def validate_add_vnet(cmd, namespace):
from azure.core.exceptions import ResourceNotFoundError as ResNotFoundError
resource_group_name = namespace.resource_group_name
from azure.cli.command_modules.network._client_factory import network_client_factory
vnet_identifier = namespace.vnet
name = namespace.name
slot = namespace.slot
if is_valid_resource_id(vnet_identifier):
current_sub_id = get_subscription_id(cmd.cli_ctx)
parsed_vnet = parse_resource_id(vnet_identifier)
vnet_sub_id = parsed_vnet['subscription']
vnet_group = parsed_vnet['resource_group']
vnet_name = parsed_vnet['name']
cmd.cli_ctx.data['subscription_id'] = vnet_sub_id
vnet_client = network_client_factory(cmd.cli_ctx)
vnet_loc = vnet_client.virtual_networks.get(
resource_group_name=vnet_group,
virtual_network_name=vnet_name).location
cmd.cli_ctx.data['subscription_id'] = current_sub_id
else:
vnet_client = network_client_factory(cmd.cli_ctx)
try:
vnet_loc = vnet_client.virtual_networks.get(
resource_group_name=namespace.resource_group_name,
virtual_network_name=vnet_identifier).location
except ResNotFoundError:
vnets = vnet_client.virtual_networks.list_all()
vnet_loc = ''
for v in vnets:
if vnet_identifier == v.name:
vnet_loc = v.location
break
if not vnet_loc:
# Fall back to back end validation
logger.warning("Failed to fetch vnet. Skipping location validation.")
return
webapp = _generic_site_operation(cmd.cli_ctx, resource_group_name, name,
'get', slot)
webapp_loc = _normalize_location(cmd, webapp.location)
vnet_loc = _normalize_location(cmd, vnet_loc)
if vnet_loc != webapp_loc:
raise ValidationError(
"The app and the vnet resources are in different locations. "
"Cannot integrate a regional VNET to an app in a different region")
def validate_add_vnet(cmd, namespace):
resource_group_name = namespace.resource_group_name
from azure.cli.command_modules.network._client_factory import network_client_factory
vnet_client = network_client_factory(cmd.cli_ctx)
list_all_vnets = vnet_client.virtual_networks.list_all()
vnet = namespace.vnet
name = namespace.name
slot = namespace.slot
vnet_loc = ''
for v in list_all_vnets:
if vnet in (v.name, v.id):
vnet_loc = v.location
break
from ._appservice_utils import _generic_site_operation
webapp = _generic_site_operation(cmd.cli_ctx, resource_group_name, name,
'get', slot)
# converting geo region to geo location
webapp_loc = webapp.location.lower().replace(" ", "")
if vnet_loc != webapp_loc:
raise CLIError(
"The app and the vnet resources are in different locations. \
Cannot integrate a regional VNET to an app in a different region"
)
def _ensure_subnet_service_endpoint(cli_ctx, subnet_id):
from azure.cli.core.profiles import AD_HOC_API_VERSIONS, ResourceType
subnet_id_parts = parse_resource_id(subnet_id)
subnet_subscription_id = subnet_id_parts['subscription']
subnet_resource_group = subnet_id_parts['resource_group']
subnet_vnet_name = subnet_id_parts['name']
subnet_name = subnet_id_parts['resource_name']
if get_subscription_id(cli_ctx).lower() != subnet_subscription_id.lower():
raise ArgumentUsageError('Cannot validate subnet in different subscription for missing service endpoint.'
' Use --ignore-missing-endpoint or -i to'
' skip validation and manually verify service endpoint.')
