Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture.
https://aka.ms/alz
MIT License
1.73k stars, 980 forks

Alz Deployment Error: Deployment Fails when we select Azure Firewall Tier as Basic but was successful when we select Standard #1726

Status: Closed (Anto4595 closed 2 months ago)

Anto4595 commented 3 months ago

Hello @jtracey93 @Springstone

When I was deploying ALZ using the Portal and selected the Azure Firewall tier as Standard under Network topology and connectivity, the deployment was successful. To manage the cost, I redeployed but selected the Azure Firewall tier as Basic, and the deployment failed.

Deployment name: alz-HubSpoke-westeurope-97ade51b-52e6-5ffa-855b-4e276d1933b3-hub

Correlation ID: 5acd03d2-a306-450e-8e0b-b4c898a7441e

Can you check and advise what the issue is, and how I can move forward?

Thank you.

Anto4595 commented 3 months ago

Network Topology selected as Hub and spoke with Azure Firewall.

Springstone commented 3 months ago

@Anto4595 looks like you've stumbled on the infamous "InternalServerError", which is impossible for us to troubleshoot. We have seen this issue before, specifically when deploying Basic Azure Firewall (because it requires extra bits). The underlying issue is that two operations are trying to update the same resource at the same time. We have put a workaround in for VPN Gateway and Basic Firewall, so it would be helpful to understand the exact configuration you are deploying.

Could you share all the options selected under the networking blade, and we will try to repro.

And just to clarify, you can't deploy Basic FW OVER a Standard FW deployment. I'm assuming you've done a new deployment.

Anto4595 commented 3 months ago

Hello @Springstone

Thank you for the reply.

Yes, I have done a new deployment for this.

Below are the screenshots that show the options that I have selected under Networking. [image] [image]

Awaiting reply...

Springstone commented 3 months ago

Hi @Anto4595. As I suspected, the issue here is that the ER GW and the Basic FW are both trying to make changes to the virtual network at the same time (which is not permitted). I have validated a fix for the issue, but it will take a couple of weeks before it lands in production (extensive testing is required). In the meantime, you can do the deployment from this link which should work as expected: Deploy To Azure

Springstone commented 3 months ago

PR with fix https://github.com/Azure/Enterprise-Scale/pull/1733

jtracey93 commented 2 months ago

Fixed in latest release https://github.com/Azure/Enterprise-Scale/releases/tag/2024-08-27