Update concepts-network-fabric-optionA-optionB.md

jmmason70 · web-flow · commit d3df289373f2 · 2025-02-11T13:51:11.000-05:00
diff --git a/articles/operator-nexus/concepts-network-fabric-optionA-optionB.md b/articles/operator-nexus/concepts-network-fabric-optionA-optionB.md
@@ -5,11 +5,10 @@ author: jmmason70
 ms.author: jeffreymason
 ms.service: azure-operator-nexus
 ms.topic: concept-article
-ms.date: 02/07/2025
+ms.date: 02/11/2025
 ---
 
 # Network Fabric OptionA and OptionB 
-***DRAFT***
 
 BGP (Border Gateway Protocol) is a protocol used on the internet between routers to allow traffic to be routed between Autonomous Systems (AS). Autonomous Systems use BGP to advertise to their peers which IPs they can route to and which AS(S) they'll go through to get there. For example, an ISP (Internet Service Provider) advertises traffic to enter their network via their ingress points. They will then advertise they know how to route to the public IPs on their network, without them having to share how they do that routing internally.
  
@@ -24,68 +23,125 @@ Option B: This option is more complex but supports IPv4, IPv6, and multicast in
 For more information on Multi-Autonomous Systems, see section 10 of [RFC 4364](https://www.ietf.org/rfc/rfc4364.txt).
 
 
-***Access Control Lists (ACLs)*** \
-ACLs (Permit & Deny) at an NNI (Network-to-Network Interface) Level protect SSH access on a Management VPN. Network Access control lists can be applied before provisioning Network Fabric. This limitation is temporary and will be removed in future release.
-Ingress and Egress ACLs are created before creation of NNI resources and referenced into NNI payload. When NNI resources are created, it also creates referenced ingress and egress ACLs. This activity needs to be performed before provisioning the Network Fabric.
+## Create a Network Fabric 
 
 The following steps (with examples) are used in creating and provisioning a Nexus Network Fabric.
 
 1. Create Fabric
    
-Create a Network Fabric with option A Properties
+   **Create a Network Fabric with option A Properties**
 
-````
-az networkfabric fabric create --resource-group "<NFResourceGroup>" --location "<Location>" --resource-name "<NFname>" --nf-sku "NFSKU" --fabric-version "x.x.x" --nfc-id "/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkFabricControllers/example-NFC" --fabric-asn 20 --ipv4-prefix "x.x.x.x/19" --rack-count 2 --server-count-per-rack 5 --ts-config "{primaryIpv4Prefix:'x.x.0.0/30',secondaryIpv4Prefix:'x.x.x.x/30',username:'****',password:'*****',serialNumber:1234}" --managed-network-config "{infrastructureVpnConfiguration:{networkToNetworkInterconnectId:'/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkFabrics/example-fabric/networkToNetworkInterconnects/example-nni',peeringOption:OptionA,optionAProperties:{bfdConfiguration:{multiplier:5,intervalInMilliSeconds:300},mtu:1500,vlanId:520,peerASN:65133,primaryIpv4Prefix:'x.x.x.x/31',secondaryIpv4Prefix:'x.x.x.x/31'}},workloadVpnConfiguration:{networkToNetworkInterconnectId:'/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkFabrics/example-fabric/networkToNetworkInterconnects/example-nni',peeringOption:OptionA,optionAProperties:{bfdConfiguration:{multiplier:5,intervalInMilliSeconds:300},mtu:1500,vlanId:520,peerASN:65133,primaryIpv4Prefix:'x.x.x.x/31',secondaryIpv4Prefix:'x.x.x.x/31',primaryIpv6Prefix:'3FFE:FFFF:0:CD30::a0/127',secondaryIpv6Prefix:'3FFE:FFFF:0:CD30::a0/127'}}}"
-````
+   ```azurecli
+   
+   az networkfabric fabric create \ 
+   --resource-group "<NFResourceGroup>" 
+   --location "<Location>" \
+   --resource-name "<NFName>" \
+   --nf-sku "<NFSKU>" \
+   --fabric-version "x.x.x" \
+   --nfc-id "/subscriptions/<subscription_id>/resourceGroups/<NFResourceGroup>/providers/Microsoft.ManagedNetworkFabric/networkFabricControllers/<NFCName>" \
+   --fabric-asn 65048 \
+   --ipv4-prefix x.x.x.x/19 \
+   --rack-count 4 \
+   --server-count-per-rack 8 \
+   --ts-config "{primaryIpv4Prefix:'x.x.0.0/30',secondaryIpv4Prefix:'x.x.x.x/30',username:'****',password:'*****',serialNumber:<TS_SN>}" \
+   --managed-network-config "{infrastructureVpnConfiguration:{networkToNetworkInterconnectId:'/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkFabrics/example-fabric/networkToNetworkInterconnects/example-nni',peeringOption:OptionA,optionAProperties:{bfdConfiguration:{multiplier:5,intervalInMilliSeconds:300},mtu:1500,vlanId:520,peerASN:65133,primaryIpv4Prefix:'x.x.x.x/31',secondaryIpv4Prefix:'x.x.x.x/31'}},workloadVpnConfiguration:{networkToNetworkInterconnectId:'/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkFabrics/example-fabric/networkToNetworkInterconnects/example-nni',peeringOption:OptionA,optionAProperties:{bfdConfiguration:{multiplier:5,intervalInMilliSeconds:300},mtu:1500,vlanId:520,peerASN:65133,primaryIpv4Prefix:'x.x.x.x/31',secondaryIpv4Prefix:'x.x.x.x/31',primaryIpv6Prefix:'3FFE:FFFF:0:CD30::a0/127',secondaryIpv6Prefix:'3FFE:FFFF:0:CD30::a0/127'}}}" --debug --no-wait
+   
+   ```
+   > [!Note]
+   > * if it's a four racks set up then the rack count would be 4 
+   > * if it's an eight rack set up then the rack count would be 8
 
