I don't manage to get a working outgoing connection from my load-balanced VMs created in Azure Stack. I have scenario 2 of the documentation: "Public Load Balancer associated with a VM (no Instance Level Public IP address on the instance)". Only port 80 is working as an outgoing connection out of the box. I am behind an additional firewall and I ask myself whether I have to open any other specific ports to allow communication to the internet. Three questions:
Is it the problem, that the port I try to access from inside the VMs is translated to a different SNAT port by the load-balancer?
The documentation says something about the amount of used SNAT ports, but it does not say which SNAT ports are used? Which ports do I have to open in the outer firewall?
Why is port 80 working out of the box? I can per default access the web from within the VMs. This means, that it is possible to reach the public internet. I did not include any additional rule for port 80 myself.
I found the following in the incoming connection section of the Azure security group: There are explicitly mentioned ephemeral ports between 49152 and 65534. Unfortunately, opening these ports in the outgoing connections of our outer firewall didn't do the trick either. All VM internal firewalls are open on all ports.
I created the cluster using the following template. The SKU should be the default one "standard", since I did not specify anything else for the LoadBalancer.
{
"apiVersion": "[variables('lbApiVersion')]",
"type": "Microsoft.Network/loadBalancers",
"name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]",
"location": "[variables('location')]",
"dependsOn": [
"[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]"
],
"properties": {
"frontendIPConfigurations": [
{
"name": "LoadBalancerIPConfig",
"properties": {
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]"
}
}
}
],
"backendAddressPools": [
{
"name": "LoadBalancerBEAddressPool",
"properties": {}
}
],
"loadBalancingRules": [
{
"name": "LBRule",
"properties": {
"backendAddressPool": {
"id": "[variables('lbPoolID0')]"
},
"backendPort": "[variables('nt0fabricTcpGatewayPort')]",
"enableFloatingIP": "false",
"frontendIPConfiguration": {
"id": "[variables('lbIPConfig0')]"
},
"frontendPort": "[variables('nt0fabricTcpGatewayPort')]",
"idleTimeoutInMinutes": "5",
"probe": {
"id": "[variables('lbProbeID0')]"
},
"protocol": "tcp"
}
},
{
"name": "LBHttpRule",
"properties": {
"backendAddressPool": {
"id": "[variables('lbPoolID0')]"
},
"backendPort": "[variables('nt0fabricHttpGatewayPort')]",
"enableFloatingIP": "false",
"frontendIPConfiguration": {
"id": "[variables('lbIPConfig0')]"
},
"frontendPort": "[variables('nt0fabricHttpGatewayPort')]",
"idleTimeoutInMinutes": "5",
"probe": {
"id": "[variables('lbHttpProbeID0')]"
},
"protocol": "tcp"
}
},
{
"name": "AppPortLBRule1",
"properties": {
"backendAddressPool": {
"id": "[variables('lbPoolID0')]"
},
"backendPort": "[parameters('loadBalancedAppPort1')]",
"enableFloatingIP": "false",
"frontendIPConfiguration": {
"id": "[variables('lbIPConfig0')]"
},
"frontendPort": "[parameters('loadBalancedAppPort1')]",
"idleTimeoutInMinutes": "5",
"probe": {
"id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]"
},
"protocol": "tcp"
}
},
{
"name": "AppPortLBRule2",
"properties": {
"backendAddressPool": {
"id": "[variables('lbPoolID0')]"
},
"backendPort": "[parameters('loadBalancedAppPort2')]",
"enableFloatingIP": "false",
"frontendIPConfiguration": {
"id": "[variables('lbIPConfig0')]"
},
"frontendPort": "[parameters('loadBalancedAppPort2')]",
"idleTimeoutInMinutes": "5",
"probe": {
"id": "[concat(variables('lbID0'),'/probes/AppPortProbe2')]"
},
"protocol": "tcp"
}
}
],
"probes": [
{
"name": "FabricGatewayProbe",
"properties": {
"intervalInSeconds": 5,
"numberOfProbes": 2,
"port": "[variables('nt0fabricTcpGatewayPort')]",
"protocol": "tcp"
}
},
{
"name": "FabricHttpGatewayProbe",
"properties": {
"intervalInSeconds": 5,
"numberOfProbes": 2,
"port": "[variables('nt0fabricHttpGatewayPort')]",
"protocol": "tcp"
}
},
{
"name": "AppPortProbe1",
"properties": {
"intervalInSeconds": 5,
"numberOfProbes": 2,
"port": "[parameters('loadBalancedAppPort1')]",
"protocol": "tcp"
}
},
{
"name": "AppPortProbe2",
"properties": {
"intervalInSeconds": 5,
"numberOfProbes": 2,
"port": "[parameters('loadBalancedAppPort2')]",
"protocol": "tcp"
}
}
],
"inboundNatPools": [
{
"name": "LoadBalancerBEAddressNatPool",
"properties": {
"backendPort": "3389",
"frontendIPConfiguration": {
"id": "[variables('lbIPConfig0')]"
},
"frontendPortRangeEnd": "4500",
"frontendPortRangeStart": "3389",
"protocol": "tcp"
}
}
]
},
"tags": {
"resourceType": "Service Fabric",
"clusterName": "[parameters('clusterName')]"
}
},
To make it short? How to realize outgoind connections from Azure VMs.
