Azure container services and Application gateway - azure

I connected an Application Gateway as a frontend for the services in the kubernetes cluster. I created a subnet on the k8s-vnet-<id> with address space 10.0.0.0/29 and connected the Application Gateway to that subnet.
I followed instructions from https://fizzylogic.nl/2017/06/16/how-to-connect-azure-api-management-to-your-kubernetes-cluster/
When I try to scale the ContainerServices I get the following error:
Operation name: Write VirtualNetworks
Error code: InUseSubnetCannotBeDeleted
Message:
Subnet api-gateway-subnet is in use by /subscriptions/cdf495e8-6232-4a61-a661-716fec93f8b5/resourceGroups/KuberGoPlay/providers/Microsoft.Network/applicationGateways/ngaz-appgw-play/gatewayIPConfigurations/appGatewayIpConfig and cannot be deleted.
Why is the container service trying to delete the subnet when it scales?
Or am I connecting the Application Gateway the wrong way ?
/Martin

Why is the container service trying to delete the subnet when it scales?
When we try to scale up or scale down (update a resource) the Azure container service, the request is processed by deleting and creating the resource.
You may encounter this error when attempting to update a resource, but the request is processed by deleting and creating the resource. Make sure to specify all unchanged values.
For more information about InUseSubnetCannotBeDeleted, please refer to that link.
Here is an article that talks about how to use a template to update a resource; please refer to it.
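The answer's point, "specify all unchanged values", is easy to get wrong because the `subnets` array of a virtualNetworks resource replaces the whole subnet list on every deployment: a subnet that was added by hand (here, the gateway subnet) and is absent from the template is scheduled for deletion, which is exactly what the error reports. The following is an added example, not the poster's or Azure's code, that diffs the deployed VNet against the template's VNet resource and appends the subnets the template omits. Resource names and address prefixes are constructed, apart from the gateway ids taken from the error message above.

```python
import json
from copy import deepcopy

# Constructed sample (hypothetical names and prefixes): the virtualNetworks resource as it
# appears in the template that gets redeployed on scale. Only the cluster subnet is declared;
# the gateway subnet was added afterwards, outside the template.
TEMPLATE_VNET = {
    "type": "Microsoft.Network/virtualNetworks",
    "name": "k8s-vnet-12345678",
    "properties": {
        "addressSpace": {"addressPrefixes": ["10.0.0.0/8"]},
        "subnets": [
            {"name": "k8s-subnet", "properties": {"addressPrefix": "10.240.0.0/16"}},
        ],
    },
}

# Constructed sample of the deployed state, in the (trimmed) shape `az network vnet show -o json`
# returns. The gateway subnet is held by the Application Gateway's gatewayIPConfiguration,
# using the ids from the error message above.
RG = "/subscriptions/cdf495e8-6232-4a61-a661-716fec93f8b5/resourceGroups/KuberGoPlay/providers/Microsoft.Network"
DEPLOYED_VNET = {
    "name": "k8s-vnet-12345678",
    "subnets": [
        {"name": "k8s-subnet", "addressPrefix": "10.240.0.0/16",
         "ipConfigurations": [{"id": f"{RG}/networkInterfaces/k8s-agent-0-nic/ipConfigurations/ipconfig1"}]},
        {"name": "api-gateway-subnet", "addressPrefix": "10.0.0.0/29",
         "ipConfigurations": [{"id": f"{RG}/applicationGateways/ngaz-appgw-play/gatewayIPConfigurations/appGatewayIpConfig"}]},
    ],
}


def declared_subnets(template_vnet):
    return {s["name"] for s in template_vnet["properties"].get("subnets", [])}


def subnets_missing_from_template(template_vnet, deployed_vnet):
    """Deployed subnets the template omits, mapped to the ipConfigurations that live in them.

    `properties.subnets` is a full replacement, so every subnet listed here would be deleted on
    redeploy; the ones that are in use fail the deployment with InUseSubnetCannotBeDeleted.
    """
    declared = declared_subnets(template_vnet)
    return {
        s["name"]: [cfg["id"] for cfg in s.get("ipConfigurations") or []]
        for s in deployed_vnet["subnets"]
        if s["name"] not in declared
    }


def preserve_existing_subnets(template_vnet, deployed_vnet):
    """Copy of the template with every omitted subnet appended, so redeploying leaves it alone.

    Only the address prefix is carried over here; anything else set on the subnet
    (delegations, NSG or route table association) has to be copied the same way.
    """
    merged = deepcopy(template_vnet)
    declared = declared_subnets(merged)
    for s in deployed_vnet["subnets"]:
        if s["name"] not in declared:
            merged["properties"]["subnets"].append(
                {"name": s["name"], "properties": {"addressPrefix": s["addressPrefix"]}}
            )
    return merged


if __name__ == "__main__":
    for name, users in subnets_missing_from_template(TEMPLATE_VNET, DEPLOYED_VNET).items():
        print(f"template omits {name}; redeploying would delete it, but it is in use by:")
        for uid in users:
            print("   ", uid)
    print(json.dumps(preserve_existing_subnets(TEMPLATE_VNET, DEPLOYED_VNET), indent=2))
```

To run it against a real VNet, replace DEPLOYED_VNET with the output of `az network vnet show -g <rg> -n <vnet> -o json`; the fields it reads (`subnets[].name`, `addressPrefix`, `ipConfigurations[].id`) are all present in that output. Applying the merged resource instead of the original template is what keeps the gateway subnet alive across a scale operation.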

Related

Azure Application Gateway: Subnet must only have application gateway

I'm facing an error - "Subnet must only have application gateway" - while creating an Application Gateway in my Azure network.
I'm following the steps from this document: https://learn.microsoft.com/en-us/azure/application-gateway/create-url-route-portal
Tried to look around but could not find any solution.
Tested in my environment, working fine for me. You need to create a separate subnet for the Application Gateway; you cannot use a subnet that is shared with other resources. Likewise, you can see below that I selected AzureBastionSubnet, which is already in use by Bastion.
Once I created a separate subnet for the AppGw, it works fine.
Note: If you are using a subnet that is already shared with other resources, for that subnet you need to select NSG None.

APIM unable to connect to service deployed in AKS

We have a private AKS cluster created under a virtual network (MC resource group). We also have an APIM created under the same virtual network. A few services are deployed in K8s and exposed via the internal load balancer of K8s. When we do kubectl get svc we get a cluster IP and an external IP.
I've used the external IP to connect to APIM, but it's failing with the following error:
Unable to download specified file. Please ensure the URL is valid and the file is publicly accessible.
The "unable to download ..." error might come from the URL being an IP address, because when the field is filled with an Azure blob storage URL, no errors should come.
I think you can try to add the API instance by uploading a JSON file from localhost.
In the Network Security Groups, you should also add a new Inbound Security Rule.
Change the label in the Source service tag by selecting Service Tag from the dropdown menu that appears. There is an option for ApiManagement in this dropdown.
You must select an IP address from the drop-down list and type the API Management Service's IP address.
For more information on resolving this error, refer here and also this SO thread.

Unable to delete subnet and virtual network in azure

I am just practicing Azure. And I created a virtual network and subnets.
Now I am not able to delete the subnet. I have disconnected all connected devices from the virtual network.
Here is the error I get while deleting the subnet:
Please help me to clean up the subnet and virtual network.
Thanks
Additional details
All resources in my account
And here is the subnets tab and the error I get during deletion:
Subnet configuration:
As the error shows, the subnet PrivateSubnet should be in use. And you can see it's delegated to the service Microsoft.Web/serverfarms. So you need to remove the delegated service first. To do so, follow the steps here. When the delegated service list is empty, you can delete the subnet as you want.
Update:
According to my experience, your subnet is in use by network/PrivateSubnet/AppLink, which means there is at least one Web App integrated with your subnet. And I didn't see the Web App in your resource group. So I guess someone else uses your subnet and their Web App still exists. You need to check it yourself.
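The "Subnet must only have application gateway" answer and the "Unable to delete subnet" answer above come down to the same question: what is occupying the subnet? Here is an added example (my code, not the answerers' or Azure's) that walks a VNet description in the trimmed shape `az network vnet show -o json` returns and reports, per subnet, what would block deletion (ipConfigurations, delegations, service association links) and, for a subnet that hosts an Application Gateway, which other resource kinds share it. The VNet, subnet and resource names in the sample are constructed, except the gateway id reused from the first question on this page.

```python
import re

# Pulls the owning resource out of an Azure resource id, e.g.
# .../providers/Microsoft.Network/applicationGateways/ngaz-appgw-play/gatewayIPConfigurations/appGatewayIpConfig
OWNER_RE = re.compile(r"/providers/(?P<provider>[^/]+)/(?P<kind>[^/]+)/(?P<name>[^/]+)", re.IGNORECASE)
APPGW_KIND = "microsoft.network/applicationgateways"


def owner_of(resource_id):
    """('Microsoft.Network/applicationGateways', 'ngaz-appgw-play') for the id above."""
    m = OWNER_RE.search(resource_id)
    if m is None:
        raise ValueError(f"not an Azure resource id: {resource_id}")
    return f"{m['provider']}/{m['kind']}", m["name"]


def deletion_blockers(subnet):
    """Everything that makes deleting this subnet fail with an in-use error."""
    reasons = []
    for cfg in subnet.get("ipConfigurations") or []:
        kind, name = owner_of(cfg["id"])
        reasons.append(f"ipConfiguration of {kind} '{name}'")
    for delegation in subnet.get("delegations") or []:
        reasons.append(f"delegated to {delegation['serviceName']}")
    for link in subnet.get("serviceAssociationLinks") or []:
        reasons.append(f"service association link '{link['name']}' to {link['linkedResourceType']}")
    return reasons


def sharing_appgw_subnet(subnet):
    """Resource kinds other than Application Gateway with an ipConfiguration in a gateway subnet.

    Empty for a dedicated gateway subnet and for subnets that hold no gateway at all.
    """
    kinds = {owner_of(cfg["id"])[0] for cfg in subnet.get("ipConfigurations") or []}
    if not any(k.lower() == APPGW_KIND for k in kinds):
        return []
    return sorted(k for k in kinds if k.lower() != APPGW_KIND)


def subnet_report(vnet):
    return {s["name"]: {"blockers": deletion_blockers(s), "shared_with": sharing_appgw_subnet(s)}
            for s in vnet["subnets"]}


def deletable_subnets(vnet):
    return [s["name"] for s in vnet["subnets"] if not deletion_blockers(s)]


# Constructed sample: one VNet containing the situations from the threads above
# (dedicated gateway subnet, gateway sharing the Bastion subnet, delegated Web App subnet, empty subnet).
RG = "/subscriptions/cdf495e8-6232-4a61-a661-716fec93f8b5/resourceGroups/KuberGoPlay/providers/Microsoft.Network"
VNET = {
    "name": "k8s-vnet-12345678",
    "subnets": [
        {"name": "api-gateway-subnet", "addressPrefix": "10.0.0.0/29",
         "ipConfigurations": [{"id": f"{RG}/applicationGateways/ngaz-appgw-play/gatewayIPConfigurations/appGatewayIpConfig"}]},
        {"name": "AzureBastionSubnet", "addressPrefix": "10.0.1.0/26",
         "ipConfigurations": [
             {"id": f"{RG}/bastionHosts/play-bastion/bastionHostIpConfigurations/bastionHostIpConfiguration"},
             {"id": f"{RG}/applicationGateways/appgw-test/gatewayIPConfigurations/appGatewayIpConfig"}]},
        {"name": "PrivateSubnet", "addressPrefix": "10.0.2.0/24",
         "delegations": [{"name": "delegation", "serviceName": "Microsoft.Web/serverfarms"}],
         "serviceAssociationLinks": [{"name": "AppLink", "linkedResourceType": "Microsoft.Web/serverfarms"}]},
        {"name": "spare-subnet", "addressPrefix": "10.0.3.0/24"},
    ],
}

if __name__ == "__main__":
    for name, info in subnet_report(VNET).items():
        print(name)
        for reason in info["blockers"] or ["nothing holds it; delete would succeed"]:
            print("   ", reason)
        if info["shared_with"]:
            print("    gateway subnet is shared with", ", ".join(info["shared_with"]))
```

The report answers both threads at once: a subnet with a delegation or a service association link cannot be deleted until the Web App integration is removed, even when no NIC sits in it, and a subnet where the gateway shares ipConfigurations with anything else (here Bastion) is exactly what the portal refuses with "Subnet must only have application gateway".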

Azure AKS Load Balancer issue with Azure Network CNI plugin not accessible

I am deploying an API application on an existing AKS cluster which uses the Azure CNI plugin. The deployment manifests are native k8s with kustomize. The resources getting deployed are an API deployment with an NGINX Ingress controller and a couple of ingress routes for the API itself and Grafana and Prometheus (through the prom operator). I have only 1 ingress route added so far, which is just for accessing the API.
When I deploy the resources all of them get successfully deployed and a public IP gets assigned to the controller. However, when I try to hit the public IP to fetch the response for the endpoint. And I am looking for some help to troubleshoot the issue.
After looking at the setup a little bit I realized a couple of things:
Load Balancer's resource group and the nodes in the agent pools have different resource groups.
The NSG inbound and outbound rules are not in the same resource group.
I am not sure what piece is missing. I tried changing the resource group of the load balancer; it didn't do that, failing with a validation error. I also ran the same setup with the default kubenet network plugin and it worked successfully. Any help on this will be greatly appreciated.
Q1: Load Balancer's resource group and the nodes in the agent pools have different resource groups.
The Azure AKS is an individual resource, but its components are not. You need to create the AKS cluster in a resource group. When creating the AKS cluster, Azure will create another resource group to put the components of the AKS. So there will be two resource groups when the AKS is created. Here are the details to help you better understand it.
And I guess you want to assign a static public IP address to the Ingress controller and create the static public IP in the resource group the AKS resource is in, not the one for the components. If I'm right, then you need to assign the service principal of the AKS a network role. Here are the steps on how to create a static public IP in another resource group.
Q2: The NSG inbound and outbound rules are not in the same resource group.
You do not need to care about the NSG inbound and outbound rules for AKS; Azure manages them itself. You just need to focus on how to deploy applications in the AKS cluster.

How configure Azure Application Gateway to allow connecting to a Container Instance

I have a private network (10.0.0.0/16) which has multiple subnets. I have an Application Gateway configured in the 10.0.0.0/24 subnet and I would like to expose Container Instances from the 10.0.2.0/24 subnet to the internet via HTTP.
The gateway has only one HTTP rule simply mapping 80:80 from the internet to the backend pool. In the "Backend Health" section the status of my container (added via IP address) is unknown and the following error is displayed:
Unable to retrieve health status data. Check presence of NSG/UDR blocking access to ports 65503-65534 from Internet to Application Gateway.
Initially I had no NSG set, but after setting one (and even allowing any:any) it is not solving the status check problem.
When opening the URL in the browser I get a 502 Bad Gateway error.
Note: I have added a container instance which is not part of the VNet to the Application Gateway, and despite also showing unknown status in the backend pool, the requests actually got redirected to the container, so I am almost certain I am misconfiguring something in the VNet.
Note2: I have pushed a test container and the test container can reach the container I am trying to expose in the same subnet, so something goes wrong between the container and the application gateway.
My question is what NSG rules I have to set to
make the container visible to the health check
make the redirect work between the Application Gateway and the Container
There is really nothing to misconfigure; you can create a VM in one of the subnets (create a third one) and test if it can access the container instance. If it can, this might be a platform limitation, tbh.
But looking at the error: you should detach all NSGs/User Defined Routes from the VNet (for simplicity) and do several other checks: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting#backend-health-status-unknown
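The hint in the error, "check presence of NSG/UDR blocking access to ports 65503-65534 from Internet to Application Gateway", can be turned into a concrete check before detaching anything. The following is an added example (my code, not the poster's, the answerer's or Azure's) that evaluates a set of inbound NSG rules the way the platform does: lowest priority number first, first match wins, with the three default inbound rules appended at the end. It then asks, for each port in the infrastructure range, which rule would decide a packet from the Internet tag. Sources are compared as service tags only (an assumption; CIDR containment is not evaluated), and the rule and NSG names are hypothetical.

```python
from dataclasses import dataclass

# Port range named in the backend-health error above.
APPGW_INFRA_PORTS = (65503, 65534)


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # 100-4096 for custom rules; lower number is evaluated first
    access: str          # "Allow" or "Deny"
    protocol: str        # "*", "Tcp" or "Udp"
    source: str          # "*" or a service tag such as "Internet" (tags only in this example)
    dest_ports: tuple    # each entry "*", "80" or "65503-65534"


# Default inbound rules every NSG carries (priorities 65000-65500); DenyAllInBound catches the rest.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", ("*",)),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", ("*",)),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", ("*",)),
)


def port_matches(port, spec):
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(x) for x in spec.split("-", 1))
        return low <= port <= high
    return port == int(spec)


def rule_matches(rule, source_tag, protocol, port):
    if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
        return False
    # Simplification (assumption): sources are compared as tags; CIDR containment is not checked.
    if rule.source != "*" and rule.source.lower() != source_tag.lower():
        return False
    return any(port_matches(port, spec) for spec in rule.dest_ports)


def first_match(rules, source_tag, protocol, port):
    """The rule Azure would apply: the lowest priority number that matches wins."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, source_tag, protocol, port):
            return rule
    return None


def blocked_infra_ports(custom_rules, source_tag="Internet", port_range=APPGW_INFRA_PORTS):
    """Map each infrastructure port the NSG denies to the name of the rule that denies it."""
    rules = tuple(custom_rules) + DEFAULT_INBOUND
    low, high = port_range
    blocked = {}
    for port in range(low, high + 1):
        hit = first_match(rules, source_tag, "Tcp", port)
        if hit is None or hit.access == "Deny":
            blocked[port] = hit.name if hit else "(no rule)"
    return blocked


# Constructed NSGs (hypothetical names). The first only opens the listener ports, the usual
# mistake; the second adds the infrastructure range; the third shows a higher-priority Deny
# shadowing the Allow, so the range stays blocked even though an Allow rule exists.
NSG_WEB_ONLY = (
    Rule("AllowHttpFromInternet", 100, "Allow", "Tcp", "Internet", ("80",)),
    Rule("AllowHttpsFromInternet", 110, "Allow", "Tcp", "Internet", ("443",)),
)
NSG_FIXED = NSG_WEB_ONLY + (
    Rule("AllowAppGwInfraPorts", 120, "Allow", "*", "Internet", ("65503-65534",)),
)
NSG_SHADOWED = (Rule("DenyAllFromInternet", 90, "Deny", "*", "Internet", ("*",)),) + NSG_FIXED

if __name__ == "__main__":
    for label, nsg in (("web-only", NSG_WEB_ONLY), ("fixed", NSG_FIXED), ("shadowed", NSG_SHADOWED)):
        blocked = blocked_infra_ports(nsg)
        by_rule = sorted(set(blocked.values()))
        print(f"{label}: {len(blocked)} of 32 infrastructure ports blocked by {by_rule or 'nothing'}")
```

The "web-only" case is the one the poster describes: a rule that allows any:any on the listener port still leaves 65503-65534 to fall through to DenyAllInBound, so the probe never reaches the gateway and backend health stays unknown. To check a v2 gateway, which per the Azure documentation uses ports 65200-65535 from the GatewayManager tag instead, pass `port_range=(65200, 65535)` and `source_tag="GatewayManager"`. Note that this covers only the path into the gateway subnet; the 502 toward the container instance also needs the outbound rules on the gateway subnet and the inbound rules on the container subnet to permit the backend port.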