vnet_client = network_client_factory(cli_ctx, api_version=AD_HOC_API_VERSIONS[ResourceType.MGMT_NETWORK]
['appservice_ensure_subnet'])
subnet_obj = vnet_client.subnets.get(subnet_resource_group, subnet_vnet_name, subnet_name)
subnet_obj.service_endpoints = subnet_obj.service_endpoints or []
service_endpoint_exists = False
for s in subnet_obj.service_endpoints:
if s.service == "Microsoft.Web":
service_endpoint_exists = True
break
if not service_endpoint_exists:
web_service_endpoint = ServiceEndpointPropertiesFormat(service="Microsoft.Web")
subnet_obj.service_endpoints.append(web_service_endpoint)
poller = vnet_client.subnets.begin_create_or_update(
subnet_resource_group, subnet_vnet_name,
subnet_name, subnet_parameters=subnet_obj)
# Ensure subnet is updated to avoid update conflict
LongRunningOperation(cli_ctx)(poller)
def _create_nsg_rule(cli_ctx,
resource_group_name,
network_security_group_name,
security_rule_name,
priority,
description=None,
protocol=None,
access=None,
direction=None,
source_port_range='*',
source_address_prefix='*',
destination_port_range=80,
destination_address_prefix='*'):
settings = SecurityRule(
protocol=protocol,
source_address_prefix=source_address_prefix,
destination_address_prefix=destination_address_prefix,
access=access,
direction=direction,
description=description,
source_port_range=source_port_range,
destination_port_range=destination_port_range,
priority=priority,
name=security_rule_name)
network_client = network_client_factory(cli_ctx)
poller = network_client.security_rules.create_or_update(
resource_group_name, network_security_group_name, security_rule_name,
settings)
LongRunningOperation(cli_ctx)(poller)
def _ensure_subnet_service_endpoint(cli_ctx, subnet_id):
from msrestazure.tools import parse_resource_id
subnet_id_parts = parse_resource_id(subnet_id)
subnet_resource_group = subnet_id_parts['resource_group']
subnet_vnet_name = subnet_id_parts['name']
subnet_name = subnet_id_parts['resource_name']
vnet_client = network_client_factory(cli_ctx,
api_version=NETWORK_API_VERSION)
subnet_obj = vnet_client.subnets.get(subnet_resource_group,
subnet_vnet_name, subnet_name)
subnet_obj.service_endpoints = subnet_obj.service_endpoints or []
service_endpoint_exists = False
for s in subnet_obj.service_endpoints:
if s.service == "Microsoft.Web":
service_endpoint_exists = True
break
if not service_endpoint_exists:
web_service_endpoint = ServiceEndpointPropertiesFormat(
service="Microsoft.Web")
subnet_obj.service_endpoints.append(web_service_endpoint)
poller = vnet_client.subnets.begin_create_or_update(
subnet_resource_group,
subnet_vnet_name,
subnet_name,
subnet_parameters=subnet_obj)
# Ensure subnet is updated to avoid update conflict
LongRunningOperation(cli_ctx)(poller)
def completer(cmd, prefix, namespace, **kwargs): # pylint: disable=unused-argument
client = network_client_factory(cmd.cli_ctx)
try:
ag_name = namespace.application_gateway_name
except AttributeError:
ag_name = namespace.resource_name
if namespace.resource_group_name and ag_name:
ag = client.application_gateways.get(namespace.resource_group_name, ag_name)
return [r.name for r in getattr(ag, prop)]
def subnet_completion_list(cmd, prefix, namespace, **kwargs): # pylint: disable=unused-argument
client = network_client_factory(cmd.cli_ctx)
if namespace.resource_group_name and namespace.virtual_network_name:
rg = namespace.resource_group_name
vnet = namespace.virtual_network_name
return [
r.name for r in client.subnets.list(resource_group_name=rg,
virtual_network_name=vnet)
]
def completer(cmd, prefix, namespace, **kwargs): # pylint: disable=unused-argument
client = network_client_factory(cmd.cli_ctx)
try:
ag_name = namespace.application_gateway_name
except AttributeError:
ag_name = namespace.resource_name
if namespace.resource_group_name and ag_name:
ag = client.application_gateways.get(namespace.resource_group_name, ag_name)
return [r.name for r in getattr(ag, prop)]
def completer(cmd, prefix, namespace, **kwargs): # pylint: disable=unused-argument
client = network_client_factory(cmd.cli_ctx)
try:
lb_name = namespace.load_balancer_name
except AttributeError:
lb_name = namespace.resource_name
if namespace.resource_group_name and lb_name:
lb = client.load_balancers.get(namespace.resource_group_name, lb_name)
return [r.name for r in getattr(lb, prop)]
def completer(cmd, prefix, namespace, **kwargs): # pylint: disable=unused-argument
client = network_client_factory(cmd.cli_ctx)
try:
lb_name = namespace.load_balancer_name
except AttributeError:
lb_name = namespace.resource_name
if namespace.resource_group_name and lb_name:
lb = client.load_balancers.get(namespace.resource_group_name, lb_name)
return [r.name for r in getattr(lb, prop)]
