Commit workflow v2 Feature

sushantjrao · sushantjrao · commit f830a3a3e3b8 · 2025-05-26T14:06:33.000+05:30
diff --git a/articles/operator-nexus/TOC.yml b/articles/operator-nexus/TOC.yml
@@ -50,6 +50,8 @@
           href: concepts-disable-border-gateway-protocol-neighbors.md
         - name: Network Packet Broker
           href: concepts-nexus-network-packet-broker.md
+        - name: Commit Workflow v2
+          href: concepts-commit-workflow-v2
         - name: Route Policy
           expanded: false
           items:
@@ -246,6 +248,8 @@
           href: concepts-bmp-log-streaming.md
         - name: How to enable / disable BMP log streaming Azure Operator Nexus
           href: howto-enable-log-streaming.md
+        - name: How to use Commit Workflow v2 in Azure Operator Nexus
+          href: howto-use-commit-workflow-v2.md
     - name: Cluster
       expanded: false
       items:
diff --git a/articles/operator-nexus/concepts-commit-workflow-v2.md b/articles/operator-nexus/concepts-commit-workflow-v2.md
@@ -0,0 +1,106 @@
+---
+title: Azure Operator Nexus – Network Fabric - Commit Workflow v2
+description: Learn about Commit Workflow v2 process in Azure Operator Nexus – Network Fabric
+author: sushantjrao
+ms.author: sushrao
+ms.service: azure-operator-nexus
+ms.topic: conceptual
+ms.date: 05/16/2025
+ms.custom: template-concept
+---
+
+# Commit Workflow v2 in Azure Operator Nexus - Network Fabric
+
+**Commit Workflow v2** introduces a modernized and transparent approach for applying configuration changes to **Azure Operator Nexus – Network Fabric (NNF)** resources. This enhanced workflow provides better operational control, visibility, and error handling during the configuration update process.
+
+With this update, users can lock configuration states, preview device-level changes, validate updates, and commit with confidence—overcoming earlier limitations such as the inability to inspect pre/post configurations and difficulty in diagnosing failures.
+
+## Key concepts and capabilities
+
+Commit Workflow v2 is built around a structured change management flow. The following core features are available:
+
+- **Explicit configuration locking:** Users must explicitly lock the configuration of a Network Fabric resource after making changes. This ensures updates are applied in a predictable and controlled manner.
+
+- **Full device configuration preview:** Enables visibility into the exact configuration that will be applied to each device before the commit. This helps validate intent and catch issues early.
+
+- **Commit configuration to devices**
+  Once validated, changes can be committed to the devices. This final step applies the locked configuration updates across the fabric.
+
+## Prerequisites
+
+Before using Commit Workflow v2, ensure the following environment requirements are met:
+
+### Required versions
+
+* **Runtime version**: `5.0.1` or later is required for Commit Workflow v2.
+
+* **Network Fabric API version**:  `2024-06-15-preview`
+
+* **AzCLI version**:  `8.0.0.b3` or later
+
+### Supported upgrade paths to runtime version 5.0.1
+
+* **Direct upgrade**: From `4.0.0 → 5.0.1` or From `5.0.0 → 5.0.1`
+
+* **Sequential upgrade**:   From `4.0.0 → 5.0.0 → 5.0.1`
+
+> [!Note]
+>  Additional actions may be required when upgrading from version 4.0.0. Please refer to the [runtime release notes](#) for guidance on upgrade-specific steps.
+
+
+## Behavior and constraints
+
+Commit Workflow v2 introduces new operational expectations and constraints to ensure consistency and safety in configuration management:
+
+- **Availability & Irreversibility**
+
+Commit Workflow v2 is only available after upgrading to Runtime Version 5.0.1. Once upgraded, reverting to Commit Workflow v1 is not supported.
+
+- **Configuration lock requirements**
+
+Locking is only possible when:
+
+    - There is no ongoing commit operation.
+
+    - The fabric is not in maintenance or upgrade mode.
+
+    - The fabric is in an administrative enabled state.
+
+- **Unsupported during maintenance or upgrade**
+
+Configuration Lock and View Device Configuration are not allowed during maintenance or upgrade windows.
+
+- **Commit is final**
+
+Once a configuration is committed, it cannot be rolled back. Future changes must go through another lock-commit cycle.
