Managed SQL instance redeployment #12759
pchettri3
started this conversation in
Authoring Help
Replies: 1 comment
-
Fixed after creating all RT and NSG MS creates. Decompiling and reverse engineering the deployment
-
Azure managed SQL instance is unable to run as it finds a bunch of routing intent NSG rules automatically added in Azure, therefore breaking the idempotency of Bicep declarative syntax. I am getting these errors (output redacted):
All the errors fail with NSGs that were not defined in the deployment but added during the deployment by MS to get MI running. I used as much code as documented on MS docs, but the routing intent NSG manifested on its own and now redeployment fails. It does not even allow me to delete the NSG. I am deleting MI hoping to delete the NSG after that and redeploy, but it is painful for a resource that takes more than 2 hours to delete, especially when I need to understand these phantom resources and redeploy several times:
/subscriptions/abcd173-6666-888888-1171c6f3767/resourceGroups/avt-eus-dr-ase-apps-pctestappkpg5-rg/providers/Microsoft.Network/networkSecurityGroups/avt-eus-dr-ase-apps-pctestappkpg5-sqlmi-NSG conflicts with Network Intent Policy: mi_default_6cc22758-e99e-subxxxx Network Security Rule Name: deny_all_inbound, Id: /subscriptions/abcd173-6666-888888-1171c6f3767/resourceGroups/xyz-eus-dr-ase-apps-pctestappkpg5-rg/providers/Microsoft.Network/networkSecurityGroups/xyz-eus-dr-ase-apps-pctestappkpg5-sqlmi-NSG/securityRules/deny_all_inbound, Access: Deny, Direction: Inbound, Protocol: *, SourceAddressPrefix: *, SourcePortRange: *, DestinationAddressPrefix: *, DestinationPortRange: * conflicts with Network Intent Policy Security Rule: Name: mi-healthprobe-in-173-168-66-32-27-v11, Id: /subscriptions/abcd173-6666-888888-1171c6f3767/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-healthprobe-in-173-168-66-32-27-v11, Access: Allow, Direction: Inbound, Protocol: *, SourceAddressPrefix: AzureLoadBalancer, SourcePortRange: *, DestinationAddressPrefix: 173.168.66.32/27, DestinationPortRange: * ---- Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: mi-internal-in-173-168-66-32-27-v11, Id: /subscriptions/abcd173-6666-888888-1171c6f3767/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-internal-in-173-168-66-32-27-v11, Access: Allow, Direction: Inbound, Protocol: *, SourceAddressPrefix: 173.168.66.32/27, SourcePortRange: *, DestinationAddressPrefix: 173.168.66.32/27, DestinationPortRange: * ---- Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: mi-aad-out-173-168-66-32-27-v11, Id: 
/subscriptions/abcd173-6666-888888-1171c6f3767/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-aad-out-173-168-66-32-27-v11, Access: Allow, Direction: Outbound, Protocol: Tcp, SourceAddressPrefix: 173.168.66.32/27, SourcePortRange: *, DestinationAddressPrefix: AzureActiveDirectory, DestinationPortRange: 443 ---- Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: mi-onedsc-out-173-168-66-32-27-v11, Id: /subscriptions/abcd173-6666-888888-1171c6f3767/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-onedsc-out-173-168-66-32-27-v11, Access: Allow, Direction: Outbound, Protocol: Tcp, SourceAddressPrefix: 173.168.66.32/27, SourcePortRange: *, DestinationAddressPrefix: OneDsCollector, DestinationPortRange: 443 ---- Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: mi-internal-out-173-168-66-32-27-v11, Id: /subscriptions/abcd173-6666-888888-1171c6f3767/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-internal-out-173-168-66-32-27-v11, Access: Allow, Direction: Outbound, Protocol: *, SourceAddressPrefix: 173.168.66.32/27, SourcePortRange: *, DestinationAddressPrefix: 173.168.66.32/27, DestinationPortRange: * ---- Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: mi-strg-p-out-173-168-66-32-27-v11, Id: /subscriptions/abcd173-6666-888888-1171c6f3767/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-strg-p-out-173-168-66-32-27-v11, Access: Allow, Direction: Outbound, Protocol: *, SourceAddressPrefix: 173.168.66.32/27, SourcePortRange: *, DestinationAddressPrefix: Storage.eastus, 
DestinationPortRange: 443 ---- Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: mi-strg-s-out-173-168-66-32-27-v11, Id: /subscriptions/abcd173-6666-888888-1171c6f3767/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-strg-s-out-173-168-66-32-27-v11, Access: Allow, Direction: Outbound, Protocol: *, SourceAddressPrefix: 173.168.66.32/27, SourcePortRange: *, DestinationAddressPrefix: Storage.westus, DestinationPortRange: 443 ---- ---- ---- (Code: ConflictWithNetworkIntentPolicy) Status Message: Found conflicts with NetworkIntentPolicy. Details: RouteTable cannot have resources which conflict with its subnets' network intent policies. Route Table: /subscriptions/abcd173-6666-888888-yyyyxxxc/resourceGroups/xyz-eus-dr-ase-apps-pctestappkpg5-rg/providers/Microsoft.Network/routeTables/xyz-eus-dr-ase-apps-pctestappkpg5-sqlmi-rt does not meet exact route match requirements of Network Intent Policy: mi_default_6cc22758-e99e-subxxxx Route Table doesn't have exact match Route for Network Intent Policy Route: Name: subnet-173-168-66-32-27-to-vnetlocal, Id: /subscriptions/abcd173-6666-888888-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/routes/subnet-173-168-66-32-27-to-vnetlocal, AddressPrefix: 173.168.66.32/27, NextHopType: VnetLocal, NextHopIpAddress: Route Table doesn't have exact match Route for Network Intent Policy Route: Name: mi-AzureActiveDirectory, Id: /subscriptions/abcd173-6666-888888-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/routes/mi-AzureActiveDirectory, AddressPrefix: AzureActiveDirectory, NextHopType: Internet, NextHopIpAddress: Route Table doesn't have exact match Route for Network Intent Policy Route: Name: mi-OneDsCollector, Id: 
/subscriptions/abcd173-6666-888888-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/routes/mi-OneDsCollector, AddressPrefix: OneDsCollector, NextHopType: Internet, NextHopIpAddress: Route Table doesn't have exact match Route for Network Intent Policy Route: Name: mi-Storage.eastus, Id: /subscriptions/abcd173-6666-888888-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/routes/mi-Storage.eastus, AddressPrefix: Storage.eastus, NextHopType: Internet, NextHopIpAddress: Route Table doesn't have exact match Route for Network Intent Policy Route: Name: mi-Storage.westus, Id: /subscriptions/abcd173-6666-888888-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/routes/mi-Storage.westus, AddressPrefix: Storage.westus, NextHopType: Internet, NextHopIpAddress: ---- ---- (Code: ConflictWithNetworkIntentPolicy) Status Message: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details. (Code: DeploymentFailed) - { "error": { "code": "ConflictWithNetworkIntentPolicy", "message": "Found conflicts with NetworkIntentPolicy. 
Details: Network Security Group cannot have resources which conflict with its subnets' network intent policies.\r\nNetwork Security Group: /subscriptions/abcd173-6666-888888-yyyyxxxc/resourceGroups/xyz-eus-dr-ase-apps-pctestappkpg5-rg/providers/Microsoft.Network/networkSecurityGroups/xyz-eus-dr-ase-apps-pctestappkpg5-sqlmi-NSG conflicts with Network Intent Policy: mi_default_6cc22758-e99e-subxxxx\r\n Network Security Rule Name: deny_all_inbound, Id: /subscriptions/abcd173-6666-888888-yyyyxxxc/resourceGroups/xyz-eus-dr-ase-apps-pctestappkpg5-rg/providers/Microsoft.Network/networkSecurityGroups/xyz-eus-dr-ase-apps-pctestappkpg5-sqlmi-NSG/securityRules/deny_all_inbound, Access: Deny, Direction: Inbound, Protocol: *, SourceAddressPrefix: *, SourcePortRange: *, DestinationAddressPrefix: *, DestinationPortRange: * conflicts with \r\n Network Intent Policy Security Rule: Name: mi-healthprobe-in-173-168-66-32-27-v11, Id: /subscriptions/abcd173-6666-888888-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-healthprobe-in-173-168-66-32-27-v11, Access: Allow, Direction: Inbound, Protocol: *, SourceAddressPrefix: AzureLoadBalancer, SourcePortRange: *, DestinationAddressPrefix: 173.168.66.32/27, DestinationPortRange: *\r\n ----\r\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: mi-internal-in-173-168-66-32-27-v11, Id: /subscriptions/abcd173-6666-888888-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-internal-in-173-168-66-32-27-v11, Access: Allow, Direction: Inbound, Protocol: *, SourceAddressPrefix: 173.168.66.32/27, SourcePortRange: *, DestinationAddressPrefix: 173.168.66.32/27, DestinationPortRange: *\r\n ----\r\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: 
mi-aad-out-173-168-66-32-27-v11, Id: /subscriptions/abcd173-f5ce-4169-982c-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-aad-out-173-168-66-32-27-v11, Access: Allow, Direction: Outbound, Protocol: Tcp, SourceAddressPrefix: 173.168.66.32/27, SourcePortRange: *, DestinationAddressPrefix: AzureActiveDirectory, DestinationPortRange: 443\r\n ----\r\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: mi-onedsc-out-173-168-66-32-27-v11, Id: /subscriptions/abcd173-f5ce-4169-982c-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-onedsc-out-173-168-66-32-27-v11, Access: Allow, Direction: Outbound, Protocol: Tcp, SourceAddressPrefix: 173.168.66.32/27, SourcePortRange: *, DestinationAddressPrefix: OneDsCollector, DestinationPortRange: 443\r\n ----\r\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: mi-internal-out-173-168-66-32-27-v11, Id: /subscriptions/abcd173-f5ce-4169-982c-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-internal-out-173-168-66-32-27-v11, Access: Allow, Direction: Outbound, Protocol: *, SourceAddressPrefix: 173.168.66.32/27, SourcePortRange: *, DestinationAddressPrefix: 173.168.66.32/27, DestinationPortRange: *\r\n ----\r\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: mi-strg-p-out-173-168-66-32-27-v11, Id: /subscriptions/abcd173-f5ce-4169-982c-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-strg-p-out-173-168-66-32-27-v11, Access: Allow, Direction: Outbound, Protocol: *, SourceAddressPrefix: 173.168.66.32/27, 
SourcePortRange: *, DestinationAddressPrefix: Storage.eastus, DestinationPortRange: 443\r\n ----\r\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: mi-strg-s-out-173-168-66-32-27-v11, Id: /subscriptions/abcd173-f5ce-4169-982c-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-strg-s-out-173-168-66-32-27-v11, Access: Allow, Direction: Outbound, Protocol: *, SourceAddressPrefix: 173.168.66.32/27, SourcePortRange: *, DestinationAddressPrefix: Storage.westus, DestinationPortRange: 443\r\n ----\r\n---- ----", "details": [] } } (Code:BadRequest) - { "error": { "code": "ConflictWithNetworkIntentPolicy", "message": "Found conflicts with NetworkIntentPolicy. Details: RouteTable cannot have resources which conflict with its subnets' network intent policies.\r\nRoute Table: /subscriptions/prexx-f5ce-4169-982c-yyyyxxxc/resourceGroups/xyz-eus-dr-ase-apps-pctestappkpg5-rg/providers/Microsoft.Network/routeTables/xyz-eus-dr-ase-apps-pctestappkpg5-sqlmi-rt does not meet exact route match requirements of Network Intent Policy: mi_default_6cc22758-e99e-subxxxx\r\n Route Table doesn't have exact match Route for Network Intent Policy Route: Name: subnet-173-168-66-32-27-to-vnetlocal, Id: /subscriptions/prexx-f5ce-4169-982c-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_123456-e99e-subxxxx/routes/subnet-173-168-66-32-27-to-vnetlocal, AddressPrefix: 173.168.66.32/27, NextHopType: VnetLocal, NextHopIpAddress: \r\n Route Table doesn't have exact match Route for Network Intent Policy Route: Name: mi-AzureActiveDirectory, Id: /subscriptions/prexx-f5ce-4169-982c-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_123456-e99e-subxxxx/routes/mi-AzureActiveDirectory, AddressPrefix: AzureActiveDirectory, NextHopType: Internet, 
NextHopIpAddress: \r\n Route Table doesn't have exact match Route for Network Intent Policy Route: Name: mi-OneDsCollector, Id: /subscriptions/prexx-f5ce-4169-982c-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_123456-e99e-subxxxx/routes/mi-OneDsCollector, AddressPrefix: OneDsCollector, NextHopType: Internet, NextHopIpAddress: \r\n Route Table doesn't have exact match Route for Network Intent Policy Route: Name: mi-Storage.eastus, Id: /subscriptions/prexx-f5ce-4169-982c-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_123456-e99e-subxxxx/routes/mi-Storage.eastus, AddressPrefix: Storage.eastus, NextHopType: Internet, NextHopIpAddress: \r\n Route Table doesn't have exact match Route for Network Intent Policy Route: Name: mi-Storage.westus, Id: /subscriptions/prexx-f5ce-4169-982c-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_123456-e99e-subxxxx/routes/mi-Storage.westus, AddressPrefix: Storage.westus, NextHopType: Internet, NextHopIpAddress: \r\n---- ----", "details": [] } } (Code:BadRequest) CorrelationId: 00-6fc8-467e-ad4c-444455677
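The fix reported in the reply (declaring every route and NSG rule the platform adds) can be expressed directly from the error output. The following Bicep is an added example, not the poster's template or Microsoft's; the parameter names, API version, rule priorities and the placement of `deny_all_inbound` are assumptions, while rule names, service tags, ports and next-hop types are copied from the `ConflictWithNetworkIntentPolicy` messages above.

```bicep
// Added example. Values come from the error output; priorities are assumed.
param location string = resourceGroup().location
param nsgName string        // NSG attached to the MI subnet
param routeTableName string // route table attached to the MI subnet
param miSubnet string = '173.168.66.32/27'
var sfx = '173-168-66-32-27-v11' // suffix the intent policy uses in rule names

// The template's own deny_all_inbound stays last so the required allows win.
var miRules = [
  { name: 'mi-healthprobe-in-${sfx}', access: 'Allow', dir: 'Inbound', proto: '*', src: 'AzureLoadBalancer', dst: miSubnet, port: '*', prio: 100 }
  { name: 'mi-internal-in-${sfx}', access: 'Allow', dir: 'Inbound', proto: '*', src: miSubnet, dst: miSubnet, port: '*', prio: 110 }
  { name: 'mi-aad-out-${sfx}', access: 'Allow', dir: 'Outbound', proto: 'Tcp', src: miSubnet, dst: 'AzureActiveDirectory', port: '443', prio: 100 }
  { name: 'mi-onedsc-out-${sfx}', access: 'Allow', dir: 'Outbound', proto: 'Tcp', src: miSubnet, dst: 'OneDsCollector', port: '443', prio: 110 }
  { name: 'mi-internal-out-${sfx}', access: 'Allow', dir: 'Outbound', proto: '*', src: miSubnet, dst: miSubnet, port: '*', prio: 120 }
  { name: 'mi-strg-p-out-${sfx}', access: 'Allow', dir: 'Outbound', proto: '*', src: miSubnet, dst: 'Storage.eastus', port: '443', prio: 130 }
  { name: 'mi-strg-s-out-${sfx}', access: 'Allow', dir: 'Outbound', proto: '*', src: miSubnet, dst: 'Storage.westus', port: '443', prio: 140 }
  { name: 'deny_all_inbound', access: 'Deny', dir: 'Inbound', proto: '*', src: '*', dst: '*', port: '*', prio: 4096 }
]
// Routes must match the intent policy exactly (name, prefix, next hop).
var miRoutes = [
  { name: 'subnet-173-168-66-32-27-to-vnetlocal', properties: { addressPrefix: miSubnet, nextHopType: 'VnetLocal' } }
  { name: 'mi-AzureActiveDirectory', properties: { addressPrefix: 'AzureActiveDirectory', nextHopType: 'Internet' } }
  { name: 'mi-OneDsCollector', properties: { addressPrefix: 'OneDsCollector', nextHopType: 'Internet' } }
  { name: 'mi-Storage.eastus', properties: { addressPrefix: 'Storage.eastus', nextHopType: 'Internet' } }
  { name: 'mi-Storage.westus', properties: { addressPrefix: 'Storage.westus', nextHopType: 'Internet' } }
]

resource nsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: nsgName
  location: location
  properties: {
    securityRules: [for r in miRules: {
      name: r.name
      properties: {
        access: r.access
        direction: r.dir
        protocol: r.proto
        sourceAddressPrefix: r.src
        sourcePortRange: '*'
        destinationAddressPrefix: r.dst
        destinationPortRange: r.port
        priority: r.prio
      }
    }]
  }
}
resource rt 'Microsoft.Network/routeTables@2023-04-01' = {
  name: routeTableName
  location: location
  properties: { routes: miRoutes }
}
```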