 
-Create a Network Fabric with option B Properties
+   **Create a Network Fabric with option B Properties**
+
+   ```azurecli
+   
+   az networkfabric fabric create \ 
+   --resource-group "<NFResourceGroup>" 
+   --location "<Location>" \
+   --resource-name "<NFName>" \
+   --nf-sku "<NFSKU>" \
+   --fabric-version "x.x.x" \
+   --nfc-id "/subscriptions/<subscription_id>/resourceGroups/<NFResourceGroup>/providers/Microsoft.ManagedNetworkFabric/networkFabricControllers/<NFCName>" \
+   --fabric-asn 65048 \
+   --ipv4-prefix "x.x.x.x/19" \
+   --ipv6-prefix "fd02:0000:7748:0140::/59" \
+   --rack-count 8 \
+   --server-count-per-rack 16 \
+   --ts-config '{"primaryIpv4Prefix": "x.x.x.x/30", "secondaryIpv4Prefix": "x.x.x.x/30", "username": "'$TS_USER'", "password": "'$TS_PASSWORD'", "serialNumber": "<TS_SN>",    "primaryIpv6Prefix": "fd00:0:7748:016e::/64", "secondaryIpv6Prefix": "fd00:0:7748:016f::/64"}' \
+   --managed-network-config '{"infrastructureVpnConfiguration": {"peeringOption": "OptionB", "optionBProperties": {"routeTargets": {"exportIpv4RouteTargets": ["13979:2928504", "13979:106948"], "exportIpv6RouteTargets": ["13979:2928504", "13979:106948"], "importIpv4RouteTargets": ["13979:2928504", "13979:106947"], "importIpv6RouteTargets": ["13979:2928504", "13979:106947"]}}}, "workloadVpnConfiguration": {"peeringOption": "OptionB", "optionBProperties": {"routeTargets": {"exportIpv4RouteTargets": ["13979:2928516"], "exportIpv6RouteTargets": ["13979:2928516"], "importIpv4RouteTargets": ["13979:2928516"], "importIpv6RouteTargets": ["13979:2928516"]}}}}' --debug --no-wait
+   
+   ```
+   > [!Note]
+   > * if it's a four racks set up then the rack count would be 4 
+   > * if it's an eight rack set up then the rack count would be 8
 