+
+### Supported resource actions via Commit workflow v2 (when parent resources are in administrative state – Enabled)
+
+| **Requires Commit Workflow (Impacts Device Config)** | **Does NOT Require Commit Workflow (ARM-level only)** |
+| ---------------------------------------------------- | ----------------------------------------------------- |
+| Updates to Network Fabric                            | ISD Creation (L2/L3)                                  |
+| Updates to NNI                                       | Network TAP, Neighbor Group creation/updates          |
+| Updates to Isolation Domains (L2/L3)                 | IP Prefix / IP Community (unattached)                 |
+| Internal/External Network updates (L3 ISD)           | ACL creation not attached to any parent resource      |
+| Route Policy changes (attached)                      | NFC creation/updates                                  |
+| ACLs (attached to NNI, External, ISD)                | Tag updates                                           |
+| IP Prefix / Community changes (attached)             | Resource delete when disabled and not attached        |
+| Additional descriptions to Network Devices           | Admin actions like enable/disable, upgrade, RMA       |
+| Network Monitor updates (with Fabric ID)             | Deletion of all NNF resources                         |
+
+
+### Allowed actions after configuration lock
+
+| **Supported Actions**                                               | **Unsupported Actions**                             |
+| ------------------------------------------------------------------- | --------------------------------------------------- |
+| Update NFC                                                          | Create/update NNI, ISDs, Internal/External Networks |
+| Create/update/delete Network TAP rules, TAP, Neighbor Groups        | Modify Route Policies, ACLs (if attached)           |
+| Create/update IP Prefix / IP Community (unattached)                 | Modify Network Monitor attached to Fabric           |
+| Read operations across NNF resources                                | Delete enabled resources                            |
+| Delete disabled, unattached resources                               | All admin actions (e.g., enable/disable, RMA)       |
+| Lock Fabric, View Device Config, Commit Config, Check commit status | Other post-actions must be performed before locking |
+
+
+## Next steps
+
+[How to use Commit Workflow v2 in Azure Operator Nexus](./howto-use-commit-workflow-v2.md)
diff --git a/articles/operator-nexus/howto-use-commit-workflow-v2.md b/articles/operator-nexus/howto-use-commit-workflow-v2.md
@@ -0,0 +1,118 @@
+---
+title: How to use Commit Workflow v2 in Azure Operator Nexus
+description: Learn the process for using Commit Workflow v2 in Nexus Network Fabric
+author: sushantjrao 
+ms.author: sushrao
+ms.date: 05/26/2025
+ms.topic: how-to
+ms.service: azure-operator-nexus
+ms.custom: template-how-to, devx-track-azurecli
+---
+
+# How to use Commit Workflow v2 in Azure Operator Nexus
+
+The **Commit Workflow v2** ensures that device-impacting changes to a Network Fabric instance are explicitly acknowledged and committed before being applied to the underlying infrastructure. This structured workflow increases reliability and control over configuration changes.
+
+## Prerequisites
+
+* Your **Network Fabric must be in `Provisioned` state** and **configuration state must be `Succeeded`**.
+
+* The **fabric and all impacted resources must have admin state set to `Enabled`**.
+
+* You must have **BYOS (Bring Your Own Storage)** configured on the fabric to use the optional validation step.
+
+
+## Commit Workflow v2 overview
+
+Any **patch operation** on parent resources or **Create/Update/Delete (CUD)** operation on connected child resources will now require an **explicit commit step**. Changes are **batched** until you lock, validate (optional), and commit them.
+
+### Step 1: Update resources
+
+Make patch or CUD operations via Azure CLI, Portal, or ARM template.
+Once these changes are made, the fabric's configuration state will change to `Accepted (Pending Commit)`.
+
+#### Example scenarios:
+
+* Create a new **Route Policy** and attach it to **Internal Network 1**
+* Create an additional **Internal Network 2**
+
+All these changes will be **batched**, but **not applied** to devices yet.
+
+---
+
+### Step 2: Lock Configuration (Mandatory)
+
+Lock the configuration to signal that all intended updates are completed. After this lock, **no further updates** can be made to any fabric-related resources until you unlock.
+
+#### Azure CLI Command:
+
+```bash
+az networkfabric fabric networkFabricLock \
+  --type "configuration updates" \
+  --state "enable" \
+  --resource-group "example-rg" \
+  --resource-name "example-fabric"
+```
+
+- Successful execution transitions the fabric to a **locked state**.
+
+- Check CLI output for success or failure status.
+
+
+### Step 3: Validate updates (Optional but recommended)
+
+Validate the configuration using the `ViewDeviceConfiguration` post-action. This shows you how the device configuration will change before you commit.
+
+> [!Important] 
+> BYOS must be configured on the Network Fabric.
+
+#### Azure CLI Command:
+
+```bash
+az networkfabric fabric ViewDeviceConfiguration \
+  --resource-group "example-rg" \
+  --resource-name "example-fabric"
+```
+
+This provides:
+
+- **Pre-Device Changes**: Current config for all devices (CE, TOR, Management Switches)
+
+- **Post-Device Changes**: Preview of what will be applied after commit
+
+#### Need to Make More Updates?
+
+Unlock the configuration to make further changes, then repeat the lock/validate/commit steps.
+
+#### Unlock Example:
+
+```bash
+az networkfabric fabric networkFabricLock \
+  --type "configuration updates" \
+  --state "disable" \
+  --resource-group "example-rg" \
+  --resource-name "example-fabric"
+```
+
+### Step 4: Commit Configuration (Mandatory)
+
+Commit the configuration to apply the batched changes to all relevant fabric devices.
+
+#### Azure CLI Command:
+
+```bash
+az networkfabric fabric commitConfiguration \
+  --resource-group "example-rg" \
+  --resource-name "example-fabric"
+```
+
+- The operation returns a **status**: `Succeeded`, `InProgress`, or `Failed`
+
+- Use CLI polling or Azure Activity Logs to monitor progress
+
+> [Important]
+> - This workflow applies **only when the fabric is in Provisioned state** and **admin state is Enabled**. <br>
+> - Locking is mandatory before commit; **commit cannot proceed without locking first**. <br>
+> - **Rollback is not supported** – any incorrect configuration must be updated and re-committed. <br>
+> - Updates outside of this workflow (e.g., to tags or disconnected resources) do **not require commit**. <br>
+
