Can you use a different Public IP for VIP than the one at deployment in a vSec Azure cluster?

Tom_Gunckel — Sun, 03 Jun 2018 06:20:46 GMT

We deployed a new vSec cluster in Azure a few days ago to upgrade our old one. Support said we could use the old public IP addresses so we moved them from the old resource group. They worked fine for the members, but in a failover, the API deletes "cluster-vip" and when it tries to recreate it on the new active member, it tries to find the original public IP at deployment, which has been moved to a different resource group. If I could rename the Public IP for the VIP in Azure, I think everything would be fine. But we cant.

Any ideas on a work around for either renaming an IP in Azure, or how to adjust the config file?

Here is a lengthy description what we tried, I am using dummy names:

Original deployment a year ago named "YearAgovSec". Members were named "YearAgovSec1", "YearAgovSec2". Public IPs for members were named "YearAgovSec1", "YearAgovSec2". Public IP for VIP was named "YearAgovSec". Resource group named "YearAgovSec"

New deployment this year named "ThisYearvSec". Members were named "ThisYearvSec1", "ThisYearvSec2". Public IPs for members were named "ThisYearvSec1", "ThisYearvSec2". Public IP for VIP was named "ThisYearvSec". Resource group named "ThisYearvSec"

We moved out the Public IP Address "ThisYearvSec" to another resource group, and moved in "YearAgovSec" Public IP Address into the "ThisYearvSec" resource group.

In failover, the routes would get re-written correctly, the "cluster-vip" would get removed from the failing member, then things would stop. The "cluster-vip" would never get added to the active member. If we added it manually, everything worked fine.

The error we would get is:
RequestException: HTTP/1.1 404 Not Found
{"error":{"code":"ResourceNotFound","message":"The Resource'Microsoft.Network/publicIPAddresses/ThisYearvSec' under resource group 'ThisYearvSec' was not found."}}

The azure-ha.json has these settings:
"clusterName": "ThisYearvSec",
"clusterNetworkInterfaces": {
    "eth0": [
      "10.5.1.9",
      "ThisYearvSec"
    ]

We saw in azure_had.py it determines the public IP name with:
public_ip_id = (conf['baseId'] +
'Microsoft.Network/publicIPAddresses/' + conf['clusterName'])

So we changed "ClusterName" in azure-ha.json from "ThisYearvSec" to "YearAgovSec"

When we test the config, now we get:

The hostname ThisYearvSec2 should be either 'YearAgovSec1' or 'YearAgovSec2' because of this line in azure_ha_test.py:
conf['hostname'] = conf.get('hostname', socket.gethostname())
    cluster_name = conf['clusterName'].lower()
    if conf['hostname'] not in {cluster_name + '1', cluster_name + '2'}:
        raise Exception('The hostname %s should be either \'%s\' or \'%s\'' % (
            conf['hostname'], cluster_name + '1', cluster_name + '2'))

At this point, we gave up trying to trick it with the config file.

Re: Can you use a different Public IP for VIP than the one at deployment in a vSec Azure cluster?

Tom_Gunckel — Tue, 05 Jun 2018 14:26:56 GMT

We figured it out with trial and error. You need to change this section of the azure-ha.json file to have the name of the public IP address you are using. The example below is using variables from my posted example. If you were to add a different public IP, you would change "YearAgovSec" to the name of your new public IP.

"proxy": "",
"virtualNetwork": "{YOUR VNET}",
"clusterName": "ThisYearvSec",
"clusterNetworkInterfaces": {
    "eth0": [
      "{YOUR VIP ETH0 IP ADDRESS}",
      "YearAgovSec"
    ]
},
"lbName": "frontend-lb"
}

topic Can you use a different Public IP for VIP than the one at deployment in a vSec Azure cluster? in Cloud Firewall

Can you use a different Public IP for VIP than the one at deployment in a vSec Azure cluster?

Re: Can you use a different Public IP for VIP than the one at deployment in a vSec Azure cluster?