VirtualHubs subresource Id for azure firewalls

[heyitsjla]

Hello,

i have a virtual hub deployed in a previous deployment.

Im trying to deploy an azure firewall where i need to provide the Id of the subresource for the virtual hub.

Trying to use the existing function doesnt bring me nowhere, bicep doesnt get it since im trying to point to a resource and the vhub is a subresource..so resource not found here, or with the harcoded path of the virtual hub ..im also getting MissingJsonReferenceId: Value for reference id is missing. Path properties.virtualHub.

the only way it works is if all the resources are deployed in the same template..

for the azure firewall i would provide :
virtualHubs: virtualhubs.outputs.vhubResourceId
where :
@description('The resource ID of the virtual hub.')
output vhubResourceId string = virtualHub.id
and it works

but now im using two separate deployments and im struggling a bit to formulate correctly the way the code should be done in this case ?
thanks for the help!

Jessica

[johnlokerse]

@heyitsjla,

I don't know if I understand the question correctly, but I will try to help.

Do you have two separate resource deployments? If yes, then I would suggest to combine them as you did in the when you tried to deploy your resources from the same template.

If that is not possible, then you can refer an existing child resources using the :: nested resource operator: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/operators-access#nested-resource-accessor

If this doesn't help you, then do you have some bicep code that you can show for extra context?

[heyitsjla]

Hi John, providing more details for you! sorry about that.

I have two separate deployment and ideally i want to keep it that way, because its part of my landing zone and some of the hub will be living without an azure firewall attached to them and some will have it.. i want to be able to offer to the operations the possibility to deploy it or not.

Each creation occurs through a task in my yaml file using : AzureResourceManagerTemplateDeployment@3

Bicep code : (hardcoded for testing purpose)

@description('Required. Specifies the name of the virtual hub to be attached.')
param virtualHubId string = '/subscriptions/XXXXXX/resourceGroups/arg-rt-prd-connectivity-network/providers/Microsoft.Network/virtualHubs/vhb-rt-canadacentral-prd-02'

resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-08-01' = {
name: name
location: location
//zones: length(zones) == 0 ? null : zones
tags: tags
properties: {
//threatIntelMode: threatIntelMode
firewallPolicy: empty(firewallPolicyId) ? null : {
id: firewallPolicyId
}
//ipConfigurations: ipConfigurations
sku: {
name: azureSkuName
tier: azureSkuTier
}
hubIPAddresses: {
publicIPs: {
count: 1
}
}
applicationRuleCollections: applicationRuleCollections
natRuleCollections: natRuleCollections
networkRuleCollections: networkRuleCollections
virtualHub: {
id : virtualHubId
}
}
}

======

Error = ##[error]NotFound: Resource /subscriptions/XXXXXXXXXXX/resourceGroups/ARG-RT-PRD-CONNECTIVITY-NETWORK/providers/Microsoft.Network/virtualHubs/VHB-RT-CANADACENTRAL-PRD-02 not found.
##[debug]Processed: ##vso[task.issue type=error;]NotFound: Resource /subscriptions/XXXXXXXXXXXXX/resourceGroups/ARG-RT-PRD-CONNECTIVITY-NETWORK/providers/Microsoft.Network/virtualHubs/VHB-RT-CANADACENTRAL-PRD-02 not found.

This is the right emplacement and all. It seems like the hub is declared as a property not a resource, so bicep doesn't understand how to get an ID from it and therefore cannot find it ??

What i dont understand is im doing exactly the same configuration with the expressroute gateways and it works fine.

======

@description('Required. The resource ID of the ExpressRoute connection.')
param expressRouteCircuitPeeringId string = '/subscriptions/XXXXXXXXXXXXXX/resourceGroups/arg-rt-gnet-cace-network/providers/Microsoft.Network/expressRouteCircuits/ERC-rt-prd-TEST-02/peerings/AzurePrivatePeering'

@description('Required. The resource ID of the virtual Hub.')
param virtualHubId string = '/subscriptions/XXXXXXXXXXX/resourceGroups/arg-rt-prd-connectivity-network/providers/Microsoft.Network/virtualHubs/vhb-rt-canadacentral-prd-02'

resource expressRouteGateways 'Microsoft.Network/expressRouteGateways@2022-07-01' = {
name: name
location: location
tags: tags
properties: {
autoScaleConfiguration: {
bounds: {
//max: bounds
min: bounds
}
}
expressRouteConnections: [
{
name: name
properties: {
expressRouteCircuitPeering: {
id: expressRouteCircuitPeeringId
}
}
}
]
virtualHub: {
id: virtualHubId
}
}
}

