How to fix "Error: creating Managed Cluster: Failure sending request: StatusCode=0 -- Original Error: Code="ExistingRouteTableNotAssociatedWithSubnet"" (AKS with outbound_type = userDefinedRouting)

HussainShaik 0 Reputation points
2023-06-13T06:29:06.8+00:00
# Resource group that holds every resource of this egress-restricted AKS setup.
resource "azurerm_resource_group" "aks_egress_rg" {
  location = "japaneast"
  name     = "aks-egress-rg"
}

# Hub VNet shared by the AKS node subnet and the AzureFirewallSubnet.
# The /8 address space is large enough to carve both subnets out of it.
resource "azurerm_virtual_network" "aks_vnet" {
  name                = "aks-vnet"
  resource_group_name = azurerm_resource_group.aks_egress_rg.name
  location            = azurerm_resource_group.aks_egress_rg.location
  address_space       = ["10.0.0.0/8"]
}

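# Node subnet for the AKS cluster. The route table is attached through the
# separate azurerm_subnet_route_table_association resource; the in-resource
# route_table_id attribute is deprecated and would conflict with that
# association, so the commented-out attribute is dropped rather than left
# as a trap for the next edit.
resource "azurerm_subnet" "aks_subnet" {
  name                 = "aks_subnet"
  resource_group_name  = azurerm_resource_group.aks_egress_rg.name
  virtual_network_name = azurerm_virtual_network.aks_vnet.name
  address_prefixes     = ["10.1.0.0/16"]
}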

# Subnet for the firewall instance. Azure Firewall looks for a subnet with
# exactly this name, so the name must not be changed.
resource "azurerm_subnet" "fw_subnet" {
  name                 = "AzureFirewallSubnet"
  address_prefixes     = ["10.3.6.0/24"]
  virtual_network_name = azurerm_virtual_network.aks_vnet.name
  resource_group_name  = azurerm_resource_group.aks_egress_rg.name
}

# Static Standard-SKU public IP used by the firewall for SNAT of node egress.
# Its address is also referenced by the /32 "Internet" route in the route table.
resource "azurerm_public_ip" "fw_public_ip" {
  name                = "fw-public-ip"
  resource_group_name = azurerm_resource_group.aks_egress_rg.name
  location            = azurerm_resource_group.aks_egress_rg.location
  sku                 = "Standard"
  allocation_method   = "Static"
}

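# Azure Firewall (VNet deployment, Standard tier) that all AKS node egress is
# routed through. Rules come from the attached firewall policy; the
# firewall_policy_id reference already orders this resource after the policy,
# so the explicit depends_on that duplicated it is removed.
resource "azurerm_firewall" "fw" {
  name                = "fw"
  location            = azurerm_resource_group.aks_egress_rg.location
  resource_group_name = azurerm_resource_group.aks_egress_rg.name
  sku_name            = "AZFW_VNet"
  sku_tier            = "Standard"
  firewall_policy_id  = azurerm_firewall_policy.firewallpolicy.id

  ip_configuration {
    name                 = "fw-ip-config"
    subnet_id            = azurerm_subnet.fw_subnet.id
    public_ip_address_id = azurerm_public_ip.fw_public_ip.id
  }
}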

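# Firewall policy. DNS proxy is enabled so that FQDN-based *network* rules
# (e.g. the ntp.ubuntu.com rule in the rule collection group) can be resolved
# by the firewall itself; without it those rules cannot match.
resource "azurerm_firewall_policy" "firewallpolicy" {
  name                = "firewallpolicy"
  resource_group_name = azurerm_resource_group.aks_egress_rg.name
  location            = azurerm_resource_group.aks_egress_rg.location

  dns {
    # Boolean attribute: use a bool literal rather than the string "true".
    proxy_enabled = true
  }
}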

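# Resource: associate the user-defined route table with the AKS node subnet.
# The route_table_id reference already orders this after the route table, so
# the explicit depends_on that duplicated it is removed. Note that nothing
# here makes the AKS cluster wait for this association; the cluster resource
# must declare that dependency itself.
resource "azurerm_subnet_route_table_association" "UDR_asso_to_aks_subnet" {
  subnet_id      = azurerm_subnet.aks_subnet.id
  route_table_id = azurerm_route_table.aks_egress_fwrt.id
}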

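# User-defined route table for the AKS node subnet: a default route to the
# firewall's private IP, plus a /32 exception so traffic addressed to the
# firewall's own public IP goes straight to the Internet instead of being
# sent back into the firewall. The next_hop_in_ip_address reference already
# orders this after the firewall, so the explicit depends_on is removed.
resource "azurerm_route_table" "aks_egress_fwrt" {
  name                = "aks-egress-fwrt"
  resource_group_name = azurerm_resource_group.aks_egress_rg.name
  location            = azurerm_resource_group.aks_egress_rg.location

  # NOTE(review): newer azurerm provider releases rename this attribute to
  # bgp_route_propagation_enabled; keep whichever your pinned version accepts.
  disable_bgp_route_propagation = false

  route {
    name                   = "aks-egress-fwrn"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = azurerm_firewall.fw.ip_configuration[0].private_ip_address
  }

  route {
    name           = "aks-egress-fwinternet"
    address_prefix = "${azurerm_public_ip.fw_public_ip.ip_address}/32"
    next_hop_type  = "Internet"
  }
}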

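# Egress rules for the AKS nodes. Two changes from the original:
#  * sources are pinned to the AKS node subnet instead of "*", so the policy
#    only admits the traffic this UDR is meant to carry (least privilege);
#  * "AzureKubernetesService" is an FQDN *tag*, so it is set via
#    destination_fqdn_tags. Under destination_fqdns it would be treated as a
#    literal hostname that never resolves, and node bootstrap traffic would be
#    denied.
# The commented-out description/action attributes were dead text and are gone.
resource "azurerm_firewall_policy_rule_collection_group" "rulecollection" {
  name               = "rulecollection"
  firewall_policy_id = azurerm_firewall_policy.firewallpolicy.id
  priority           = 500

  network_rule_collection {
    name     = "network_rule_collection1"
    priority = 200
    action   = "Allow"

    # DNS from the nodes. destination "*" still allows DNS to any server on
    # the Internet (a common exfiltration/tunneling channel); narrow it to the
    # resolver the nodes actually use once that is fixed (e.g. the firewall's
    # DNS proxy or Azure DNS).
    rule {
      name                  = "AllowOutboundDNS"
      protocols             = ["UDP", "TCP"]
      source_addresses      = azurerm_subnet.aks_subnet.address_prefixes
      destination_addresses = ["*"]
      destination_ports     = ["53"]
    }

    # Node <-> control-plane tunnel, UDP 1194, limited to the region's service tag.
    rule {
      name                  = "apiudp"
      protocols             = ["UDP"]
      source_addresses      = azurerm_subnet.aks_subnet.address_prefixes
      destination_addresses = ["AzureCloud.japaneast"]
      destination_ports     = ["1194"]
    }

    # Node <-> control-plane tunnel, TCP 9000, limited to the region's service tag.
    rule {
      name                  = "apitcp"
      protocols             = ["TCP"]
      source_addresses      = azurerm_subnet.aks_subnet.address_prefixes
      destination_addresses = ["AzureCloud.japaneast"]
      destination_ports     = ["9000"]
    }

    # NTP by FQDN; this requires the DNS proxy enabled on the firewall policy.
    rule {
      name              = "time"
      protocols         = ["UDP"]
      source_addresses  = azurerm_subnet.aks_subnet.address_prefixes
      destination_fqdns = ["ntp.ubuntu.com"]
      destination_ports = ["123"]
    }
  }

  application_rule_collection {
    name     = "apprulecollection"
    priority = 400
    action   = "Allow"

    rule {
      name             = "fqdn1"
      source_addresses = azurerm_subnet.aks_subnet.address_prefixes
      protocols {
        port = "80"
        type = "Http"
      }
      destination_fqdn_tags = ["AzureKubernetesService"]
    }

    rule {
      name             = "fqdn2"
      source_addresses = azurerm_subnet.aks_subnet.address_prefixes
      protocols {
        port = "443"
        type = "Https"
      }
      destination_fqdn_tags = ["AzureKubernetesService"]
    }
  }
}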

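# AKS cluster whose egress is forced through the firewall via the UDR on the
# node subnet (outbound_type = "userDefinedRouting"). Azure validates at
# creation time that the node subnet already has a route table attached; the
# cluster only references the subnet, so without an explicit dependency
# Terraform may create the cluster while the association is still pending
# and fail with Code="ExistingRouteTableNotAssociatedWithSubnet". The
# depends_on below is the fix -- moving blocks around in the file does not
# change Terraform's ordering.
resource "azurerm_kubernetes_cluster" "aks" {
  depends_on = [azurerm_subnet_route_table_association.UDR_asso_to_aks_subnet]

  name                = "aks-egress"
  location            = azurerm_resource_group.aks_egress_rg.location
  resource_group_name = azurerm_resource_group.aks_egress_rg.name
  dns_prefix          = "aks-egress"

  default_node_pool {
    name           = "default"
    node_count     = 1
    vm_size        = "Standard_DS2_v2"
    type           = "VirtualMachineScaleSets"
    vnet_subnet_id = azurerm_subnet.aks_subnet.id
  }

  # System-assigned managed identity: no service-principal secret to store or rotate.
  identity {
    type = "SystemAssigned"
  }

  network_profile {
    network_plugin    = "azure"
    load_balancer_sku = "standard"
    # All node egress follows the subnet's route table (i.e. the firewall);
    # AKS provisions no public outbound path of its own.
    outbound_type = "userDefinedRouting"
  }
}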
  1. HussainShaik 0 Reputation points
    2023-06-13T11:27:14.6566667+00:00

    I am getting the same issue. If anyone knows the solution, that would be a great help.


  2. Akram Kathimi 1,206 Reputation points Microsoft Employee
    2023-06-13T12:12:41.5866667+00:00

    Hi @HussainShaik ,

    Thank you for your question.

    From the Terraform file you've shared, the AKS cluster resource does not reference the route table association, so Terraform is free to create the cluster before (or concurrently with) the association, and Azure rejects a userDefinedRouting cluster whose subnet has no route table yet. The position of the blocks in the file does not control this -- Terraform orders resources by the dependency graph:

    # Resource: Associate user define routing table to subnet
    resource "azurerm_subnet_route_table_association" "UDR_asso_to_aks_subnet" {
      depends_on = [azurerm_route_table.aks_egress_fwrt]
      subnet_id      = azurerm_subnet.aks_subnet.id
      route_table_id = azurerm_route_table.aks_egress_fwrt.id
    }
    
    resource "azurerm_route_table" "aks_egress_fwrt" {
    
    ...
    ...
    
    

    Please make sure the association is created before the cluster by declaring the dependency explicitly on the cluster resource, e.g. `depends_on = [azurerm_subnet_route_table_association.UDR_asso_to_aks_subnet]` inside `resource "azurerm_kubernetes_cluster" "aks"`. Reordering the resource blocks alone will not change when Terraform creates them.

    Thank you.


