# azure
p
I’m really struggling to get started. I’ve tried the AI bot and few examples but can’t get my simple requirements to work: vnet containing 2 websites, sql server and storage account. None having public access inbound but websites can get outbound. One developer IP with inbound access. Pulumi looks to create the vnet, websites, sql and storage but doesn’t hook them up to vnet nor restrict public access. Anyone mind helping me get out the box please? I’ve even tried the arm importer but it doesn’t work on any arm file I try. Very much appreciated.
m
There's quite a bit here. But, is the issue around your service endpoints for SQL and Storage not getting created? There might be some limitations on the Azure-Native provider with using a subnet delegation vs. service point injection. Also, public access is on by default unless you turn that off and add firewall exceptions on the storage and sql services themselves.
p
No, everything gets created, but nothing gets “injected” into the vnet
I’ve tried a simple one site and one vnet and it still doesn’t work.
m
Let's pick one service first. Are you using web apps? Is that what you mean by website?
p
Yes, so I create an app service and a web app.
m
Are you defining the virtual_network_subnet_id in the web app? Depending on the sku you're using, this may or may not work. I know that for my premium sku, I'm limited to two networks.
p
Can I post the script here? If so, I’ll do that in the morning as getting on here.
m
Sure!
p
Picking back up on this, here's what I want to achieve diagrammatically. Azure API Management with public access. Backends in Web App and SQL and Web App coexisting safely in a vnet without public access.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azureNative from "@pulumi/azure-native";

// Create a new resource group
const resourceGroup = new azureNative.resources.ResourceGroup("resourceGroup");

// Create a virtual network
const vnet = new azureNative.network.VirtualNetwork("vnet", {
    resourceGroupName: resourceGroup.name,
    addressSpace: {
        addressPrefixes: ["10.0.0.0/16"],
    },
    subnets: [{
        name: "default",
        addressPrefix: "10.0.1.0/24",
    }],
});

// Create a subnet for the App Service Environment
const aseSubnet = new azureNative.network.Subnet("aseSubnet", {
    resourceGroupName: resourceGroup.name,
    virtualNetworkName: vnet.name,
    addressPrefix: "10.0.2.0/24",
});

// Create an App Service Plan with an ASE
const appServicePlan = new azureNative.web.AppServicePlan("appServicePlan", {
    resourceGroupName: resourceGroup.name,
    sku: {
        name: "I1",
        tier: "Isolated",
        size: "I1",
        family: "I",
        capacity: 1,
    },
    appServiceEnvironmentId: aseSubnet.id,
});

// Create a web app within the VNet
const webApp = new azureNative.web.WebApp("webApp", {
    resourceGroupName: resourceGroup.name,
    serverFarmId: appServicePlan.id,
    siteConfig: {
        appSettings: [
            {
                name: "WEBSITE_VNET_ROUTE_ALL",
                value: "1",
            },
        ],
    },
});

// Create a SQL Server with no public network access
const sqlServer = new azureNative.sql.Server("sqlServer", {
    resourceGroupName: resourceGroup.name,
    administratorLogin: "sqladmin",
    administratorLoginPassword: "ComplexPassword#1234",
    version: "12.0",
    publicNetworkAccess: "Disabled",
});

// Create an APIM instance with public access
const apim = new azureNative.apimanagement.Service("apim", {
    resourceGroupName: resourceGroup.name,
    publisherName: "api-publisher",
    publisherEmail: "contact@api-publisher.com",
    sku: {
        name: "Consumption",
        capacity: 0,
    },
});

// Export the Web App URL and APIM Gateway URL
export const webAppUrl = webApp.defaultHostName.apply(hostName => `https://${hostName}`);
export const apimGatewayUrl = apim.gatewayUrl;
```
This is the code but it doesn't assign the web app and the sql to the vnet
m
Yeah, that would be your issue there. You're not enabling the service endpoints on the subnets or adding the subnets to your two resources. I would look into the private endpoint configs for those two services. On my web app subnet, I had to delegate that subnet to the web app service endpoint. You'll have to enable that for SQL service endpoint as well. Once those are enabled on your subnets, then you'll be able to assign the web app and the sql service to your subnets and get the private routing you want.
p
Would you be able to share some obfuscated sample code to explain what you mean please?
m
Here's one of my subnets with a delegation to the web app service.
```python
import pulumi_azure_native as azure_native

# One entry from the `subnets=[...]` list of the VirtualNetwork resource;
# the delegation grants Microsoft.Web/serverFarms the right to integrate
# with this subnet.
azure_native.network.SubnetArgs(
    name=f"snet-{location_abb}-web-application-integrations",
    address_prefix="10.1.0.0/24",
    delegations=[azure_native.network.DelegationArgs(
        name="delegation-web-applications",
        service_name="Microsoft.Web/serverFarms",
    )],
    nat_gateway=azure_native.network.SubResourceArgs(
        id=nat_web_app_services.id,
    ),
    network_security_group=azure_native.network.NetworkSecurityGroupArgs(
        id=nsg_web_applications.id,
    ),
    private_endpoint_network_policies="Enabled",
    private_link_service_network_policies="Enabled",
),
```
This tells Azure that the Web App is allowed to use the subnet. Then, in my web app, I add the subnet ID through the "virtual_network_subnet_id" argument. What I see is you're trying to get that done through the site config, but you'll want to do it through the web app's argument. Here's the page to show you that argument: azure-native.web.WebApp | Pulumi Registry
p
Thanks, will give it a shot.