Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

Microsoft Azure Landing Zone Accelerator #1092

Closed InfoSphereTechnology closed 1 year ago

InfoSphereTechnology commented 1 year ago

I have worked with Azure support on the original issue: Microsoft Azure Landing Zone Accelerator. I completed the entire build and create/verify, and receive the message below.

RAW: { "code": "InvalidTemplate", "message": "Deployment template validation failed: 'The deployment metadata 'SUBSCRIPTION' is not valid.'." }

=================================================

Regarding issues with the specifics of the Microsoft CAF (73) template, submit to: https://github.com/Azure/Enterprise-Scale/issues

Original Support Ticket Template Issue: The Microsoft CAF (73) template link from the Microsoft website pulls directly from the Enterprise-Scale/eslzArm/eslz-portal.json template on this page: Enterprise-Scale/eslz-portal.json at main · Azure/Enterprise-Scale · GitHub.

Microsoft CAF (73) template Azure Landing Zone (CAF) https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/ https://aka.ms/caf/ready/accelerator

Same with AdventureWorks | On-premises connectivity with Hub & Spoke https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2FeslzArm%2FeslzArm.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2FeslzArm%2Feslz-portal.json

=================================================

On Fri, Oct 21, 2022 at 3:23 PM Tyler W <support@mail.support.microsoft.com> wrote:

James,

My name is Tyler, and I am one of the Senior Support Engineers working with Gerald providing Microsoft Azure Support. I understand that you are running into some issues attempting to deploy the Azure Landing Zone quick start template from here: What is an Azure landing zone? - Cloud Adoption Framework | Microsoft Learn. I would like to assure you that this issue has been escalated to the highest level of support, in order to get you the best help for this issue. After investigation, and based on the error message you are receiving as well as the lack of preflight calls being made to the ARM deployment layers of Azure, we have determined that the template itself is the likely cause of these issues.

Unfortunately, issues with the template itself do fall outside of the scope of support we are able to offer, as for any issues that require bugfix in the Template or Code in the repo, Microsoft support will redirect the user to file the issue on GitHub. For this template, and most other Azure quick start templates, the easiest and most expedient way to get assistance with the template itself is to raise an issue on the template's GitHub page. The template's creator and contributors can assist with correcting bugs and issues in the template itself. The GitHub page for the Azure Landing Zone template you are using can be found here: GitHub - Azure/Enterprise-Scale: The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture. Once you file an issue there, it will be addressed by the template's maintainers.

I do apologize for the time it took to reach this conclusion. We did want to conduct a thorough investigation in order to be certain that the template itself was causing the issue, rather than any aspect of the Azure architecture or deployment process.

Should you have any further questions or concerns about the information above, please feel free to respond to this email, or let me know a good time and we can connect on a call to discuss.

Thank you, Tyler Wengert

Support Engineer, Azure | Developer
Working hours: M-F 8:00am – 5:00pm UTC-6
Manager: Gabriel Rael / v-garael@microsoft.com

Can't reach me? Contact Azure Support Backup / azurebu@microsoft.com

===================================

I do not see the template creator of the Microsoft CAF (73) template at GitHub - Azure/Enterprise-Scale (The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture) for the Azure landing zone accelerator on the Microsoft website: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/

Microsoft website executes https://aka.ms/caf/ready/accelerator

jtracey93 commented 1 year ago

Hi @InfoSphereTechnology,

Thanks for the issue. Can you confirm what options/values you are setting in the portal experience so we can try to reproduce it? It's not clear what is being set today and therefore hard to troubleshoot.

Also, when did this last happen or when did you last try the portal experience?

Finally, if you have any correlation IDs please share them 👍

Thanks

Jack

InfoSphereTechnology commented 1 year ago

Worked on Azure landing zone accelerator - Microsoft TrackingID# 2210070040008383
Gerald Biggs, Support Engineer, Azure | Developer
Working hours: M-F 8:00am – 5:00pm UTC-7
Manager: Gabriel Rael / v-garael@microsoft.com

Correlation ID: "correlationId": "32e8a5ad-a781-4c72-9ba4-ab4f4f3e200f"

------------------------------------------- RAW Error -----------------------------------------

{ "code": "InvalidTemplate", "message": "Deployment template validation failed: 'The deployment metadata 'SUBSCRIPTION' is not valid.'." }

--------------------------------- Deployment settings ---------------------------------------

Azure cloud environment: Azure Cloud
Region: East US

Azure core setup
Resource prefix (Root ID): CAFLZ
Platform subscription options: Dedicated (recommended)
Customer Usage Selection Options: Enabled

Platform management, security, and governance
Deploy Log Analytics workspace and enable monitoring for your platform and resources: Yes (recommended)
Log Analytics Data Retention (days): 30
Management subscription: Pay-As-You-Go Dev/Test
Deploy Agent Health solution: Yes (recommended)
Deploy Change Tracking solution: Yes (recommended)
Deploy Update Management solution: Yes (recommended)
Deploy Activity Log solution: Yes (recommended)
Deploy VM Insights solution: Yes (recommended)
Deploy Service Map solution: Yes (recommended)
Deploy SQL Assessment solution: Yes (recommended)
Deploy SQL Vulnerability Assessment solution: Yes (recommended)
Deploy SQL Advanced Threat Protection solution: Yes (recommended)
Deploy Microsoft Defender for Cloud and enable security monitoring for your platform and resources: Yes (recommended)
Microsoft Defender for Cloud Email Contact: JRogers@InfoSphereTechnology.com
Enable Microsoft Defender for Cloud for servers: Yes (recommended)
Enable Microsoft Defender for Cloud for open-source relational databases: Yes (recommended)
Enable Microsoft Defender for Cloud for AppServices: Yes (recommended)
Enable Microsoft Defender for Cloud for Storage: Yes (recommended)
Enable Microsoft Defender for Cloud for Azure SQL Database: Yes (recommended)
Enable Microsoft Defender for Cloud for SQL servers on machines: Yes (recommended)
Enable Microsoft Defender for Cloud for Key Vault: Yes (recommended)
Enable Microsoft Defender for Cloud for Azure Resource Manager: Yes (recommended)
Enable Microsoft Defender for Cloud for DNS: Yes (recommended)
Enable Microsoft Defender for Cloud for Containers (Kubernetes and Container Registries): Yes (recommended)
Deploy Microsoft Sentinel: Yes (recommended)

Platform DevOps and automation
Deploy integrated CI/CD pipeline?: Yes
Select CI/CD option: GitHub Actions
GitHub organization or username: InfoSphereTechnology
New GitHub repository name: InfoSphereTechnology
GitHub personal access token: (not shown)
Application name: (blank)

Network topology and connectivity
Deploy networking topology: Hub and spoke with Azure Firewall
Connectivity subscription: Pay-As-You-Go Dev/Test
Address space (required for hub virtual network): 10.100.0.0/16
Region for the first networking hub: East US
Enable DDoS Protection Standard: Yes (recommended)
Create Private DNS Zones for Azure PaaS services: Yes (recommended)
Deploy VPN Gateway: No
Deploy ExpressRoute Gateway: No
Deploy Azure Firewall: Yes (recommended)
Enable Azure Firewall as a DNS proxy: No
Select Azure Firewall tier: Standard
Select Availability Zones for the Azure Firewall: Zone 1
Subnet for Azure Firewall: 10.100.0.0/24

Identity
Assign recommended policies to govern identity and domain controllers: Yes (recommended)
Identity subscription: Pay-As-You-Go Dev/Test
Prevent inbound RDP from internet: Yes (recommended)
Ensure subnets are associated with NSG: Yes (recommended)
Prevent usage of public IP: Yes (recommended)
Ensure Azure VMs (Windows & Linux) are enabled for Azure Backup: Yes (recommended)
Create virtual network and connect to the connectivity hub (optional)?: Yes (recommended)
Virtual network address space: 10.110.0.0/24

Landing zones configuration
Connect corp landing zones to the connectivity hub (optional)?: No
Corp landing zone subscriptions (optional): (blank)
Online landing zone subscriptions (optional): (blank)
Enable DDoS Protection Standard: Yes (recommended)
Prevent usage of Public Endpoints for Azure PaaS services in the corp connected landing zones: Yes (recommended)
Ensure private endpoints to Azure PaaS services are integrated with Azure Private DNS Zones in the corp connected landing zones: Yes (recommended)
Ensure encryption in transit is enabled for PaaS services: Yes (recommended)
Ensure Azure VMs (Windows & Linux) and Azure Arc-enabled servers are being monitored: Yes (recommended)
Ensure Azure VMSS (Windows & Linux) are being monitored: Yes (recommended)
Enable Kubernetes (AKS) for Azure Policy: Yes (recommended)
Prevent privileged containers in Kubernetes clusters: Yes (recommended)
Prevent privileged escalation in Kubernetes clusters: Yes (recommended)
Ensure HTTPS ingress is enforced in Kubernetes clusters: Yes (recommended)
Prevent public IP for Databricks workloads in the corp connected landing zones: Yes (recommended)
Ensure VNet injection is enabled for Databricks workspaces in corp connected landing zones: Yes (recommended)
Ensure Databricks workloads are using the right SKU to ensure enterprise security and Azure RBAC: Yes (recommended)
Ensure Azure VMs (Windows & Linux) are enabled for Azure Backup: Yes (recommended)
Prevent inbound RDP from internet: Yes (recommended)
Ensure subnets are associated with NSG: Yes (recommended)
Prevent IP forwarding: Yes (recommended)
Ensure Azure SQL is enabled with transparent data encryption: Yes (recommended)
Ensure auditing is enabled on Azure SQL: Yes (recommended)
Ensure secure connections (HTTPS) to storage accounts: Yes (recommended)

jtracey93 commented 1 year ago

Hey @InfoSphereTechnology, could you try setting this option to "no" and try again:

Platform DevOps and automation > Deploy integrated CI/CD pipeline? - set to "no"

Also, to confirm, you are unable to deploy this at all? Do you have a screenshot of the error and the screen you see?

Thanks

Jack

InfoSphereTechnology commented 1 year ago

Set CI/CD to "NO". Same results:

{"code":"InvalidTemplate","message":"Deployment template validation failed: 'The deployment metadata 'SUBSCRIPTION' is not valid.'."}

[Attached screenshots: Screenshot 2022-10-25 142326, Screenshot 2022-10-25 142258]

jtracey93 commented 1 year ago

Hey @InfoSphereTechnology,

I managed to repro your issue and have worked out what the issue is.

You have selected to use dedicated platform subscriptions: [image]

But then you have selected the same subscription for Management, Identity & Connectivity, which is not supported. They must be different subscriptions, as per the note above each of the subscription selectors: [image]

Please either use dedicated separate subscriptions, or select single platform subscription on the Azure core setup blade if you only have 1 subscription: [image]

Thanks

Jack
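The constraint Jack describes (with the "Dedicated" platform subscription option, the Management, Identity and Connectivity subscriptions must be three different subscriptions; with the single-subscription option they may be the same) is easy to trip over in the portal, where the error surfaces only as the generic "deployment metadata 'SUBSCRIPTION' is not valid" validation failure. The following pre-flight check is an added example written for this thread; it is not code from the Enterprise-Scale repository or the accelerator, and the option labels, role names and subscription GUIDs it uses are constructed assumptions rather than values read from the portal.

```python
"""Offline sanity check for Azure Landing Zone accelerator platform-subscription choices.

Added example (not part of Azure/Enterprise-Scale). It encodes the rule from the
thread: in "Dedicated" mode the Management, Identity and Connectivity subscriptions
must all differ; in "Single platform subscription" mode they may be identical.
Subscription IDs used below are constructed sample GUIDs, not real subscriptions.
"""
import re

# Loose GUID shape check; Azure subscription IDs are GUIDs.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)

PLATFORM_ROLES = ("management", "identity", "connectivity")


def validate_platform_subscriptions(option, subscriptions):
    """Return a list of problems (empty list means the selection is consistent).

    option: the portal's "Platform subscription options" label, e.g.
            "Dedicated (recommended)" or "Single platform subscription"
            (assumed labels; only the first word is interpreted).
    subscriptions: dict mapping each role in PLATFORM_ROLES to a subscription ID.
    """
    problems = []
    tokens = option.strip().lower().split()
    mode = tokens[0] if tokens else ""

    # Every platform role needs a well-formed subscription ID regardless of mode.
    for role in PLATFORM_ROLES:
        sub = subscriptions.get(role)
        if not sub:
            problems.append(f"{role}: no subscription selected")
        elif not GUID_RE.match(sub):
            problems.append(f"{role}: '{sub}' is not a subscription GUID")

    if mode not in ("dedicated", "single"):
        problems.append(f"unknown platform subscription option '{option}'")
        return problems

    # Dedicated mode: each role must point at a distinct subscription.
    if mode == "dedicated":
        seen = {}
        for role in PLATFORM_ROLES:
            sub = subscriptions.get(role)
            if not sub:
                continue
            if sub in seen:
                problems.append(
                    f"{role} reuses the {seen[sub]} subscription {sub}; "
                    "dedicated mode requires separate subscriptions"
                )
            else:
                seen[sub] = role
    return problems


# Constructed sample subscription IDs (not real).
SUB_A = "11111111-1111-4111-8111-111111111111"
SUB_B = "22222222-2222-4222-8222-222222222222"
SUB_C = "33333333-3333-4333-8333-333333333333"


def thread_selection():
    """The selection from the issue: Dedicated, but one subscription for all roles."""
    return validate_platform_subscriptions(
        "Dedicated (recommended)",
        {"management": SUB_A, "identity": SUB_A, "connectivity": SUB_A},
    )


def fixed_dedicated():
    """First fix Jack suggests: three separate platform subscriptions."""
    return validate_platform_subscriptions(
        "Dedicated (recommended)",
        {"management": SUB_A, "identity": SUB_B, "connectivity": SUB_C},
    )


def fixed_single():
    """Second fix: keep one subscription but choose the single-subscription option."""
    return validate_platform_subscriptions(
        "Single platform subscription",
        {"management": SUB_A, "identity": SUB_A, "connectivity": SUB_A},
    )


if __name__ == "__main__":
    for name, check in (
        ("thread selection", thread_selection),
        ("fixed: dedicated", fixed_dedicated),
        ("fixed: single", fixed_single),
    ):
        result = check()
        print(f"{name}: {'OK' if not result else '; '.join(result)}")
```

Run against the settings posted earlier in the thread (Management, Connectivity and Identity all set to the same "Pay-As-You-Go Dev/Test" subscription while "Dedicated" is selected), the check reports the identity and connectivity roles reusing the management subscription, which is the condition Jack reproduced. Both of the corrections he proposes return an empty problem list.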

InfoSphereTechnology commented 1 year ago

Thanks, I will check the subscription selections. I will reply back after some testing...

InfoSphereTechnology commented 1 year ago

[Attachment: AzOps - Pull: All jobs have failed notifications@github.com.docx]

I created all necessary subscriptions - verified and deployed, but it failed.

Azure landing zone accelerator

jtracey93 commented 1 year ago

Hey @InfoSphereTechnology,

I think a call may be the best next step to troubleshoot further here, as it is difficult over this chat-based method.

Can you email me at jack[dot]tracey[at]microsoft[dot]com and we can look to get something set up soon.

Thanks

jtracey93 commented 1 year ago

Hey @InfoSphereTechnology, as discussed, let us know how you get on fixing the AzOps SPN issues following the docs here: https://github.com/azure/azops/wiki/prerequisites & https://github.com/Azure/Enterprise-Scale/wiki/Deploying-Enterprise-Scale-Platform-DevOps

ghost commented 1 year ago

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 5 days.

jtracey93 commented 1 year ago

Closing as stale

InfoSphereTechnology commented 1 year ago

Thanks, James

On Nov 9, 2022, at 12:52 PM, Jack Tracey wrote: Closed #1092 as completed.
