* bicep bumps

* ui

* overlay not preview

* deploy logic glitch

* purge rest of NatGateway mentions

* nice meta

* deployment name issue
Gordon Byers 2023-06-30 08:53:48 +01:00 коммит произвёл GitHub
Родитель 7595d0db2e
Коммит 5e360b521d
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
12 изменённых файлов: 31 добавлений и 39 удалений

2
.github/workflows/AKSC_Deploy.yml поставляемый

@ -10,7 +10,7 @@ on:
templateVersion:
description: 'Template Version'
required: false
default: '0.9.13b'
default: '0.10.0-preview'
type: string
rg:
description: 'Resource Group name'

2
.github/workflows/StandardCI.yml поставляемый

@ -31,7 +31,7 @@ on:
- cron: "0 23 * * 2"
env:
RG: "AksBicepAcc-Ci-BasicCluster" #The resource group we're deploying to.
ParamFilePath: "https://raw.githubusercontent.com/Azure/AKS-Construction/main/.github/workflows_dep/AksDeploy-Basic.parameters.json" # ".github/workflows_dep/AksDeploy-Basic.parameters.json" #Path to parameter file
ParamFilePath: "https://raw.githubusercontent.com/Azure/AKS-Construction/0.10.0-preview/.github/workflows_dep/AksDeploy-Basic.parameters.json" # ".github/workflows_dep/AksDeploy-Basic.parameters.json" #Path to parameter file
RESNAME: "AksStan" #Used in Azure Resource Naming, overrides the default in the parameter file
DEPNAME: "Dep${{ github.run_number }}" #Deployment Name
AZCLIVERSION: 2.43.0 #Pinning to a specific AZ CLI version
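Review bot: `ParamFilePath` still resolves the CI parameter file from a named ref on raw.githubusercontent.com (`0.10.0-preview` alongside `main` in this hunk), so a run deploys with whatever that ref points to when the job starts rather than with the commit under test. If the ref is a branch or a movable tag, a later push changes what this deployment job applies without any change to the workflow file. The trailing comment on the same line already shows the repo-relative path; using it after checkout, `ParamFilePath: ".github/workflows_dep/AksDeploy-Basic.parameters.json"`, or putting a full commit SHA in the URL, would tie the parameters to reviewed content. The `env:` block continues outside the hunk, so how the path is consumed is not visible here.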


@ -39,7 +39,7 @@
"value": "Standard"
},
"aksOutboundTrafficType" : {
"value": "managedNATGateway"
"value": "natGateway"
}
}
}


@ -93,7 +93,7 @@
"value": true
},
"aksOutboundTrafficType" : {
"value": "userAssignedNATGateway"
"value": "natGateway"
},
"createNatGateway" : {
"value": true


@ -9,7 +9,7 @@
"value": "Standard_DS3_v2"
},
"aksOutboundTrafficType" : {
"value": "managedNATGateway"
"value": "natGateway"
},
"natGwIpCount" : {
"value": 3


@ -1059,8 +1059,7 @@ param AutoscaleProfile object = {
@allowed([
'loadBalancer'
'managedNATGateway'
'userAssignedNATGateway'
'natGateway'
'userDefinedRouting'
])
@description('Outbound traffic type for the egress traffic of your cluster')
@ -1121,6 +1120,9 @@ var serviceMeshProfileObj = {
mode: 'Istio'
}
@description('This resolves the friendly natGateway to the actual outbound traffic type value used by AKS')
var outboundTrafficType = aksOutboundTrafficType=='natGateway' ? ( custom_vnet ? 'userAssignedNATGateway' : 'managedNATGateway' ) : aksOutboundTrafficType
@description('System Pool presets are derived from the recommended system pool specs')
var systemPoolPresets = {
CostOptimised : {
@ -1291,7 +1293,7 @@ var aksProperties = union({
serviceCidr: serviceCidr
dnsServiceIP: dnsServiceIP
dockerBridgeCidr: dockerBridgeCidr
outboundType: aksOutboundTrafficType
outboundType: outboundTrafficType
ebpfDataplane: networkPlugin=='azure' ? ebpfDataplane : ''
}
disableLocalAccounts: AksDisableLocalAccounts && enable_aad
@ -1326,14 +1328,14 @@ var aksProperties = union({
restrictionLevel: restrictionLevelNodeResourceGroup
}
},
aksOutboundTrafficType == 'managedNATGateway' ? managedNATGatewayProfile : {},
outboundTrafficType == 'managedNATGateway' ? managedNATGatewayProfile : {},
defenderForContainers && createLaw ? azureDefenderSecurityProfile : {},
keyVaultKmsCreateAndPrereqs || !empty(keyVaultKmsByoKeyId) ? azureKeyVaultKms : {},
!empty(managedNodeResourceGroup) ? { nodeResourceGroup: managedNodeResourceGroup} : {},
!empty(serviceMeshProfile) ? { serviceMeshProfile: serviceMeshProfileObj } : {}
)
resource aks 'Microsoft.ContainerService/managedClusters@2023-03-02-preview' = {
resource aks 'Microsoft.ContainerService/managedClusters@2023-04-01' = {
name: 'aks-${resourceName}'
location: location
properties: aksProperties
@ -1373,7 +1375,7 @@ param osSKU string = 'Ubuntu'
var poolName = osType == 'Linux' ? nodePoolName : take(nodePoolName, 6)
module userNodePool '../bicep/aksagentpool.bicep' = if (!JustUseSystemPool){
name: 'userNodePool'
name: take('${deployment().name}-userNodePool',64)
params: {
AksName: aks.name
PoolName: poolName
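Review bot: A bring-your-own subnet deployment may resolve to `managedNATGateway` here, because the new `outboundTrafficType` variable takes the `userAssignedNATGateway` branch only when `custom_vnet` is true, and `custom_vnet` is defined outside the visible hunks. The PortalNav section of this commit also drops the UI rule that rejected a managed NAT gateway outside default networking, so nothing visible stops that combination before AKS itself does. If `custom_vnet` does not cover the bring-your-own case, the condition should be extended so that case also selects `userAssignedNATGateway`. Separately, removing `'managedNATGateway'` and `'userAssignedNATGateway'` from `@allowed` makes existing parameter files that pass those values fail validation, even though the new ternary would pass them through unchanged; keeping them in the list would stay backward compatible. I would also add a comment above the variable, for example `// egress type is derived from the VNet mode; check the resolved value when reviewing egress controls`.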


@ -393,7 +393,7 @@ resource bastionHost 'Microsoft.Network/bastionHosts@2022-11-01' = if(bastion) {
}
}
resource log 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = if(networkSecurityGroups && !empty(workspaceName)) {
resource log 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = if(networkSecurityGroups && !empty(workspaceName)) {
name: workspaceName
scope: resourceGroup(workspaceResourceGroupName)
}
@ -520,7 +520,7 @@ resource natGw 'Microsoft.Network/natGateways@2021-08-01' = if(natGateway) {
sku: {
name: 'Standard'
}
zones: !empty(availabilityZones) ? availabilityZones : []
zones: !empty(availabilityZones) ? first(availabilityZones) : []
properties: {
publicIpAddresses: [for i in range(0, natGatewayPublicIps): {
id: natGwIp[i].id
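Review bot: `first(availabilityZones)` returns a single element rather than an array, so the two branches of the `zones:` ternary on the `natGw` resource now have different types (one element versus `[]`), where the other form of the line passes the whole array. If the intent is to pin the NAT gateway to one zone, keep the value an array: `zones: !empty(availabilityZones) ? [first(availabilityZones)] : []`, or use `take(availabilityZones, 1)`. The page has lost its +/- markers, so this assumes the `first(...)` line is the new side. The `natGw` resource body continues past the end of the hunk.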


@ -14,7 +14,7 @@ test('managed-natgw-option-is-now-the-prod-default', async ({ page }) => {
//Check default value
const dropdown = await page.waitForSelector('[data-testid="net-aksEgressType"]')
await expect(dropdown).toBeVisible()
await expect(dropdown).toMatchText('Assigned NAT Gateway')
await expect(dropdown).toMatchText('NAT Gateway')
// Click the 1st Tab in the portal Navigation Pivot (network)
await page.click('[data-testid="portalnav-Pivot"] > button:nth-child(1)');
@ -23,6 +23,6 @@ test('managed-natgw-option-is-now-the-prod-default', async ({ page }) => {
await page.waitForSelector('[data-testid="deploy-deploycmd"]')
const clitextbox = await page.$('[data-testid="deploy-deploycmd"]')
await expect(clitextbox).toBeVisible()
await expect(clitextbox).toContainText('aksOutboundTrafficType=userAssignedNATGateway')
await expect(clitextbox).toContainText('aksOutboundTrafficType=natGateway')
});


@ -86,6 +86,9 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray,
...(addons.azurepolicy !== "none" && { azurepolicy: addons.azurepolicy }),
...(addons.azurepolicy !== "none" && addons.azurePolicyInitiative !== defaults.addons.azurePolicyInitiative && { azurePolicyInitiative: addons.azurePolicyInitiative }),
...(net.networkPlugin !== defaults.net.networkPlugin && {networkPlugin: net.networkPlugin}),
...(net.networkPlugin === 'azure' && {
...(net.networkPluginMode && {networkPluginMode: 'Overlay'}),
}),
...(net.vnet_opt === "custom" && net.networkPlugin === 'kubenet' && defaults.net.podCidr !== net.podCidr && { podCidr: net.podCidr }),
...((net.vnet_opt === "custom" || net.vnet_opt === "byo") && defaults.net.cniDynamicIpAllocation !== net.cniDynamicIpAllocation && { cniDynamicIpAllocation: true }),
...(net.vnet_opt === "custom" && net.cniDynamicIpAllocation && defaults.net.podCidr !== net.podCidr && { podCidr: net.podCidr }),
@ -109,9 +112,7 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray,
...(addons.appgwKVIntegration && addons.csisecret === 'akvNew' && { appgwKVIntegration: true })
})
}),
...(net.vnet_opt !== "default" && {
...(net.aksOutboundTrafficType !== defaults.net.aksOutboundTrafficType && {aksOutboundTrafficType: net.aksOutboundTrafficType})
}),
...(net.aksOutboundTrafficType !== defaults.net.aksOutboundTrafficType && {aksOutboundTrafficType: net.aksOutboundTrafficType}),
...(cluster.keyVaultKms !== defaults.cluster.keyVaultKms && {
...(cluster.keyVaultKms === "public" && {keyVaultKmsCreate: true, keyVaultKmsOfficerRolePrincipalId: "$(az ad signed-in-user show --query id --out tsv)"}),
...(cluster.keyVaultKms === "byoprivate" && cluster.keyVaultKmsByoKeyId !== '' && cluster.keyVaultKmsByoRG !== '' && {keyVaultKmsByoKeyId: cluster.keyVaultKmsByoKeyId, keyVaultKmsByoRG: cluster.keyVaultKmsByoRG}),
@ -134,12 +135,12 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray,
const preview_params = {
...(addons.registry === "Premium" && addons.acrUntaggedRetentionPolicyEnabled !== defaults.addons.acrUntaggedRetentionPolicyEnabled && { acrUntaggedRetentionPolicyEnabled: addons.acrUntaggedRetentionPolicyEnabled}),
...(addons.registry === "Premium" && addons.acrUntaggedRetentionPolicyEnabled && addons.acrUntaggedRetentionPolicy !== defaults.addons.acrUntaggedRetentionPolicy && { acrUntaggedRetentionPolicy: addons.acrUntaggedRetentionPolicy}),
...(net.vnet_opt === "default" && net.aksOutboundTrafficType === 'managedNATGateway' && {
...(net.vnet_opt === "default" && net.aksOutboundTrafficType === 'natGateway' && {
...(net.aksOutboundTrafficType !== defaults.net.aksOutboundTrafficType && {aksOutboundTrafficType: net.aksOutboundTrafficType}),
...(net.natGwIpCount !== defaults.net.natGwIpCount && {natGwIpCount: net.natGwIpCount}),
...(net.natGwIdleTimeout !== defaults.net.natGwIdleTimeout && {natGwIdleTimeout: net.natGwIdleTimeout})
}),
...(net.vnet_opt === "custom" && net.aksOutboundTrafficType === 'userAssignedNATGateway' && {
...(net.vnet_opt === "custom" && net.aksOutboundTrafficType === 'natGateway' && {
...({createNatGateway: true}),
...(net.aksOutboundTrafficType !== defaults.net.aksOutboundTrafficType && {aksOutboundTrafficType: net.aksOutboundTrafficType}),
...(net.natGwIpCount !== defaults.net.natGwIpCount && {natGwIpCount: net.natGwIpCount}),
@ -158,7 +159,6 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray,
...(defaults.addons.blobCSIDriver !== addons.blobCSIDriver && {blobCSIDriver: addons.blobCSIDriver }),
...(defaults.addons.workloadIdentity !== addons.workloadIdentity && {oidcIssuer: true, workloadIdentity: addons.workloadIdentity }),
...(net.networkPlugin === 'azure' && {
...(net.networkPluginMode && {networkPluginMode: 'Overlay'}),
...(net.ebpfDataplane && {ebpfDataplane: 'cilium'})
}),
...(urlParams.getAll('feature').includes('defender') && cluster.DefenderForContainers !== defaults.cluster.DefenderForContainers && { DefenderForContainers: cluster.DefenderForContainers }),
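Review bot: `aksOutboundTrafficType` is now emitted from two places: the spread that no longer sits behind `net.vnet_opt !== "default"`, and the unchanged spreads inside both `natGateway` branches of `preview_params`. The value is the same in each today, so the `preview_params` copies are redundant, and because the merge of the two objects is outside the visible hunks a later edit to one copy could silently diverge from the other. I would drop the copies in `preview_params` and leave only `createNatGateway`, `natGwIpCount` and `natGwIdleTimeout` there. For the relocated `networkPluginMode` entry, a one-line comment such as `// Overlay is no longer a preview feature, so it is emitted with the standard params` would record why it moved.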


@ -92,20 +92,13 @@ export default function NetworkTab ({ defaults, tabValues, updateFn, invalidArra
label="Implement Dynamic Allocation of IPs" />
</Stack.Item>
<Stack.Item>
<MessageBar messageBarType={MessageBarType.info}>Overlay is a <a target="_new" href="https://learn.microsoft.com/en-us/azure/aks/azure-cni-overlay#steps-to-set-up-overlay-clusters">preview feature</a> that leverages a private CIDR for Pod IP's. See if it's right for you:<a target="_new" href="https://learn.microsoft.com/en-us/azure/aks/azure-cni-overlay">docs</a> </MessageBar>
<MessageBar messageBarType={MessageBarType.info}>Overlay is a feature that leverages a private CIDR for Pod IP's. See if it's right for you:<a target="_new" href="https://learn.microsoft.com/azure/aks/azure-cni-overlay">docs</a> </MessageBar>
<Checkbox
styles={{ root: { marginLeft: '50px', marginTop: '10px !important' } }}
disabled={net.networkPlugin!=='azure' || net.cniDynamicIpAllocation}
checked={net.networkPluginMode}
onChange={(ev, v) => UpdateCniOverlay(v)}
label="CNI Overlay Network" />
{
net.networkPluginMode &&
(
<PreviewDialog previewLink={"https://learn.microsoft.com/en-us/azure/aks/azure-cni-overlay#steps-to-set-up-overlay-clusters"} />
)
}
</Stack.Item>
<Stack.Item>
<MessageBar messageBarType={MessageBarType.info}>Powered by Cilium is a <a target="_new" href="https://learn.microsoft.com/en-us/azure/aks/azure-cni-powered-by-cilium#prerequisites">preview feature</a> that leverages more efficient use of the linux kernel and other networking features.</MessageBar>
@ -172,6 +165,9 @@ export default function NetworkTab ({ defaults, tabValues, updateFn, invalidArra
<Stack horizontal tokens={{ childrenGap: 50 }}>
<Stack.Item>
<MessageBar messageBarType={MessageBarType.info}>NAT Gateway allows more traffic flows than a Load Balancer.<a target="_target" href="https://docs.microsoft.com/azure/aks/nat-gateway">docs</a></MessageBar>
{cluster.availabilityZones === "yes" &&
<MessageBar messageBarType={MessageBarType.warning}>NAT Gateways are not a Zone Redundant resource</MessageBar>
}
{net.aksOutboundTrafficType==='userDefinedRouting' && net.vnet_opt === 'byo' &&
<MessageBar styles={{ root: { width:'400px', marginTop: '10px !important'}}} messageBarType={MessageBarType.warning}>Ensure that the AKS Subnet is configured with a UDR and that your Virtual Network Appliance is <Link href="https://learn.microsoft.com/azure/aks/limit-egress-traffic">properly configured</Link> to allow necessary traffic</MessageBar>
}
@ -185,8 +181,7 @@ export default function NetworkTab ({ defaults, tabValues, updateFn, invalidArra
data-testid="net-aksEgressType"
options={[
{ key: 'loadBalancer', text: 'Load Balancer' },
{ key: 'managedNATGateway', text: 'Managed NAT Gateway' },
{ key: 'userAssignedNATGateway', text: 'Assigned NAT Gateway'},
{ key: 'natGateway', text: 'NAT Gateway' },
{ key: 'userDefinedRouting', text: 'User Defined Routing'}
]}
onChange={(ev, { key }) => updateFn("aksOutboundTrafficType", key)}
@ -195,7 +190,7 @@ export default function NetworkTab ({ defaults, tabValues, updateFn, invalidArra
<Stack.Item>
<Checkbox //simple "read-only" checkbox that derives its values from other settings
styles={{ root: { marginBottom: '10px' }}}
checked={net.vnet_opt === 'custom' && net.aksOutboundTrafficType === 'userAssignedNATGateway'}
checked={net.vnet_opt === 'custom' && net.aksOutboundTrafficType === 'natGateway'}
disabled={true}
label="Create NAT Gateway for AKS Subnet (Custom VNet Only)"
/>
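Review bot: The rewritten Overlay `MessageBar` keeps `<a target="_new" ...>` without a `rel` attribute; browsers imply `noopener` only for `_blank`, so a named target such as `_new` (and `_target` on the NAT Gateway docs link in the next hunk) leaves `window.opener` available to the opened page. The destinations are Microsoft docs pages, so the exposure is small, but `target="_blank" rel="noopener noreferrer"` is the safer habit and is what JSX linters check for. Separately, the new zone warning renders whenever `cluster.availabilityZones === "yes"`, whatever egress type is selected; gating it with `net.aksOutboundTrafficType === 'natGateway'` would keep it from appearing for Load Balancer or User Defined Routing clusters.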


@ -394,13 +394,8 @@ export default function PortalNav({ config }) {
:'Ensure to select Azure Firewall when using Custom Networking and User Defined Routing for Outbound Traffic Type')
invalidFn('net', 'aksOutboundTrafficType',
(net.aksOutboundTrafficType === 'managedNATGateway' && net.vnet_opt !== "default") ||
(net.aksOutboundTrafficType === 'userAssignedNATGateway' && net.vnet_opt === "default") ||
(net.aksOutboundTrafficType === 'userDefinedRouting' && net.vnet_opt === "default"),
net.aksOutboundTrafficType === 'userDefinedRouting' ?
'When using User Defined Routing, only custom and Bring your Own networking is supported.'
:
'When using Managed Nat Gateway, only default networking is supported. For other networking options, use Assigned NAT Gateway')
'When using User Defined Routing, only custom and Bring your Own networking is supported.')
invalidFn('net', 'serviceCidr', net.vnet_opt === "custom" && !isCidrValid(net.serviceCidr), invalidCidrMessage)
invalidFn('net', 'podCidr', !isCidrValid(net.podCidr), invalidCidrMessage)
invalidFn('net', 'dnsServiceIP', !isIPValid(net.dnsServiceIP), 'Enter a valid IP')


@ -463,7 +463,7 @@
},
"net": {
"createNatGateway": true,
"aksOutboundTrafficType": "userAssignedNATGateway"
"aksOutboundTrafficType": "natGateway"
}
}
}