Azure / AKS-Construction

Accelerate your onboarding to AKS with a Helper Web App, Bicep templating and CI/CD samples. Flexible and secure AKS baseline implementations in a Microsoft and community maintained reference implementation.
https://azure.github.io/AKS-Construction/
MIT License

Application Gateway Subnet Inbound Traffic Blocked By Network Security Group #333

Closed. khowling closed this 1 year ago.

khowling commented 2 years ago

Describe the bug

    "ApplicationGatewaySubnetInboundTrafficBlockedByNetworkSecurityGroup "Network security group /subscriptions//resourceGroups/az-k8s-5jtu-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-appgw-sn-az-k8s-5jtu blocks incoming internet traffic on ports 65200 - 65535 to subnet /subscriptions//resourceGroups/az-k8s-5jtu-rg/providers/Microsoft.Network/virtualNetworks/vnet-az-k8s-5jtu/subnets/appgw-sn, associated with Application Gateway /subscriptions/***/resourceGroups/az-k8s-5jtu-rg/providers/Microsoft.Network/applicationGateways/agw-az-k8s-5jtu. This is not permitted for Application Gateways that have V2 Sku.

To Reproduce

Provision a cluster with "I want a managed environment" & "Private cluster with isolating network". Then run the same script again:

    resourceName=az-k8s-5jtu \
    agentCount=2 \
    upgradeChannel=stable \
    JustUseSystemPool=true \
    custom_vnet=true \
    CreateNetworkSecurityGroups=true \
    bastion=true \
    enable_aad=true \
    AksDisableLocalAccounts=true \
    enableAzureRBAC=true \
    adminPrincipalId=$(az ad signed-in-user show --query id --out tsv) \
    registries_sku=Premium \
    acrPushRolePrincipalId=$(az ad signed-in-user show --query id --out tsv) \
    imageNames="[\"k8s.gcr.io/external-dns/external-dns:v0.11.0\"]" \
    azureFirewalls=true \
    certManagerFW=true \
    privateLinks=true \
    kvIPAllowlist="[\"5.67.72.204/32\"]" \
    omsagent=true \
    retentionInDays=30 \
    networkPolicy=azure \
    azurepolicy=audit \
    enablePrivateCluster=true \
    dnsZoneId=/subscriptions/xxx/resourceGroups/kh-common/providers/Microsoft.Network/dnszones/xxx \
    ingressApplicationGateway=true \
    appGWcount=0 \
    appGWsku=WAF_v2 \
    appGWmaxCount=10 \
    appgwKVIntegration=true \
    azureKeyvaultSecretsProvider=true \
    createKV=true \
    kvOfficerRolePrincipalId=$(az ad signed-in-user show --query id --out tsv) \
    acrPrivatePool=true

Expected behavior

Successful provisioning
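Added example, not code from the AKS-Construction templates: a Bicep NSG for the Application Gateway subnet that carries the inbound rules the v2 SKU validation quoted above requires (the GatewayManager service tag on 65200-65535, plus AzureLoadBalancer health probes). Resource names, priorities and the API version are assumptions; listener rules for client traffic (80/443) are left to the template that attaches this NSG to the appgw subnet.

```bicep
// Added example (not from the AKS-Construction repo). Names are placeholders.
param location string = resourceGroup().location
param nsgName string = 'nsg-appgw-sn-example' // placeholder, not a repo name

// Application Gateway v2 validation fails when any Deny rule outranks these
// two Allow rules; priorities 100/110 are assumptions, only the order matters.
resource appgwNsg 'Microsoft.Network/networkSecurityGroups@2022-07-01' = {
  name: nsgName
  location: location
  properties: {
    securityRules: [
      {
        // Platform management and health traffic on the ports named in the
        // error; the source is the GatewayManager tag, not the whole Internet.
        name: 'AllowGatewayManagerInbound'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'GatewayManager'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '65200-65535'
        }
      }
      {
        // Azure load balancer health probes against the gateway instances.
        name: 'AllowAzureLoadBalancerInbound'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: '*'
          sourceAddressPrefix: 'AzureLoadBalancer'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

A second run of a template is where this bites: if a later rule such as a blanket inbound Deny is inserted at a lower priority number than these, the same validation error returns even though the gateway deployed fine the first time.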

Gordonby commented 2 years ago

This sounds like #206 @khowling

github-actions[bot] commented 2 years ago

Issue smells stale, no activity for 30 days. Stale Label will be removed if the issue is updated, otherwise closed in a month.

github-actions[bot] commented 1 year ago

Issue smells stale, no activity for 30 days. Stale Label will be removed if the issue is updated, otherwise closed in a month.