Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

Bug Report #1695

Closed berky-ms closed 4 months ago

berky-ms commented 5 months ago

Bug description: Below you can see the exact error we got when we tried to deploy the ALZ with a regional VPN gateway with a SKU of VpnGw2.

We got the following error: Standard Public IPs associated with VPN gateways with non-AZ VPN skus cannot have zones configured

Below you can see the failed ARM template we extracted from the deployment logs:

    {
        "type": "Microsoft.Network/publicIpAddresses",
        "apiVersion": "2020-05-01",
        "name": "<removedByUsForConfidentiality>",
        "location": "uksouth",
        "sku": {
            "name": "Standard"
        },
        "properties": {
            "publicIPAllocationMethod": "Static"
        },
        "condition": true
    },
    {
        "type": "Microsoft.Network/publicIpAddresses",
        "apiVersion": "2020-05-01",
        "name": "<removedByUsForConfidentiality>",
        "location": "uksouth",
        "sku": {
            "name": "Standard"
        },
        "properties": {
            "publicIPAllocationMethod": "Static"
        },
        "condition": false
    },
    {
        "type": "Microsoft.Network/virtualNetworkGateways",
        "apiVersion": "2020-05-01",
        "name": "<removedByUsForConfidentiality>",
        "location": "uksouth",
        "dependsOn": [
            "<removedByUsForConfidentiality>"
        ],
        "properties": {
            "activeActive": false,
            "gatewayType": "Vpn",
            "vpnGatewayGeneration": "Generation2",
            "vpnType": "RouteBased",
            "ipConfigurations": [
                {
                    "name": "default",
                    "properties": {
                        "privateIPAllocationMethod": "Dynamic",
                        "subnet": {
                            "id": "<removedByUsForConfidentiality>"
                        },
                        "publicIpAddress": {
                            "id": "<removedByUsForConfidentiality>"
                        }
                    }
                }
            ],
            "sku": {
                "name": "VpnGw2",
                "tier": "VpnGw2"
            }
        },
        "condition": true
    },

In the eslzArm/subscriptionTemplates/hubspoke-connectivity.json script (line 306), the SKU of the Public IP is also hardcoded as Standard.

So based on the error (which you can see in full below), it seems like Standard Public IPs are not allowed for VpnGw2 or any non-AZ type VPN gateway, which also means VpnGw3, VpnGw4, and VpnGw5. Not sure, but this might be the case only when activeActive is set to false.

Full error:

    }\r\n}"}]} {"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"Conflict","message":"{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.\",\r\n \"details\": [\r\n {\r\n \"code\": \"DeploymentFailed\",\r\n \"message\": \"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.\",\r\n \"details\": [\r\n {\r\n \"code\": \"Conflict\",\r\n \"message\": \"{\r\n \\"status\\": \\"Failed\\",\r\n \\"error\\": {\r\n \\"code\\": \\"ResourceDeploymentFailure\\",\r\n \\"message\\": \\"The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.\\",\r\n \\"details\\": [\r\n {\r\n \\"code\\": \\"DeploymentFailed\\",\r\n \\"message\\": \\"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.\\",\r\n \\"details\\": [\r\n {\r\n \\"code\\": \\"BadRequest\\",\r\n \\"message\\": \\"{\\r\\n \\\\"error\\\\": {\\r\\n \\\\"code\\\\": \\\\"RegionalVmssVpnGatewayPublicIpsMustNotHaveZonesConfigured\\\\",\\r\\n \\\\"message\\\\": \\\\"Standard Public IPs associated with VPN gateways with non-AZ VPN skus cannot have zones configured.\\\\",\\r\\n \\\\"details\\\\": []\\r\\n }\\r\\n}\\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}"}]}
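A pre-deployment check for the combination named in the error above, added here as an example (it is not code from the Enterprise-Scale repository or from the reporter): it flags a VPN gateway with a non-AZ SKU that references a Standard public IP with `zones` set. The sample template, its resource names and the helper names are constructed; it assumes resolved resource IDs and boolean `condition` values, as in a template pulled from deployment logs.

```python
import json

# Constructed sample (not the reporter's template): names and IDs are
# placeholders, and "zones" is set to reproduce the rejected combination.
SAMPLE = json.loads("""
{"resources": [
  {"type": "Microsoft.Network/publicIpAddresses", "name": "pip-vpn-example",
   "sku": {"name": "Standard"}, "zones": ["1", "2", "3"], "condition": true},
  {"type": "Microsoft.Network/publicIpAddresses", "name": "pip-vpn-example-2",
   "sku": {"name": "Standard"}, "zones": ["1", "2", "3"], "condition": false},
  {"type": "Microsoft.Network/virtualNetworkGateways", "name": "vgw-example",
   "condition": true,
   "properties": {"gatewayType": "Vpn",
     "sku": {"name": "VpnGw2", "tier": "VpnGw2"},
     "ipConfigurations": [{"name": "default", "properties": {"publicIpAddress":
       {"id": "/subscriptions/0000/resourceGroups/rg-example/providers/Microsoft.Network/publicIPAddresses/pip-vpn-example"}}}]}}
]}
""")

def _is(resource, rtype):
    return resource.get("type", "").lower() == rtype.lower()

def find_zone_conflicts(template):
    """Return (gateway, sku, public_ip, zones) for each non-AZ VPN gateway
    that references a Standard public IP with zones configured."""
    # Resources whose condition resolved to false are not deployed; skip them.
    live = [r for r in template.get("resources", []) if r.get("condition", True) is not False]
    zoned = {r["name"].lower(): r["zones"] for r in live
             if _is(r, "Microsoft.Network/publicIpAddresses")
             and r.get("sku", {}).get("name", "").lower() == "standard" and r.get("zones")}
    conflicts = []
    for gw in live:
        props = gw.get("properties", {})
        if not _is(gw, "Microsoft.Network/virtualNetworkGateways") or props.get("gatewayType", "").lower() != "vpn":
            continue
        sku = props.get("sku", {}).get("name", "")
        if sku.upper().endswith("AZ"):
            continue  # zone-capable SKU such as VpnGw2AZ
        for cfg in props.get("ipConfigurations", []):
            pip_id = cfg.get("properties", {}).get("publicIpAddress", {}).get("id", "")
            # Assumption: the id is a resolved resource ID ending in the IP's name.
            pip_name = pip_id.rstrip("/").rsplit("/", 1)[-1].lower()
            if pip_name in zoned:
                conflicts.append((gw["name"], sku, pip_name, zoned[pip_name]))
    return conflicts

if __name__ == "__main__":
    for gw, sku, pip, zones in find_zone_conflicts(SAMPLE):
        print(f"{gw}: SKU {sku} is non-AZ but {pip} has zones {zones}")
```

Templates that still carry unevaluated `[resourceId(...)]` or `[if(...)]` expressions would need those resolved first, for example by checking the output of a what-if or validation run instead of the raw file.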

jtracey93 commented 4 months ago

This has been resolved in the latest release that we cut yesterday :)