For your issue, I will tell you all I know. Hope it will help you.
Is it the problem, that the port I try to access from inside the VMs
is translated to a different SNAT port by the load-balancer?
No, use SNAT rules, you can translate access flow from the Internet to a different port or not, all as you want. Azure Load Balancer SNAT rules mean you can connect to the VM
port A inside from the Internet with port B. Port A and port B can be the same or not.
The documentation says something about the amount of used SNAT ports,
but it does not say which SNAT ports are used? Which ports do I have
to open in the outer firewall?
As I test, you even can use port 1 in Load Balancer NAT rules. So I assume that the document means how many ports can be used per IP configuration. I suggest you can read the document again and understand carefully.
Why is port 80 working out of the box? I can per default access the
web from within the VMs. This means, that it is possible to reach the
public internet. I did not include any additional rule for port 80
myself.
For this issue, you should make sure for some things. First, if you have a public IP associated to your VM except the Load Balancer. Second, you should take a look in the Azure portal if there are any other NAT rules. Or you can use cli command az network lb inbound-nat-rule list.
Related
I'm starting to use Pulumi for container deployment in Azure cloud.
At the moment I am facing problems because I need to load some configuration files to a container of Traefik but I cannot find the correct way. The idea is that Traefik works as a reverse proxy for the other containers in the group.
My problem is that no matter how much I specify the creation of a volume and try to connect it to the container, when I go to the Azure dashboard, it appears that the container does not have any connected volume.
import pulumi
import pulumi_azure_nextgen as azure
data_rg = azure.resources.latest.ResourceGroup(
"data-rg",
resource_group_name="data-rg",
location="West Europe")
datahike_group = azure.containerinstance.latest.ContainerGroup(
"data-group",
location="West Europe",
container_group_name="data-cg",
resource_group_name=data_rg.name,
containers=[{
"name":"data",
"image": "wordpress:latest",
"resources": {
"requests": { "cpu": 0.5, "memory_in_gb": 1.5}
},
},
{
"name": "proxy",
"image": "traefik:latest",
"resources": {
"requests": { "cpu": 0.5, "memory_in_gb": 1.5}
},
"ports": [{
"port": 80,
"protocol": "TCP",
}],
"VolumeMount": [{
"mount_path": "/etc/traefik/config_base.yml",
"name": "traefik-volume",
}],
"environment_variables": [{
"name": "TRAEFIK_CONFIG_FILE",
"value": "file"
},{
"name": "TRAEFIK_CONFIG_PATH",
"value": "/etc/traefik/config_base.yml"
}
],
},
],
ip_address={
"dnsNameLabel": "dnsnamelabel1",
"ports": [{
"port": 80,
"protocol": "TCP",
}],
"type": "Public",
},
volumes=[
{
"emptyDir": {},
"name": "datahike-volume",
},
{
"name": "traefik-volume",
"secret": {
"secretKey1": "SecretValue1InBase64",
},
},
],
os_type="Linux",
tags={
"environment": "testing",
})
pulumi.export("data_ip", data_group.ip_address)
Does anyone know why its failing?
in this case, the error was due to a typo:
"volumeMounts": [{
"mount_path": "/etc/traefik/config_base.yml",
"name": "traefik-volume",
}],
How can I host an application in ACS (DCOS) on any other port except 80? Can I give any other URL instead of using port number to access?
