I created a Databricks workspace using the Azure CLI:
az databricks workspace create \
--name myprj-t-dbx \
--location canadacentral \
--resource-group rg-myprj-t \
--managed-resource-group myprj-t-dbx-mrg \
--sku Premium \
--private-subnet /subscriptions/2208da08-xxxxxxxxxxx27/resourceGroups/rg-da-t-vnet/providers/Microsoft.Network/virtualNetworks/da-t-vnet/subnets/myprj-dbx-priv-t-snet \
--public-subnet /subscriptions/2208da08-xxxxxxxxxxx27/resourceGroups/rg-da-t-vnet/providers/Microsoft.Network/virtualNetworks/da-t-vnet/subnets/myprj-dbx-publ-t-snet
The subnets are created in advance by our network engineers.
They want me to use private endpoints on vnet to connect to the workspace.
When I try to create it (using a third subnet):
az network private-endpoint create \
--name myprj-t-dbx-pep \
--connection-name myprj-t-dbx-pepc \
--private-connection-resource-id /subscriptions/2208da08xxxxxxxxxx27/resourceGroups/rg-myprj-t/providers/Microsoft.Databricks/workspaces/myprj-t-dbx \
--subnet /subscriptions/2208da08-xxxxxxxxxxx27/resourceGroups/rg-da-t-vnet/providers/Microsoft.Network/virtualNetworks/da-t-vnet/subnets/myprj-t-snet \
--group-id web \
--resource-group rg-myprj-t
I get:
ERROR: (NonVNetInjectedWorkspaceNotSupported) Call to Microsoft.Databricks/workspaces failed.
Error message: The workspace 'myprj-t-dbx' is not custom VNet injected.
Currently only custom VNet injected workspaces can create private endpoint connection
I think that you're missing the --vnet argument to az databricks workspace create. You need to provide the name of the VNet as well.
P.S. I would also recommend passing --enable-no-public-ip to avoid having public IPs for the cluster nodes.
I've changed the way that I am creating the Databricks workspace.
Instead of the regular Azure CLI command that creates the workspace
az databricks workspace create...
I've used a template with VNet injection from https://rajanieshkaushikk.com/2020/12/05/how-to-deploy-databricks-in-your-private-vnet-without-exposing-public-ip-address-vnet-injection/
also using the CLI:
az deployment group create \
--name DatabriksVNetInj \
--resource-group rg-myprj-test \
--template-file ./Databricks-ARM/azuredeploy.json \
--parameters workspaceName=myproj-t-dbx...
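Added example (my code, not from this thread, the Databricks CLI extension or the linked template): it derives the --vnet argument the answer says is missing from the subnet resource IDs the network team handed over, checks that both subnets sit in the same VNet, and reads the output of az databricks workspace show to confirm a workspace is VNet-injected before a private endpoint is attempted. Assumptions: the databricks extension's --vnet takes a VNet name or resource ID, --public-subnet/--private-subnet take subnet names within that VNet (the ARM parameters are customPublicSubnetName/customPrivateSubnetName), and workspace show reports the custom VNet under parameters.customVirtualNetworkId; all subscription IDs and names are constructed placeholders.

```python
"""Added example, not code from the thread above: derive the missing --vnet
argument from the subnet resource IDs and check that a workspace is
VNet-injected before attempting a private endpoint.
All IDs and names below are constructed placeholders."""
import re
from typing import Dict, List, Optional, Tuple

# Subnet resource ID -> (VNet resource ID, subnet name).  Azure resource IDs are
# case-insensitive and CLI output mixes resourceGroups/resourcegroups.
SUBNET_ID_RE = re.compile(
    r"^(?P<vnet>/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.Network/virtualNetworks/[^/]+)/subnets/(?P<subnet>[^/]+)$",
    re.IGNORECASE,
)


def split_subnet_id(subnet_id: str) -> Tuple[str, str]:
    """Return (vnet_id, subnet_name); raise if the ID is not a subnet ID."""
    m = SUBNET_ID_RE.match(subnet_id.strip())
    if not m:
        raise ValueError(f"not a subnet resource ID: {subnet_id}")
    return m.group("vnet"), m.group("subnet")


def build_workspace_create(name: str, resource_group: str, location: str,
                           managed_rg: str, public_subnet_id: str,
                           private_subnet_id: str, sku: str = "Premium") -> List[str]:
    """argv for a VNet-injected `az databricks workspace create`.

    Assumption (databricks CLI extension as I understand it): --vnet takes the
    VNet name or resource ID, --public-subnet/--private-subnet take subnet
    names inside that VNet, so both subnets must share one VNet.
    --enable-no-public-ip keeps the cluster nodes off public IPs."""
    vnet_pub, pub_name = split_subnet_id(public_subnet_id)
    vnet_priv, priv_name = split_subnet_id(private_subnet_id)
    if vnet_pub.lower() != vnet_priv.lower():
        raise ValueError("public and private subnets must be in the same VNet")
    if pub_name.lower() == priv_name.lower():
        raise ValueError("public and private subnets must be distinct")
    return [
        "az", "databricks", "workspace", "create",
        "--name", name,
        "--resource-group", resource_group,
        "--location", location,
        "--managed-resource-group", managed_rg,
        "--sku", sku,
        "--vnet", vnet_pub,
        "--public-subnet", pub_name,
        "--private-subnet", priv_name,
        "--enable-no-public-ip",
    ]


def custom_vnet_id(workspace: Dict) -> Optional[str]:
    """Custom VNet ID from `az databricks workspace show -o json` output, or None.

    The CLI normally flattens `properties` to the top level; both shapes are
    accepted.  None means the workspace is not VNet-injected, which is exactly
    what NonVNetInjectedWorkspaceNotSupported complains about (assumed field)."""
    params = workspace.get("parameters")
    if params is None:
        params = (workspace.get("properties") or {}).get("parameters") or {}
    value = (params.get("customVirtualNetworkId") or {}).get("value")
    return value or None


def is_vnet_injected(workspace: Dict) -> bool:
    return custom_vnet_id(workspace) is not None


# Constructed sample inputs (placeholder subscription and names).
VNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "rg-da-t-vnet/providers/Microsoft.Network/virtualNetworks/da-t-vnet")
EXAMPLE_PUBLIC_SUBNET = VNET_ID + "/subnets/myprj-dbx-publ-t-snet"
EXAMPLE_PRIVATE_SUBNET = VNET_ID + "/subnets/myprj-dbx-priv-t-snet"
SAMPLE_INJECTED = {"name": "myprj-t-dbx",
                   "parameters": {"customVirtualNetworkId": {"type": "String", "value": VNET_ID},
                                  "customPublicSubnetName": {"type": "String",
                                                             "value": "myprj-dbx-publ-t-snet"}}}
SAMPLE_PLAIN = {"name": "myprj-t-dbx",
                "properties": {"parameters": {"enableNoPublicIp": {"value": False}}}}

if __name__ == "__main__":
    print(" \\\n  ".join(build_workspace_create(
        "myprj-t-dbx", "rg-myprj-t", "canadacentral", "myprj-t-dbx-mrg",
        EXAMPLE_PUBLIC_SUBNET, EXAMPLE_PRIVATE_SUBNET)))
    for ws in (SAMPLE_INJECTED, SAMPLE_PLAIN):
        print(ws["name"], "vnet-injected:", is_vnet_injected(ws))
```

Run it before the private-endpoint step: if is_vnet_injected() is False for the real workspace show output, the private endpoint will fail with the error quoted above no matter how the endpoint command is written, and the workspace has to be recreated with --vnet.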
I am creating a storage account where I need to use Connectivity method: Public endpoint (selected networks), where I have to provide the Virtual network subscription and the Virtual network.
How can I create it via the Azure CLI or via the Azure PowerShell module? I don't see any parameter there that I can use to provide such details.
One of the workarounds I did to create the storage account in the selected public networks using AZ CLI is:
Created the virtual network and a default subnet using AZ CLI:
az network vnet create --name myVNet --resource-group HariTestRG --subnet-name default
Created the service endpoint of Microsoft.Storage for the above created Virtual Network using AZ CLI:
az network vnet subnet update -g HariTestRG -n default --vnet-name myvnet --service-endpoints Microsoft.Storage
Then you can create the Azure Storage Account on the selected public networks using your VNet and subnet name from the AZ CLI:
az storage account create --name samplestorageaccount1204 --resource-group HariTestRG --vnet-name myvnet --subnet default --default-action Allow
Or
You can also add the network rule to move the storage account to the specified subnet in the virtual network:
az storage account network-rule add -g HariTestRG --account-name samplestorageaccount1205 --vnet-name myvnet --subnet default
Here the network access is enabled for the specific subnet in the virtual network to the Azure Storage account.
To allow or deny network access, add specific service endpoints to the specific subnets or virtual networks and manage the firewall; refer to this MSFT document.
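Added example (my code, not from the answer above or from Microsoft): the same three steps as argv lists, but with the storage account's default action set to Deny, plus an audit of the networkAcls object that az storage account show returns. The point a practitioner will want checked: a VNet rule only restricts access when defaultAction is Deny; with --default-action Allow the public endpoint stays reachable from every network and the subnet rule changes nothing. The account, resource-group and VNet names follow the answer; the subscription ID and JSON samples are constructed.

```python
"""Added example, not from the answer above: CLI calls that put a storage
account behind one subnet with the public endpoint otherwise closed, and an
audit of the networkAcls block that `az storage account show -o json` returns.
Subscription ID and sample JSON are constructed."""
from typing import Dict, List


def restrict_to_subnet_cmds(account: str, rg: str, vnet: str, subnet: str) -> List[List[str]]:
    """Three commands: enable the Microsoft.Storage service endpoint on the subnet,
    create the account with that subnet allowed and defaultAction Deny, and (for an
    account that already exists) flip defaultAction to Deny in place.  With
    --default-action Allow the VNet rule restricts nothing: every network is allowed."""
    return [
        ["az", "network", "vnet", "subnet", "update", "-g", rg, "--vnet-name", vnet,
         "-n", subnet, "--service-endpoints", "Microsoft.Storage"],
        ["az", "storage", "account", "create", "--name", account, "--resource-group", rg,
         "--vnet-name", vnet, "--subnet", subnet, "--default-action", "Deny"],
        ["az", "storage", "account", "update", "--name", account, "--resource-group", rg,
         "--default-action", "Deny"],
    ]


def audit_network_acls(acls: Dict) -> List[str]:
    """Findings for a networkAcls object; an empty list means restricted as intended."""
    findings = []
    default_action = acls.get("defaultAction", "Allow")
    vnet_rules = acls.get("virtualNetworkRules") or []
    ip_rules = acls.get("ipRules") or []
    if default_action == "Allow":
        findings.append("defaultAction=Allow: reachable from all networks, "
                        "VNet/IP rules have no restricting effect")
    elif not vnet_rules and not ip_rules:
        findings.append("defaultAction=Deny with no rules: only bypassed services "
                        f"({acls.get('bypass', 'None')}) can reach the account")
    for rule in vnet_rules:
        # A rule whose subnet lost its service endpoint (or was deleted) is dead.
        if rule.get("state", "Succeeded") != "Succeeded":
            findings.append(f"VNet rule {rule.get('id')} is in state {rule['state']} "
                            "(service endpoint missing on the subnet?)")
    return findings


SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/HariTestRG/"
             "providers/Microsoft.Network/virtualNetworks/myvnet/subnets/default")
# Constructed samples shaped like `az storage account show --query networkAcls`.
OPEN_ACLS = {"bypass": "AzureServices", "defaultAction": "Allow", "ipRules": [],
             "virtualNetworkRules": [{"id": SUBNET_ID, "action": "Allow", "state": "Succeeded"}]}
LOCKED_ACLS = {"bypass": "AzureServices", "defaultAction": "Deny", "ipRules": [],
               "virtualNetworkRules": [{"id": SUBNET_ID, "action": "Allow", "state": "Succeeded"}]}
PENDING_ACLS = {"bypass": "None", "defaultAction": "Deny", "ipRules": [],
                "virtualNetworkRules": [{"id": SUBNET_ID, "action": "Allow",
                                         "state": "NetworkSourceDeleted"}]}

if __name__ == "__main__":
    for cmd in restrict_to_subnet_cmds("samplestorageaccount1204", "HariTestRG", "myvnet", "default"):
        print(" ".join(cmd))
    for label, acls in (("open", OPEN_ACLS), ("locked", LOCKED_ACLS), ("pending", PENDING_ACLS)):
        print(label, audit_network_acls(acls) or ["ok"])
```

OPEN_ACLS is what the answer's --default-action Allow produces: the audit flags it because the subnet rule is cosmetic in that state. LOCKED_ACLS is the "selected networks" configuration the question asks for.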
I'm attempting to create a new AKS cluster using Kubernetes version 1.19.7 and virtual machine scale sets and connect it to an existing on-prem vnet. On my first attempt, everything succeeded except for the creation of the actual ACI in Azure. The aci-connector node got created in Kubernetes but remained in a CrashLoopBackOff state, each time with the following error in the kubernetes logs:
Error: error initializing provider azure: error setting up network
profile: unable to delegate subnet 'xxxxxxxxx' to Azure Container
Instance since it references the route table
'/subscriptions/yyyyyyyy/resourceGroups/zzzzzzzz/providers/Microsoft.Network/routeTables/rrrrrrr'.
I tried recreating the cluster differently, according to limitations buried in MS documentation (using service principal, with empty subnet containing no other resources, with proper role permissions applied to the service account). Still no luck. Tried a few other tweaks on the networking side as well, but to no avail.
Here are the Azure CLI commands I used (names obfuscated) with/without service principal:
Using managed identity
az aks create -g yyyyyyyyy -n zzzzzzzz --aad-admin-group-object-ids 00000000-0000-0000-0000-000000000000 --aci-subnet-name myAciSubnet --assign-identity /subscriptions/xxxxxxx/resourcegroups/yyyyyyy/providers/Microsoft.ManagedIdentity/userAssignedIdentities/k8s-admin-qa --docker-bridge-address 172.17.0.1/16 --dns-service-ip 10.2.0.10 --enable-aad --enable-addons virtual-node --enable-managed-identity --generate-ssh-keys --kubernetes-version 1.19.7 --location eastus2 --network-plugin azure --service-cidr 10.2.0.0/16 --subscription xxxxxxx --vnet-subnet-id /subscriptions/xxxxxxx/resourceGroups/myNetworkResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
Using Service Principal
az aks create -g yyyyyyy -n zzzzzzz --aad-admin-group-object-ids 00000000-0000-0000-0000-000000000000 --aci-subnet-name myAciSubnet --docker-bridge-address 172.17.0.1/16 --dns-service-ip 10.2.0.10 --enable-aad --enable-addons virtual-node --generate-ssh-keys --kubernetes-version 1.19.7 --location eastus2 --network-plugin azure --service-cidr 10.2.0.0/16 --subscription xxxxxxx --vnet-subnet-id /subscriptions/xxxxxxx/resourceGroups/myNetworkResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet --service-principal ppppppppp --client-secret SSSSSSSSSSS
If anyone out there has been able to successfully deploy/configure an AKS cluster using ACI with virtual machine scale sets, connected to an on-prem network, or can otherwise assist in troubleshooting or configuration, I'd love to hear from you!
The subnet for the ACI should have no other resources except the ACI and also no attached route table, because Azure will attach a profile of the container group to it. The error shows that the subnet you want to use for the ACI already has a route table attached. So you can create a new subnet with nothing in it, or just disassociate the route table from the subnet.
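Added example (my code, not from the answer above or from the AKS project): a check of the JSON that az network vnet subnet show returns against the conditions the answer lists (no route table, nothing else in the subnet, no delegation to a different service), and the update call that detaches a route table. The route-table and NIC IDs in the samples are constructed; the --remove routeTable form relies on the Azure CLI's generic update arguments.

```python
"""Added example, not from the answer above: check whether a subnet satisfies
the virtual-node (ACI) requirements using the JSON that
`az network vnet subnet show -o json` returns, and emit the detach command.
Names and resource IDs are constructed placeholders."""
from typing import Dict, List

ACI_DELEGATION = "Microsoft.ContainerInstance/containerGroups"


def aci_subnet_problems(subnet: Dict) -> List[str]:
    """Reasons this subnet cannot be delegated to ACI (empty list = usable)."""
    problems = []
    route_table = subnet.get("routeTable") or {}
    if route_table.get("id"):
        # The exact condition behind "unable to delegate subnet ... route table".
        problems.append(f"route table attached: {route_table['id']}")
    ip_configs = subnet.get("ipConfigurations") or []
    if ip_configs:
        problems.append(f"{len(ip_configs)} existing IP configuration(s) in the subnet")
    other = [d.get("serviceName") for d in subnet.get("delegations") or []
             if (d.get("serviceName") or "").lower() != ACI_DELEGATION.lower()]
    if other:
        problems.append("delegated to another service: " + ", ".join(other))
    return problems


def detach_route_table_cmd(rg: str, vnet: str, subnet: str) -> List[str]:
    """argv that clears the routeTable association via the generic --remove argument."""
    return ["az", "network", "vnet", "subnet", "update", "-g", rg, "--vnet-name", vnet,
            "-n", subnet, "--remove", "routeTable"]


RT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
         "myNetworkResourceGroup/providers/Microsoft.Network/routeTables/onprem-udr")
NIC_IPCONFIG_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                   "myNetworkResourceGroup/providers/Microsoft.Network/networkInterfaces/"
                   "vm1-nic/ipConfigurations/ipconfig1")
# Constructed samples in the shape of `az network vnet subnet show` output.
BAD_SUBNET = {"name": "myAciSubnet", "addressPrefix": "10.1.4.0/24",
              "routeTable": {"id": RT_ID},
              "ipConfigurations": [{"id": NIC_IPCONFIG_ID}],
              "delegations": [{"name": "sql", "serviceName": "Microsoft.Sql/managedInstances"}]}
GOOD_SUBNET = {"name": "myAciSubnet", "addressPrefix": "10.1.5.0/24", "routeTable": None,
               "ipConfigurations": None,
               "delegations": [{"name": "aciDelegation", "serviceName": ACI_DELEGATION}]}

if __name__ == "__main__":
    for s in (BAD_SUBNET, GOOD_SUBNET):
        print(s["name"], s["addressPrefix"], aci_subnet_problems(s) or ["ok"])
    print(" ".join(detach_route_table_cmd("myNetworkResourceGroup", "myVnet", "myAciSubnet")))
```

Run aci_subnet_problems() on the real subnet before az aks create; an empty list is the state the answer describes. Bear in mind that an on-prem route table on that subnet usually exists for a reason, so detaching it (rather than carving out a fresh subnet) is a change the network team should sign off on.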
I am attempting to create a private link service that can be reached from a different region. I am getting conflicting information from Azure documentation, with one link suggesting "global reach" and another link limiting that
Global reach
Limitations
In practice, I have one private-resource-vnet in westus and one vnet in eastus. After creating a load balancer per the documentation in the private-resource-vnet, I add a private link to that vnet and resource, and attempt to link it to a private endpoint. The below sample shows adding an endpoint in both eastus (where the private link is) and westus (where the vnet to reach the link is)
PS Azure:\> az network private-endpoint create --name privateEndpoint --resource-group MyResourceGroup --vnet-name clientVNet --subnet clientSubnet --private-connection-resource-id "/subscription/link/to/private/resource/in/eastus" --connection-name myPLS --location westus
This command is in preview. It may be changed/removed in a future release.
InvalidResourceReference - Resource /subscriptions/[...]/CLIENTVNET referenced by resource /subscriptions/[...]/privateEndpoint was not found. Please make sure that the referenced resource exists, and that both resources are in the same region.
PS Azure:\> az network private-endpoint create --name privateEndpoint --resource-group MyResourceGroup --vnet-name clientVNet --subnet clientSubnet --private-connection-resource-id "/subscription/link/to/private/resource/in/eastus" --connection-name myPLS --location eastus
This command is in preview. It may be changed/removed in a future release.
Deployment failed. Correlation ID: [...]. Resource /subscriptions/[...]/myPLS not found.
I would greatly appreciate some insight on what I'm missing here!
Cross-region works with Azure services (SQL, Storage) that are behind Private Link. Customer owned services are limited to same region. Cross-region will be supported in the future.
I have created a function app against a new consumption plan with the following command:
az functionapp create \
--resource-group myresourcegroup \
--storage-account mystorageaccount \
--name myfunctionapp \
--runtime node \
--consumption-plan-location northeurope
This creates the function app correctly, but the app service plan is called NorthEuropePlan, which does not meet the naming guidelines I am following. I cannot see anything in the docs that will allow me to change this name.
Therefore, I would like to create the app service plan beforehand, as a consumption plan (tier Y1 Dynamic), and then create a function app against this plan.
az resource create \
--resource-group myresourcegroup \
--name myconsumptionplan \
--resource-type Microsoft.web/serverfarms \
--is-full-object \
--properties "{\"location\":\"northeurope\",\"sku\":{\"name\":\"Y1\",\"tier\":\"Dynamic\"}}"
That command works correctly, and creates me an app service plan. However, when I try to use that plan (substituting --consumption-plan-location northeurope for --plan myconsumptionplan), I get this error:
There was a conflict. AlwaysOn cannot be set for this site as the plan does not allow it.
Do I need to specify some more configuration when I make the app service plan?
When I run az appservice plan show against NorthEuropePlan and myconsumptionplan, the only difference in the object that comes back is the name.
When you are using --plan, I believe the runtime will think it is an App Service Plan and will configure Always On, which is not allowed in a consumption plan, so I guess you cannot do it the way you are doing it.
You can achieve it with an ARM template though. Below is the example command:
az group create \
--name ExampleGroup \
--location "North Europe"
az group deployment create \
--name ExampleDeployment \
--resource-group ExampleGroup \
--template-uri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-function-app-create-dynamic/azuredeploy.json"
The URL mentioned in the template-uri is a sample template which will create the consumption plan, storage and function app.
Deployment will ask the name of parameters (appName) at runtime.
I've set up Kubernetes in Azure using Azure ACS and the Azure CLI.
az account list
az account set --subscription foobar
az group create --name foobar --location westus
az acs create --orchestrator-type=kubernetes --resource-group foobar --master-count 1 --name=foobar --dns-prefix=foobar
I want to be able to setup a site to site vpn, so that kubernetes can reach internal services in my datacenter.
Unfortunately, Azure ACS sets up Kubernetes on a 10.0.0.0 network, which overlaps with other resources in Azure and in my datacenter.
I can't find any way to change which subnet Kubernetes runs on in ACS. Is there a way to change the preferred network?
There does not appear to be a way to choose network from the acs create command
az acs create --name
--resource-group
[--admin-password]
[--admin-username]
[--agent-count]
[--agent-vm-size]
[--client-secret]
[--dns-prefix]
[--generate-ssh-keys]
[--location]
[--master-count]
[--no-wait]
[--orchestrator-type {Custom, DCOS, Kubernetes, Swarm}]
[--service-principal]
[--ssh-key-value]
[--tags]
[--validate]
[--windows]
No, there's no way of doing that. There might be a way to create a new Kubernetes cluster in an existing VNet, but I'm not aware of that.
Your other option would be to delete all VMs and recreate them in the new VNet. No guarantee it would work.
With ACS through its CLI you can specify a subnet ID so the ACS cluster is created in a particular VNet. However, this is only available in certain regions.
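Added example (my code, not from this thread or from ACS): the address-space planning check that the site-to-site VPN question comes down to. It reports every pair of named ranges that overlap and picks the first candidate range that collides with none of the existing ones. All ranges are constructed; the thread only says the ACS network is "10.0.0.0", so the /8 prefix assumed for it below is a placeholder.

```python
"""Added example, not from the thread above: find address-space overlaps
between the ACS-assigned Kubernetes range and the datacenter/Azure ranges a
site-to-site VPN would have to route, and pick a free range.  The ranges are
constructed; the /8 for the ACS network is an assumption."""
import ipaddress
from itertools import combinations
from typing import Dict, Iterable, List, Optional, Tuple


def overlapping_ranges(named: Dict[str, str]) -> List[Tuple[str, str]]:
    """Every pair of named CIDRs that overlap, in dictionary order."""
    nets = {n: ipaddress.ip_network(c, strict=False) for n, c in named.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def first_free_range(candidates: Iterable[str], taken: Iterable[str]) -> Optional[str]:
    """First candidate CIDR that collides with none of the taken ranges, else None."""
    used = [ipaddress.ip_network(c, strict=False) for c in taken]
    for cand in candidates:
        net = ipaddress.ip_network(cand, strict=False)
        if not any(net.overlaps(u) for u in used):
            return cand
    return None


# Constructed inventory of the ranges a VPN between ACS and the datacenter would route.
EXAMPLE_RANGES = {
    "acs-k8s-default": "10.0.0.0/8",   # assumed prefix for the ACS network
    "datacenter": "10.10.0.0/16",
    "hub-vnet": "10.20.0.0/16",
    "partner-vpn": "192.168.0.0/16",
}
CANDIDATES = ["10.50.0.0/16", "172.16.0.0/16", "192.168.50.0/24"]

if __name__ == "__main__":
    for a, b in overlapping_ranges(EXAMPLE_RANGES):
        print(f"overlap: {a} ({EXAMPLE_RANGES[a]}) <-> {b} ({EXAMPLE_RANGES[b]})")
    print("free candidate:", first_free_range(CANDIDATES, EXAMPLE_RANGES.values()))
```

With the constructed inventory the check reports the ACS range against both the datacenter and the hub VNet, and 172.16.0.0/16 as the first candidate that is clear; the same function applied to the real ranges tells you whether a recreated cluster's VNet would actually be routable before any VPN is set up.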