Preconditions
[X] No need to upgrade Python SDK or the Python SDK is ready.
Related command
IP Address Management Feature
az network manager ipam-pool create
az network manager ipam-pool show
az network manager ipam-pool list
az network manager ipam-pool update
az network manager ipam-pool delete
az network manager ipam-pool get-pool-usage
az network manager ipam-pool list-associated-resources
az network manager ipam-pool static-cidr create
az network manager ipam-pool static-cidr show
az network manager ipam-pool static-cidr list
az network manager ipam-pool static-cidr delete
Virtual Network Verifier Feature
az network manager verifier-workspace create
az network manager verifier-workspace show
az network manager verifier-workspace list
az network manager verifier-workspace update
az network manager verifier-workspace delete
az network manager verifier-workspace reachability-analysis-intent create
az network manager verifier-workspace reachability-analysis-intent show
az network manager verifier-workspace reachability-analysis-intent list
az network manager verifier-workspace reachability-analysis-intent update
az network manager verifier-workspace reachability-analysis-intent delete
az network manager verifier-workspace reachability-analysis-run create
az network manager verifier-workspace reachability-analysis-run show
az network manager verifier-workspace reachability-analysis-run list
az network manager verifier-workspace reachability-analysis-run delete
Security Admin Configuration Feature - New Parameters
az network manager security-admin-config create
az network manager security-admin-config update
az network manager security-admin-config rule-collection rule create
az network manager security-admin-config rule-collection rule update
Resource Provider
Microsoft.Network/networkManagers
Description of Feature or Work Requested
The Azure Virtual Network Manager service has a new API version being released with three features: IP Address Management, VNet Verifier, and additional functionality for the existing security admin configuration. They are all included in the same API version, which is why I thought it best to include all of them in one request; if you would recommend separate feature requests for each one, please let me know.
IP Address Management Feature
IPAM allows customers to create pools of IP addresses and associate them with Azure resources (VNets in particular). When creating the pool, the user is expected to pass an array of IP address/CIDR strings representing the scope of the pool. The pool is a tracked resource and supports tags. Some special actions include:
The user should be able to list resources associated with the pool
View the usage of the IP addresses within the pool
az network manager ipam-pool create --name "myIpamPool" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup" --addressPrefixes '["10.0.0.0/16", "10.1.0.0/16"]' --parentPoolName "myParentIpamPool" --displayName "myIpamPoolDisplayName" --description "New Description"
az network manager ipam-pool show --name "myIpamPool" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup"
az network manager ipam-pool list --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup"
az network manager ipam-pool update --name "myIpamPool" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup" --displayName "myIpamPoolDisplayName" --description "New Description" --tags ""
az network manager ipam-pool delete --name "myIpamPool" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup"
az network manager ipam-pool get-pool-usage --name "myIpamPool" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup"
az network manager ipam-pool list-associated-resources --name "myIpamPool" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup"
az network manager ipam-pool static-cidr create --name "myStaticCidr" --ipam-pool-name "myIpamPool" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup" --addressPrefixes '["10.0.0.0/24"]' --numberOfIPAddressesToAllocate "256" --description "New Static Cidr Description"
az network manager ipam-pool static-cidr show --name "myStaticCidr" --ipam-pool-name "myIpamPool" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup"
az network manager ipam-pool static-cidr list --ipam-pool-name "myIpamPool" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup"
az network manager ipam-pool static-cidr delete --name "myStaticCidr" --ipam-pool-name "myIpamPool" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup"
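As an added illustration (not part of the original request, and not code from the CLI or the service), here is a small Python model of the pool semantics described above, so the relationship between a pool's address prefixes, a static CIDR created either from explicit addressPrefixes or from numberOfIPAddressesToAllocate, associated resources, and get-pool-usage can be exercised offline. The usage field names, the first-fit choice of free block when allocating by size, and the IPv4-only handling are assumptions of the example, not the service's contract.

```python
"""Added illustration (not part of the original request, and not CLI or service
code): a local model of an IPAM pool, so the pool/static-CIDR/usage semantics
above can be exercised offline. Assumptions of the example, not the service's
contract: IPv4 only, first-fit choice of a free block when allocating by size,
and the field names returned by get_pool_usage."""
import ipaddress
import itertools
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network


def _net(prefix: str) -> IPv4Net:
    """Parse a CIDR string strictly: '10.0.0.1/16' (host bits set) is rejected."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"{prefix}: this example models IPv4 pools only")
    return net


def _require_disjoint(nets: List[IPv4Net], what: str) -> None:
    for a, b in itertools.combinations(nets, 2):
        if a.overlaps(b):
            raise ValueError(f"{what} overlap: {a} and {b}")


@dataclass
class IpamPool:
    name: str
    address_prefixes: List[IPv4Net]
    # allocation name (static CIDR name, or the ARM ID of an associated VNet) -> its CIDRs
    allocations: Dict[str, List[IPv4Net]] = field(default_factory=dict)

    @classmethod
    def create(cls, name: str, address_prefixes: List[str]) -> "IpamPool":
        nets = [_net(p) for p in address_prefixes]
        _require_disjoint(nets, "pool prefixes")
        return cls(name, nets)

    def free_space(self) -> List[IPv4Net]:
        """Pool prefixes minus every allocated CIDR, as a sorted list of CIDRs."""
        free = list(self.address_prefixes)
        for used in itertools.chain.from_iterable(self.allocations.values()):
            nxt: List[IPv4Net] = []
            for f in free:
                nxt.extend(f.address_exclude(used) if used.subnet_of(f) else [f])
            free = nxt
        return sorted(free, key=lambda n: (int(n.network_address), n.prefixlen))

    def create_static_cidr(self, cidr_name: str, address_prefixes: Optional[List[str]] = None,
                           number_of_addresses: Optional[int] = None) -> List[IPv4Net]:
        """Mirror of 'static-cidr create': explicit addressPrefixes, or a block of
        numberOfIPAddressesToAllocate addresses carved out of the free space."""
        if cidr_name in self.allocations:
            raise ValueError(f"allocation {cidr_name!r} already exists")
        if (address_prefixes is None) == (number_of_addresses is None):
            raise ValueError("pass exactly one of address_prefixes / number_of_addresses")
        free = self.free_space()
        if address_prefixes is not None:
            wanted = [_net(p) for p in address_prefixes]
            _require_disjoint(wanted, "requested prefixes")
            for w in wanted:
                if not any(w.subnet_of(f) for f in free):
                    raise ValueError(f"{w} is not free within pool {self.name}")
        else:
            n = number_of_addresses
            if n < 1 or n & (n - 1):
                raise ValueError("numberOfIPAddressesToAllocate must be a power of two")
            prefixlen = 32 - int(math.log2(n))
            block = next((f for f in free if f.prefixlen <= prefixlen), None)  # first fit
            if block is None:
                raise ValueError(f"no free /{prefixlen} left in pool {self.name}")
            wanted = [block if block.prefixlen == prefixlen
                      else next(block.subnets(new_prefix=prefixlen))]
        self.allocations[cidr_name] = wanted
        return wanted

    def associate(self, resource_id: str, address_prefixes: List[str]) -> List[IPv4Net]:
        """Associating a VNet is modelled as an allocation keyed by the VNet's ARM ID."""
        return self.create_static_cidr(resource_id, address_prefixes=address_prefixes)

    def list_associated_resources(self) -> List[str]:
        return sorted(k for k in self.allocations if k.startswith("/subscriptions/"))

    def get_pool_usage(self) -> Dict[str, object]:
        total = sum(p.num_addresses for p in self.address_prefixes)
        used = sum(n.num_addresses for nets in self.allocations.values() for n in nets)
        return {
            "addressPrefixes": [str(p) for p in self.address_prefixes],
            "totalNumberOfIPAddresses": total,
            "numberOfAllocatedIPAddresses": used,
            "numberOfAvailableIPAddresses": total - used,
            "availableAddressPrefixes": [str(f) for f in self.free_space()],
        }


if __name__ == "__main__":
    pool = IpamPool.create("myIpamPool", ["10.0.0.0/16", "10.1.0.0/16"])
    pool.create_static_cidr("myStaticCidr", address_prefixes=["10.0.0.0/24"])
    pool.create_static_cidr("bySize", number_of_addresses=256)
    print(pool.get_pool_usage())
```

Strict CIDR parsing and the overlap checks are the part worth keeping in any real client: a pool prefix with host bits set, or two pool prefixes that overlap, would otherwise silently inflate the reported address space.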
Virtual Network Verifier Feature
az network manager verifier-workspace
Verifier workspaces exist under the network manager resource. They are mostly a container for the child resources. The body only takes a description, plus tags (as is common for any Azure tracked resource). Upon delete, the child resources may take a while to clean up, so an async delete response can be expected.
az network manager verifier-workspace create --name "myVerifierWorkspace" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup" --description "hello world workspace" --tags color=blue
az network manager verifier-workspace show --name "myVerifierWorkspace" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup"
az network manager verifier-workspace list --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup"
az network manager verifier-workspace update --name "myVerifierWorkspace" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup" --description "hello world workspace"
az network manager verifier-workspace delete --name "myVerifierWorkspace" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup"
az network manager verifier-workspace reachability-analysis-intent
The analysis intent is used by the client to define 'I expect a source resource to be able to communicate with a destination resource, via these IPs, ports, etc.' Once the intent is created, only the description can be modified. Note that the source/destination IDs should be well-formed ARM IDs, if the CLI team wants to include any client-side validation. The IPs and ports are lists of strings; protocols is a list of enums, since only specific protocols are supported. Delete for this resource is synchronous.
az network manager verifier-workspace reachability-analysis-intent create --name "myAnalysisIntent" --verifier-workspace-name "myVerifierWorkspace" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup" --description "hello world intent" --sourceResourceId "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/testVmSrc" --destinationResourceId "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/testVmDest" --ipTraffic 'sourceIps=["10.0.0.0/16", "12.0.0.0"]' 'destinationIps=["12.0.0.0/8", "10.0.0.0"]' 'sourcePorts=["20", "23"]' 'destinationPorts=["80", "81"]' 'protocols=["TCP", "UDP"]'
az network manager verifier-workspace reachability-analysis-intent show --name "myAnalysisIntent" --verifier-workspace-name "myVerifierWorkspace" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup"
az network manager verifier-workspace reachability-analysis-intent list --verifier-workspace-name "myVerifierWorkspace" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup"
az network manager verifier-workspace reachability-analysis-intent update --name "myAnalysisIntent" --verifier-workspace-name "myVerifierWorkspace" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup" --description "updated description"
az network manager verifier-workspace reachability-analysis-intent delete --name "myAnalysisIntent" --verifier-workspace-name "myVerifierWorkspace" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup"
az network manager verifier-workspace reachability-analysis-run
The reachability analysis run is what actually evaluates the intent of 'I expect A to be able to talk to B'. It cannot be updated once created. The intent-id provided on create should be the ARM ID of the intent (the resource described in the previous section), which again allows some client-side validation of the input.
The run is processed by the RP, and the result is eventually put into the 'analysisResult' property (this is read-only for the customer). It is a string containing JSON that describes the result of the run, maybe something like '"{\"resultOutcome\":\"NoPacketsReached\",\"unreachedTrace\":\"[{\\"name\\":\\"ming-sub14-vm2\\",\\"resourceId\\":\\"/subscriptions/a54d500d-a6b5-44f2-b090-21b0ef24a4fb/resourceGroups/ming-rg/providers/Microsoft.Compute/virtualMachines/ming-sub14-vm2\\",\\"resourceType\\":\\"Microsoft.Compute/virtualMachines\\",\\"packet......' so the user can see which Azure components were used to determine reachability. If the CLI team has a JSON parser and could display this output better than a simple string, please use it!
az network manager verifier-workspace reachability-analysis-run create --name "myAnalysisRun" --verifier-workspace-name "myVerifierWorkspace" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup" --description "hello world analysis run" --intent-id "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myAVNMResourceGroup/providers/Microsoft.Network/networkManagers/myAVNM/verifierWorkspaces/myVerifierWorkspace/reachabilityAnalysisIntents/myAnalysisIntent"
az network manager verifier-workspace reachability-analysis-run show --name "myAnalysisRun" --verifier-workspace-name "myVerifierWorkspace" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup"
az network manager verifier-workspace reachability-analysis-run list --verifier-workspace-name "myVerifierWorkspace" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup"
az network manager verifier-workspace reachability-analysis-run delete --verifier-workspace-name "myVerifierWorkspace" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup" --name "myAnalysisRun"
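The following is an added example (not from the original request, and not CLI or service code) of the kind of JSON handling asked for above: it peels the analysisResult string, which arrives as a JSON string whose content is a JSON object with resultOutcome and unreachedTrace, and whose unreachedTrace is itself an encoded array of hops carrying name, resourceId and resourceType as in the sample, and renders one entry per hop. The payload it decodes is constructed for the example; because the sample above is truncated, any further hop fields are passed through untouched rather than guessed at.

```python
"""Added example (not from the original request, and not CLI or service code):
decoding a run's 'analysisResult' into a readable trace. It assumes the shape of
the sample above: the property is a JSON string whose content is a JSON object
with 'resultOutcome' and 'unreachedTrace', and 'unreachedTrace' is a further
JSON-encoded array of hops carrying 'name', 'resourceId' and 'resourceType'.
The sample is truncated, so any other hop fields are passed through as they are.
The payload below is constructed for this example, not captured service output."""
import json
from typing import Any, Dict, List

MAX_NESTING = 4  # how many layers of "string that is itself JSON" we are willing to peel


def _unwrap(value: Any, depth: int = MAX_NESTING) -> Any:
    """json.loads a value while it is a string holding a JSON document (bounded depth)."""
    while depth and isinstance(value, str):
        text = value.strip()
        if not text or text[0] not in '{["':  # ordinary text such as 'NoPacketsReached'
            break
        try:
            value = json.loads(text)
        except json.JSONDecodeError:
            break
        depth -= 1
    return value


def parse_analysis_result(raw: str) -> Dict[str, Any]:
    """Return the analysis result as a dict with nested encoded fields decoded."""
    result = _unwrap(raw)
    if not isinstance(result, dict):
        raise ValueError("analysisResult did not decode to a JSON object")
    return {key: _unwrap(val) for key, val in result.items()}


def render_trace(result: Dict[str, Any]) -> List[str]:
    """One header line plus two lines per hop, so the Azure components consulted are visible."""
    lines = [f"resultOutcome: {result.get('resultOutcome', 'Unknown')}"]
    hops = result.get("unreachedTrace") or []
    if not isinstance(hops, list):
        lines.append(f"unreachedTrace (not a list, shown raw): {hops!r}")
        return lines
    for i, hop in enumerate(hops, 1):
        lines.append(f"{i}. {hop.get('resourceType', '?')}  {hop.get('name', '?')}")
        lines.append(f"   {hop.get('resourceId', '?')}")
    return lines


# Constructed sample payload (names and subscription are placeholders, not real resources).
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers"
INNER = {
    "resultOutcome": "NoPacketsReached",
    "unreachedTrace": json.dumps([
        {"name": "testVmSrc", "resourceType": "Microsoft.Compute/virtualMachines",
         "resourceId": f"{_SUB}/Microsoft.Compute/virtualMachines/testVmSrc"},
        {"name": "nsg-src", "resourceType": "Microsoft.Network/networkSecurityGroups",
         "resourceId": f"{_SUB}/Microsoft.Network/networkSecurityGroups/nsg-src"},
    ]),
}
# What 'analysisResult' looks like when it is itself a string inside the run's JSON:
SAMPLE_SINGLE_ENCODED = json.dumps(INNER)
# ... and as it prints in the CLI's JSON output, with the quotes escaped once more.
SAMPLE_DOUBLE_ENCODED = json.dumps(SAMPLE_SINGLE_ENCODED)

if __name__ == "__main__":
    print("\n".join(render_trace(parse_analysis_result(SAMPLE_DOUBLE_ENCODED))))
```

The bounded unwrapping matters: the value is a string whose content is JSON, with a nested field that is again a string of JSON, and a display tool that stops after one json.loads will show the operator an escaped blob instead of the list of hops.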
Security Admin Configuration Feature - New Parameters
Security admin configuration has a new parameter to specify a network group address space aggregation option (this is an enum). If the value in the config is not set to 'None', the user can now use 'NetworkGroup' as the address prefix type in a security admin rule. This requires the address prefix to be a well-formed ARM ID of a network group resource (see the example input below).
az network manager security-admin-config create --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup" --name "newSecAdminConfig" --description "my config" --networkGroupAddressSpaceAggregationOption "Manual"
az network manager security-admin-config update --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup" --name "mySecAdminConfig" --description "my config" --networkGroupAddressSpaceAggregationOption "None"
az network manager security-admin-config rule-collection rule create --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup" --configuration-name "mySecAdminConfig" --rule-collection-name "myRuleCollection" --name "myNewRule" --kind "Custom" --protocol "Tcp" --access "Allow" --priority 32 --direction "Inbound" --destinations address-prefix-type=NetworkGroup address-prefix="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myAVNMResourceGroup/providers/Microsoft.Network/networkManagers/myAVNM/networkGroups/myNetworkGroup" --dest-port-ranges 22
az network manager security-admin-config rule-collection rule update --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup" --configuration-name "mySecAdminConfig" --rule-collection-name "myRuleCollection" --name "myRule" --kind "Custom" --protocol "Tcp" --access "Allow" --priority 5 --direction "Inbound" --destinations address-prefix-type=NetworkGroup address-prefix="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myAVNMResourceGroup/providers/Microsoft.Network/networkManagers/myAVNM/networkGroups/myNetworkGroup" --dest-port-ranges 22
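The following is an added example (not from the original request, and not CLI or service code) of the client-side validation mentioned for the intent's source/destination IDs, the run's intent-id, and the NetworkGroup address prefix in a security admin rule: it checks the ARM ID shape and resource type, and rejects address-prefix-type=NetworkGroup when the configuration's aggregation option is 'None'. The protocol set is limited to the TCP and UDP values shown in the intent example above, the only aggregation option values assumed are 'None' and 'Manual' from the commands above, and the function names and error messages are the example's own.

```python
"""Added example (not from the original request, and not CLI or service code):
client-side validation of the ARM IDs passed to reachability-analysis-intent
create (source/destination), reachability-analysis-run create (--intent-id),
and a security admin rule destination of address-prefix-type=NetworkGroup.
Assumptions of the example: resource-type names as they appear in the IDs above,
TCP/UDP as the only protocol values (the page's example shows just those), and
'None'/'Manual' as the only aggregation options."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

_GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
# Generic ARM resource ID: /subscriptions/{guid}/resourceGroups/{rg}/providers/{ns}/{type}/{name}[/{type}/{name}...]
_ARM_ID = re.compile(
    rf"^/subscriptions/(?P<sub>{_GUID})/resourceGroups/(?P<rg>[^/\s]+)"
    r"/providers/(?P<provider>[^/\s]+)/(?P<path>\S+)$"
)

INTENT_TYPE = "Microsoft.Network/networkManagers/verifierWorkspaces/reachabilityAnalysisIntents"
NETWORK_GROUP_TYPE = "Microsoft.Network/networkManagers/networkGroups"
PROTOCOLS = {"TCP", "UDP"}  # assumption: only the values the example intent uses


@dataclass(frozen=True)
class ArmId:
    subscription: str
    resource_group: str
    provider: str
    segments: Tuple[str, ...]  # alternating type/name pairs after the provider namespace

    @property
    def resource_type(self) -> str:
        """e.g. Microsoft.Network/networkManagers/networkGroups for a network group ID."""
        return self.provider + "/" + "/".join(self.segments[0::2])

    @property
    def name(self) -> str:
        return self.segments[-1]


def parse_arm_id(value: str) -> ArmId:
    """Parse an ARM resource ID, or raise ValueError with a message fit for the user."""
    if any(c.isspace() for c in value):  # catches the stray spaces seen in pasted IDs
        raise ValueError(f"ARM ID contains whitespace: {value!r}")
    m = _ARM_ID.match(value)
    if not m:
        raise ValueError(f"not a well-formed ARM resource ID: {value!r}")
    segments = tuple(m.group("path").split("/"))
    if len(segments) % 2 or not all(segments):
        raise ValueError(f"ARM ID must end in type/name pairs: {value!r}")
    return ArmId(m.group("sub"), m.group("rg"), m.group("provider"), segments)


def require_type(value: str, expected: str) -> ArmId:
    """Accept only an ID of the expected resource type (ARM compares case-insensitively)."""
    arm = parse_arm_id(value)
    if arm.resource_type.lower() != expected.lower():
        raise ValueError(f"expected a {expected} ID, got {arm.resource_type}")
    return arm


def validate_intent(source_resource_id: str, destination_resource_id: str,
                    protocols: List[str]) -> Dict[str, str]:
    """Checks for 'reachability-analysis-intent create': well-formed IDs, known protocols."""
    src = parse_arm_id(source_resource_id)
    dst = parse_arm_id(destination_resource_id)
    unknown = sorted(set(protocols) - PROTOCOLS)
    if unknown:
        raise ValueError(f"unsupported protocol(s) {unknown}; allowed: {sorted(PROTOCOLS)}")
    return {"source": src.resource_type, "destination": dst.resource_type}


def validate_run_intent_id(intent_id: str) -> str:
    """'reachability-analysis-run create --intent-id' must name an intent; returns its name."""
    return require_type(intent_id, INTENT_TYPE).name


def validate_rule_destination(aggregation_option: str, address_prefix_type: str,
                              address_prefix: str) -> str:
    """A NetworkGroup destination needs aggregation != 'None' and a network group ID;
    other prefix types are passed through untouched."""
    if address_prefix_type != "NetworkGroup":
        return address_prefix
    if aggregation_option == "None":
        raise ValueError("address-prefix-type=NetworkGroup requires the configuration's "
                         "networkGroupAddressSpaceAggregationOption to be other than 'None'")
    return require_type(address_prefix, NETWORK_GROUP_TYPE).name


def validation_error(check: Callable[..., object], *args: object) -> Optional[str]:
    """Run a validator and return the message a CLI would show, or None if the input is valid."""
    try:
        check(*args)
    except ValueError as exc:
        return str(exc)
    return None
```

Checking the resource type, not just the ID syntax, is the useful part: a syntactically valid ID of a VM or a VNet pasted into --intent-id or into a NetworkGroup address prefix would otherwise only fail server-side, after the round trip.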
Minimum API Version Required
2024-01-01-preview is the only version that can be used; these features are all going into public preview.
Swagger PR link / SDK link
At the time of creating the request, we are still in the private preview phase and the specs are therefore being kept in the private repo. As we approach mid-May, the specs will be moved to the public repo.
https://github.com/Azure/azure-rest-api-specs-pr/tree/merge-vnetVerifierPublicPreview/specification/network/resource-manager/Microsoft.Network/preview/2024-01-01-preview
Request Example
https://github.com/Azure/azure-rest-api-specs-pr/tree/merge-vnetVerifierPublicPreview/specification/network/resource-manager/Microsoft.Network/preview/2024-01-01-preview/examples
Target Date
5/15/2024
PM Contact
anmichael@microsoft.com
Engineer Contact
jaredgorthy@microsoft.com, sssharma@microsoft.com
Additional context
At the time of creating the feature, there are feature flags guarding the IPAM and Verifier Workspace resources. If these feature flags are still present when you begin development, please reach out to jaredgorthy to have your dev subscriptions registered. Thanks!