{
"id": "/dockercloud-hello-world",
"cmd": null,
"cpus": 0.1,
"mem": 128,
"disk": 0,
"instances": 2,
"acceptedResourceRoles": [
"*"
],
"container": {
"type": "DOCKER",
"volumes": [],
"docker": {
"image": "dockercloud/hello-world",
"network": "BRIDGE",
"portMappings": [
{
"containerPort": 80,
"hostPort": 0,
"servicePort": 10000,
"protocol": "tcp",
"labels": {}
}
],
"privileged": false,
"parameters": [],
"forcePullImage": true
}
},
"portDefinitions": [
{
"port": 10000,
"protocol": "tcp",
"name": "default",
"labels": {}
}
]
}
Application is available on port 4170 according to Marathon.
I am unable to access from agents fqn:portnumber
Yes, it is possible.
Firstly, you need modify hostPort value to 4170 and acceptedResourceRoles to slave_public.
Then you need open port 4170 on agent node NSG.
Then you also need open port on agent node LB.
1.Add Health probes
2.Load balancing rules
More information about this please check this link.
I have an ARM template where I set up a load balancer and I want to add a number of port openings by adding rules and probes to the LB.
This is the template I have so far:
{
"type": "Microsoft.Network/loadBalancers",
"name": "LB-front",
"apiVersion": "2016-03-30",
"location": "westeurope",
"tags": { },
"properties": {
"frontendIPConfigurations": [
{
"name": "LoadBalancerIPConfig",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddresses_lbipdev_0_name'))]"
}
}
}
],
"backendAddressPools": [
{
"name": "LoadBalancerBEAddressPool"
}
],
"loadBalancingRules": [
{
"name": "AppPortLBRule1",
"properties": {
"frontendIPConfiguration": {
"id": "[parameters('loadBalancers_LB_dev_id_6')]"
},
"frontendPort": 80,
"backendPort": 80,
"enableFloatingIP": false,
"idleTimeoutInMinutes": 5,
"protocol": "Tcp",
"loadDistribution": "Default",
"backendAddressPool": {
"id": "[parameters('loadBalancers_LB_dev_id_7')]"
},
"probe": {
"id": "[parameters('loadBalancers_LB_dev_id_8')]"
}
}
},
{
"name": "AppPortLBRule2",
"properties": {
"frontendIPConfiguration": {
"id": "[parameters('loadBalancers_LB_dev_id_9')]"
},
"frontendPort": 81,
"backendPort": 81,
"enableFloatingIP": false,
"idleTimeoutInMinutes": 5,
"protocol": "Tcp",
"loadDistribution": "Default",
"backendAddressPool": {
"id": "[parameters('loadBalancers_LB_dev_id_10')]"
},
"probe": {
"id": "[parameters('loadBalancers_LB_dev_id_11')]"
}
}
},
{
"name": "AppPortLBRule3",
"properties": {
"frontendIPConfiguration": {
"id": "[parameters('loadBalancers_LB_dev_id_12')]"
},
"frontendPort": 82,
"backendPort": 82,
"enableFloatingIP": false,
"idleTimeoutInMinutes": 5,
"protocol": "Tcp",
"loadDistribution": "Default",
"backendAddressPool": {
"id": "[parameters('loadBalancers_LB_dev_id_13')]"
},
"probe": {
"id": "[parameters('loadBalancers_LB_dev_id_14')]"
}
}
}
],
"probes": [
{
"name": "AppPortProbe1",
"properties": {
"protocol": "Tcp",
"port": 80,
"intervalInSeconds": 5,
"numberOfProbes": 2
}
},
{
"name": "AppPortProbe2",
"properties": {
"protocol": "Tcp",
"port": 81,
"intervalInSeconds": 5,
"numberOfProbes": 2
}
},
{
"name": "AppPortProbe3",
"properties": {
"protocol": "Tcp",
"port": 82,
"intervalInSeconds": 5,
"numberOfProbes": 2
}
}
],
"inboundNatRules": [],
"outboundNatRules": [],
"inboundNatPools": []
},
"resources": [],
"dependsOn": [
"[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddresses_lbipdev_1_name'))]"
]
},
(some details omitted)
What I would like to do is to have an array of the port numbers I want to create rules and probes for and loop over those instead of explicitly having to write each rule and probe as a property for the resource.
Basically I would like a parameter or variable in my template like this:
"ports": [ 80, 81, 82, ...]
and that I could loop over this similar to this: https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-multiple.
Indeed you can! Copy does work with properties!
