Rename subnets. Changed NSG rules to prevent network connectivity between vnet 1 subnet 1 and vnet 1 subnet2.

Author: sivakami

.pipelines/swiftv2-long-running/scripts/create_aks.sh

@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 set -e
+trap 'echo "[ERROR] Failed during Resource group or AKS cluster creation." >&2' ERR
 
 SUBSCRIPTION_ID=$1
 LOCATION=$2

.pipelines/swiftv2-long-running/scripts/create_nsg.sh

@@ -1,63 +1,48 @@
 #!/usr/bin/env bash
 set -e
-trap 'echo "[ERROR] Failed during NSG creation." >&2' ERR
+trap 'echo "[ERROR] Failed during NSG creation or rule setup." >&2' ERR
 
 SUBSCRIPTION_ID=$1
 RG=$2
-LOCATION=${3:-centraluseuap}
+LOCATION=$3
 
 VNET_A1="cx_vnet_a1"
+SUBNET1_PREFIX="10.10.1.0/24"
+SUBNET2_PREFIX="10.10.2.0/24"
 NSG_NAME="${VNET_A1}-nsg"
 
 echo "==> Creating Network Security Group: $NSG_NAME"
 az network nsg create -g "$RG" -n "$NSG_NAME" -l "$LOCATION" --output none \
-  && echo "NSG $NSG_NAME created."
+  && echo "[OK] NSG '$NSG_NAME' created."
 
-echo "==> Adding NSG rules"
-
-# Allow SSH from any
+echo "==> Creating NSG rule to DENY traffic from Subnet1 ($SUBNET1_PREFIX) to Subnet2 ($SUBNET2_PREFIX)"
 az network nsg rule create \
   -g "$RG" \
   --nsg-name "$NSG_NAME" \
-  -n allow-ssh \
+  -n deny-subnet1-to-subnet2 \
   --priority 100 \
-  --source-address-prefixes "*" \
-  --destination-port-ranges 22 \
+  --source-address-prefixes "$SUBNET1_PREFIX" \
+  --destination-address-prefixes "$SUBNET2_PREFIX" \
   --direction Inbound \
-  --access Allow \
-  --protocol Tcp \
-  --description "Allow SSH access" \
+  --access Deny \
+  --protocol "*" \
+  --description "Deny all traffic from Subnet1 to Subnet2" \
   --output none \
-    && echo "Rule allow-ssh created."
+  && echo "[OK] Deny rule from Subnet1 → Subnet2 created."
 
-# Allow internal VNet traffic
+echo "==> Creating NSG rule to DENY traffic from Subnet2 ($SUBNET2_PREFIX) to Subnet1 ($SUBNET1_PREFIX)"
 az network nsg rule create \
   -g "$RG" \
   --nsg-name "$NSG_NAME" \
-  -n allow-vnet \
+  -n deny-subnet2-to-subnet1 \
   --priority 200 \
-  --source-address-prefixes VirtualNetwork \
-  --destination-address-prefixes VirtualNetwork \
+  --source-address-prefixes "$SUBNET2_PREFIX" \
+  --destination-address-prefixes "$SUBNET1_PREFIX" \
   --direction Inbound \
-  --access Allow \
+  --access Deny \
   --protocol "*" \
-  --description "Allow VNet internal traffic" \
-  --output none \
-    && echo "Rule allow-vnet created."
-
-# Allow AKS API traffic
-az network nsg rule create \
-  -g "$RG" \
-  --nsg-name "$NSG_NAME" \
-  -n allow-aks-controlplane \
-  --priority 300 \
-  --source-address-prefixes AzureCloud \
-  --destination-port-ranges 443 \
-  --direction Inbound \
-  --access Allow \
-  --protocol Tcp \
-  --description "Allow AKS control plane traffic" \
+  --description "Deny all traffic from Subnet2 to Subnet1" \
   --output none \
-    && echo "Rule allow-aks-controlplane created."
+  && echo "[OK] Deny rule from Subnet2 → Subnet1 created."
 
