Azure: Cross-region private links - azure

I am attempting to create a private link service that can be reached from a different region. I am getting conflicting information from Azure documentation, with one link suggesting "global reach" and another link limiting that:
Global reach
Limitations
In practice, I have one private-resource-vnet in westus and one vnet in eastus. After creating a load balancer per the documentation in the private-resource-vnet, I add a private link to that vnet and resource, and attempt to link it to a private endpoint. The sample below shows adding an endpoint in both eastus (where the private link is) and westus (where the vnet to reach the link is).
PS Azure:\> az network private-endpoint create --name privateEndpoint --resource-group MyResourceGroup --vnet-name clientVNet --subnet clientSubnet --private-connection-resource-id "/subscription/link/to/private/resource/in/eastus" --connection-name myPLS --location westus
This command is in preview. It may be changed/removed in a future release.
InvalidResourceReference - Resource /subscriptions/[...]/CLIENTVNET referenced by resource /subscriptions/[...]/privateEndpoint was not found. Please make sure that the referenced resource exists, and that both resources are in the same region.
PS Azure:\> az network private-endpoint create --name privateEndpoint --resource-group MyResourceGroup --vnet-name clientVNet --subnet clientSubnet --private-connection-resource-id "/subscription/link/to/private/resource/in/eastus" --connection-name myPLS --location eastus
This command is in preview. It may be changed/removed in a future release.
Deployment failed. Correlation ID: [...]. Resource /subscriptions/[...]/myPLS not found.
I would greatly appreciate some insight on what I'm missing here!

Cross-region works with Azure services (SQL, Storage) that are behind Private Link. Customer owned services are limited to same region. Cross-region will be supported in the future.

Related

Azure Databricks not custom VNet injected

I created Databricks workspace using Azure CLI:
az databricks workspace create \
  --name myprj-t-dbx \
  --location canadacentral \
  --resource-group rg-myprj-t \
  --managed-resource-group myprj-t-dbx-mrg \
  --sku Premium \
  --private-subnet /subscriptions/2208da08-xxxxxxxxxxx27/resourceGroups/rg-da-t-vnet/providers/Microsoft.Network/virtualNetworks/da-t-vnet/subnets/myprj-dbx-priv-t-snet \
  --public-subnet /subscriptions/2208da08-xxxxxxxxxxx27/resourceGroups/rg-da-t-vnet/providers/Microsoft.Network/virtualNetworks/da-t-vnet/subnets/myprj-dbx-publ-t-snet
The subnets are created in advance by our network engineers.
They want me to use private endpoints on vnet to connect to the workspace.
When I try to create it (using a third subnet):
az network private-endpoint create \
  --name myprj-t-dbx-pep \
  --connection-name myprj-t-dbx-pepc \
  --private-connection-resource-id /subscriptions/2208da08xxxxxxxxxx27/resourceGroups/rg-myprj-t/providers/Microsoft.Databricks/workspaces/myprj-t-dbx \
  --subnet /subscriptions/2208da08-xxxxxxxxxxx27/resourceGroups/rg-da-t-vnet/providers/Microsoft.Network/virtualNetworks/da-t-vnet/subnets/myprj-t-snet \
  --group-id web \
  --resource-group rg-myprj-t
I get:
ERROR: (NonVNetInjectedWorkspaceNotSupported) Call to Microsoft.Databricks/workspaces failed.
Error message: The workspace 'myprj-t-dbx' is not custom VNet injected.
Currently only custom VNet injected workspaces can create private endpoint connection
I think that you're missing the --vnet argument to the az databricks workspace create. You need to provide the name of the VNet as well.
P.S. I would also recommend passing --enable-no-public-ip to avoid having public IPs for the cluster nodes.
I've changed the way that I am creating the Databricks workspace.
Instead of the regular Azure CLI command that creates the workspace
az databricks workspace create...
I've used a template with VNet injection from https://rajanieshkaushikk.com/2020/12/05/how-to-deploy-databricks-in-your-private-vnet-without-exposing-public-ip-address-vnet-injection/
also using CLI:
az deployment group create \
  --name DatabriksVNetInj \
  --resource-group rg-myprj-test \
  --template-file ./Databricks-ARM/azuredeploy.json \
  --parameters workspaceName=myproj-t-dbx...

How to provide Connectivity method (Public endpoint selected networks ) via Azure Cli when creating storage account

I am creating a storage account where I need to use Connectivity method: Public endpoint (selected networks), where I have to provide the Virtual network subscription and Virtual network.
How can I create it via the Azure CLI or via the Azure PowerShell module? I don't see any parameter there that I can use to provide such details.
One of the workarounds I did to create the storage account in the selected public networks using AZ CLI is:
Created the virtual network and a default subnet using AZ CLI:
az network vnet create --name myVNet --resource-group HariTestRG --subnet-name default
Created the service endpoint of Microsoft.Storage for the above created Virtual Network using AZ CLI:
az network vnet subnet update -g HariTestRG -n default --vnet-name myvnet --service-endpoints Microsoft.Storage
Then you can create the Azure Storage Account on the selected public networks using your VNet and subnet name from the AZ CLI:
az storage account create --name samplestorageaccount1204 --resource-group HariTestRG --vnet-name myvnet --subnet default --default-action Allow
Or
You can also add the network rule to move the storage account to the specified subnet in the virtual network:
az storage account network-rule add -g HariTestRG --account-name samplestorageaccount1205 --vnet-name myvnet --subnet default
Here network access to the Azure Storage account is enabled for the specific subnet in the virtual network.
To allow or deny network access, add specific service endpoints to the specific subnets or virtual networks and manage the firewall; refer to this MSFT document.

Create Private Endpoint with Azure Cli in different resource group

I have a resource group for my vnet (rg-private-vnet) and one for my webapp and SQL server (rg-webapp). Now I want to create a private endpoint for my SQL server in rg-webapp.
This works in case the private endpoint is created in the resource group of the vnet. But I want it to be located in the resource group of the SQL server.
I used:
az network private-endpoint create --name $sqlPrivateEndpoint --resource-group $resourceGroupVnet --vnet-name $vnetName --subnet $sqlSubnetName --private-connection-resource-id $id --connection-name mySqlConnection --group-id sqlServer
In case I use rg-webapp I get the error:
(InvalidResourceReference) Resource /subscriptions/XXX/[...} referenced by resource /subscriptions/XXX/[...] was not found. Please make sure that the referenced resource exists, and that both resources are in the same region.
With rg-private-vnet it works. In the Azure portal it is no problem to create the endpoint in the rg-webapp resource group. I don't see any more parameters to create it in a different rg.
According to the documentation you need to provide the resource ID of the subnet to the --subnet parameter (instead of the subnet name) and skip the --vnet-name parameter if the subnet resides in a different resource group:
--subnet Name or ID of an existing subnet. If name specified, also specify --vnet-name. If you want to use an existing subnet in other resource group or subscription, please provide the ID instead of the name of the subnet and do not specify the --vnet-name. (az network private-endpoint | Microsoft Docs)
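An added example (not from any of the posts above) that turns the two rules the answers state into a preflight check before calling the CLI: a customer-owned Private Link Service must be in the same region as the private endpoint while Azure PaaS targets may be cross-region (the first answer), and a subnet in another resource group or subscription must be passed by full resource ID with --vnet-name omitted (the answer just above). The subscription ID, resource names and regions in the sample are constructed placeholders.

```python
import re

# ARM resource ID layout, as in the error messages quoted above:
# /subscriptions/<sub>/resourceGroups/<rg>/providers/<namespace>/<type>/<name>[/<childType>/<childName>]
_ARM_ID = re.compile(r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
                     r"/providers/(?P<ns>[^/]+)/(?P<path>.+)$", re.IGNORECASE)


def parse_arm_id(resource_id):
    """Split an ARM resource ID into subscription, resource group, namespace, type path and names."""
    m = _ARM_ID.match(resource_id)
    if m is None:
        raise ValueError(f"not an ARM resource ID: {resource_id}")
    segs = m.group("path").split("/")
    if len(segs) % 2 or not all(segs):
        raise ValueError(f"unbalanced type/name segments: {resource_id}")
    return {"subscription": m.group("sub").lower(), "resource_group": m.group("rg").lower(),
            "namespace": m.group("ns"), "type": "/".join(segs[0::2]), "names": segs[1::2]}


def private_endpoint_args(name, endpoint_sub, endpoint_rg, subnet_id, subnet_region,
                          target_id, target_region, connection_name, group_id=None):
    """Build the argument list for `az network private-endpoint create`, or raise
    ValueError naming the constraint the request would violate."""
    subnet, target = parse_arm_id(subnet_id), parse_arm_id(target_id)
    if subnet["type"].lower() != "virtualnetworks/subnets":
        raise ValueError("--subnet must be a Microsoft.Network/virtualNetworks/subnets resource")
    # A customer-owned Private Link Service must be in the endpoint's region; PaaS targets need not be.
    if target["type"].lower() == "privatelinkservices" and subnet_region.lower() != target_region.lower():
        raise ValueError(f"private link service is in {target_region}, endpoint would be in {subnet_region}")
    # The endpoint lands in the subnet's region; any other --location gives InvalidResourceReference.
    args = ["az", "network", "private-endpoint", "create", "--name", name, "--resource-group", endpoint_rg,
            "--location", subnet_region, "--private-connection-resource-id", target_id,
            "--connection-name", connection_name]
    if (subnet["subscription"], subnet["resource_group"]) == (endpoint_sub.lower(), endpoint_rg.lower()):
        args += ["--vnet-name", subnet["names"][0], "--subnet", subnet["names"][1]]  # same RG: names work
    else:
        args += ["--subnet", subnet_id]  # other RG or subscription: full ID and no --vnet-name
    if group_id:  # PaaS targets take a sub-resource such as sqlServer or web
        args += ["--group-id", group_id]
    return args


if __name__ == "__main__":
    # Constructed sample: vnet in rg-private-vnet, SQL server in rg-webapp, endpoint wanted in rg-webapp.
    sub = "00000000-0000-0000-0000-000000000000"  # placeholder subscription ID
    subnet = f"/subscriptions/{sub}/resourceGroups/rg-private-vnet/providers/Microsoft.Network/virtualNetworks/vnet-prod/subnets/snet-sql"
    sql = f"/subscriptions/{sub}/resourceGroups/rg-webapp/providers/Microsoft.Sql/servers/sql-prod"
    print(" ".join(private_endpoint_args("pe-sql", sub, "rg-webapp", subnet, "westeurope",
                                         sql, "eastus", "mySqlConnection", "sqlServer")))
```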

Failed to delete subnet

I created a new Azure container instance (ACI) with a new vnet and subnet using the Azure CLI.
I deleted the ACI from the Azure portal and now I'm trying to delete the subnet, but it gives me the following error:
Failed to delete subnet 'SubnetNAme'. Error: Subnet SubnetNAme is in use by aci-network-profile-VNETNAME-SubnetNAme/eth0/ipconfigprofile and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See aka.ms/deletesubnet.
If I try to access aci-network-profile-VNETNAME-SubnetNAme/eth0/ipconfigprofile, it tells me that this resource doesn't exist:
Details
The resource was not found, it may have been deleted. If this was launched from a pinned tile on the dashboard, it should be removed.
For your issue, instead of looking for aci-network-profile-VNETNAME-SubnetNAme/eth0/ipconfigprofile in the portal, you need to delete the Network Profile through an Azure CLI command like this:
NETWORK_PROFILE_ID=$(az network profile list --resource-group yourResourceGroup --query [0].id --output tsv)
az network profile delete --id $NETWORK_PROFILE_ID -y
After you delete the Network Profile, you can delete the subnet as you want. For more details, see Delete network resources.
Well, I'd assume your best bet is to try and find the lingering resource and delete it (the REST API would work best here, probably). Another option is to recreate the ACI with the same name and remove the binding to the network before deleting it.
And your last option would be to contact support ;)
I had the same issue, and the steps below helped me remove the ACI subnet and vnet with the leftover container NIC:
1st - find the name of the problem network profile with -> az network profile list --query [].name -o tsv
2nd - create a resource with Terraform -> resource "azurerm_network_profile" "example" with the same network profile name and the problem subnet ID.
3rd - after Terraform successfully creates the network profile, remove it with -> az network profile delete --id ... (you can find the ID with az network profile list --query [].id -o tsv)
4th - go to the portal and change the subnet delegation from container to none; after saving I could delete the subnet and vnet.
Below is the solution. Sometimes just trying to delete doesn't work. Follow the steps below, which are tested and worked for me.
NETWORK_PROFILE_ID=$(az network profile list --resource-group yourResourceGroup --query [0].id --output tsv)
az network profile delete --id $NETWORK_PROFILE_ID -y
This is a known issue and Microsoft is working on it. The workaround that worked for me is to update the containerNetworkInterfaceConfigurations property in the Network profile properties to an empty list:
# Get network profile ID
NETWORK_PROFILE_ID=$(az network profile list --resource-group <resource-group-name> --query [0].id --output tsv)
az resource update --ids $NETWORK_PROFILE_ID --set properties.containerNetworkInterfaceConfigurations=[]
And then deleting it works:
az network profile delete --id $NETWORK_PROFILE_ID -y

Azure: Cannot Delete Subnet of App Service VNet Integration Preview

I was attempting to test the new VNet Integration for App Services, so I connected my App Service to the subnet 'AppServicesSubnet'. It never worked; it always showed a loading message. So after a few days I disconnected it, which it said failed, but the status showed as 'not configured' regardless.
However I am unable to delete the subnet 'AppServicesSubnet'. It says:
"Failed to delete subnet 'AppServicesSubnet'. Error: Subnet AppServicesSubnet is in use by AppGroup-DEV/providers/Microsoft.Web/serverfarms/AppServicePlan-DEV and cannot be deleted."
So I then deleted the app service plan 'AppServicePlan-DEV'; this took about 30 minutes and succeeded. However I still cannot delete the subnet 'AppServicesSubnet', with the same error given above.
I also cannot delete the virtual network 'Network-DEV', as a similar message is reported:
"Failed to delete virtual network 'Network-DEV'. Error: Subnet AppServicesSubnet is in use by AppGroup-DEV/providers/Microsoft.Web/serverfarms/AppServicePlan-DEV and cannot be deleted."
The app service plan 'AppServicePlan-DEV' doesn't even exist anymore so I'm not sure how to clean up this subnet.
Any help on how to just get rid of this lingering subnet would be much appreciated.
Background on the new App Service VNet Integration Preview can be found here:
https://blogs.msdn.microsoft.com/appserviceteam/2018/10/17/new-app-service-vnet-integration-feature/
and here:
https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet#new-vnet-integration
Was able to work around this error after it hit us this week. Wanted to test the preview VNet integration. Turned it on, decided it was what we were looking for, then deleted it (to go back and add it to automation), only to have automation fail because of this error.
I worked around it by:
adding back the preview connection to the app service I had originally added/deleted it from.
Then disconnected it again.
This time, however, I was able to delete the subnet as expected.
Definitely a bug somewhere. If you have gone so far as to delete the app service itself and are still having this error... that's a different story.
I had a similar issue. I wasn't able to delete a subnet because it was in use by some resource that didn't exist (from my point of view)...
So I ran this CLI script to delete my subnet and my vNet:
RES_GROUP={replace with your rg}
VNET_NAME={replace with your vnet}
SUBNET_NAME={replace with your subnet}
# Remove the lingering ACI network profile that holds the subnet
NETWORK_PROFILE_ID=$(az network profile list --resource-group $RES_GROUP --query [0].id --output tsv)
az network profile delete --id $NETWORK_PROFILE_ID -y
# Remove the service association link and the delegation on the subnet
SAL_ID=$(az network vnet subnet show --resource-group $RES_GROUP --vnet-name $VNET_NAME --name $SUBNET_NAME --query id --output tsv)/providers/Microsoft.ContainerInstance/serviceAssociationLinks/default
az resource delete --ids $SAL_ID --api-version 2018-07-01
az network vnet subnet update --resource-group $RES_GROUP --vnet-name $VNET_NAME --name $SUBNET_NAME --remove delegations 0
# Now the subnet and the vnet can be deleted
az network vnet subnet delete --resource-group $RES_GROUP --vnet-name $VNET_NAME --name $SUBNET_NAME
az network vnet delete --resource-group $RES_GROUP --name $VNET_NAME
I tried again after a month and was able to delete the subnet in question. I guess it just takes some time for the new App Service VNet Integration (Preview) to be unregistered after it is disconnected.