-````
-az networkfabric fabric create --resource-group "<NFResourceGroup>" --location "<Location>" --resource-name "<NFname>" --nf-sku "NFSKU" --fabric-version "x.x.x" --nfc-id "/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkFabricControllers/example-NFC" --fabric-asn 20 --ipv4-prefix x.x.x.x/19 --rack-count 2 --server-count-per-rack 5 --ts-config "{primaryIpv4Prefix:'x.x.x.x/30',secondaryIpv4Prefix:'x.x.x.x/30',username:'****',password:'*****',serialNumber:'1234'}"
---managed-network-config "{infrastructureVpnConfiguration:{networkToNetworkInterconnectId:'/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkFabrics/example-fabric/networkToNetworkInterconnects/example-nni',peeringOption:OptionB,optionBProperties:{routeTargets:{exportIpv4RouteTargets:['65046:10039'],exportIpv6RouteTargets:['65046:10039'],importIpv4RouteTargets:['65046:10039'],importIpv6RouteTargets:['65046:10039']}}},
-workloadVpnConfiguration:{networkToNetworkInterconnectId:'/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkFabrics/example-fabric/networkToNetworkInterconnects/example-nni',peeringOption:OptionB,optionBProperties:{routeTargets:{exportIpv4RouteTargets:['65046:10039'],exportIpv6RouteTargets:['65046:10039'],importIpv4RouteTargets:['65046:10039'],importIpv6RouteTargets:['65046:10039']}}}}"
-````
 
 2.  Create NNI ingress and egress ACLs
 
-Create ingress ACL
-
-````
-az networkfabric acl create --resource-group "<NFResourceGroup>" \
---location "<Location>"  \
---resource-name "<example-Ipv4ingressACL>" \
---configuration-type "Inline" \
---default-action "Permit" \
---dynamic-match-configurations "[{ipGroups:[{name:'example-ipGroup',ipAddressType:IPv4,ipPrefixes:['x.x.x.x/20']}],vlanGroups:[{name:'example-vlanGroup',vlans:['20-30']}],portGroups:[{name:'example-portGroup',ports:['100-200']}]}]" \
---match-configurations "[{matchConfigurationName:'example-match',sequenceNumber:123,ipAddressType:IPv4,matchConditions:[{etherTypes:['0x1'],fragments:['0xff00-0xffff'],ipLengths:['4094-9214'],ttlValues:[23],dscpMarkings:[32],portCondition:{flags:[established],portType:SourcePort,layer4Protocol:TCP,ports:['1-20']},protocolTypes:[TCP],vlanMatchCondition:{vlans:['20-30'],innerVlans:[30]},ipCondition:{type:SourceIP,prefixType:Prefix,ipPrefixValues:['x.x.x.x/12']}}],actions:[{type:Count,counterName:'example-counter'}]}]"
-````
-
-Create egress ACL
-
-````
-az networkfabric acl create --resource-group "<NFResourceGroup>"  \
---location "<Location>" \
---resource-name "<example-Ipv4egressACL>" \
---configuration-type "File" \
---acls-url "https://ACL-Storage-URL" --default-action "Permit" \
---dynamic-match-configurations "[{ipGroups:[{name:'example-ipGroup',ipAddressType:IPv4,ipPrefixes:['x.x.x.x/20']}],vlanGroups:[{name:'example-vlanGroup',vlans:['20-30']}],portGroups:[{name:'example-portGroup',ports:['100-200']}]}]"
-````
+    **Create ingress ACL**
+
+    ```azurecli
+    
+    az networkfabric acl create --resource-group "<NFResourceGroup>" \
+    --location "<Location>"  \
+    --resource-name "<example-Ipv4ingressACL>" \
+    --configuration-type "Inline" \
+    --default-action "Permit" \
+    --dynamic-match-configurations "[{ipGroups:[{name:'example-ipGroup',ipAddressType:IPv4,ipPrefixes:['x.x.x.x/20']}],vlanGroups:[{name:'example-vlanGroup',vlans:['20-30']}],portGroups:[{name:'example-portGroup',ports:['100-200']}]}]" \
+    --match-configurations "[{matchConfigurationName:'example-match',sequenceNumber:123,ipAddressType:IPv4,matchConditions:[{etherTypes:['0x1'],fragments:['0xff00-0xffff'],ipLengths:['4094-9214'],ttlValues:[23],dscpMarkings:[32],portCondition:{flags:[established],portType:SourcePort,layer4Protocol:TCP,ports:['1-20']},protocolTypes:[TCP],vlanMatchCondition:{vlans:['20-30'],innerVlans:[30]},ipCondition:{type:SourceIP,prefixType:Prefix,ipPrefixValues:['x.x.x.x/12']}}],actions:[{type:Count,counterName:'example-counter'}]}]"
+    
+    ````
+
+    **Create egress ACL**
+
+    ```azurecli
+    
+    az networkfabric acl create --resource-group "<NFResourceGroup>" \
+    --location "<Location>" \
+    --resource-name "<example-Ipv4egressACL>" \
+    --configuration-type "File" \
+    --acls-url "https://ACL-Storage-URL" --default-action "Permit" \
+    --dynamic-match-configurations "[{ipGroups:[{name:'example-ipGroup',ipAddressType:IPv4,ipPrefixes:['x.x.x.x/20']}],vlanGroups:[{name:'example-vlanGroup',vlans:['20-30']}],portGroups:[{name:'example-portGroup',ports:['100-200']}]}]"
+    
+    ````
 
