network vnet subnet update -g $rgName --vnet-name $prodVnetName --name Workload1 --network-security-group Prod-Workload1-subnet
# Enable RDP at NSG Level for Dev Workload
az network nsg rule create --name $rdpRuleName --nsg-name Dev-Workload1-subnet --priority $priority --resource-group $rgName --access $access --description "$description" --destination-port-ranges $destPort --direction $direction --protocol $protocol --source-address-prefixes "*"
# Enable RDP at NSG Level for Prod Workload
az network nsg rule create --name $rdpRuleName --nsg-name Prod-Workload1-subnet --priority $priority --resource-group $rgName --access $access --description "$description" --destination-port-ranges $destPort --direction $direction --protocol $protocol --source-address-prefixes "*"
# Create Firewall
az network public-ip create --name $myFirewallPublicIPName --resource-group $rgName --sku Standard --allocation-method Static
az network firewall create -g $rgName -n $azFirewallName --vnet-name $hubVNetName --sku AZFW_VNet --tier Standard
az network firewall ip-config create --firewall-name $azFirewallName --name FW-config1 --public-ip-address $myFirewallPublicIPName --resource-group $rgName --vnet-name $hubVNetName
az network firewall update --name $azFirewallName --resource-group $rgName
fwprivaddr="$(az network firewall ip-config list -g $rgName -f $azFirewallName --query "[?name=='FW-config1'].privateIpAddress" --output tsv)"
# Hub-Spoke-Hub Peering
az network vnet peering create -g $rgName --name HUBtoProd --vnet-name $hubVNetName --remote-vnet $prodVnetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit
az network vnet peering create -g $rgName --name HUBtoDEV --vnet-name $hubVNetName --remote-vnet $devVnetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit
az network vnet peering create -g $rgName --name ProdtoHUB --vnet-name $prodVnetName --remote-vnet $hubVNetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit
az network vnet peering create -g $rgName --name DEVtoHUB --vnet-name $devVnetName --remote-vnet $hubVNetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit
# Create Route table from Dev to Hub
az network route-table create --name $fwRouteTableDevName -g $rgName -l $location --disable-bgp-route-propagation true
az network route-table route create -g $rgName --name DevToProdSubnet-Route --route-table-name $fwRouteTableDevName --address-prefix 10.13.0.0/16 --next-hop-type VirtualAppliance --next-hop-ip-address $fwprivaddr
az network vnet subnet update -g $rgName --vnet-name $devVnetName -n Workload1 --address-prefixes 10.12.2.0/24 --route-table $fwRouteTableDevName
# Create Route table from Prod to Hub
az network route-table create --name $fwRouteTableProdName -g $rgName -l $location --disable-bgp-route-propagation true
az network route-table route create -g $rgName --name ProdToHubSubnet-Route --route-table-name $fwRouteTableProdName --address-prefix 10.12.0.0/16 --next-hop-type VirtualAppliance --next-hop-ip-address $fwprivaddr
az network vnet subnet update -g $rgName --vnet-name $prodVnetName -n Workload1 --address-prefixes 10.13.2.0/24 --route-table $fwRouteTableProdName
# Create Azure Bastion for Azure
az network public-ip create --resource-group $rgName --name $bastionPIPName --sku Standard --location $location
az network bastion create --name $bastionName --public-ip-address $bastionPIPName --resource-group $rgName --vnet-name $hubVNetName --location $location
# Create VM in Dev Vnet - Workload1 Subnet to test Spoke-to-Spoke communication
az group create --name $azureDevWorkloadRG --location $location
devWorkLoadSubNetID=$(az network vnet subnet show --resource-group $rgName --name "Workload1" --vnet-name $devVnetName --query id -o tsv)
az vm create --resource-group $azureDevWorkloadRG --name $VmName2 --image win2016datacenter --admin-username $VmUser --admin-password $AdminPassword --size Standard_B1s --use-unmanaged-disk --storage-sku Standard_LRS --subnet $devWorkLoadSubNetID --nsg "" --public-ip-address ""
# Create VM in Prod VNet - Workload1 Subnet
az group create --name $azureworkloadRG --location $location
prodWorkLoadSubNetID=$(az network vnet subnet show --resource-group $rgName --name "Workload1" --vnet-name $prodVnetName --query id -o tsv)
az vm create --resource-group $azureworkloadRG --name $VmName1 --image win2016datacenter --admin-username $VmUser --admin-password $AdminPassword --size Standard_B1s --use-unmanaged-disk --storage-sku Standard_LRS --subnet $prodWorkLoadSubNetID --nsg "" --public-ip-address ""
Update#3: I tried creating the Gateway as well
# Azure VNET Gateway
az network public-ip create -g $rgName --name pip-hub-gateway --allocation-method dynamic --dns-name $hubVNetName
az network vnet-gateway create -g $rgName --name vgw --vnet $hubVNetName --public-ip-address pip-hub-gateway --gateway-type vpn --client-protocol SSTP --sku Basic
az network vnet peering create -g $rgName --name ProdtoHUB --vnet-name $prodVnetName --remote-vnet $hubVNetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit --use-remote-gateways
az network vnet peering create -g $rgName --name DEVtoHUB --vnet-name $devVnetName --remote-vnet $hubVNetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit --use-remote-gateways
az network route-table route create -g $rgName --name DevToProdSubnet-Route --route-table-name $fwRouteTableDevName --address-prefix 10.13.0.0/16 --next-hop-type VirtualNetworkGateway
az network route-table route create -g $rgName --name ProdToHubSubnet-Route --route-table-name $fwRouteTableProdName --address-prefix 10.12.0.0/16 --next-hop-type VirtualNetworkGateway
Remote Desktop can't connect to the remote computer for one of these reasons:
Remote access to the service is not enabled
The remote computer is turned off (verified through the Azure Portal that it is turned on, because Start is faded while Restart and Stop are not)
The remote computer is not available on the network.
To resolve this issue, please check that your VM resource health is in a healthy state; this may impact connectivity to the VM in the Azure platform. If it's not healthy, you can diagnose and solve the problem.
Try to reset the password configuration only; this will help to prevent the RDP configuration issue when Remote Connections is deactivated, or RDP is being blocked by Windows Firewall rules. Then try to access RDP.
Make sure you have configured Boot diagnostics; try to enable diagnostics, then you can see the screenshot of the boot diagnostics, download the serial log, investigate the console log and verify the additional information in it to determine why RDP is not functioning in your situation.
Try to reset your user credentials: provide the username and password and update. It resets the local administrator password; then try to access RDP.
Or else, in the virtual machine -> Networking under Settings -> click on your network interface (e.g. web server) -> in the network interface -> IP configuration, click on the private IP address.
Try to change the Assignment to Static, provide a different static IP address, save, and try to access the VM through RDP; once RDP is connected, change it back to Dynamic.
Suppose you are not able to access RDP; try to Redeploy as below. It will redeploy the virtual machine to another host within Azure; if there is any underlying issue or networking issue, redeploying can resolve it. Ephemeral disk data will be lost and dynamic IP addresses that are associated with the VM are updated.
What kind of firewall rules do you have?
I have three more suggestions:
1) Check if you have an NSG attached to the VM NICs
Using both subnet-attached and NIC-attached NSG rules is not recommended. Not sure from the screenshot if the subnet-attached NSG is the only NSG.
Default rule 65000 should allow access from the peered VNet anyway.
Unless you have a specific reason to, we recommend that you associate a network security group to a subnet, or a network interface, but not both. Since rules in a network security group associated to a subnet can conflict with rules in a network security group associated to a network interface, you can have unexpected communication problems that require troubleshooting.
ref: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
2) Check RDP setting
I personally had to run reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v MaxOutstandingConnections /t REG_DWORD /d 10000 on the serial console for a few installations to get RDP working
3) Capture network traffic
Capture network traffic on the destination subnet to see
if traffic goes through the firewall,
and to see if the destination VM sends back ACK packets for the initial SYN segments.
Then compare captured traffic with firewall rules, statistics and log to find out if firewall is blocking access.
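A flow check for the spoke-to-spoke RDP path, as an added example that is not part of any answer here: it models the asker's Update#2 script (the UDRs, the peerings with forwarded traffic, the NSGs opening 3389 from "*", and the absence of any Azure Firewall rule) and reports which hop blocks TCP/3389. The subnet prefixes and the firewall private IP 10.11.253.4 are taken from the question; the model structure and the rule tuples are constructed for this example.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the Update#2 script: two spokes, UDRs pointing at the hub
# firewall's private IP, spoke-to-hub peerings with forwarded traffic allowed,
# NSGs that open 3389 from "*", and, exactly as in that script, no firewall rule.
FW_IP = "10.11.253.4"
MODEL = {
    "subnets": {
        "vnet-dev/Workload1": {
            "prefix": "10.12.2.0/24", "vnet": "vnet-dev",
            "routes": [("10.13.0.0/16", "VirtualAppliance", FW_IP)],   # dev-route-table
            "nsg_inbound": [("Allow", "TCP", 3389, "*")],              # AllowRDP
        },
        "vnet-prod/Workload1": {
            "prefix": "10.13.2.0/24", "vnet": "vnet-prod",
            "routes": [("10.12.0.0/16", "VirtualAppliance", FW_IP)],   # prod-route-table
            "nsg_inbound": [("Allow", "TCP", 3389, "*")],              # AllowRDP
        },
    },
    # spoke -> hub peering: does it carry --allow-forwarded-traffic?
    "spoke_peering_forwarded": {"vnet-dev": True, "vnet-prod": True},
    # Azure Firewall network rules as (action, protocol, src_prefix, dst_prefix, port)
    "fw_rules": [],
}


def subnet_for(model, ip):
    """Name and record of the modelled subnet that contains ip."""
    for name, sub in model["subnets"].items():
        if ip_address(ip) in ip_network(sub["prefix"]):
            return name, sub
    raise ValueError(f"{ip} is in no modelled subnet")


def next_hop(subnet, dst):
    """Longest-prefix match over the subnet's UDRs; None means only system routes apply."""
    hits = [r for r in subnet["routes"] if ip_address(dst) in ip_network(r[0])]
    return max(hits, key=lambda r: ip_network(r[0]).prefixlen, default=None)


def matches(prefix, ip):
    return prefix == "*" or ip_address(ip) in ip_network(prefix)


def trace_rdp(model, src, dst, port=3389):
    """Walk one TCP flow src -> dst through the model and return (allowed, findings).
    The checks are the ones the answers above ask for: UDR next hop, peering
    forwarding, an explicit firewall Allow, the return route, and the NSG."""
    findings, ok = [], True
    sname, ssub = subnet_for(model, src)
    dname, dsub = subnet_for(model, dst)
    fwd = next_hop(ssub, dst)
    if fwd is None or fwd[1] != "VirtualAppliance" or fwd[2] != FW_IP:
        ok = False
        findings.append(f"{sname}: no UDR sends {dst} to the firewall {FW_IP}; the spokes "
                        "are not peered with each other, so the packet has nowhere to go")
    for vnet in (ssub["vnet"], dsub["vnet"]):
        if not model["spoke_peering_forwarded"].get(vnet):
            ok = False
            findings.append(f"{vnet}: peering to the hub lacks --allow-forwarded-traffic")
    if not any(a == "Allow" and p in ("TCP", "Any") and matches(s, src)
               and matches(d, dst) and pt == port
               for a, p, s, d, pt in model["fw_rules"]):
        ok = False
        findings.append(f"firewall: no network rule allows TCP/{port} {src} -> {dst}; "
                        "Azure Firewall denies by default, so an explicit Allow is needed")
    back = next_hop(dsub, src)
    if back is None or back[2] != FW_IP:
        ok = False
        findings.append(f"{dname}: the return route for {src} bypasses the firewall "
                        "(asymmetric path; the stateful firewall never sees the SYN-ACK)")
    nsg = [r for r in dsub["nsg_inbound"]
           if r[0] == "Allow" and r[1] == "TCP" and r[2] == port and matches(r[3], src)]
    if not nsg:
        ok = False
        findings.append(f"{dname}: NSG has no inbound Allow for TCP/{port} from {src}")
    elif any(r[3] == "*" for r in nsg):
        findings.append(f"{dname}: NSG opens TCP/{port} from '*'; narrowing the source to "
                        f"{ssub['prefix']} costs nothing here (warning only)")
    return ok, findings


def with_fw_rule(model, rule):
    """Copy of the model with one extra firewall network rule (the fix that is missing)."""
    return {**model, "fw_rules": model["fw_rules"] + [rule]}


if __name__ == "__main__":
    fixed = with_fw_rule(MODEL, ("Allow", "TCP", "10.12.2.0/24", "10.13.2.0/24", 3389))
    for m in (MODEL, fixed):
        allowed, notes = trace_rdp(m, "10.12.2.4", "10.13.2.4")
        print("ALLOWED" if allowed else "BLOCKED", *notes, sep="\n  ")
```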
Using the script below, I was able to establish communication between the spoke networks
Reference:
https://github.com/jillesca/azure/tree/main/hub%20%26%20spoke
az group create --name techTalk --location eastus
az network vnet create \
--name hub-vnet \
--resource-group techTalk \
--subnet-name hub-subnet \
--address-prefixes 10.0.0.0/16 \
--subnet-prefixes 10.0.1.0/24
az network vnet create \
--name spoke1-vnet \
--resource-group techTalk \
--subnet-name spoke1-subnet \
--address-prefixes 10.1.0.0/16 \
--subnet-prefixes 10.1.1.0/24
az network vnet create \
--name spoke2-vnet \
--resource-group techTalk \
--subnet-name spoke2-subnet \
--address-prefixes 10.2.0.0/16 \
--subnet-prefixes 10.2.1.0/24
az network vnet subnet create \
--vnet-name hub-vnet \
--name GatewaySubnet \
--resource-group techTalk \
--address-prefix 10.0.255.0/27
az network public-ip create \
--name gateway-ip-address \
--resource-group techTalk \
--allocation-method Dynamic \
--sku Basic
az network vnet-gateway create \
--name vnet-Gateway \
--location eastus \
--public-ip-address gateway-ip-address \
--resource-group techTalk \
--vnet hub-vnet \
--gateway-type Vpn \
--sku Standard \
--vpn-type RouteBased \
--no-wait
az network route-table create \
--resource-group techTalk \
--name spoke1RouteTable
az network route-table route create \
--name spoke1ToSpoke2 \
--resource-group techTalk \
--route-table-name spoke1RouteTable \
--address-prefix 10.2.1.0/24 \
--next-hop-type VirtualNetworkGateway
az network vnet subnet update \
--vnet-name spoke1-vnet \
--name spoke1-subnet \
--resource-group techTalk \
--route-table spoke1RouteTable
az network route-table create \
--resource-group techTalk \
--name spoke2RouteTable
az network route-table route create \
--name spoke2ToSpoke1 \
--resource-group techTalk \
--route-table-name spoke2RouteTable \
--address-prefix 10.1.1.0/24 \
--next-hop-type VirtualNetworkGateway
az network vnet subnet update \
--vnet-name spoke2-vnet \
--name spoke2-subnet \
--resource-group techTalk \
--route-table spoke2RouteTable
az network vnet peering create \
--resource-group techTalk \
--name spoke1-Peering \
--vnet-name hub-vnet \
--remote-vnet spoke1-vnet \
--allow-vnet-access \
--allow-gateway-transit \
--allow-forwarded-traffic
az network vnet peering create \
--resource-group techTalk \
--name spoke1-hub-Peering \
--vnet-name spoke1-vnet \
--remote-vnet hub-vnet \
--allow-vnet-access \
--use-remote-gateways
az network vnet peering create \
--resource-group techTalk \
--name spoke2-Peering \
--vnet-name hub-vnet \
--remote-vnet spoke2-vnet \
--allow-vnet-access \
--allow-gateway-transit \
--allow-forwarded-traffic
az network vnet peering create \
--resource-group techTalk \
--name spoke2-hub-Peering \
--vnet-name spoke2-vnet \
--remote-vnet hub-vnet \
--allow-vnet-access \
--use-remote-gateways
az network nsg create -g techTalk -n spoke1-subnet-ng -l eastus
az network nsg create -g techTalk -n spoke2-subnet-ng -l eastus
az network vnet subnet update \
--vnet-name spoke1-vnet \
--name spoke1-subnet \
--resource-group techTalk \
--route-table spoke1RouteTable \
--network-security-group spoke1-subnet-ng
az network vnet subnet update \
--vnet-name spoke2-vnet \
--name spoke2-subnet \
--resource-group techTalk \
--route-table spoke2RouteTable \
--network-security-group spoke2-subnet-ng
az network nsg rule create --name rdpRule --nsg-name spoke1-subnet-ng --priority 200 --resource-group techTalk --access Allow --description "Allow RDP" --destination-port-ranges 3389 --direction Inbound --protocol TCP --source-address-prefixes "*"
az network nsg rule create --name rdpRule --nsg-name spoke2-subnet-ng --priority 200 --resource-group techTalk --access Allow --description "Allow RDP" --destination-port-ranges 3389 --direction Inbound --protocol TCP --source-address-prefixes "*"
az network vnet subnet create -g techTalk --vnet-name hub-vnet --name AzureBastionSubnet --address-prefix 10.0.252.64/27
az network public-ip create --resource-group techTalk --name bastionpip --sku Standard --location eastus
az network bastion create --name MyBastion --public-ip-address bastionpip --resource-group techTalk --vnet-name hub-vnet --location eastus --no-wait
# Placeholders for the VM credentials; the original script used these variables without defining them
VmUser="<admin-username>"
AdminPassword="<strong-password>"
# Create VM in spoke1-vnet / spoke1-subnet to test spoke-to-spoke communication
devWorkLoadSubNetID=$(az network vnet subnet show --resource-group techTalk --name spoke1-subnet --vnet-name spoke1-vnet --query id -o tsv)
az vm create --resource-group techTalk --name VM1 --image win2016datacenter --admin-username $VmUser --admin-password $AdminPassword --size Standard_B1s --use-unmanaged-disk --storage-sku Standard_LRS --subnet $devWorkLoadSubNetID --nsg "" --public-ip-address "" --no-wait
# Create VM in spoke2-vnet / spoke2-subnet
prodWorkLoadSubNetID=$(az network vnet subnet show --resource-group techTalk --name spoke2-subnet --vnet-name spoke2-vnet --query id -o tsv)
az vm create --resource-group techTalk --name VM2 --image win2016datacenter --admin-username $VmUser --admin-password $AdminPassword --size Standard_B1s --use-unmanaged-disk --storage-sku Standard_LRS --subnet $prodWorkLoadSubNetID --nsg "" --public-ip-address "" --no-wait

Azure - cannot get "Network Profile"

My admin in Azure, with full permissions, runs the command to retrieve the network profile ID for the deployed Virtual Network and Subnet which we are using, but the command always returns an empty response:
az network profile list --resource-group myResourceGroup \
--query [0].id --output tsv
It has permissions and the resourceGroup value is correct; what could be the case?
Why does it get an empty response? It is really essential for us to retrieve this value.
The output should contain value in this format:
/subscriptions/<Subscription ID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkProfiles/aci-network-profile-aci-vnet-aci-subnet
Thank you
You could verify whether you have deployed ACI in that VNet instead of only a standard VNet. When you use az network profile, currently only Azure Container Instances are supported.
When you first use the az container create command to deploy a container group to a subnet (and thus a virtual network), Azure creates a network profile for you. You can then use that network profile for future deployments to the subnet.
For example, if you create a container group in a new VNet or an existing VNet, referring to this:
az container create \
--name appcontainer \
--resource-group myResourceGroup \
--image mcr.microsoft.com/azuredocs/aci-helloworld \
--vnet aci-vnet \
--vnet-address-prefix 10.0.0.0/16 \
--subnet aci-subnet \
--subnet-address-prefix 10.0.0.0/24
Then you can list the network profile in that resource group.
Update
If you want to deploy a container in an existing VNet, you can deploy it like this with --vnet NAME --subnet NAME | --vnet ID --subnet NAME | --subnet ID:
az container create --name appcontainer --resource-group nancylab --image mcr.microsoft.com/azuredocs/aci-helloworld --vnet aci-vnet --subnet subnet1

Unable to add spot node pool to Azure Kubernetes Cluster

AWS-CLI
azure-cli 2.12.0
core 2.12.0
telemetry 1.0.6
Extensions:
aks-preview 0.4.63
Following the instructions on Microsoft site: https://learn.microsoft.com/en-us/azure/aks/spot-node-pool
Ran the following
# Create a resource group in West US 2
az group create --name myResourceGroup --location westus2
# Create a basic single-node AKS cluster
az aks create \
--resource-group myResourceGroup \
--name myAKSCluster \
--vm-set-type VirtualMachineScaleSets \
--node-count 1 \
--generate-ssh-keys \
--load-balancer-sku standard
az aks get-credentials --resource-group myResourceGroup --name myAKSCluster
az aks nodepool add \
--resource-group myResourceGroup \
--cluster-name myAKSCluster \
--name spotnodepool \
--priority Spot \
--spot-max-price -1 \
--eviction-policy Delete \
--node-vm-size Standard_D2as_v4 \
--node-count 1
Got the following error:
Error code:
ValidationError: Operation failed with status: 'Bad Request'. Details: Provisioning of resource(s) for Agent Pool spotnodepool failed. Error: {
"code": "InvalidTemplateDeployment",
"message": "The template deployment failed with error: 'The resource with id: '/subscriptions/REDACTED/resourceGroups/MC_myResourceGroup_myAKSCluster_westus2/providers/Microsoft.Compute/virtualMachineScaleSets/aks-REDACTED-vmss' failed validation with message: 'The requested size for resource '/subscriptions/REDACTED/resourceGroups/MC_myResourceGroup_myAKSCluster_westus2/providers/Microsoft.Compute/virtualMachineScaleSets/aks-REDACTED-vmss' is currently not available in location 'westus2' zones '' for subscription 'REDACTED'. Please try another size or deploy to a different location or zones. See https://aka.ms/azureskunotavailable for details.'.'."
}
I have tried other AZ regions, useast, uswest2, etc., but with no luck.
If I run the following it will work:
az aks nodepool add \
--resource-group myResourceGroup \
--cluster-name myAKSCluster \
--name mynodepool \
--node-count 1
Is spot node pool not supported? It is in the official docs: https://learn.microsoft.com/en-us/cli/azure/ext/aks-preview/aks/nodepool?view=azure-cli-latest
I just realised that this is not an AKS or Spot issue. This is a subscription issue.
In the docs (https://learn.microsoft.com/en-us/azure/virtual-machines/spot-vms#limitations) it says that only Pay-As-You-Go subscriptions are allowed to use spot instances. I just recently upgraded to the Pay-As-You-Go model but my offerID is still stuck as "Free Trial"; I just need to be patient for it to change over.

Unable to deploy Azure Function with Premium Service Plan

When I try to create a FunctionApp Premium Plan using the following commands:
# Create a Resource Group
az group create \
--name $rg_name \
--location $az_loc
# Create a Function App Storage Account
az storage account create \
--name $fa_storage_name \
--resource-group $rg_name \
--location $az_loc \
--sku Standard_LRS
# Create a Premium plan
az functionapp plan create \
--name $fap_name \
--resource-group $rg_name \
--location $az_loc \
--sku P2v2
I receive an error:
The requested app service plan cannot be created in the current
resource group because it is hosting Linux apps. Please choose a
different resource group or create a new one.
I also tried the SKU EP2 with the same result. The SKUs are really hard to find in the docs(!). Does anyone know which SKUs work with Linux Azure Functions and what I might be missing here?
This is a common error.
The solution is to create a new Resource Group and put the function app in it.
The problem comes from the conflict between Azure Function plans based on Windows and those based on Linux.
Creating a new Resource Group is the only way, and take care to separate Linux-based and Windows-based functions in your development.
Here is what ended up working for me. Note the --is-linux true flag in az functionapp plan create and the --plan flag in az functionapp create:
# Create a Premium plan
az functionapp plan create \
--name $fap_name \
--is-linux true \
--resource-group $rg_name \
--location $az_loc \
--sku EP2
# Create Function App (container for Azure Function)
#--consumption-plan-location $az_loc \
az functionapp create \
--name $fa_name \
--resource-group $rg_name \
--storage-account $fa_storage_name \
--plan $fap_name \
--os-type Linux \
--runtime python \
--runtime-version 3.7 \
--subscription $az_sub \
--functions-version 2
There is a current limitation where Windows and Linux apps cannot exist in the same resource group.
https://learn.microsoft.com/en-us/azure/app-service/containers/app-service-linux-intro#limitations
Therefore, it was failing when deploying a Windows resource and worked when --is-linux was set to true.

re-naming resources in Azure

Is there a way to rename resources in Azure? I created a VM and Azure has created a number of resources with some unfriendly names. Specifically the NIC: Azure named it Interlinkclone-nic-5a216a7b39ac47d3be6f9e6415221161, which is really a pain to type in the CLI.
I tried to create another NIC but I can't find how to attach it to the VM.
Currently, Azure does not support renaming a NIC. Please refer to this feedback.
But you could create the NIC with a specified name first, then attach it to the VM when you create the VM. You could use the following example.
##create NIC with specified name
az network nic create \
--resource-group myResourceGroup \
--name myNic \
--vnet-name myVnet \
--subnet mySubnet \
--public-ip-address myPublicIP \
--network-security-group myNetworkSecurityGroup
##create VM
az vm create \
--resource-group myResourceGroup \
--name myVM \
--location eastus \
--availability-set myAvailabilitySet \
--nics myNic \
--image UbuntuLTS \
--admin-username azureuser \
--generate-ssh-keys
For more information about this, please refer to this link.
If you want to add a new NIC to your VM, you could also check this official document.
