Cost optimisation - Firewall Basic SKU #3961

Closed
jonnyry opened this issue Jun 1, 2024 · 7 comments · Fixed by #3975
Labels
story Stories are the smallest unit of work to be done for a project.

Comments

@jonnyry
Contributor

jonnyry commented Jun 1, 2024

Is it possible to use the Azure Firewall Basic SKU to reduce the running cost in non production environments?

I know this has previously been discussed here #2723 - it reads like the main blocker at the time was the inability to deallocate the firewall Basic SKU.

I've just tested out deallocation and allocation of the policy on a Basic SKU Firewall and it now appears to be possible:

image

@marrobi @tamirkamara Is there a finer point in the allocation/deallocation that I might have missed? Were there any other blockers to using the Basic SKU?

@marrobi
Member

marrobi commented Jun 1, 2024

Should work fine. It's in the bundle, just don't think it's exposed.

Would be good to have a config value to configure it.

@jonnyry
Contributor Author

jonnyry commented Jun 1, 2024

The Basic SKU Firewall is specifically excluded from deallocation in the start/stop script:

```bash
IPCONFIG_NAME=$(az network firewall ip-config list -f "${fw_name}" -g "${core_rg_name}" --query "[0].name" -o tsv)
if [ -n "$IPCONFIG_NAME" ] && [ "${fw_sku}" != "Basic" ]; then
  echo "Deleting Firewall ip-config: $IPCONFIG_NAME"
  az network firewall ip-config delete -f "${fw_name}" -n "$IPCONFIG_NAME" -g "${core_rg_name}" &
else
  echo "No Firewall ip-config found or SKU (${fw_sku}) doesn't allow deallocation"
fi
```

If there aren't any other blockers then hopefully it's just a case of:

  • modifying the start/stop script to allow deallocation of the Basic SKU
  • plus surfacing a FIREWALL_SKU environment variable

@marrobi
Member

marrobi commented Jun 3, 2024

Yes, that would make a lot of sense. Great if you can contribute it.

@jonnyry
Contributor Author

jonnyry commented Jun 4, 2024

It's on my list! Just need to figure out how parameters get passed into the resource processor :-D

@marrobi
Member

marrobi commented Jun 4, 2024

https://github.com/microsoft/AzureTRE/blob/main/resource_processor%2Fresources%2Fcommands.py#L58

As long as the parameter matches the config key, it should just need adding to the config object.

@marrobi
Member

marrobi commented Jun 4, 2024

Example: https://github.com/microsoft/AzureTRE/blob/main/resource_processor%2Fshared%2Fconfig.py#L24

@jonnyry
Contributor Author

jonnyry commented Jun 12, 2024

Am I right in thinking the firewall is not deployed via the resource processor when the TRE is initially deployed? (since it's the only shared service that gets deployed on initial TRE deployment)

But then if the firewall is updated subsequently (e.g. via the TRE UI), this update would take place via the resource processor?

@tim-allen-ck tim-allen-ck added the story Stories are the smallest unit of work to be done for a project. label Jun 19, 2024