def ag_url_map_rule_completion_list(cmd, prefix, namespace, **kwargs): # pylint: disable=unused-argument
client = network_client_factory(cmd.cli_ctx)
try:
ag_name = namespace.application_gateway_name
except AttributeError:
ag_name = namespace.resource_name
if namespace.resource_group_name and ag_name:
ag = client.application_gateways.get(namespace.resource_group_name, ag_name)
url_map = next((x for x in ag.url_path_maps if x.name == namespace.url_path_map_name), None) # pylint: disable=no-member
return [r.name for r in url_map.path_rules]
def ag_url_map_rule_completion_list(cmd, prefix, namespace, **kwargs): # pylint: disable=unused-argument
client = network_client_factory(cmd.cli_ctx)
try:
ag_name = namespace.application_gateway_name
except AttributeError:
ag_name = namespace.resource_name
if namespace.resource_group_name and ag_name:
ag = client.application_gateways.get(namespace.resource_group_name, ag_name)
url_map = next((x for x in ag.url_path_maps if x.name == namespace.url_path_map_name), None) # pylint: disable=no-member
return [r.name for r in url_map.path_rules]
def _ensure_route_table(cli_ctx, resource_group_name, ase_name, location,
subnet_id, force):
from msrestazure.tools import parse_resource_id
subnet_id_parts = parse_resource_id(subnet_id)
vnet_resource_group = subnet_id_parts['resource_group']
vnet_name = subnet_id_parts['name']
subnet_name = subnet_id_parts['resource_name']
ase_route_table_name = ase_name + '-Route-Table'
ase_route_name = ase_name + '-route'
network_client = network_client_factory(cli_ctx)
subnet_obj = network_client.subnets.get(vnet_resource_group, vnet_name,
subnet_name)
if subnet_obj.route_table is None or force:
rt_list = network_client.route_tables.list(resource_group_name)
rt_found = False
for rt in list(rt_list):
if rt.name.lower() == ase_route_table_name.lower():
rt_found = True
break
if not rt_found:
logger.info('Ensure Route Table...')
ase_route_table = RouteTable(location=location)
poller = network_client.route_tables.create_or_update(
resource_group_name, ase_route_table_name, ase_route_table)
LongRunningOperation(cli_ctx)(poller)
logger.info('Ensure Internet Route...')
internet_route = Route(address_prefix='0.0.0.0/0',
next_hop_type='Internet')
poller = network_client.routes.create_or_update(
resource_group_name, ase_route_table_name, ase_route_name,
internet_route)
LongRunningOperation(cli_ctx)(poller)
rt = network_client.route_tables.get(resource_group_name,
ase_route_table_name)
if not subnet_obj.route_table or subnet_obj.route_table.id != rt.id:
logger.info('Associate Route Table with Subnet...')
subnet_obj.route_table = rt
poller = network_client.subnets.create_or_update(
vnet_resource_group,
vnet_name,
subnet_name,
subnet_parameters=subnet_obj)
LongRunningOperation(cli_ctx)(poller)
else:
route_table_id_parts = parse_resource_id(subnet_obj.route_table.id)
rt_name = route_table_id_parts['name']
if rt_name.lower() != ase_route_table_name.lower():
raise CLIError('Route table already exists. \
Use --ignore-route-table to use existing route table. \
Use --force-route-table to replace existing route table'
)
def completer(cmd, prefix, namespace, **kwargs): # pylint: disable=unused-argument
client = getattr(network_client_factory(cmd.cli_ctx), group)
operation = getattr(client, operation_name)
return operation(**kwargs)
def service_endpoint_completer(cmd, prefix, namespace, **kwargs): # pylint: disable=unused-argument
client = network_client_factory(cmd.cli_ctx).available_endpoint_services
location = namespace.location
return [x.name for x in client.list(location=location)]
def _ensure_network_security_group(cli_ctx, resource_group_name, ase_name,
location, subnet_id, force):
from msrestazure.tools import parse_resource_id
subnet_id_parts = parse_resource_id(subnet_id)
vnet_resource_group = subnet_id_parts['resource_group']
vnet_name = subnet_id_parts['name']
subnet_name = subnet_id_parts['resource_name']
ase_nsg_name = ase_name + '-NSG'
network_client = network_client_factory(cli_ctx)
subnet_obj = network_client.subnets.get(vnet_resource_group, vnet_name,
subnet_name)
subnet_address_prefix = subnet_obj.address_prefix
if subnet_obj.network_security_group is None or force:
nsg_list = network_client.network_security_groups.list(
resource_group_name)
nsg_found = False
for nsg in list(nsg_list):
if nsg.name.lower() == ase_nsg_name.lower():
nsg_found = True
break
if not nsg_found:
logger.info('Ensure Network Security Group...')
ase_nsg = NetworkSecurityGroup(location=location)
poller = network_client.network_security_groups.create_or_update(
resource_group_name, ase_nsg_name, ase_nsg)
LongRunningOperation(cli_ctx)(poller)
logger.info('Ensure Network Security Group Rules...')