Create a parameter or variable like this (this example will use parameter array):
"lbRules": {
"type": "array",
"defaultValue": [
{
"name": "httpPort",
"frontendPort": "80",
"backendPort": "80",
"protocol": "tcp"
},
{
"name": "customAppPort",
"frontendPort": "8080",
"backendPort": "8888",
"protocol": "tcp"
},
{
"name": "httpsPort",
"frontendPort": "443",
"backendPort": "443",
"protocol": "tcp"
}
]
}
Use this parameter in the Loadbalancer resource using copy like this that will create that many probes and rules that you defined in your parameter array:
{
"apiVersion": "[variables('lbApiVersion')]",
"type": "Microsoft.Network/loadBalancers",
"name": "[parameters('myLoadBalancer')]",
"location": "[parameters('computeLocation')]",
"dependsOn": [
"[concat('Microsoft.Network/publicIPAddresses/',concat(parameters('lbIPName'),'-','0'))]"
],
"properties": {
"frontendIPConfigurations": [
{
"name": "LoadBalancerIPConfig",
"properties": {
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(parameters('lbIPName'),'-','0'))]"
}
}
}
],
"backendAddressPools": [
{
"name": "LoadBalancerBEAddressPool",
"properties": {}
}
],
"copy": [
{
"name": "probes",
"count": "[length(parameters('lbRules'))]",
"input": {
"name": "[concat(parameters('lbRules')[copyIndex('probes')].name,'Probe')]",
"properties": {
"intervalInSeconds": 5,
"numberOfProbes": 2,
"port": "[parameters('lbRules')[copyIndex('probes')].backendPort]",
"protocol": "[parameters('lbRules')[copyIndex('probes')].protocol]"
}
}
},
{
"name": "loadBalancingRules",
"count": "[length(parameters('lbRules'))]",
"input": {
"name": "[parameters('lbRules')[copyIndex('loadBalancingRules')].name]",
"properties": {
"frontendIPConfiguration": {
"id": "[concat(resourceId('Microsoft.Network/loadBalancers', parameters('myLoadBalancer')),'/frontendIPConfigurations/LoadBalancerIPConfig')]"
},
"frontendport": "[parameters('lbRules')[copyIndex('loadBalancingRules')].frontendport]",
"backendport": "[parameters('lbRules')[copyIndex('loadBalancingRules')].backendport]",
"enableFloatingIP": false,
"idleTimeoutInMinutes": "5",
"protocol": "[parameters('lbRules')[copyIndex('loadBalancingRules')].protocol]",
"backendAddressPool": {
"id": "[concat(resourceId('Microsoft.Network/loadBalancers', parameters('myLoadBalancer')),'/backendAddressPools/LoadBalancerBEAddressPool')]"
},
"probe": {
"id": "[concat(variables('lbID0'),'/probes/', parameters('lbRules')[copyIndex('loadBalancingRules')].name,'Probe')]"
}
}
}
}
],
"inboundNatPools": []
},
}
}
More info can be found here:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-multiple#property-iteration
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-properties
You can only apply the copy object to a top-level resource.
You cannot apply it to a property on a resource type, or to a child resource.
"resources": [
{
"type": "{provider-namespace-and-type}",
"name": "parentResource",
"copy": {
/* yes, copy can be applied here */
},
"properties": {
"exampleProperty": {
/* no, copy cannot be applied here */
}
},
"resources": [
{
"type": "{provider-type}",
"name": "childResource",
/* copy can be applied if resource is promoted to top level */
}
]
}
]
Source of Quotation: Deploy multiple instances of resources in Azure Resource Manager templates
You can loop over properties in ARM Template ONLY IF the copy object is applied to a top-level resource, which is in your case the "Microsoft.Network/loadBalancers", but that will also create multiple copy of the said resource.
If this is not what you want to achieve, I would recommend you to keep your existing way until ARM Template support copy object to property on a resource type in the future.
It is now possible to loop on properties or on child resources as stated in https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-multiple#property-iteration or in
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-multiple#create-multiple-instances-of-a-child-resource
You can a child resource extension (e.g. WebSite/Extension) as a top-level resource by following the format for the type:
{resource-provider-namespace}/{parent-resource-type}/{child-resource-type}.
For instance
Microsoft.Web/sites/siteextensions
You have also to reference the parent resource in the child resource by a concat. For instance:
"name": "[concat('mywebsite', '/', 'myextension', copyIndex())]"
What you want to achieve is possible with the take function.
