Azure loadBalancerInboundNatPool - How to setup - azure

I've set up a load balancer in my resource group with a backend pool and inbound NAT rules for HTTP and HTTPS.
Now when I try to create an auto-scale set through a template, I have to reference a "loadBalancerInboundNatPool". But this is, as far as I can decipher from the error messages, not the same as the InboundNatRules.
How do I create/find the name of my InboundNatPool, so I can reference it from my template and create my auto-scale set correctly?

The loadBalancerInboundNatPools property is in the VMSS; you need to add this to the VMSS.

You can take a look at existing examples doing exactly this thing:
https://github.com/Azure/azure-quickstart-templates/tree/master/201-2-vms-loadbalancer-natrules
https://github.com/Azure/azure-quickstart-templates/tree/master/201-vmss-linux-nat
and several others in that repo. I don't really understand your question, but those templates will let you do just what you are aiming for.
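An added check for the question above (example code written for this page, not taken from the quickstart templates). It encodes the relationship the answers describe: a scale set's NIC configuration can only reference a NAT pool defined under the load balancer's inboundNatPools, never one of the inboundNatRules, and it validates a template fragment before deployment. It also flags a second failure a practitioner hits when adding a pool to a load balancer that already carries NAT rules: a frontend port is unique per frontend IP configuration and protocol, so a pool range that contains a rule's port fails. The load balancer and VMSS fragments, names and port numbers are constructed; the field names follow the ARM schema.

```python
"""Validate that a VMSS ipConfiguration's loadBalancerInboundNatPools reference
resolves to a pool the load balancer defines, and that pool/rule frontend ports
do not collide. Added example for this thread; fragments below are constructed."""
import copy
import re

LB_NAME = "lb-web"
FRONTEND_ID = ("[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', "
               f"'{LB_NAME}', 'LoadBalancerFrontEnd')]")

# Load balancer: NAT rules for http/https (each forwards to one VM) plus a NAT
# pool, which is the only NAT construct a scale set can reference.
LOAD_BALANCER = {
    "type": "Microsoft.Network/loadBalancers",
    "name": LB_NAME,
    "properties": {
        "inboundNatRules": [
            {"name": "http", "properties": {"frontendIPConfiguration": {"id": FRONTEND_ID},
                                            "protocol": "Tcp", "frontendPort": 80, "backendPort": 80}},
            {"name": "https", "properties": {"frontendIPConfiguration": {"id": FRONTEND_ID},
                                             "protocol": "Tcp", "frontendPort": 443, "backendPort": 443}},
        ],
        "inboundNatPools": [
            {"name": "ssh-natpool", "properties": {"frontendIPConfiguration": {"id": FRONTEND_ID},
                                                   "protocol": "Tcp", "frontendPortRangeStart": 50000,
                                                   "frontendPortRangeEnd": 50119, "backendPort": 22}},
        ],
    },
}

# Scale set side: one entry of virtualMachineProfile.networkProfile
# .networkInterfaceConfigurations[].properties.ipConfigurations[].
VMSS_NIC_IPCONFIG = {
    "name": "ipconfig1",
    "properties": {
        "loadBalancerBackendAddressPools": [
            {"id": f"[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', '{LB_NAME}', 'bepool')]"}],
        "loadBalancerInboundNatPools": [
            {"id": f"[resourceId('Microsoft.Network/loadBalancers/inboundNatPools', '{LB_NAME}', 'ssh-natpool')]"}],
    },
}

RESOURCE_ID_RE = re.compile(
    r"resourceId\('Microsoft\.Network/loadBalancers/inboundNatPools',\s*'([^']+)',\s*'([^']+)'\)")


def validate_nat_pool_refs(load_balancer: dict, ipconfig: dict) -> list:
    """Return a list of problems; an empty list means the reference will resolve."""
    problems = []
    lb = load_balancer["properties"]
    pools = {p["name"]: p["properties"] for p in lb.get("inboundNatPools", [])}
    for ref in ipconfig["properties"].get("loadBalancerInboundNatPools", []):
        m = RESOURCE_ID_RE.search(ref["id"])
        if not m:
            problems.append(f"unparseable NAT pool reference: {ref['id']}")
            continue
        lb_name, pool_name = m.groups()
        if lb_name != load_balancer["name"]:
            problems.append(f"reference points at load balancer '{lb_name}', "
                            f"template defines '{load_balancer['name']}'")
        elif pool_name not in pools:
            # Using a NAT *rule* name here is the classic mistake: only
            # inboundNatPools entries can be referenced from a scale set.
            problems.append(f"load balancer '{lb_name}' has no inboundNatPools entry named '{pool_name}'")
    # A frontend port is unique per frontend IP configuration and protocol.
    for pool_name, pool in pools.items():
        lo, hi = pool["frontendPortRangeStart"], pool["frontendPortRangeEnd"]
        for rule in lb.get("inboundNatRules", []):
            rp = rule["properties"]
            if (rp["frontendIPConfiguration"]["id"] == pool["frontendIPConfiguration"]["id"]
                    and rp["protocol"] == pool["protocol"] and lo <= rp["frontendPort"] <= hi):
                problems.append(f"NAT pool '{pool_name}' range {lo}-{hi} overlaps "
                                f"NAT rule '{rule['name']}' on frontend port {rp['frontendPort']}")
    return problems


def with_pool_ref(ipconfig: dict, pool_name: str) -> dict:
    """Copy of the ipconfig pointing at another pool name (shows the failure case)."""
    out = copy.deepcopy(ipconfig)
    out["properties"]["loadBalancerInboundNatPools"] = [
        {"id": f"[resourceId('Microsoft.Network/loadBalancers/inboundNatPools', '{LB_NAME}', '{pool_name}')]"}]
    return out


def with_pool_range(load_balancer: dict, pool_name: str, start: int, end: int) -> dict:
    """Copy of the load balancer with one pool's frontend port range changed."""
    out = copy.deepcopy(load_balancer)
    for pool in out["properties"]["inboundNatPools"]:
        if pool["name"] == pool_name:
            pool["properties"]["frontendPortRangeStart"] = start
            pool["properties"]["frontendPortRangeEnd"] = end
    return out


if __name__ == "__main__":
    print(validate_nat_pool_refs(LOAD_BALANCER, VMSS_NIC_IPCONFIG))  # []
    print(validate_nat_pool_refs(LOAD_BALANCER, with_pool_ref(VMSS_NIC_IPCONFIG, "https")))
    print(validate_nat_pool_refs(with_pool_range(LOAD_BALANCER, "ssh-natpool", 80, 200), VMSS_NIC_IPCONFIG))
```

Point validate_nat_pool_refs at the parsed resources of your own template; the second and third calls show the two errors the questioner is likely to hit, a reference to a rule name that is not a pool, and a pool range colliding with an existing rule.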

Related

Defining security groups in Bicep - best practice?

To create a VNET and subnets in Azure, we use:
resource symbolicname 'Microsoft.Network/virtualNetworks@2021-05-01'
We can also define subnets at the same time as we create VNETs, using the parameters in the above resource.
There is another way to define subnets in Azure, using
Microsoft.Network/virtualNetworks/subnets
However, Azure advises that this is not best practice, and that they should be defined using the first method:
“Avoid defining subnets as child resources. This approach can result in downtime for your resources during subsequent deployments, or failed deployments.”
When creating security groups, similar to the above, we can create rules at the same time we are creating the security group, as per:
Microsoft.Network/networkSecurityGroups
However, we can also create them separately using
networkSecurityGroups/securityRules
Similar to the VNET scenario above, is it best practice to create an NSG + rules at the same time, or to create them independently?
If this question doesn't make sense apologies - new to this.
"Similar to the VNET scenario above, is it best practice to create an NSG + rules at the same time, or to create them independently?"
AFAIK, Network Security Groups should be deployed in the same way that VMs and other services are. It has to happen at the same moment, keeping everything in order.
To do that you can refer to Microsoft.Network/networkSecurityGroups/securityRules and this blog.

Can we change the App Service Slot name to be included as prefix as opposed to the suffix

So adding a slot named dev would create the URL appservice-dev.azurewebsites.net. How can we create dev-appservice.azurewebsites.net?
CrashOverride, the other two posters are correct. We do not allow customers to edit the internal DNS name (.azurewebsites.net) of deployment slots.
I do also want to confirm that your best solution, if you need custom DNS names for your slots, would be to use a custom domain name (you'll need to add an SSL cert).
We encourage you to make a feature request here so the product group is made aware of this scenario.

How to import/download already existing cloudflare resource(s) using terraform?

If I have existing Cloudflare settings (created using the web console), how do I import/download existing Cloudflare resource(s), e.g. DNS records, using Terraform?
So I could use it as a starting point to modify/update them.
Thanks.
Each Terraform resource has an example of importing existing data. For example, the record import:
$ terraform import cloudflare_record.default ae36f999674d196762efcc5abb06b345/d41d8cd98f00b204e9800998ecf8427e
You can use the cf-terraforming tool to terraform existing CF resources.
Your steps will look like this:
Describe a Terraform configuration that contains the resources you want to manage with Terraform.
Initialize the created configuration using terraform init, and afterwards (this is convenient) quickly get the addresses of the resources that you need for import using terraform plan.
Next, you need to get the IDs of the existing resources; they will also be required for import. For the Cloudflare Zone resource this is easy to do, just refer to this instruction; for other resources, for example a Cloudflare record, you will either need to use cf-terraforming or the Cloudflare API.
Import your resources using the terraform import RESOURCE_ADDRESS RESOURCE_ID command.
Another way is to delete your resources and recreate them with Terraform instead of importing them. This can make your infrastructure unavailable for some time.
I highly recommend that you read these guides:
https://developers.cloudflare.com/terraform/advanced-topics/import-cloudflare-resources/.
https://github.com/alex-feel/terraform-cloudflare-zone/wiki/Migration (it is written for a module, but is equally applicable to "raw" resources).
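To show what the configuration and import steps of the procedure above look like for DNS records, here is an added example written for this page (not cf-terraforming or Cloudflare provider code). It takes a record listing in the shape of the Cloudflare API dns_records response and generates both the Terraform configuration and the matching terraform import commands, giving every record a unique resource address even when several records share a name and type (the usual case for TXT at the apex or round-robin A records). The zone id is the one from the import example above; the record ids and names are constructed, and the attribute names (value, ttl, proxied) follow the cloudflare_record resource as the first answer uses it, so check them against your provider version.

```python
"""Generate cloudflare_record resources and `terraform import` commands from a
DNS record listing. Added example for this thread; the record list is constructed
in the shape of the Cloudflare API result and the ids are made up."""
import json
import re

ZONE_ID = "ae36f999674d196762efcc5abb06b345"   # zone id from the import example above

# Constructed sample: two TXT records at the apex on purpose, because that is
# where a naive "type_name" labelling scheme collides.
SAMPLE_API_RESULT = json.dumps([
    {"id": "d41d8cd98f00b204e9800998ecf8427e", "type": "A", "name": "www.example.com",
     "content": "203.0.113.10", "ttl": 1, "proxied": True},
    {"id": "0cc175b9c0f1b6a831c399e269772661", "type": "AAAA", "name": "www.example.com",
     "content": "2001:db8::10", "ttl": 1, "proxied": True},
    {"id": "92eb5ffee6ae2fec3ad71c777531578f", "type": "TXT", "name": "example.com",
     "content": "v=spf1 -all", "ttl": 3600, "proxied": False},
    {"id": "4a8a08f09d37b73795649038408b5f33", "type": "TXT", "name": "example.com",
     "content": "google-site-verification=abc123", "ttl": 3600, "proxied": False},
])


def base_label(record: dict) -> str:
    """Terraform label from type + host: lowercase, non-identifier chars replaced."""
    label = re.sub(r"[^a-z0-9_-]", "_", f"{record['type']}_{record['name']}".lower())
    return label if not label[0].isdigit() else "_" + label   # labels may not start with a digit


def assign_labels(records: list) -> dict:
    """Map record id -> unique label; colliding labels get part of the record id appended."""
    counts = {}
    for r in records:
        counts[base_label(r)] = counts.get(base_label(r), 0) + 1
    labels = {}
    for r in records:
        label = base_label(r)
        labels[r["id"]] = label if counts[label] == 1 else f"{label}_{r['id'][:8]}"
    return labels


def hcl_string(s: str) -> str:
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_resource(record: dict, label: str, zone_id: str) -> str:
    return (
        f'resource "cloudflare_record" "{label}" {{\n'
        f"  zone_id = {hcl_string(zone_id)}\n"
        f"  name    = {hcl_string(record['name'])}\n"
        f"  type    = {hcl_string(record['type'])}\n"
        f"  value   = {hcl_string(record['content'])}\n"
        f"  ttl     = {record['ttl']}\n"
        f"  proxied = {str(record['proxied']).lower()}\n"
        "}\n"
    )


def generate(api_result_json: str, zone_id: str):
    """Return (HCL text, list of import commands) for every record in the listing."""
    records = json.loads(api_result_json)
    labels = assign_labels(records)
    config = "\n".join(render_resource(r, labels[r["id"]], zone_id) for r in records)
    # Import id format for cloudflare_record is "<zone_id>/<record_id>".
    imports = [f"terraform import cloudflare_record.{labels[r['id']]} {zone_id}/{r['id']}"
               for r in records]
    return config, imports


if __name__ == "__main__":
    hcl, commands = generate(SAMPLE_API_RESULT, ZONE_ID)
    print(hcl)
    print("\n".join(commands))
```

Write the HCL to a .tf file, run terraform init, then run the printed import commands; a following terraform plan should show no changes if the generated attributes match what is live, which is the check that the import actually captured the state.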

Apply NSG/ASG by default on new subnets (Azure)

We manage an Azure subscription operated by several countries. Each of them is quite independent in what they can do (create/edit/remove resources). A guide of good practices has been sent to them, but we (the security team) would like to ensure a set of NSGs is systematically applied to every new subnet/VNet created.
Looking at Azure triggers, I am not sure that subnet creation belongs to the auditable events. I was also told to look at Azure Policy, but once again I am not sure this will match our expectations, which are: for every new VNet/subnet, automatically apply a set of predefined NSGs.
Do you have any idea of a solution for our need?
I have done work like this in the past (not this exact issue) and the way I solved it was with an Azure Function that walked the subscription and looked for these kinds of issues. You could have the code run as a Managed Identity with Reader rights on the subscription to report issues, or as a Contributor to update the setting. Here's some code that shows how you could do this with PowerShell https://github.com/Azure/azure-policy/tree/master/samples/Network/enforce-nsg-on-subnet
You could consider using a Policy that has a DeployIfNotExists action to deploy an ARM template that contains all the data for the NSG. https://learn.microsoft.com/en-us/azure/governance/policy/samples/pattern-deploy-resources
You can get the ARM template by creating the NSG and exporting the template:
(screenshot: GettingNSGTemplate)
Note also that creating a subnet is audited; you can see it in the Activity Log for the VNet. See the screenshot.
(screenshot: AddingASubnet)
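As an added example of the subscription-walking approach in the first answer (written for this page; not the linked Azure Function or policy sample), here is the audit half of that approach run over the JSON that az network vnet list -o json returns: it lists every subnet without an NSG attached and produces the az network vnet subnet update command that would attach the baseline NSG for that region. A Function with a Reader managed identity could emit the findings, one with Contributor could run the commands. The VNet JSON, subscription id, resource names and baseline NSG ids are all constructed; the platform subnets GatewaySubnet and AzureFirewallSubnet are skipped because they are not meant to carry a regular NSG.

```python
"""Find subnets with no NSG in `az network vnet list` output and build the
remediation command. Added example for this thread; all sample data is constructed."""
import json
import re

SUB = "00000000-0000-0000-0000-000000000000"
NSG_PREFIX = f"/subscriptions/{SUB}/resourceGroups/rg-security/providers/Microsoft.Network/networkSecurityGroups/"

# Baseline NSG per region (an NSG can only be attached to subnets in its own region).
BASELINE_NSG = {
    "westeurope": NSG_PREFIX + "nsg-baseline-weu",
    "francecentral": NSG_PREFIX + "nsg-baseline-frc",
}
# Platform subnets that must not carry a regular NSG.
EXEMPT_SUBNETS = {"GatewaySubnet", "AzureFirewallSubnet"}

SUBNET_ID_RE = re.compile(
    r"^/subscriptions/([^/]+)/resourceGroups/([^/]+)/providers/Microsoft\.Network"
    r"/virtualNetworks/([^/]+)/subnets/([^/]+)$", re.IGNORECASE)


def _subnet_id(rg: str, vnet: str, name: str) -> str:
    return (f"/subscriptions/{SUB}/resourceGroups/{rg}/providers/Microsoft.Network"
            f"/virtualNetworks/{vnet}/subnets/{name}")


# Constructed sample in the shape of `az network vnet list` output, trimmed to the fields used.
SAMPLE_VNETS = json.dumps([
    {"name": "vnet-weu", "location": "westeurope", "subnets": [
        {"name": "app", "id": _subnet_id("rg-fr", "vnet-weu", "app"),
         "networkSecurityGroup": {"id": NSG_PREFIX + "nsg-app"}},
        {"name": "db", "id": _subnet_id("rg-fr", "vnet-weu", "db"), "networkSecurityGroup": None},
        {"name": "GatewaySubnet", "id": _subnet_id("rg-fr", "vnet-weu", "GatewaySubnet"),
         "networkSecurityGroup": None},
    ]},
    {"name": "vnet-frc", "location": "francecentral", "subnets": [
        {"name": "web", "id": _subnet_id("rg-fr", "vnet-frc", "web")},   # key absent entirely
    ]},
    {"name": "vnet-neu", "location": "northeurope", "subnets": [
        {"name": "lab", "id": _subnet_id("rg-de", "vnet-neu", "lab"), "networkSecurityGroup": None},
    ]},
])


def find_unprotected_subnets(vnets_json: str) -> list:
    """One finding per subnet without an NSG. remediation is None when no baseline
    NSG exists for the region, which is itself a gap to fix."""
    findings = []
    for vnet in json.loads(vnets_json):
        for subnet in vnet.get("subnets", []):
            if subnet["name"] in EXEMPT_SUBNETS:
                continue
            nsg = subnet.get("networkSecurityGroup") or {}
            if nsg.get("id"):
                continue
            m = SUBNET_ID_RE.match(subnet["id"])
            if not m:
                raise ValueError(f"unexpected subnet id: {subnet['id']}")
            _, rg, vnet_name, name = m.groups()
            baseline = BASELINE_NSG.get(vnet["location"].lower())
            findings.append({
                "subnet_id": subnet["id"],
                "location": vnet["location"],
                "remediation": (f"az network vnet subnet update -g {rg} --vnet-name {vnet_name} "
                                f"-n {name} --network-security-group {baseline}") if baseline else None,
            })
    return findings


if __name__ == "__main__":
    for f in find_unprotected_subnets(SAMPLE_VNETS):
        print(f["subnet_id"], "->", f["remediation"] or "no baseline NSG for " + f["location"])
```

Feed it the real output of az network vnet list -o json (or the same data from the SDK) and schedule it; a subnet reported with no remediation means a region was used that the security team has not prepared a baseline NSG for.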

How Can I Recursively Compare Azure Resource Groups?

I have one resource group that I set up with the portal and another that I tried to configure the same way using Terraform.
Each group contains
Application Gateway with Web App Firewall
Virtual networks and subnets
VMs and associated storage
Public IPs, NSGs, NIC etc
Is there a way for me to compare the two sets of configurations?
For you, I assume you want to create the same resources with the same configurations in another group through Terraform. On my side, there are not many things you need to care about. Just create the Terraform script according to the configuration of the resources:
each resource region
the public IP and the NIC allocation method
NSG rules
vnet and the subnet address prefix
application gateway properties and the rules
The above points are what I think you need to care about, and the properties of the resources in Terraform also need to match them. I think there is no other way to compare two sets of configurations. If you really want, you can compare the template of each group when you create them. The group template is shown below:
No, I don't think there is a reasonable, straightforward way of doing this. You can create a PowerShell script that would get the resources in each resource group and then try to compare properties, but it's hard to give some sort of estimate of how accurate it would be. There is a Compare-Object cmdlet in PowerShell which might help you with that.
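Since both answers stop at "compare the exported templates" without showing how, here is an added example written for this page (not an Azure-provided tool) that does the recursive comparison on two exported resource-group templates (portal "Export template" or az group export). Before diffing, it drops volatile fields, rewrites each group's own name to a placeholder so cross-group id strings compare equal, and matches resources and named sub-objects (security rules, subnets) by name instead of list position, because export order is not stable between groups. The two exports below are constructed, trimmed-down templates; the difference they carry is the kind that matters for security review: the Terraform-built NSG opens HTTPS from any source, adds an SSH rule, and lacks the explicit deny.

```python
"""Recursive diff of two exported ARM templates, keyed by resource name.
Added example for this thread; the two exports are constructed."""
import json
import re

SUB = "00000000-0000-0000-0000-000000000000"
MISSING = "<absent>"
VOLATILE_KEYS = {"etag", "provisioningState", "resourceGuid"}


def normalize(template: dict, rg_name: str):
    """Drop volatile fields and replace the group's own name inside id strings."""
    def walk(node):
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items() if k not in VOLATILE_KEYS}
        if isinstance(node, list):
            return [walk(v) for v in node]
        if isinstance(node, str):
            return re.sub(re.escape(rg_name), "{rg}", node, flags=re.IGNORECASE)
        return node
    return walk(template)


def index_resources(template: dict) -> dict:
    """Key resources by type/name: export order is not stable between groups."""
    return {f"{r['type']}/{r['name']}": {k: v for k, v in r.items() if k not in ("type", "name")}
            for r in template.get("resources", [])}


def _named(items) -> bool:
    return bool(items) and all(isinstance(x, dict) and "name" in x for x in items)


def diff(left, right, path=""):
    """Return [(path, left_value, right_value)] for every leaf that differs."""
    if isinstance(left, dict) and isinstance(right, dict):
        out = []
        for k in sorted(set(left) | set(right)):
            if k not in left:
                out.append((f"{path}/{k}", MISSING, right[k]))
            elif k not in right:
                out.append((f"{path}/{k}", left[k], MISSING))
            else:
                out.extend(diff(left[k], right[k], f"{path}/{k}"))
        return out
    if isinstance(left, list) and isinstance(right, list):
        if _named(left) and _named(right):   # match rules/subnets by name, not index
            return diff({x["name"]: x for x in left}, {x["name"]: x for x in right}, path)
        out = []
        for i in range(max(len(left), len(right))):
            l = left[i] if i < len(left) else MISSING
            r = right[i] if i < len(right) else MISSING
            out.extend(diff(l, r, f"{path}[{i}]"))
        return out
    return [] if left == right else [(path, left, right)]


def compare_groups(left_json: str, left_rg: str, right_json: str, right_rg: str) -> list:
    l = index_resources(normalize(json.loads(left_json), left_rg))
    r = index_resources(normalize(json.loads(right_json), right_rg))
    return diff(l, r)


def _rule(name, priority, port, source, access="Allow"):
    return {"name": name, "properties": {
        "priority": priority, "direction": "Inbound", "access": access, "protocol": "Tcp",
        "sourcePortRange": "*", "destinationPortRange": port,
        "sourceAddressPrefix": source, "destinationAddressPrefix": "*"}}


def _export(rg, rules, nsg_first=True, extra=None):
    """Constructed export: an NSG plus a VNet whose subnet references the NSG by full id."""
    nsg_id = f"/subscriptions/{SUB}/resourceGroups/{rg}/providers/Microsoft.Network/networkSecurityGroups/nsg-web"
    nsg = {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-web", "location": "westeurope",
           "properties": {"securityRules": rules}, **(extra or {})}
    vnet = {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-web", "location": "westeurope",
            "properties": {"addressSpace": {"addressPrefixes": ["10.0.0.0/16"]},
                           "subnets": [{"name": "web", "properties": {
                               "addressPrefix": "10.0.1.0/24", "networkSecurityGroup": {"id": nsg_id}}}]}}
    return json.dumps({"resources": [nsg, vnet] if nsg_first else [vnet, nsg]})


PORTAL_EXPORT = _export("rg-portal", [_rule("AllowHTTPS", 100, "443", "Internet"),
                                      _rule("DenyAllInbound", 4096, "*", "*", "Deny")],
                        extra={"etag": 'W/"abc"'})
TERRAFORM_EXPORT = _export("rg-terraform", [_rule("AllowSSH", 110, "22", "*"),
                                            _rule("AllowHTTPS", 100, "443", "*")], nsg_first=False)

if __name__ == "__main__":
    for path, a, b in compare_groups(PORTAL_EXPORT, "rg-portal", TERRAFORM_EXPORT, "rg-terraform"):
        print(path, "\n  portal:   ", a, "\n  terraform:", b)
```

Run it on the two real exports (json.load each file) with the two group names; exported templates usually parameterize names, so expect to extend the normalization to the parameter names as well before the comparison is quiet on resources that really are identical.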
