Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NetworkWatcherRG Deployment Causing DINE Policy (Deploy-VNET-HubSpoke) To Fail In Multi-Region Deployment/Assignment #726

Closed
pagyP opened this issue Aug 3, 2021 · 5 comments · Fixed by #772
Closed

NetworkWatcherRG Deployment Causing DINE Policy (Deploy-VNET-HubSpoke) To Fail In Multi-Region Deployment/Assignment #726

pagyP opened this issue Aug 3, 2021 · 5 comments · Fixed by #772
Assignees
@daltondhcp @jtracey93
Labels
enhancement New feature or request policy

Comments

@pagyP
Copy link

pagyP commented Aug 3, 2021

Describe the bug
the 'Deploys virtual network peering to hub' policy will fail if NetworkWatcherRG already exists in a different location. This RG may already exist because a virtual network has already been deployed in the subscription and/or policy is in place to create a network watcher.
So the policy 'Deploys virtual network peering to hub' cannot be used to deploy an additional vnet to a subscription or even a subscription that may have once had a vnet, but no longer has, but the NetworkWatcherRG is still present.

Steps to reproduce

1.Assign 'Deploys virtual network peering to hub' policy to a subscription
2. Policy deployment if not exists fails because NetworkWatcherRG already exists
3. "{"error":{"code":"InvalidResourceGroupLocation","message":"Invalid resource group location 'northeurope'. The Resource group already exists in location 'uksouth'."}}",

Screenshots
image
@pagyP pagyP added the bug Something isn't working label Aug 3, 2021
@jtracey93
Copy link
Collaborator

Thanks @pagyP for raising this.

I actually think this is due to the policy trying to create the NetworkWatcherRG in multiple regions which isn't supported by the platform for any resource group; as you can see from my quick test here:
image

Therefore I believe the policy should either:

  1. Have additional logic and input parameter for the NetworkWatcherRG location
  2. Remove the deployment of the NetworkWatcherRG as part of the DINE policy as it is enabled automatically on VNET creation if it doesn't exist by the platform already today (unless opted out) as per: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-create

Have you tried amending the policy definition to try either of these options above? Or could you and report back?

Once I'm back from holiday I'll check in with @daltondhcp who created this policy for some further context before creating a PR to resolve, if required.

Thanks

Jack

@jtracey93 jtracey93 removed the triage label Aug 3, 2021
@jtracey93 jtracey93 added policy enhancement New feature or request waiting for response Maintainers have replied and are awaiting a response from the bug/issue/feature creator labels Aug 3, 2021
@jtracey93 jtracey93 changed the title Bug Report NetworkWatcherRG Deployment Causing DINE Policy (Deploy-VNET-HubSpoke) To Fail In Multi-Region Deployment/Assignment Aug 3, 2021
@pagyP
Copy link
Author

pagyP commented Aug 3, 2021

i think removing the network watcher Rg creation from the def is the simplest thing to do here. I'll test doing just that and update this issue.

@pagyP
Copy link
Author

pagyP commented Aug 4, 2021
edited
Loading

@jtracey93 Removing the RG creation sorts this out. Further context as to why it's in there would be good though in case I'm missing something.
image

image

There are a couple of other problems with this policy that I've noticed as well so will raise additional issues for those. Can then probably wrap up all changes to this policy def in one PR.

@jtracey93
Copy link
Collaborator

Thanks for letting us know @pagyP!

When we are all back from some holiday I'm sure @daltondhcp will let us know why it is part of the definition. However, from memory I'm sure it was to ensure the Landing Zone was enabled completely from the start with all the features it needs for the networking side of things.

But I think we are safe to remove it going forward as the platform does it automatically as described in a previous comment.

@jtracey93 jtracey93 removed the waiting for response Maintainers have replied and are awaiting a response from the bug/issue/feature creator label Aug 4, 2021
@daltondhcp
Copy link
Contributor

Thank you for reporting @pagyP - will investigate if we still need to pre-create it or if we can now leave it to the platform.

@daltondhcp daltondhcp removed the bug Something isn't working label Aug 23, 2021
@daltondhcp daltondhcp mentioned this issue Aug 31, 2021
Merged
6 tasks
@daltondhcp daltondhcp linked a pull request Aug 31, 2021 that will close this issue
Updates and bugfixes to Deploy-VNET-HubSpoke policyDefinition #772
Merged
6 tasks
@ghost ghost locked as resolved and limited conversation to collaborators Jan 11, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@daltondhcp daltondhcp

@jtracey93 jtracey93

Labels
enhancement New feature or request policy
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Updates and bugfixes to Deploy-VNET-HubSpoke policyDefinition daltondhcp/Enterprise-Scale
3 participants
@daltondhcp @pagyP @jtracey93