You linked the proper documentation site yourself. Go to the link you posted and check out the section "Create multiple instances when copy won't work".
in your case this would look like this:
"variables": {
"probeArray": [
{
"name": "AppPortProbe1",
"properties": {
"protocol": "Tcp",
"port": 80,
"intervalInSeconds": 5,
"numberOfProbes": 2
}
},
{
"name": "AppPortProbe2",
"properties": {
"protocol": "Tcp",
"port": 81,
"intervalInSeconds": 5,
"numberOfProbes": 2
}
},
{
"name": "AppPortProbe3",
"properties": {
"protocol": "Tcp",
"port": 82,
"intervalInSeconds": 5,
"numberOfProbes": 2
}
}
],
You then create an parameter specifying how many probes you want
"parameters": {
...
"numProbes": {
"type": "int",
"maxValue": 3,
"metadata": {
"description": "This parameter allows you to select the number of probes you want"
}
}
Finally you use take inside the resource:
"resources": [
...
{
"type": "Microsoft.Network/loadBalancers",
"properties": {
...
"probes": "[take(variables('probeArray'),parameters('numProbes'))]"
},
...
}
...
}
]
If you continue the through the documentation you will see that you can get even more crazy and combine copy and take with linked templates.
I am trying to modify an ARM template that I have which deploys some VMs and defines some autoscale rules (you can see the full template at https://gist.github.com/jinky32/d80e0ab2137236ff262484193f93c946, it is based on the template at https://github.com/gbowerman/azure-myriad/tree/master/vmss-ubuntu-scale).
I am trying to add in some load balancer rules so that traffic is spread across the new VMs as they are generated in reponse to the autoscale rules that are defined.
When I run this template via Azure CLI I get no errors in terminal but the deployment fails. Digging into the error events I see two:
statusCode:BadRequest serviceRequestId:ef42ec66-600e-4fb9-b4e2-dc2c06dda79c statusMessage:{"error":{"code":"InvalidRequestFormat","message":"Cannot parse the request.","details":[{"code":"InvalidJsonReferenceFormat","message":"Reference Id cc2bepool is not formatted correctly. The Id is expected to reference resources of type loadBalancers/backendAddressPools. Path properties.loadBalancingRules[0].properties.backendAddressPool."}]}} responseBody:{"error":{"code":"InvalidRequestFormat","message":"Cannot parse the request.","details":[{"code":"InvalidJsonReferenceFormat","message":"Reference Id cc2bepool is not formatted correctly. The Id is expected to reference resources of type loadBalancers/backendAddressPools. Path properties.loadBalancingRules[0].properties.backendAddressPool."}]}}
and
statusCode:BadRequest statusMessage:{"error":{"code":"InvalidRequestFormat","message":"Cannot parse the request.","details":[{"code":"InvalidJsonReferenceFormat","message":"Reference Id cc2bepool is not formatted correctly. The Id is expected to reference resources of type loadBalancers/backendAddressPools. Path properties.loadBalancingRules[0].properties.backendAddressPool."}]}}
I've put some of the relevant variables below and have also included my loadbalancer object but I believe that the issue is related to how I am referencing backendAddressPool:
"loadBalancingRules": [
{
"name": "LBRule",
"properties": {
"frontendIPConfiguration": {
"id": "[variables('frontEndIPConfigID')]"
},
"backendAddressPool": {
"id": "[variables('bePoolName')]"
},
but I'm confused because I refer to it the same way elsewhere. Any advice on how to do this correctly much appreciated.
"variables": {
....
"loadBalancerName": "[concat(parameters('vmssName'), 'lb')]",
"lbProbeID": "[concat(variables('lbID'),'/probes/tcpProbe')]",
"publicIPAddressID": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPAddressName'))]",
"lbID": "[resourceId('Microsoft.Network/loadBalancers',variables('loadBalancerName'))]",
"natPoolName": "[concat(parameters('vmssName'), 'natpool')]",
"bePoolName": "[concat(parameters('vmssName'), 'bepool')]",
....
....
}
.....
.....
{
"type": "Microsoft.Network/loadBalancers",
"name": "[variables('loadBalancerName')]",
"location": "[variables('location')]",
"apiVersion": "[variables('networkApiVersion')]",
"dependsOn": [
"[concat('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]"
],
"properties": {
"frontendIPConfigurations": [
....
],
"backendAddressPools": [
{
"name": "[variables('bePoolName')]"
}
],
"inboundNatPools": [
{
"name": "[variables('natPoolName')]",
...
