ARM Deployment of IPGroups fails on Update: Conflict

Christoph Distefano 101 Reputation points
2020-07-17T09:32:30.287+00:00

Hello, we are trying to update IPGroups through an ARM deployment, but this fails with "Conflict" on some of the IPGroups. All resources included in the discussion are created via DevOps pipeline and ARM templates. Unfortunately, rerunning a pipeline to upgrade IPGroups fails with a "conflict" error message on 6 of the 10 IPGroups. All 10 IPGroups are currently in use within the firewall rules.

![12767-image.png][1]

Error Messages from the Activity Log:

![12768-image.png][2]

Operation Details of one of the failed operations:

![12725-image.png][3]

We are using the latest version of the ARM template for IPGroups (2020-05-01): https://video2.skills-academy.com/en-us/azure/templates/microsoft.network/ipgroups

[1]: /api/attachments/12767-image.png?platform=QnA
[2]: /api/attachments/12768-image.png?platform=QnA
[3]: /api/attachments/12725-image.png?platform=QnA

Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.

Accepted answer
  1. Christoph Distefano 101 Reputation points
    2020-09-01T16:07:09.65+00:00

    Hello,
    sorry for the late response.
    I resolved the issue myself by changing the deployment mode on the copy loop we used within the ARM template.
    Anyway, for future reference it may help to describe the issue and solution for others.

    We deploy our IPGroups via an ARM template that takes the ipgroups as a parameter. The ARM template uses a copy loop to deploy the IP Groups to the defined Resource Group. The copy mode was not set specifically, so ARM uses parallel.
    Having only some IPGroups (like 2 to 5) was not an issue. But starting with more IPGroups, the deployment failed.

    Setting the Copy-Mode to "serial" resolved this issue.
    Now, our deployments take a lot of time, since the loop is not running in parallel anymore, but at least the pipelines don't fail anymore.
    We could start playing around with batchSize and serial-mode, but at the moment it works as is.

    The following ARM Module works for us:

    {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "ipGroups": {
                "type": "array",
                "metadata": {
                    "description": "Required. An array of IP Group objects."
                }
            },
            "location": {
                "type": "string",
                "defaultValue": "[resourceGroup().location]",
                "metadata": {
                    "description": "Optional. Location for all resources."
                }
            }
        },
        "variables": {},
        "resources": [
            {
                "apiVersion": "2020-05-01",
                "type": "Microsoft.Network/ipGroups",
                "name": "[parameters('ipGroups')[copyIndex()].name]",
                "location": "[parameters('location')]",
                "tags": "[parameters('ipGroups')[copyIndex()].tags]",
                "properties": {
                    "ipAddresses": "[parameters('ipGroups')[copyIndex()].ipAddresses]"
                },
                "copy": {
                    "name": "ipGroupLoop",
                    "count": "[length(parameters('ipGroups'))]", 
                    "mode": "serial"
                }
            }
        ],
        "outputs": {
            "ipGroupResourceId": {
                "type": "array",
                "copy": {
                    "count": "[length(parameters('ipGroups'))]",
                    "input": "[resourceId('Microsoft.Network/ipGroups', parameters('ipGroups')[copyIndex()].name)]"
                }
            }
        }
    }
    
    1 person found this answer helpful.
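
Added example (not part of the original answer and not Microsoft tooling): a pre-deployment check that reads an ARM template and reports how each Microsoft.Network/ipGroups copy loop will be scheduled, flagging loops left in the default parallel mode that the accepted answer moved away from. The extraLoop resource and its extraGroups parameter are constructed for illustration, and treating a serial loop without batchSize as one instance at a time is an assumption.

```python
import json
import math

# Constructed sample: the copy element from the answer, plus a hypothetical
# second loop that leaves "mode" unset (Resource Manager then uses parallel).
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Network/ipGroups", "apiVersion": "2020-05-01",
     "name": "[parameters('ipGroups')[copyIndex()].name]",
     "copy": {"name": "ipGroupLoop",
              "count": "[length(parameters('ipGroups'))]", "mode": "serial"}},
    {"type": "Microsoft.Network/ipGroups", "apiVersion": "2020-05-01",
     "name": "[parameters('extraGroups')[copyIndex()].name]",
     "copy": {"name": "extraLoop",
              "count": "[length(parameters('extraGroups'))]"}}
  ]
}
""")


def audit_ipgroup_loops(template, instances):
    """Report how each ipGroups copy loop will be scheduled.

    instances: number of IP Groups the pipeline passes in. The copy count is
    a template expression, so it cannot be read from the file itself.
    """
    findings = []
    for res in template.get("resources", []):
        copy = res.get("copy")
        if res.get("type", "").lower() != "microsoft.network/ipgroups" or not copy:
            continue
        mode = str(copy.get("mode", "parallel")).lower()  # unset means parallel
        if mode == "serial":
            # Assumption: a serial loop without batchSize runs one at a time.
            batch = max(1, int(copy.get("batchSize", 1)))
            batches = math.ceil(instances / batch)
        else:
            batch, batches = instances, 1
        findings.append({
            "loop": copy.get("name"),
            "mode": mode,
            "concurrent_writes": min(batch, instances),
            "sequential_batches": batches,
            "flag": mode != "serial",  # the setting the answer had to change
        })
    return findings
```

Run it in the pipeline before the deployment step with the length of the ipGroups parameter as `instances`; a larger batchSize on a serial loop shows up as fewer sequential batches and more concurrent writes.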

1 additional answer

  1. suvasara-MSFT 10,026 Reputation points
    2020-07-22T06:39:18.243+00:00

    Hello,

    Apologies for the delayed response. In case of deleting an IPGroup which is still in use in a rule, the operation will be skipped due to its state and results in a conflict error. But in your case it is updating an IPGroup, which should not have any issue, like the other rules which went on with successful deployment.
    I would suggest you upgrade the rule manually and check if you have any issues:

    az network ip-group update --name
                               --resource-group
                               [--add]
                               [--force-string]
                               [--ip-addresses]
                               [--remove]
                               [--set]
                               [--tags]
    

    If it gets updated without any errors, then there is a need to look into the template.


    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
