[Feature Request]: Add `RoutingIntent` child module to Virtual Hub module. #2427
Comments
Hey @annduda,
Hey @AlexanderSehr if nobody took it yet I can try :)
If you have the capacity, please do - and if you need support, please let me know :)
Hey @arnoldna ,
Working on this now
Running into an issue with integrating this functionality; the problem is that this feature requires a firewall (Azure Firewall, for example) to be created and associated with the virtual hub before it is invoked, otherwise it will error out with an "invalid next hop" condition. In order for the firewall to be properly associated to the hub, it has to be created after the virtual hub, since the hub.id needs to be specified during the firewall creation (confirmed with the VWAN PG that providing the firewall.id during hub creation does nothing; it is a read-only parameter). The deployment flow needs to be:
The requirement for a firewall effectively introduces a race condition; @ChrisSidebotham is going to discuss amongst the core team how to approach this issue. There are a couple different courses of action under consideration:
Work is on-hold pending further direction.
Hey @ericscheffler,
I did something similar for some CMK tests where I wanted to show how to do this with a System-Assigned identity. Similar issue: How to assign permissions to an MSI if the MSI is only created after the service is deployed for which I want to define CMK. Same solution: Deployed the vanilla service with a system-assigned identity in the test's dependencies, set the permissions, then invoked the module like nothing happened in an idempotent way. For reference: https://github.com/Azure/bicep-registry-modules/blob/main/avm/res/cognitive-services/account/tests/e2e/system-assigned-cmk-encryption/main.test.bicep
## Description

Adding support for configuring Routing Intent within a Virtual Hub. Due to limitations within the Virtual Hub API, if a pattern is enabling Routing Intent, the pattern _must_ invoke this resource twice; the first invocation creates the Virtual Hub, then the second idempotent invocation updates the Virtual Hub with the Routing Intent configuration:

1. Invoke Virtual Hub resource (output hub resource ID)
2. Invoke Firewall resource (pass in hub resource ID)
3. Invoke Virtual Hub resource again (pass in Routing Intent configuration)

Input parameters for the Routing Intent configuration are:

- _privateToFirewall bool_
- _internetToFirewall bool_

Closes [2427](#2427)

## Pipeline Reference

[![avm.res.network.virtual-hub](https://github.com/ericscheffler/bicep-registry-modules/actions/workflows/avm.res.network.virtual-hub.yml/badge.svg?branch=Feature2427-VirtualHub_RoutingIntent)](https://github.com/ericscheffler/bicep-registry-modules/actions/workflows/avm.res.network.virtual-hub.yml)

## Type of Change

- [ ] Update to CI Environment or utilities (Non-module affecting changes)
- [X] Azure Verified Module updates:
  - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`:
    - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description.
    - [ ] The bug was found by the module author, and no one has opened an issue to report it yet.
  - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`.
  - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`.
- [X] Update to documentation

## Checklist

- [X] I'm sure there are no other open Pull Requests for the same update/change
- [X] I have run `Set-AVMModule` locally to generate the supporting module files.
- [X] My corresponding pipelines / checks run clean and green without any errors or warnings

---------

Co-authored-by: erschef_microsoft <[email protected]>
Co-authored-by: arnoldna <[email protected]>
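
The ordering discussed in this thread (hub, then firewall, then routing intent), expressed with native Bicep resource types in one template so that each dependency follows from a resource ID reference. This is an added example, not the AVM module's code or the PR's implementation; the resource names, address prefix, API version and the `virtualWanResourceId` parameter are assumptions, while `privateToFirewall` and `internetToFirewall` follow the PR description.

```bicep
// Added example, not the AVM virtual-hub module. Names, address prefix and
// API version are constructed placeholders.
param location string = resourceGroup().location
param virtualWanResourceId string
param privateToFirewall bool = true
param internetToFirewall bool = true

// 1. Virtual hub first: the firewall needs the hub's resource ID.
resource hub 'Microsoft.Network/virtualHubs@2023-04-01' = {
  name: 'example-hub'
  location: location
  properties: {
    addressPrefix: '10.0.0.0/23'
    virtualWan: { id: virtualWanResourceId }
  }
}

// 2. Firewall second, associated with the hub through hub.id.
//    (Firewall policy association is left out to keep the focus on ordering.)
resource firewall 'Microsoft.Network/azureFirewalls@2023-04-01' = {
  name: 'example-hub-fw'
  location: location
  properties: {
    sku: { name: 'AZFW_Hub', tier: 'Standard' }
    virtualHub: { id: hub.id }
    hubIPAddresses: { publicIPs: { count: 1 } }
  }
}

// 3. Routing intent last: every policy names the firewall as next hop, so the
//    firewall must already exist and be attached to the hub.
var privatePolicy = privateToFirewall ? [
  { name: 'PrivateTraffic', destinations: [ 'PrivateTraffic' ], nextHop: firewall.id }
] : []
var internetPolicy = internetToFirewall ? [
  { name: 'PublicTraffic', destinations: [ 'Internet' ], nextHop: firewall.id }
] : []

resource routingIntent 'Microsoft.Network/virtualHubs/routingIntent@2023-04-01' = if (privateToFirewall || internetToFirewall) {
  parent: hub
  name: 'exampleRoutingIntent'
  properties: {
    routingPolicies: concat(privatePolicy, internetPolicy)
  }
}
```

Because the routing intent references `firewall.id` and the firewall references `hub.id`, the deployment engine orders the three resources without an explicit `dependsOn`.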
Description
Hi,
Could we have a routing Intent functionality for virtual Hub which would allow sending traffic to Azure Firewall:
https://learn.microsoft.com/en-us/azure/templates/microsoft.network/virtualhubs/routingintent?pivots=deployment-language-bicep