#136 block floating ip on secondary ipconfig (#137)

* floating ip validation check

* check for secondary ipconfig with floating ip

* readme note

Author: mbrat2005

AzureBasicLoadBalancerUpgrade/README.md

@@ -37,6 +37,7 @@ The PowerShell module performs the following functions:
 - Basic Load Balancers with IPV6 frontend IP configurations
 - Basic Load Balancers with a Virtual Machine Scale Set backend pool member where one or more Virtual Machine Scale Set instances have ProtectFromScaleSetActions Instance Protection policies enabled
 - Migrating a Basic Load Balancer to an existing Standard Load Balancer
+- Migrating LBs with Floating IP enabled where backend pool member is a secondary IP config
 
 ## Install the 'AzureBasicLoadBalancerUpgrade' module
 

AzureBasicLoadBalancerUpgrade/module/AzureBasicLoadBalancerUpgrade/AzureBasicLoadBalancerUpgrade.psd1

@@ -12,7 +12,7 @@
     RootModule = 'AzureBasicLoadBalancerUpgrade'
 
     # Version number of this module.
-    ModuleVersion = '2.4.21'
+    ModuleVersion = '2.4.22'
 
     # Supported PSEditions
     # CompatiblePSEditions = @()
@@ -107,7 +107,7 @@
             # IconUri = ''
 
             # ReleaseNotes of this module
-            ReleaseNotes = 'Clarified downtime warning when running validation only'
+            ReleaseNotes = 'Added validation check for customers using floating IP and non-primary IP configurations.'
 
             # Prerelease string of this module
             # Prerelease = 'beta'

AzureBasicLoadBalancerUpgrade/module/AzureBasicLoadBalancerUpgrade/modules/Start-AzBasicLoadBalancerUpgrade/Start-AzBasicLoadBalancerUpgrade.psm1

@@ -18,6 +18,7 @@ Import-Module ((Split-Path $PSScriptRoot -Parent) + "\BackupResources\BackupReso
     - Basic load balancers with IPV6 frontend IP configurations
     - Basic load balancers with a VMSS backend pool member where one or more VMSS instances have ProtectFromScaleSetActions Instance Protection policies enabled
     - Migrating a Basic load balancer to an existing Standard load balancer
+    - Migrating a Basic load balancer with floating IP enabled on load balancing rules, where the backend pool members are secondary IP configurations
 
     Multi-load balancer support:
     In a situation where multiple Basic load balancers are configured with the same backend pool members (internal and external load balancers), the migration can be performed in a single operation by specifying the 

AzureBasicLoadBalancerUpgrade/module/AzureBasicLoadBalancerUpgrade/modules/ValidateScenario/ValidateScenario.psm1

@@ -225,6 +225,30 @@ Function Test-SupportedMigrationScenario {
                 log -Message "[Test-SupportedMigrationScenario] All VMSS load balancer associations are with the Basic LB(s) to be migrated." -Severity Information
             }
         }
+
+        # check if load balancing rule has floating IP enabled and associated NIC IP config is not primary. See: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-floating-ip
+        log -Message "[Test-SupportedMigrationScenario] Checking if load balancing rule has floating IP enabled and associated VMSS IP config is not primary..."
+        if ($floatingIPRules = $BasicLoadBalancer.LoadBalancingRules | Where-Object { $_.EnableFloatingIP -eq $true }) {
+            # check if floating IP rules contain non-primary IP configurations
+            ForEach ($rule in $floatingIPRules) {
+                log -message "[Test-SupportedMigrationScenario] Load balancing rule '$($rule.Name)' has floating IP enabled, checking for IP configuration which is not primary..."
+                $backendPool = $BasicLoadBalancer.BackendAddressPools | Where-Object { $_.Id -eq $rule.BackendAddressPool.Id }
+                if ($null -ne $backendPool -and $null -ne $backendPool.BackendIpConfigurations) {
+                
+                    # check if ipconfig lb backend pools contains this backend pool
+                    ForEach ($vmssNic in $basicLBVMSSs.VirtualMachineProfile.NetworkProfile.NetworkInterfaceConfigurations) {
+                        # ip config does not need to specify a .primary value unless there is more than one
+                        $isOnlyIpConfig = $vmssNic.IpConfigurations.Count -eq 1
+                        ForEach ($ipConfig in $vmssNic.IpConfigurations) {
+                            if ($ipConfig.LoadBalancerBackendAddressPools.id -contains $backendPool.id -and ($ipConfig.Primary -ne $true -and !$isOnlyIpConfig)) {
+                                $message = "[Test-SupportedMigrationScenario] Load balancing rule '$($rule.Name)' has floating IP enabled and associated IP configuration '$($ipConfig.Name)' from VMSS '$($vmssNic.Name)' is not primary. This is not supported for migration--change the IP config in the backend pool associated with the load balancing rule '$($rule.Name)' to a primary IP configuration and re-run the module. See: https://learn.microsoft.com/azure/load-balancer/load-balancer-floating-ip"
+                                log -Message $message -Severity 'Error' -terminateOnError
+                            }
+                        }
+                    }
+                }
+            }
+        }
 