},
{
"name": "natpooltileserver",
....
},
{
"name": "natpool2",
....
],
"loadBalancingRules": [
{
"name": "LBRule",
"properties": {
"frontendIPConfiguration": {
"id": "[variables('frontEndIPConfigID')]"
},
"backendAddressPool": {
"id": "[variables('bePoolName')]"
},
"protocol": "tcp",
"frontendPort": 80,
"backendPort": 80,
"enableFloatingIP": false,
"idleTimeoutInMinutes": 5,
"probe": {
"id": "[variables('lbProbeID')]"
}
}
}
],
"probes": [
{
"name": "tcpProbe",
"properties": {
"protocol": "tcp",
"port": 80,
"intervalInSeconds": 5,
"numberOfProbes": 2
}
}
]
}
},
please go to the portal and open a support request to see what's wrong with your template edits.
Is there any way to create a virtual machine without Public IP address in Windows Azure?
Even if you are creating a VM in virtual network we cannot control the Public IP assigned by Azure. Is there any way to disable or delete the public IP assigned by Azure?
This is incorrect as of 11/29/2016 You can now choose in the provisioning stage through Azure portal to set the public IP Address as NONE. This will allow only communication within the virtual network that the VM is living in.
No. A VM will always have Public IP Address. But you can not assign any Endpoints (leave the VM without any Endpoints defined) - this will effectively block all and any Internet traffic for your VM before it event reaches the Internal Data Centre network.
There will always be a Public IP address assigned to any Cloud Service with something deployed. It is up to you to decide whether to allow Internet traffic to your VM or not. And this decision is made via defining Endpoints.
EDIT
Using Azure Resource Manager you can create a VM without Public IP. You can control this setting on the Network Adapter. Within the IP Configurations for your Network Adapter in Azure Resource Manager you mus specify NONE for the Public IP Address setting.
With the Resource Groups approach you can assign the public ip as None.
It'll still have a network interface, which can be used to access it within the virtual network.
I stumbled across this question via a post on Twitter and saw there wasn't a recent, complete, answer.
Nowadays it's possible to create a virtual machine in Azure without a Public IP address. Check out the sample below. It'll create a VM, a NIC, and a VNet where the VM will be created in.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"my-super-secure-password": {
"type": "securestring"
}
},
"variables": {
},
"resources": [
{
"apiVersion": "2018-10-01",
"dependsOn": [
"my-project-prefix-nic"
],
"location": "westeurope",
"name": "my-project-prefix",
"properties": {
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": false
}
},
"hardwareProfile": {
"vmSize": "Standard_D8ds_v4"
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces','my-project-prefix-nic')]"
}
]
},
"osProfile": {
"adminPassword": "[parameters('my-super-secure-password')]",
"adminUsername": "jan",
"computerName": "my-project-prefix"
},
"storageProfile": {
"dataDisks": [
{
"createOption": "Empty",
"diskSizeGB": 512,
"lun": 0,
"managedDisk": {
"storageAccountType": "StandardSSD_LRS"
},
"name": "my-project-prefix-datadisk-0"
}
],
"imageReference": {
"publisher": "MicrosoftWindowsDesktop",
"offer": "Windows-10",
"sku": "20h1-pro-g2",
"version": "latest"
},
"osDisk": {
"createOption": "FromImage",
"diskSizeGB": 256,
"managedDisk": {
"storageAccountType": "StandardSSD_LRS"
},
"name": "my-project-prefix-osdisk"
}
}
},
"type": "Microsoft.Compute/virtualMachines"
},
{
"apiVersion": "2018-11-01",
"dependsOn": [
"my-project-prefix-vnet"
],
"location": "westeurope",
"name": "my-project-prefix-nic",
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"subnet": {
"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'my-project-prefix-vnet', 'my-project-prefix-subnet')]"
}
}
}
]
},
"type": "Microsoft.Network/networkInterfaces"
},
{
"apiVersion": "2018-11-01",
"location": "westeurope",
"name": "my-project-prefix-vnet",
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.0.0.0/16"
]
},
"subnets": [
{
"name": "my-project-prefix-subnet",
"properties": {
"addressPrefix": "10.0.0.0/24",
"delegations": []
}
}
]
},
"type": "Microsoft.Network/virtualNetworks"
}
]
}
As you can see, I'm omitting the publicIPAddress property on creation of the VM. Seeing it's not a mandatory property, it's still a valid resource.