-echo "NSG '$NSG_NAME' created successfully with rules."
+echo "NSG '$NSG_NAME' created successfully with bidirectional isolation between Subnet1 and Subnet2."

.pipelines/swiftv2-long-running/scripts/create_peerings.sh

@@ -20,4 +20,4 @@ peer_two_vnets() {
 peer_two_vnets "$RG" "$VNET_A1" "$VNET_A2" "A1-to-A2" "A2-to-A1"
 peer_two_vnets "$RG" "$VNET_A2" "$VNET_A3" "A2-to-A3" "A3-to-A2"
 peer_two_vnets "$RG" "$VNET_A1" "$VNET_A3" "A1-to-A3" "A3-to-A1"
-echo "VNet peerings created successfully."
+echo "VNet peerings created successfully."

.pipelines/swiftv2-long-running/scripts/create_storage.sh

@@ -29,4 +29,4 @@ for SA in "$SA1" "$SA2"; do
   && echo "Storage account $SA created successfully."
 done
 
-echo "All storage accounts created successfully."
+echo "All storage accounts created successfully."

.pipelines/swiftv2-long-running/scripts/create_vnets.sh

@@ -35,19 +35,19 @@ az network vnet subnet create -g "$RG" --vnet-name "$VNET_A1" -n pe --address-pr
  && echo "Created $VNET_A1 with subnet pe"
 
 # A2
-az network vnet create -g "$RG" -n "$VNET_A2" --address-prefix 10.11.0.0/16 --subnet-name s-A2 --subnet-prefix "$A2_MAIN" -l "$LOCATION" --output none \
- && echo "Created $VNET_A2 with subnet s-A2"
+az network vnet create -g "$RG" -n "$VNET_A2" --address-prefix 10.11.0.0/16 --subnet-name s1 --subnet-prefix "$A2_MAIN" -l "$LOCATION" --output none \
+ && echo "Created $VNET_A2 with subnet s1"
 az network vnet subnet create -g "$RG" --vnet-name "$VNET_A2" -n pe --address-prefix "$A2_PE" --output none \
  && echo "Created $VNET_A2 with subnet pe"
 
 # A3
-az network vnet create -g "$RG" -n "$VNET_A3" --address-prefix 10.12.0.0/16 --subnet-name s-A3 --subnet-prefix "$A3_MAIN" -l "$LOCATION" --output none \
- && echo "Created $VNET_A3 with subnet s-A3"
+az network vnet create -g "$RG" -n "$VNET_A3" --address-prefix 10.12.0.0/16 --subnet-name s1 --subnet-prefix "$A3_MAIN" -l "$LOCATION" --output none \
+ && echo "Created $VNET_A3 with subnet s1"
 az network vnet subnet create -g "$RG" --vnet-name "$VNET_A3" -n pe --address-prefix "$A3_PE" --output none \
  && echo "Created $VNET_A3 with subnet pe"
 
 # B1
-az network vnet create -g "$RG" -n "$VNET_B1" --address-prefix 10.20.0.0/16 --subnet-name s-B1 --subnet-prefix "$B1_MAIN" -l "$LOCATION" --output none \
- && echo "Created $VNET_B1 with subnet s-B1"
+az network vnet create -g "$RG" -n "$VNET_B1" --address-prefix 10.20.0.0/16 --subnet-name s1 --subnet-prefix "$B1_MAIN" -l "$LOCATION" --output none \
+ && echo "Created $VNET_B1 with subnet s1"
 
 echo "All VNets and subnets created successfully."

.pipelines/swiftv2-long-running/template/long-running-pipeline-template.yaml

@@ -123,3 +123,4 @@ stages:
               arguments: >
                 ${{ parameters.subscriptionId }}
                 ${{ parameters.resourceGroupName }}
+                ${{ parameters.location }}