         # check if any VMSS instances have instance protection enabled
         log -Message "[Test-SupportedMigrationScenario] Checking for instances in backend pool member VMSS '$($vmssIds.split('/')[-1])' with Instance Protection configured"
@@ -388,7 +412,7 @@ Function Test-SupportedMigrationScenario {
                 }
                 Else {      
                     # add VM resources to array for later validation
-                    try{
+                    try {
                         $basicLBVMs += Get-AzVM -ResourceId $nic.VirtualMachine.id -ErrorAction Stop
                     }
                     catch {
@@ -528,6 +552,28 @@ Function Test-SupportedMigrationScenario {
                 log -Message $message -Severity 'Warning'
             }
         }
+
+        # check if load balancing rule has floating IP enabled and associated NIC IP config is not primary. See: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-floating-ip
+        log -Message "[Test-SupportedMigrationScenario] Checking if load balancing rule has floating IP enabled and associated IP config is not primary..."
+        if ($floatingIPRules = $BasicLoadBalancer.LoadBalancingRules | Where-Object { $_.EnableFloatingIP -eq $true }) {
+            # check if floating IP rules contain non-primary IP configurations
+            ForEach ($rule in $floatingIPRules) {
+                log -message "[Test-SupportedMigrationScenario] Load balancing rule '$($rule.Name)' has floating IP enabled, checking for IP configuration which is not primary..."
+                $backendPool = $BasicLoadBalancer.BackendAddressPools | Where-Object { $_.Id -eq $rule.BackendAddressPool.Id }
+                if ($null -ne $backendPool -and $null -ne $backendPool.BackendIpConfigurations) {
+                    $backendIpConfigs = $backendPool.BackendIpConfigurations
+                
+                    ForEach ($nic in $basicLBVMNics) {
+                        ForEach ($ipConfig in $nic.IpConfigurations) {
+                            If ($null -ne $backendIpConfigs -and $ipConfig.Id -in $backendIpConfigs.id -and ($ipConfig.Primary -eq $false)) {
+                                $message = "[Test-SupportedMigrationScenario] Load balancing rule '$($rule.Name)' has floating IP enabled and associated IP configuration '$($ipConfig.Name)' from NIC '$($nic.Name)' is not primary. This is not supported for migration--change the IP config in the backend pool associated with the load balancing rule '$($rule.Name)' to a primary IP configuration and re-run the module. See: https://learn.microsoft.com/azure/load-balancer/load-balancer-floating-ip"
+                                log -Message $message -Severity 'Error' -terminateOnError
+                            }
+                        }
+                    }
+                }
+            }
+        }
     }
 
 
@@ -623,7 +669,7 @@ Function Test-SupportedMultiLBScenario {
     If ($multiLBConfig[0].scenario.backendType -eq 'VMSS') {
         $basicLBBackends = @()
         ForEach ($config in $multiLBConfig) {
-            $basicLBBackends += $config.BasicLoadBalancer.BackendAddressPools.BackendIpConfigurations.id | ForEach-Object {$_.split('/virtualMachines/')[0]}
+            $basicLBBackends += $config.BasicLoadBalancer.BackendAddressPools.BackendIpConfigurations.id | ForEach-Object { $_.split('/virtualMachines/')[0] }
         }
         $groupedBackends = $basicLBBackends | Sort-Object | Get-Unique
 
@@ -684,7 +730,7 @@ Function Test-SupportedMultiLBScenario {
         }
 
         # VMs must share an availability set or the backend must be a single VM with no availability set ('NO_AVAILABILITY_SET')
-        If (($VMAvailabilitySets.availabilitySetId | Sort-Object | Get-Unique).count -gt 1 -or ($VMAvailabilitySets.availabilitySetId | Where-Object {$_ -eq 'NO_AVAILABILITY_SET'}).count -gt 1) {
+        If (($VMAvailabilitySets.availabilitySetId | Sort-Object | Get-Unique).count -gt 1 -or ($VMAvailabilitySets.availabilitySetId | Where-Object { $_ -eq 'NO_AVAILABILITY_SET' }).count -gt 1) {
             log -Severity Error -Message "[Test-SupportedMultiLBScenario] The provided Basic Load Balancers do not share backend pool members (VMs are in different or no Availability Sets: '$($VMAvailabilitySets.availabilitySetId -join ',')'). Using -multiLBConfig when backend is not shared adds risk and complexity in recovery." -terminateOnError
         }
         Else {