_create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name,
'Inbound-management', 100,
'Used to manage ASE from public VIP', '*',
'Allow', 'Inbound', '*', 'AppServiceManagement',
'454-455', '*')
_create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name,
'Inbound-load-balancer-keep-alive', 105,
'Allow communication to ASE from Load Balancer',
'*', 'Allow', 'Inbound', '*', 'AzureLoadBalancer',
'16001', '*')
_create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name,
'ASE-internal-inbound', 110,
'ASE-internal-inbound', '*', 'Allow', 'Inbound',
'*', subnet_address_prefix, '*', '*')
_create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name,
'Inbound-HTTP', 120, 'Allow HTTP', '*', 'Allow',
'Inbound', '*', '*', '80', '*')
_create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name,
'Inbound-HTTPS', 130, 'Allow HTTPS', '*', 'Allow',
'Inbound', '*', '*', '443', '*')
_create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name,
'Inbound-FTP', 140, 'Allow FTP', '*', 'Allow',
'Inbound', '*', '*', '21', '*')
_create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name,
'Inbound-FTPS', 150, 'Allow FTPS', '*', 'Allow',
'Inbound', '*', '*', '990', '*')
_create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name,
'Inbound-FTP-Data', 160, 'Allow FTP Data', '*',
'Allow', 'Inbound', '*', '*', '10001-10020', '*')
_create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name,
'Inbound-Remote-Debugging', 170,
'Visual Studio remote debugging', '*', 'Allow',
'Inbound', '*', '*', '4016-4022', '*')
_create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name,
'Outbound-443', 100, 'Azure Storage blob', '*',
'Allow', 'Outbound', '*', '*', '443', '*')
_create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name,
'Outbound-DB', 110, 'Database', '*', 'Allow',
'Outbound', '*', '*', '1433', 'Sql')
_create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name,
'Outbound-DNS', 120, 'DNS', '*', 'Allow',
'Outbound', '*', '*', '53', '*')
_create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name,
'ASE-internal-outbound', 130,
'Azure Storage queue', '*', 'Allow', 'Outbound',
'*', '*', '*', subnet_address_prefix)
_create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name,
'Outbound-80', 140, 'Outbound 80', '*', 'Allow',
'Outbound', '*', '*', '80', '*')
_create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name,
'Outbound-monitor', 150, 'Azure Monitor', '*',
'Allow', 'Outbound', '*', '*', 12000, '*')
_create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name,
'Outbound-NTP', 160, 'Clock', '*', 'Allow',
'Outbound', '*', '*', '123', '*')
nsg = network_client.network_security_groups.get(
resource_group_name, ase_nsg_name)
if not subnet_obj.network_security_group or subnet_obj.network_security_group.id != nsg.id:
logger.info('Associate Network Security Group with Subnet...')
subnet_obj.network_security_group = NetworkSecurityGroup(id=nsg.id)
poller = network_client.subnets.create_or_update(
vnet_resource_group,
vnet_name,
subnet_name,
subnet_parameters=subnet_obj)
LongRunningOperation(cli_ctx)(poller)
else:
nsg_id_parts = parse_resource_id(subnet_obj.network_security_group.id)
nsg_name = nsg_id_parts['name']
if nsg_name.lower() != ase_nsg_name.lower():
raise CLIError('Network Security Group already exists. \
Use --ignore-network-security-group to use existing NSG. \
Use --force-network-security-group to replace existing NSG'
)
def service_endpoint_completer(cmd, prefix, namespace, **kwargs): # pylint: disable=unused-argument
client = network_client_factory(cmd.cli_ctx).available_endpoint_services
location = namespace.location
return [x.name for x in client.list(location=location)]
def subnet_completion_list(cmd, prefix, namespace, **kwargs): # pylint: disable=unused-argument
client = network_client_factory(cmd.cli_ctx)
if namespace.resource_group_name and namespace.virtual_network_name:
rg = namespace.resource_group_name
vnet = namespace.virtual_network_name
return [r.name for r in client.subnets.list(resource_group_name=rg, virtual_network_name=vnet)]
