az network watcher flow-log configure/show does not work as expected by passing in NSG ID #7065
Comments
As far as needing to pass --subscription, that is definitely a bug. CLI 2.0 doesn't support classic resources, but I'll see if there's a quick fix to make that work.
PR merged. Will be in Ignite release.
* Bump API version * [Network] Public IP Prefix (#7081) * Initial Work * Finish command work and test. * Add help entries. * Vnet show/list table format. * [Network] Service endpoint policies (#7080) * Intial work * Finish command work and add test. * Remove policy-definition create workaround. * Code review feedback. * [Network] Load Balancer Outbound Rules (#7114) * Initial work on Outbound Rules * Progress on outbound rules. * Final work on LB outbound rules. * Add `--enable-tcp-reset` to inbound-nat-rule, inbound-nat-pool, and rule create/update commands. * Fix 2 Network Live test issues. * [IgniteNetwork] Fix issues with Network Watcher flog-log configure (#7143) * Fix #7065. Fix #7066. * Code review feedback. * [IgniteNetwork] Add `run-configuration-diagnostic` command and fix `test-connectivity` (#7165) * Add run-configuration-diagnostic command. * Add `run-configuration-diagnostic` command. Fix `test-connectivty` command because of SDK breaking change. * [IgniteNetwork] Subnet delegation (#7200) * Subnet delegation support. * Finish work and add test. * Close #7181. (#7205) * Code review comments. * Disable test recordings on IgniteNetwork branch. * Clean up static issues. * Add private WHL for draft SDK. * Fix #7146. Fix #7191. Fix #7213. (#7232) * [IgniteNetwork] DNS Alias Records (#7233) * Initial work. * Add test. * Add checks to DNS test. Add private DNS whl file. * Close #7242. (#7246) * Vnet show/list table format. * Bump API version * [Network] Public IP Prefix (#7081) * Initial Work * Finish command work and test. * Add help entries. * [Network] Service endpoint policies (#7080) * Intial work * Finish command work and add test. * Remove policy-definition create workaround. * Code review feedback. * [Network] Load Balancer Outbound Rules (#7114) * Initial work on Outbound Rules * Progress on outbound rules. * Final work on LB outbound rules. * Add `--enable-tcp-reset` to inbound-nat-rule, inbound-nat-pool, and rule create/update commands. 
* Fix 2 Network Live test issues. * [IgniteNetwork] Fix issues with Network Watcher flog-log configure (#7143) * Fix #7065. Fix #7066. * Code review feedback. * [IgniteNetwork] Add `run-configuration-diagnostic` command and fix `test-connectivity` (#7165) * Add run-configuration-diagnostic command. * Add `run-configuration-diagnostic` command. Fix `test-connectivty` command because of SDK breaking change. * [IgniteNetwork] Subnet delegation (#7200) * Subnet delegation support. * Finish work and add test. * Close #7181. (#7205) * Code review comments. * Disable test recordings on IgniteNetwork branch. * Clean up static issues. * Add private WHL for draft SDK. * Fix #7146. Fix #7191. Fix #7213. (#7232) * [IgniteNetwork] DNS Alias Records (#7233) * Initial work. * Add test. * Add checks to DNS test. Add private DNS whl file. * Close #7242. (#7246) * Record DNS tests. * Record tests 2018-08-01 * Re-enable tests. Begin re-recording. * Test re-recording. * Re-record test. * Re-record tests. * Re-record tests * Re-record tests * Re-record more tests. Unlimited tests!! * [IgniteNetwork] Read-only support for InterfaceEndpoints (#7272)
Hello @tjprescott I notice this issue has been closed since last summer, however I am still experiencing this issue currently, and passing in the subscription ID as a workaround doesn't fix it either.
$ az network watcher flow-log configure --resource-group XXX --enabled true --nsg XXX --storage-account XXX
It is true that the storage account does not exist under the resource group, as I'm using the resource group where the NSG is actually in. Even if I switch the resource group to the one where the storage account is, it still fails with the exact same error. I'm using 2.0.71 * for az-cli version currently, which is a recent version.
@myronfanqiu fyi
Is the bug still there?
As for the different provider for network, I found it's been fixed. As for the wanted behavior "all the information such as Subscription and provider should be obtained from the NSG id", it's been fixed too.
@rem-aj There is an implicit restriction in flow-log. Firstly, only one watcher can exist per subscription and region. One watcher can have many flow logs; they are in the same resource group (a default created one named "NetworkWatcherRG") and the same location. Secondly, all the related sub-resources (NSG, storage account, workspace) can be in different resource groups but are required to be in the same location as the flow log per subscription. So it doesn't matter which resource group they are in, but the region does. In the logic we implemented, we didn't count subscription in; it has no effect. The solution is to make your storage account be in the same region as the NSG. BTW, a new command is being developed
Describe the bug
By passing the NSG ID, the following command returns an error: The Resource 'Microsoft.Network/networkSecurityGroups/classicnsgWestCEUAP_wezheng' under resource group 'juzEastUS2EUAPAG' was not found
In the error returned, the resource provider is Microsoft.Network, which is different from the one, "Microsoft.ClassicNetwork", passed in. The guess is that the provider is hardcoded instead of parsed from the NSG ID the client passed in.
Btw, another potential bug is: it looks like I have to pass in the optional parameter --subscription, since I already set the required param NSG with the NSG resource ID. If I do not have the --subscription there, it gives me a "resource group not found" error
To Reproduce
1> Create a classic nsg under Azure networkwatcher team test subscription 96e68903-0a56-4819-9987-8d08ad6a1f99
2> run CTL command:
az network watcher flow-log configure --nsg /subscriptions/96e68903-0a56-4819-9987-8d08ad6a1f99/resourceGroups/juzEastUS2EUAPAG/providers/Microsoft.ClassicNetwork/networkSecurityGroups/classicnsgWestCEUAP_wezheng --subscription 96e68903-0a56-4819-9987-8d08ad6a1f99 --enabled true --storage-account /subscriptions/96e68903-0a56-4819-9987-8d08ad6a1f99/resourceGroups/FlowAnalysisTest/providers/Microsoft.Storage/storageAccounts/flowanalysistestdiag145
Expected behavior
Since I set the required parameter NSG ID, all the information such as Subscription and provider should be obtained from the NSG ID.
Environment summary
Install Method (e.g. pip, interactive script, apt-get, Docker, MSI, edge build) / CLI version (az --version) / OS version / Shell Type (e.g. bash, cmd.exe, Bash on Windows)
CLI version: 2.0
Additional context
Similar problem for network watcher flow-log show
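The two conditions raised in this thread (provider and subscription taken from the NSG ID itself, and NSG and storage account in the same region), as an added example that is not part of the issue or of azure-cli's code. The names `parse_resource_id`, `preflight` and `SAMPLE_LOCATIONS` are hypothetical, the two IDs come from the command in the issue, and the region values are constructed placeholders standing in for a real lookup.

```python
import re

# Resource-group-scoped Azure resource ID with a single-level resource type.
_RESOURCE_ID = re.compile(
    r"^/subscriptions/(?P<subscription>[^/]+)"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/(?P<namespace>[^/]+)/(?P<type>[^/]+)/(?P<name>[^/]+)$",
    re.IGNORECASE,
)

# IDs taken from the command in the issue.
NSG_ID = ("/subscriptions/96e68903-0a56-4819-9987-8d08ad6a1f99/resourceGroups/"
          "juzEastUS2EUAPAG/providers/Microsoft.ClassicNetwork/"
          "networkSecurityGroups/classicnsgWestCEUAP_wezheng")
STORAGE_ID = ("/subscriptions/96e68903-0a56-4819-9987-8d08ad6a1f99/resourceGroups/"
              "FlowAnalysisTest/providers/Microsoft.Storage/storageAccounts/"
              "flowanalysistestdiag145")
# Constructed regions (not stated in the issue); stands in for a real lookup.
SAMPLE_LOCATIONS = {NSG_ID: "region-a", STORAGE_ID: "region-b"}


def parse_resource_id(resource_id):
    """Split a resource ID into subscription, resource group, provider, type, name."""
    match = _RESOURCE_ID.match(resource_id.strip())
    if match is None:
        raise ValueError("not a full resource ID: %r" % resource_id)
    return match.groupdict()


def preflight(nsg_id, storage_id, locations):
    """Return the reasons a flow-log configure call for this pair would fail."""
    nsg = parse_resource_id(nsg_id)
    parse_resource_id(storage_id)  # reject a bare name early
    problems = []
    # The provider comes from the ID itself; classic NSGs are not supported.
    if nsg["namespace"].lower() != "microsoft.network":
        problems.append("unsupported NSG provider: " + nsg["namespace"])
    nsg_loc, sa_loc = locations.get(nsg_id), locations.get(storage_id)
    if nsg_loc is None or sa_loc is None:
        problems.append("location unknown for NSG or storage account")
    elif nsg_loc.lower() != sa_loc.lower():
        problems.append("region mismatch: NSG %s, storage %s" % (nsg_loc, sa_loc))
    return problems


if __name__ == "__main__":
    for problem in preflight(NSG_ID, STORAGE_ID, SAMPLE_LOCATIONS):
        print(problem)
```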