AzureBasicLoadBalancerUpgrade/testEnvs/scenarios/043-basic-lb-floating-ip-secondary-ipconfig.bicep

@@ -0,0 +1,168 @@
+targetScope = 'subscription'
+param randomGuid string = newGuid()
+param location string
+param resourceGroupName string
+
+
+// Resource Group
+module rg '../modules/Microsoft.Resources/resourceGroups/deploy.bicep' = {
+  name: '${resourceGroupName}-${location}'
+  params: {
+    name: resourceGroupName
+    location: location
+  }
+}
+
+// vnet
+module virtualNetworks '../modules/Microsoft.Network/virtualNetworks/deploy.bicep' = {
+  name: '${uniqueString(deployment().name)}-virtualNetworks'
+  scope: resourceGroup(resourceGroupName)
+  params: {
+    // Required parameters
+    location: location
+    addressPrefixes: [
+      '10.0.0.0/16'
+    ]
+    name: 'vnet-01'
+    subnets: [
+      {
+        name: 'subnet1'
+        addressPrefix: '10.0.1.0/24'
+      }
+    ]
+  }
+  dependsOn: [
+    rg
+  ]
+}
+
+module publicIp01 '../modules/Microsoft.Network/publicIPAddresses/deploy.bicep' = {
+  name: 'pip-01'
+  params: {
+    name: 'pip-01'
+    location: location
+    publicIPAddressVersion: 'IPv4'
+    skuTier: 'Regional'
+    skuName: 'Basic'
+    publicIPAllocationMethod: 'Dynamic'
+  }
+  scope: resourceGroup(resourceGroupName)
+  dependsOn: [
+    rg
+  ]
+}
+
+// basic lb
+module loadbalancer '../modules/Microsoft.Network/loadBalancers_custom/deploy.bicep' = {
+  name: 'lb-basic01'
+  scope: resourceGroup(resourceGroupName)
+  params: {
+    name: 'lb-basic-01'
+    location: location
+    frontendIPConfigurations: [
+      {
+        name: 'fe-01'
+        publicIPAddressId: publicIp01.outputs.resourceId
+      }
+    ]
+    backendAddressPools: [
+      {
+        name: 'be-01'
+      }
+    ]
+    inboundNatRules: []
+    loadBalancerSku: 'Basic'
+    loadBalancingRules: [
+      {
+        backendAddressPoolName: 'be-01'
+        backendPort: 80
+        frontendIPConfigurationName: 'fe-01'
+        frontendPort: 80
+        idleTimeoutInMinutes: 4
+        loadDistribution: 'Default'
+        name: 'rule-01'
+        probeName: 'probe-01'
+        protocol: 'Tcp'
+        enableFloatingIp: true
+      }
+    ]
+    probes: [
+      {
+        intervalInSeconds: 5
+        name: 'probe-01'
+        numberOfProbes: 2
+        port: '80'
+        protocol: 'Tcp'
+      }
+    ]
+  }
+  dependsOn: [
+    rg
+  ]
+}
+
+
+module virtualMachineScaleSets '../modules/Microsoft.Compute/virtualMachineScaleSets/deploy.bicep' = {
+  name: 'vmss-01'
+  scope: resourceGroup(resourceGroupName)
+  params: {
+    location: location
+    // Required parameters
+    encryptionAtHost: false
+    adminUsername: 'admin-vmss'
+    skuCapacity: 1
+    upgradePolicyMode: 'Manual'
+    imageReference: {
+      offer: 'WindowsServer'
+      publisher: 'MicrosoftWindowsServer'
+      sku: '2022-Datacenter'
+      version: 'latest'
+    }
+    name: 'vmss-01'
+    osDisk: {
+      createOption: 'fromImage'
+      diskSizeGB: '128'
+      managedDisk: {
+        storageAccountType: 'Standard_LRS'
+      }
+    }
+    osType: 'Windows'
+    skuName: 'Standard_DS1_v2'
+    // Non-required parameters
+    adminPassword: '${uniqueString(randomGuid)}rpP@340'
+    nicConfigurations: [
+      {
+        ipConfigurations: [
+          {
+            name: 'ipconfig1'
+            properties: {
+              subnet: {
+                id: virtualNetworks.outputs.subnetResourceIds[0]
+              }
+              loadBalancerBackendAddressPools: [
+              ]
+              primary: true
+            }
+          }
+          {
+            name: 'ipconfig2'
+            properties: {
+              subnet: {
+                id: virtualNetworks.outputs.subnetResourceIds[0]
+              }
+              loadBalancerBackendAddressPools: [
+                {
+                  id: loadbalancer.outputs.backendpools[0].id
+                }
+              ]
+            }
+          }
+        ]
+        nicSuffix: '-nic-01'
+      }
+    ]
+  }
+  dependsOn: [
+    rg
+  ]
+}