How would you use the nested resource in this case ? define in the azure firewall bicep template. Firewall being the parent and hub the child?

thanks!
Jessica

https://learn.microsoft.com/en-us/azure/templates/microsoft.network/expressroutegateways?pivots=deployment-language-bicep
https://learn.microsoft.com/en-us/azure/templates/microsoft.network/azurefirewalls?pivots=deployment-language-bicep

[johnlokerse]

I see, this helps with context, thanks :-)

Managing dependencies when using separated deployments can be a challenge, but I would do it this way:

param attachVirtualHub bool

resource virtualHub 'Microsoft.Network/virtualHubs@2023-05-01' existing = if (attachVirtualHub) {
  name: 'name'
}

resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-08-01' = {
  name: name
  location: location
  properties: {
    ... more properties here ...
    virtualHub: attachVirtualHub ? {
      id: virtualHub.id
    } : {}
  }
}

Instead of giving a parameter with the Id let the ARM engine handle retrieving Ids through the existing keyword. Keep in mind that you need to handle dependencies on the deployment pipeline. So I think it might be a dependency issue regarding the NotFound error.

If the virtualHub is in another subscription or resource group you can add a scope to it. This way you can retrieve properties from the resource cross subscription/resource group:

resource virtualHub 'Microsoft.Network/virtualHubs@2023-05-01' existing = if (attachVirtualHub) {
  name: 'name'
  scope: resourceGroup('subscription id here', 'resource group name here')
}

[heyitsjla]

very sorry i forgot to mention that i also tried using the existing function and its returning too a NOT FOUND as you can see here.

param attachVirtualHub bool = true

resource virtualHub 'Microsoft.Network/virtualHubs@2023-05-01' existing = if (attachVirtualHub) {
name: 'vhb-rt-canadacentral-prd-02'
scope: resourceGroup('XXXXXXXXXXXX', 'arg-rt-prd-connectivity-network')
}

resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-08-01' = {
name: name
location: location
//zones: length(zones) == 0 ? null : zones
tags: tags
properties: {
//threatIntelMode: threatIntelMode
firewallPolicy: empty(firewallPolicyId) ? null : {
id: firewallPolicyId
}
//ipConfigurations: ipConfigurations
sku: {
name: azureSkuName
tier: azureSkuTier
}
hubIPAddresses: {
publicIPs: {
count: 1
}
}
applicationRuleCollections: applicationRuleCollections
natRuleCollections: natRuleCollections
networkRuleCollections: networkRuleCollections
virtualHub: attachVirtualHub ? {
id: virtualHub.id
} : {}
}
}

ERROR: {"status":"Failed","error":{"code":"DeploymentFailed","target":"/subscriptions/XXXXXXXXXXXXXXXXXX/resourceGroups/arg-rt-prd-connectivity-network/providers/Microsoft.Resources/deployments/deploy","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"InvalidResourceReference","message":"Resource /subscriptions/XXXXXXXXXXXXXXXXXX/resourceGroups/ARG-RT-PRD-CONNECTIVITY-NETWORK/providers/Microsoft.Network/virtualHubs/VHB-RT-CANADACENTRAL-PRD-02 referenced by resource /subscriptions/XXXXXXXXXX/resourceGroups/arg-rt-prd-connectivity-network/providers/Microsoft.Network/azureFirewalls/testjesss was not found. Please make sure that the referenced resource exists, and that both resources are in the same region.","details":[{"code":"NotFound","message":"Resource /subscriptions/XXXXXXXXXXXXXXXXXXX/resourceGroups/ARG-RT-PRD-CONNECTIVITY-NETWORK/providers/Microsoft.Network/virtualHubs/VHB-RT-CANADACENTRAL-PRD-02 not found."}]}]}}

[heyitsjla]

This makes me realize that my approach is maybe not the right one and indeed the dependencies are for a big thing here.

Im thinking of regrouping all dependencies together in their specific bicep and define them per pattern instead of trying to do the deployment separately as iam doing now. its going to be much easier i believe.

pattern 1 : Build azure firewall, attach to hub (boolean if its present or not) all together so the dependencies are at the same place and not in a different deployment etc.

Thanks for the help by the way! very much appreciated.

[johnlokerse]

Yes, this is the way! 👍 Managing your bicep in modules and combining them in a main.bicep (everything like your firewall, hub etc. together) will make developing infrastructure easier. Also, the ARM engine will handle your dependencies instead of doing it via your pipeline.

[heyitsjla]

thanks John!! appreciate the help :)