 3.  Create NNI (Network-to-NetworkInterface). Completed after the fabric create but before device update and fabric provision.
 
-````
-az networkfabric nni create --resource-group "<NFResourceGroup>" --fabric "<NFFabric>" --resource-name "<NFNNIName>" --nni-type "CE" --is-management-type "True" --use-option-b "True" --layer2-configuration "{interfaces:['/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkDevices/example-networkDevice/networkInterfaces/example-interface'],mtu:1500}" --option-b-layer3-configuration "{peerASN:28,vlanId:501,primaryIpv4Prefix:'x.x.x.x/30',secondaryIpv4Prefix:'x.x.x.x/30',primaryIpv6Prefix:'10:2:0:124::400/127',secondaryIpv6Prefix:'10:2:0:124::402/127'}" --ingress-acl-id "/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/accesscontrollists/example-Ipv4ingressACL" --egress-acl-id "/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/accesscontrollists/example-Ipv4egressACL"
-````
+    ```azurecli
+    
+    az networkfabric nni create --resource-group "<NFResourceGroup>" \
+    --fabric "<NFFabric>" \
+    --resource-name "<NFNNIName>" \
+    --nni-type "CE" \
+    --is-management-type "True" \
+    --use-option-b "True" \
+    --layer2-configuration "{interfaces:['/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkDevices/example-networkDevice/networkInterfaces/example-interface'],mtu:1500}" \
+    --option-b-layer3-configuration "{peerASN:28,vlanId:501,primaryIpv4Prefix:'x.x.x.x/30',secondaryIpv4Prefix:'x.x.x.x/30',primaryIpv6Prefix:'10:2:0:124::400/127',secondaryIpv6Prefix:'10:2:0:124::402/127'}" \
+    --ingress-acl-id "/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/accesscontrollists/example-Ipv4ingressACL" \
+    --egress-acl-id "/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/accesscontrollists/example-Ipv4egressACL"
+    
+    ````
 
 4.  Update devices
 
-````
-az networkfabric device update --resource-group "<NFResourceGroup>" --resource-name "<Network-Device-Name>" --host-name <example-device-hostname> --serial-number <NF_DEVICE_SN>
-````
-
-5.  Provision network fabric
-
-````
-az networkfabric fabric provision --resource-group "<NFResourceGroup>" --resource-name "<NFName>"
-````
+    The following command should be run for each network fabric device.
+    
+    ```azurecli
+    
+    az networkfabric device update --resource-group "<NFResourceGroup>" \
+    --resource-name "<Network-Device-Name>" \
+    --host-name <example-device-hostname> \
+    --serial-number <NF_DEVICE_SN>
+    
+    ````
+
+6.  Provision network fabric
+
+    ```azurecli
+    
+    az networkfabric fabric provision --resource-group "<NFResourceGroup>" \
+    --resource-name "<NFName>"
+    
+    ````
