Azure Tales: Resource locks don't do what you may think they do
Before we start, names can be confusing, so let's make sure that we are on the same page.
By resource locks I mean the locks that lock Azure resources to prevent their modification or deletion.
Depending on what Azure client you use, you might also know them as:
"management_lock" (in the Azure Terraform provider)
"lock" (in the Azure Portal and the docs)
"ResourceLock" (in the Azure PowerShell client)
"Microsoft.Authorization/locks" (in the API data model)
Azure Tales: Private Endpoints don't care about your feelings
Recently, the team and I encountered weird networking behavior on Azure which just baffled us. We are developing a platform based on Azure's Hub & Spoke Network Topology reference architecture and are using the Azure Firewall as the central routing component to route traffic from spoke to spoke. A simplified architecture diagram would look somewhat like this:
With this networking setup, we were able to establish connectivity...
from the VM in the Hub to the VM in Spoke A
from the VM in Spoke B to both the Private Endpoint and the VM in Spoke A
from on-premises to both the Private Endpoint and the VM in Spoke A
Azure Tales: The Scale Set that cares too much about Load Balancer rules
I've seen the error CannotRemoveRuleUsedByProbeUsedByVMSS quite a few times now in my Terraform logs, but I've never come around to caring enough to actually look into it. Instead, I acknowledged that likely some dependencies are not set up right, shrugged it off and nuked and rebuilt the whole infrastructure, because that was way faster than having to dive into yet another Azure Terraform problem. It was a problem for the future. Well, the future is now.
Some background information on what we're dealing with here. We are operating a Virtual Machine Scale Set that runs a mission-critical ingress for our large-scale IT platform (we had used Azure Application Gateway before, but its limitations made us decide to build something of our own instead). In front of that Scale Set is an Azure Load Balancer, with Load Balancing rules configured for every protocol and port we have a backend service for. Updates to the list of backend services in