Add new TopLevel Resource PublicIPPrefix to CLI #6931

Closed
anilingle-ms opened this issue Jul 31, 2018 · 7 comments

@anilingle-ms

Is your feature request related to a problem? Please describe.
No, not related.

Describe the solution you'd like
Please add a new TopLevel Resource (PublicIPPrefix) to the CLI. It is optionally referenced from PublicIPAddress.

Describe alternatives you've considered
N/A

Additional context
N/A

@anavinahar

@christiankuhtz please add info for outbound rules as well so it happens all together

@yugangw-msft yugangw-msft added the Network az network vnet/lb/nic/dns/etc... label Aug 1, 2018
@tjprescott tjprescott self-assigned this Aug 6, 2018
@tjprescott tjprescott added this to the Sprint 44 milestone Aug 6, 2018
@christiankuhtz

Outbound rules are a new child resource in Standard Load Balancer which provides control over outbound network translations. Load Balancer uses port masquerading SNAT to facilitate outbound connections. https://aka.ms/lboutbound provides background on how these functions have worked up until now. Outbound rules provide explicit controls over which IP addresses are used for outbound, how SNAT ports are allocated, expose control over the outbound idle timeout, and allow TCP RSTs to be enabled on idle timeout (TCP RSTs can also now be enabled on LB rules and inbound NAT rules with the same parameter as well). This feature also has interaction with the DisableOutboundSNAT property of LB rules in Standard Load Balancer, which can enable or prevent the LB rule from programming SNAT.

The frontend of the rule is an array of frontend child resources containing public IP addresses or public IP prefixes or both.

The backend pool definition of the outbound rule is reusing the backend address pool child resource in load balancer. Customers can choose to reuse an existing pool definition or create a new pool just for use with outbound rules.

idleTimeoutInMinutes provides a configurable idle timeout for outbound SNAT connections from 4 to 66 minutes (4000 seconds).

enableTcpReset is an on/off switch for sending bidirectional TCP RST on idle timeout. It's available on outbound rules as well as load balancing rules, and inbound NAT rules.

Please let me know how we can get this rolling.

@christiankuhtz

@khannarhea fyi

@tjprescott
Member

Swagger PR: Azure/azure-rest-api-specs#3592

@yugangw-msft
Contributor

@christiankuhtz or @anavinahar, can one of you talk a bit about when the public ip prefixes would be used? A bit naive, but is that just for easier to author rules?

@christiankuhtz

Public IP prefix is a means to reserve a CIDR prefix of a specific length. The reservation of this range guarantees a sequential set of addresses. This in turn makes a number of things easier. Rather than having a random set of public IPs, customers can describe the destination or source of their traffic with a single prefix. So, if your deployment has a need for 64 IPs, you can whitelist the entire range of 64 IPs with one statement. If you didn't have the prefix as the source for public IPs, and instead have 64 individual addresses, they are very unlikely to be aggregate-able/summarized as a single prefix because they are random and not in a contiguous range. In turn, the tradeoff is a single statement or 64 statements; the latter has scaling issues for customers. It's a very clean way to create a surface area of contiguous IP address space.

Customers can then take the prefix resource and use it in two ways:

  1. Create individual public IP resources from it by referencing the prefix resource, then use those public IPs like any other public IPs.
  2. Assign the prefix directly to an outbound rule, and the outbound rule will use all IPs in the reserved range.

If (1) was started, (2) is not allowed. It's an either/or choice.

From an outbound rules perspective, one or more public ip resources, one or more prefix, or a combination of both can be assigned to outbound rules.
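As an added example (not part of this issue thread, and not Azure CLI or SDK code), the aggregation tradeoff described above worked through with Python's standard `ipaddress` module: 64 individually allocated addresses versus 64 addresses drawn from one reserved /26, measured by how many allowlist statements a downstream firewall or NSG needs, plus the resulting allowlist lookup. All sample addresses are constructed from RFC 5737 documentation ranges.

```python
import ipaddress


def allowlist_statements(addresses):
    """Minimal set of CIDR blocks exactly covering the given IPv4 addresses.
    Each block is one allowlist statement on a firewall, NSG or partner ACL."""
    hosts = [ipaddress.ip_network(a) for a in addresses]  # each address as a /32
    return [str(net) for net in ipaddress.collapse_addresses(hosts)]


def addresses_in_prefix(prefix):
    """Every address a reserved prefix can hand out (2**(32-length) of them)."""
    return [str(ip) for ip in ipaddress.ip_network(prefix)]


def is_allowed(source_ip, statements):
    """Allowlist lookup: does source_ip fall inside any permitted block?"""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(s) for s in statements)


# Constructed sample 1: 64 public IPs allocated one at a time. Every fourth
# address of 198.51.100.0/24, so no two are adjacent and nothing summarises.
SCATTERED = [f"198.51.100.{4 * i}" for i in range(64)]

# Constructed sample 2: the same number of addresses, but taken from a single
# reserved /26 prefix (64 addresses) inside 203.0.113.0/24.
PREFIX = "203.0.113.64/26"
CONTIGUOUS = addresses_in_prefix(PREFIX)


def compare():
    """Allowlist statements needed for scattered vs prefix-backed allocation."""
    return (len(allowlist_statements(SCATTERED)),
            len(allowlist_statements(CONTIGUOUS)))


if __name__ == "__main__":
    scattered, contiguous = compare()
    rules = allowlist_statements(CONTIGUOUS)
    print(f"64 individual IPs   -> {scattered} statements")
    print(f"64 IPs from {PREFIX} -> {contiguous} statement(s): {rules}")
    print("203.0.113.100 allowed:", is_allowed("203.0.113.100", rules))
    print("203.0.113.7 allowed:  ", is_allowed("203.0.113.7", rules))
```

The same collapse step applied to a real allocation shows immediately whether a deployment's egress addresses can be described to a partner as one prefix or only as a long list.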
