Unable to move Cloud Service (Extended Support) to another resource group - azure

We have a problem moving a Cloud Service (Extended Support) from one resource group to another resource group in the same subscription. Both resource groups are in the same location.
Picture with status of the move validation
Error code in validation window is:
{
  "code": "ResourceMoveNotSupported",
  "target": "/subscriptions/123456-xxxx-yyyy-zzzz-123456/resourceGroups/AAAAA-BBBBB-Migrated/providers/Microsoft.Compute/cloudServices/AAAAA-BBBBB",
  "message": "Resource move is not supported for resource types 'Microsoft.Compute/cloudServices'."
}
Additional information:
Source resource group was created automatically after successful in-place migration from Cloud Service (Classic) to Cloud Service (Extended Support). Now we need to move all resources created by migration back to the original resource group, where Cloud Service (Classic) was previously located. Cloud Service (Classic) was automatically deleted after migration.
The main reason why we migrated from Cloud Service (Classic) to Cloud Service (Extended Support) was the ability to move between subscriptions, but we are unable to move it even inside the same subscription :(
Any ideas how to proceed with this problem?

Best course of action is to create an Azure Support Ticket.
These types of operations are deeply internal to Azure, and the reasons why they fail range from config errors and failed internal transactions to straight-up bugs for a scenario they did not consider.
Note: it might take some time and patience on your side to get the desired results from Azure support, as these types of tickets are usually low priority.

We finally managed to contact Azure Support.
This move is not supported :(
Since the Cloud Service extended support is a new published product, we are sorry that currently it does not support migration from one subscription to another. We are sorry that moving “Cloud Service extended support” among resource groups in the same subscription is also unsupported.

Related

Azure free account - does it cover SQL Managed Instance?

I have started using my free Azure account and I found out that I cannot create SQL Managed Instance. I get a cryptic error message telling me to change subscription or region, no clear information. The list of free services does not include SQL MI but it does not mean much. SQL Dedicated Pool or Synapse are also not listed but I tried to create them and the Portal does not complain yet even though I did not click the final Create button yet.
So SQL Managed Instances are only available on certain subscription types. See:
You probably have an Azure Trial subscription. If not, you might also want to check your region as there are region limitations as mentioned in the article above.

Azure Batch within a VNET that has a Service endpoint policy for Storage

I am struggling to get my Azure batch nodes to start within a Pool that is configured to use a virtual network. The virtual network has been configured with a service endpoint policy that has a "Microsoft.Storage" policy definition and it points at a single storage account. Without the service endpoints defined on the virtual network the Azure batch pool works as expected, but with it the following error occurs and the node never starts.
I have tried creating the Batch account in both Pool allocation modes. This did not seem to make a difference, the pool resizes successfully and then the nodes are stuck in "Starting" mode. In the "User Subscription" mode I found the start-up error because I can see the VM instance in my account:
VM has reported a failure when processing extension 'batchNodeExtension'. Error message: "Enable failed: processing file downloads failed: failed to download file[0]: failed to download file: unexpected status code: actual=403 expected=200" More information on troubleshooting is available at https://aka.ms/VMExtensionCSELinuxTroubleshoot
From what I can determine, this is an Azure VM extension that is running to configure the VM for Azure Batch. My base image is Canonical, ubuntuserver, 18.04-lts (batch.node.ubuntu 18.04). I can see that the extension is attempting to download from:
https://a52a7f3c745c443e8c2cac69.blob.core.windows.net/nodeagentpackage-version9-22-0-2/Ubuntu-18.04/batch_init-ubuntu-18.04-1.8.7.tar.gz (note I removed the SAS token from this URL for posting here)
There are 8 further files that are downloaded, and it looks like this is configuring the Batch agent on the node.
The 403 error indicates that the node cannot connect to this storage account, which makes sense given the service endpoint policy. It does not include this storage account within it, and this storage account is external to my Azure subscription. I thought that I might be able to add it to the service endpoint policy, but I have no way of determining what Azure subscription it is part of. If I knew this, I thought I could add it like:
Endpoint policy allows you to add specific Azure Storage accounts to allow list, using the resourceID format. You can restrict access to all storage accounts in a subscription
E.g. /subscriptions/subscriptionId (from https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview)
I tried adding security group rules using service tags for Azure storage, but this did not help. The node still cannot connect and this makes sense given the description of service endpoint policies.
The reason for my interest in this is the following post:
https://github.com/Azure/Batch/issues/66
I am trying to minimise the bandwidth charges from my storage account by using service endpoints.
I have also tried to create my own VM, but I am not sure whether the "batchNodeExtension" script is run automatically for VMs that you're using with Batch.
I would really appreciate any pointers because I am running out of ideas to try!
Batch requires a generic rule for all of Storage (can be regional variant) as specified at https://learn.microsoft.com/en-us/azure/batch/batch-virtual-network#network-security-groups-specifying-subnet-level-rules. Currently it is mainly used to download our agent and maintain state/get information needed to run tasks.
I am facing the same problem with Azure Machine Learning. We are trying to fight data exfiltration by using the SP Policies in order to prevent sending the data to any non-subscription storage accounts.
Since Azure ML Computes depends on the Batch service, we were unable to run any ML compute if the SP policy is associated to the compute subnet.
Microsoft stated the following:
Filtering traffic on Azure services deployed into Virtual Networks: At this time, Azure Service Endpoint Policies are not supported for any managed Azure services that are deployed into your virtual network.
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview#scenarios
I understand from this kind of restriction that any service that uses Azure Batch (which is almost all services in Azure?) cannot use the SP Policy, which makes it a useless feature...
Finally, we ended up removing the SP policy completely from our network architecture and considered it only for scenarios where you want to restrict customers to access specific storage accounts.
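The behaviour discussed in this thread, as an added example that is not part of the original posts: a small model of how a Microsoft.Storage service endpoint policy scopes access by resource ID, and why the Batch agent download cannot be allow-listed. The policy, inventory, subscription ID and account names are constructed placeholders, and the `.core.windows.net` suffix check assumes the public cloud.

```python
from urllib.parse import urlparse

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # placeholder ID
ACCT = "/providers/Microsoft.Storage/storageAccounts/"

# Constructed policy, shaped like an ARM service endpoint policy definition.
POLICY = {"serviceEndpointPolicyDefinitions": [{
    "name": "allow-data-rg",
    "properties": {
        "service": "Microsoft.Storage",
        "serviceResources": [SUB + "/resourceGroups/data-rg"],
    },
}]}

# Constructed inventory of accounts we own: account name -> resource ID.
INVENTORY = {
    "mydata": SUB + "/resourceGroups/data-rg" + ACCT + "mydata",
    "scratch": SUB + "/resourceGroups/other-rg" + ACCT + "scratch",
}

def allowed_scopes(policy):
    """Collect every Microsoft.Storage scope listed in the policy."""
    return [res
            for d in policy["serviceEndpointPolicyDefinitions"]
            if d["properties"]["service"] == "Microsoft.Storage"
            for res in d["properties"]["serviceResources"]]

def in_scope(resource_id, scope):
    """Case-insensitive match on whole path segments, so a scope of
    .../resourceGroups/data-rg does not also cover .../resourceGroups/data-rg2."""
    rid = [s for s in resource_id.lower().split("/") if s]
    sc = [s for s in scope.lower().split("/") if s]
    return len(sc) > 0 and rid[:len(sc)] == sc

def classify(url, policy=POLICY, inventory=INVENTORY):
    """Classify one storage URL as the policy would treat it on this subnet."""
    host = (urlparse(url).hostname or "").lower()
    if not host.endswith(".core.windows.net"):  # assumption: public-cloud suffix
        return "not-azure-storage"
    rid = inventory.get(host.split(".")[0])
    if rid is None:
        # External account: its subscription is unknown, so it cannot be listed.
        return "blocked-unknown-owner"
    if any(in_scope(rid, s) for s in allowed_scopes(policy)):
        return "allowed"
    return "blocked-not-listed"

# Host taken from the extension download URL quoted in the question.
AGENT_URL = "https://a52a7f3c745c443e8c2cac69.blob.core.windows.net/nodeagentpackage-version9-22-0-2/"
```

Running `classify` over the storage hosts a subnet's workloads are expected to reach, before associating a policy, shows which dependencies fall outside every listed scope.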

Azure created DefaultResourceGroup-EAU resource group

Today I noticed the Azure group; I don't know when Azure created the "DefaultResourceGroup-EAU" resource group, and in this group two items are placed.
I am not using any Azure Container Registry service or AKS. Should I remove this group, because I am paying for it in my invoice? I only have Azure Web Apps, Azure SQL databases and one VM. Would deleting it impact the services mentioned above?
Certainly not in terms of how those services function, but monitoring might be impaired if you delete those.
Those resources look like they were created alongside AKS cluster. Doesn't mean that they were only being used for that, but highly likely.

How to move classic resources to a new location?

I have a cloud service and a storage account deployed using the classic resource manager in the East US region; there is also a classic backup vault in the West Europe region.
Due to high latency, I want to move all of these resources to the UK South region, which is the closest one to me and others using these services. I have created a new resource group in the UK South region, however, when I try to move my existing classic resources to the new resource group, it says:
Classic resources must be moved separately and aren't displayed below.
Reading the article it linked to, it says that to move classic resources when experiencing this limitation, I need to contact support to have this operation done manually.
I do not have a support plan and am hoping not to buy one for this single task. Is there any other way around this limitation?
I think that you can work around it by:
1. Create a new blank cloud service in your new resource group in UK South region.
2. Modify the deployment process to deploy the code to the newly created cloud service.
I hope this helps.
As you mentioned, it is limited by Azure. The following is a snippet from the official document.
When moving resources from one resource group to another resource group within the same subscription, the following restrictions apply:
Virtual networks (classic) cannot be moved.
Virtual machines (classic) must be moved with the cloud service.
Cloud service can only be moved when the move includes all its virtual machines.
Only one cloud service can be moved at a time.
Only one storage account (classic) can be moved at a time.
Storage account (classic) cannot be moved in the same operation with a virtual machine or a cloud service.
As Toan nguyen mentioned, we need to redeploy it if you don't want to call Azure Support.

What about Azure Cloud Services in the new "Resource Manager world"

I just read a small post of #pierreroman with the title Azure Cloud Service VS Azure Resource Manager. Unfortunately I was not able to comment on his post (There was an error saving your comment. (Cannot create comment - access denied.)). Therefore, and because I think this topic is interesting for many folks who are using Azure cloud services right now, I am writing my "comment" here and sending him a tweet. Maybe he or someone else can answer my questions.
I think that more interesting than the "what is the difference between cloud services and resource groups" is the question "should we plan to move from cloud services to azure resource groups?". Is it even possible? Or are we comparing apples to oranges?
What about scaling (for example adding new instances of a worker role with a simple slider or with auto scaling)?
The comparison is kind of apples (Cloud Service) and a grocery (ARM) where you can manage fruits, meats, and fish.
But the very first concept of Cloud Service was similar to ARM. That's why it is sometimes confusing.
The quote below is from the free ebook Azure Web Apps for Developers (download), pages 12 and 13.
An Azure Resource Group is a logical container for grouping Azure resources.
Grouping resources this way helps simplify the implementation, deployment, management, and monitoring of resources in the resource group. From a billing perspective, it gives you a way to view costs for the resource group rather than for individual resources, eliminating the need to figure out which resources are related. You can think of an Azure Resource Group as a unit of management.
The last line helps to understand clearly, Azure Resource Group is a unit of management.
