Reputation: 162
Bicep Template for NIC breaks internet access when adding in Load Balancer Configuration
I am trying to deploy the network interface card for a SQL Server VM, that will be placed as part of an AlwaysOn Availability Group and subsequently should be added to my Internal Load Balancer. This card will be created in advance of the VM itself.
My problem is that when the VM is created and the pre-created NIC is attached as part of the deployment, internet access for the VM doesn't seem to work.
I have tried created a NIC in the portal manually and attaching to the VM/Load Balancer manually and that seemed to work fine.
For reference, I have deployed a similar template to a different VM that doesn't require the NIC to be part of the backend address pool and that deploys no problem.
Do I need to add more properties than just a reference to the resourceId of the backend address pool in the load balancer to get this working?
resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-05-01' existing = {
name: virtualNetworkName
scope: resourceGroup(virtualNetworkResourceGroup)
}
resource virtualMachineNetworkInterfaceCardSubnet 'Microsoft.Network/virtualNetworks/subnets@2022-05-01' existing = {
name: virtualNetworkSubnetName
parent: virtualNetwork
}
resource loadBalancer 'Microsoft.Network/loadBalancers@2022-05-01' existing = {
name: loadBalancerName
scope: resourceGroup(virtualNetworkResourceGroup)
}
resource loadBalancerBackendAddressPool 'Microsoft.Network/loadBalancers/backendAddressPools@2022-05-01' existing = {
name: loadBalancerBackendAddressPoolName
parent: loadBalancer
}
resource virtualMachineNetworkInterfaceCard 'Microsoft.Network/networkInterfaces@2022-05-01' = {
name: '${virtualMachineName}-nic-01'
location: resourceLocation
tags: {
associatedResource: virtualMachineName
environmentCode: environmentCode
loadBalancer: loadBalancerName
resourceLocation: resourceLocation
}
properties: {
dnsSettings: {
dnsServers: [
]
}
enableAcceleratedNetworking: true
enableIPForwarding: false
ipConfigurations: [
{
name: '${virtualMachineName}-nic-01-configuration'
properties: {
loadBalancerBackendAddressPools: [
{
id: loadBalancerBackendAddressPool.id
}
]
primary: true
privateIPAddress: networkInterfaceCardIPAddress
privateIPAddressVersion: 'IPv4'
privateIPAllocationMethod: 'Static'
subnet: {
id: virtualMachineNetworkInterfaceCardSubnet.id
}
}
}
]
nicType: 'Standard'
}
}
Upvotes: 1
Views: 381
Answers (1)
Reputation: 162
Turns out the underlying error was nothing to do with the Bicep template for the NIC itself.
It is due to the fact, that by design, load balancers (internal and public) don't allow outbound internet access according to https://learn.microsoft.com/en-us/answers/questions/37890/internet-access-on-vms-in-internal-load-balancer-p.html and https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections
I have been able to get this working in my case by first assigning a NAT gateway to the subnet where the VMs/Load Balancer reside. I was also able to test forwarding the traffic via a routing table to an Azure firewall which also worked
Upvotes: 1
Related Questions
- Add Azure Traffic Manager endpoints in main bicep template as child resource
- Is there a way to get multiple non-related IP addresses configured in an Azure SQL Server Firewall using Bicep?
- Azure Bicep - unable to set ipSecurityRestrictions
- Azure Bicep - Additional IP Restrictions
- Deployment of queue, blob and ADLS2 private endpoints via Bicep goes wrong
- Add new NIC to existing Subnet
- Azure Load Balancer - cannot reach port unless it is open in Network Security Group
- New Azure Standard LB doesn't allow inbound connection
- Azure LB not routing traffic to VMs
- Configuring Azure load balancer and NAT rules