
feat: network module redesign for future growth #130

Merged
mishraomp merged 5 commits into main from docs/ip-budget-breakdown
Mar 3, 2026

@mishraomp mishraomp commented Mar 3, 2026

This changeset replaces the computed offset-based subnet allocation with an explicit subnet_allocation map-of-maps variable, adds external VNet peered project NSG rules, implements per-tenant PE subnet selection via pe_subnet_key, and updates all stacks, tenant configs, docs, and workflows accordingly.

AI Hub Infra Changes

Summary: 1 to add, 3 to change, 0 to destroy (across 2 stack(s))

Terraform will perform the following actions:

  # module.network.azapi_resource.private_endpoints_subnet has moved to module.network.azapi_resource.pe_subnets["privateendpoints-subnet"]
    resource "azapi_resource" "pe_subnets" {
        id                        = "/subscriptions/****/resourceGroups/da4cf6-test-networking/providers/Microsoft.Network/virtualNetworks/da4cf6-test-vwan-spoke/subnets/privateendpoints-subnet"
        name                      = "privateendpoints-subnet"
        # (11 unchanged attributes hidden)
    }

  # module.network.azurerm_network_security_group.aca[0] will be updated in-place
  ~ resource "azurerm_network_security_group" "aca" {
        id                  = "/subscriptions/****/resourceGroups/da4cf6-test-networking/providers/Microsoft.Network/networkSecurityGroups/ai-services-hub-test-aca-nsg"
        name                = "ai-services-hub-test-aca-nsg"
      ~ security_rule       = [
          - {
              - access                                     = "Allow"
              - destination_address_prefix                 = "AzureActiveDirectory"
              - destination_address_prefixes               = []
              - destination_application_security_group_ids = []
              - destination_port_range                     = "443"
              - destination_port_ranges                    = []
              - direction                                  = "Outbound"
              - name                                       = "AllowAadOutbound"
              - priority                                   = 120
              - protocol                                   = "Tcp"
              - source_address_prefix                      = "VirtualNetwork"
              - source_address_prefixes                    = []
              - source_application_security_group_ids      = []
              - source_port_range                          = "*"
              - source_port_ranges                         = []
                # (1 unchanged attribute hidden)
            },
          - {
              - access                                     = "Allow"
              - destination_address_prefix                 = "AzureContainerRegistry"
              - destination_address_prefixes               = []
              - destination_application_security_group_ids = []
              - destination_port_range                     = "443"
              - destination_port_ranges                    = []
              - direction                                  = "Outbound"
              - name                                       = "AllowAcrOutbound"
              - priority                                   = 100
              - protocol                                   = "Tcp"
              - source_address_prefix                      = "VirtualNetwork"
              - source_address_prefixes                    = []
              - source_application_security_group_ids      = []
              - source_port_range                          = "*"
              - source_port_ranges                         = []
                # (1 unchanged attribute hidden)
            },
          - {
              - access                                     = "Allow"
              - destination_address_prefix                 = "AzureMonitor"
              - destination_address_prefixes               = []
              - destination_application_security_group_ids = []
              - destination_port_range                     = "443"
              - destination_port_ranges                    = []
              - direction                                  = "Outbound"
              - name                                       = "AllowMonitorOutbound"
              - priority                                   = 110
              - protocol                                   = "Tcp"
              - source_address_prefix                      = "VirtualNetwork"
              - source_address_prefixes                    = []
              - source_application_security_group_ids      = []
              - source_port_range                          = "*"
              - source_port_ranges                         = []
                # (1 unchanged attribute hidden)
            },
          - {
              - access                                     = "Allow"
              - destination_address_prefix                 = "VirtualNetwork"
              - destination_address_prefixes               = []
              - destination_application_security_group_ids = []
              - destination_port_range                     = "*"
              - destination_port_ranges                    = []
              - direction                                  = "Inbound"
              - name                                       = "AllowVnetInbound-10-46-136-0-24"
              - priority                                   = 200
              - protocol                                   = "*"
              - source_address_prefix                      = "10.46.136.0/24"
              - source_address_prefixes                    = []
              - source_application_security_group_ids      = []
              - source_port_range                          = "*"
              - source_port_ranges                         = []
                # (1 unchanged attribute hidden)
            },
          - {
              - access                                     = "Allow"
              - destination_address_prefix                 = "VirtualNetwork"
              - destination_address_prefixes               = []
              - destination_application_security_group_ids = []
              - destination_port_range                     = "*"
              - destination_port_ranges                    = []
              - direction                                  = "Inbound"
              - name                                       = "AllowVnetInbound-10-46-82-0-24"
              - priority                                   = 201
              - protocol                                   = "*"
              - source_address_prefix                      = "10.46.82.0/24"
              - source_address_prefixes                    = []
              - source_application_security_group_ids      = []
              - source_port_range                          = "*"
              - source_port_ranges                         = []
                # (1 unchanged attribute hidden)
            },
          + {
              + access                                     = "Allow"
              + destination_address_prefix                 = "VirtualNetwork"
              + destination_address_prefixes               = []
              + destination_application_security_group_ids = []
              + destination_port_range                     = "443"
              + destination_port_ranges                    = []
              + direction                                  = "Outbound"
              + name                                       = "AllowVirtualNetworkOutbound"
              + priority                                   = 130
              + protocol                                   = "Tcp"
              + source_address_prefix                      = "VirtualNetwork"
              + source_address_prefixes                    = []
              + source_application_security_group_ids      = []
              + source_port_range                          = "*"
              + source_port_ranges                         = []
                # (1 unchanged attribute hidden)
            },
          + {
              + access                                     = "Allow"
              + destination_address_prefix                 = "AzureActiveDirectory"
              + destination_address_prefixes               = []
              + destination_application_security_group_ids = []
              + destination_port_range                     = "443"
              + destination_port_ranges                    = []
              + direction                                  = "Outbound"
              + name                                       = "AllowAadOutbound"
              + priority                                   = 120
              + protocol                                   = "Tcp"
              + source_address_prefix                      = "VirtualNetwork"
              + source_address_prefixes                    = []
              + source_application_security_group_ids      = []
              + source_port_range                          = "*"
              + source_port_ranges                         = []
            },
          + {
              + access                                     = "Allow"
              + destination_address_prefix                 = "AzureContainerRegistry"
              + destination_address_prefixes               = []
              + destination_application_security_group_ids = []
              + destination_port_range                     = "443"
              + destination_port_ranges                    = []
              + direction                                  = "Outbound"
              + name                                       = "AllowAcrOutbound"
              + priority                                   = 100
              + protocol                                   = "Tcp"
              + source_address_prefix                      = "VirtualNetwork"
              + source_address_prefixes                    = []
              + source_application_security_group_ids      = []
              + source_port_range                          = "*"
              + source_port_ranges                         = []
            },
          + {
              + access                                     = "Allow"
              + destination_address_prefix                 = "AzureMonitor"
              + destination_address_prefixes               = []
              + destination_application_security_group_ids = []
              + destination_port_range                     = "443"
              + destination_port_ranges                    = []
              + direction                                  = "Outbound"
              + name                                       = "AllowMonitorOutbound"
              + priority                                   = 110
              + protocol                                   = "Tcp"
              + source_address_prefix                      = "VirtualNetwork"
              + source_address_prefixes                    = []
              + source_application_security_group_ids      = []
              + source_port_range                          = "*"
              + source_port_ranges                         = []
            },
          + {
              + access                                     = "Allow"
              + destination_address_prefix                 = "VirtualNetwork"
              + destination_address_prefixes               = []
              + destination_application_security_group_ids = []
              + destination_port_range                     = "*"
              + destination_port_ranges                    = []
              + direction                                  = "Inbound"
              + name                                       = "AllowVnetInbound-10-46-136-0-24"
              + priority                                   = 200
              + protocol                                   = "*"
              + source_address_prefix                      = "10.46.136.0/24"
              + source_address_prefixes                    = []
              + source_application_security_group_ids      = []
              + source_port_range                          = "*"
              + source_port_ranges                         = []
            },
          + {
              + access                                     = "Allow"
              + destination_address_prefix                 = "VirtualNetwor
(truncated, see workflow logs for complete plan)

Updated by CI — plan against test environment (run #237) at 2026-03-03 00:27:34 UTC.
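
Review bot: the AllowVnetInbound-10-46-136-0-24 and AllowVnetInbound-10-46-82-0-24 rules on ai-services-hub-test-aca-nsg allow protocol "*" and destination_port_range "*" from a whole /24 to VirtualNetwork, which is much wider than the new AllowVirtualNetworkOutbound rule (Tcp, 443, priority 130). If the peered sources only need HTTPS, restrict these inbound rules to Tcp and port 443 as well, or list the ports they require. The plan also removes and re-adds every existing rule alongside the one new rule, and the output is cut off partway through the list, so the net change to the NSG should be confirmed against the full plan in the workflow logs before relying on this comment.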

@mishraomp mishraomp merged commit 3f49956 into main Mar 3, 2026
13 checks passed
@mishraomp mishraomp deleted the docs/ip-budget-breakdown branch March 3, 2026 02:43
@mishraomp mishraomp self-assigned this Mar 3, 2026
@mishraomp mishraomp linked an issue Mar 3, 2026 that may be closed by this pull request

Development

Successfully merging this pull request may close these issues.

Network Design | Gap | Improvements Needed
