ARM template for VM that includes ASG( application security group)

Question

ARM template for VM that includes ASG( application security group)

Mike 20

Hello,

I am working migrating our citrix environment to Azure. We use their app layering Appliance which uses ARM templates. We also use application security groups that each VM needs to be added to. For the life of me I cannot find anything about adding a vm to an ASG in the ARM template. Would anyone be able to point me in the right direction? If you cannot do it in an ARM template. Is there a way to auto add it to everything in a resource group?

Thank you in advance for any assistance.

Mike

Accepted answer

0 additional answers

Your answer

Answer 1

KapilAnanth-MSFT 49,536 Microsoft Employee Moderator

@Mike

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to know how to add an VM to an ASG using ARM Templates.

Technically, you can do it in a couple of ways.

If the VM is not yet created, and you are planning to create it with a new NIC : https://learn.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines?pivots=deployment-language-arm-template
- In this case, under "ipConfigurations"
Or you can add the NIC referenced by the VM to the ASG
In both these cases, the "id" references to the ASG Component created using : https://learn.microsoft.com/en-us/azure/templates/microsoft.network/applicationsecuritygroups?pivots=deployment-language-arm-template

With Powershell,

First, create an ASG : https://learn.microsoft.com/en-us/powershell/module/az.network/new-azapplicationsecuritygroup?view=azps-10.1.0
Then Update the IP Configuration of your NIC to add it to this ASG : https://learn.microsoft.com/en-us/powershell/module/az.network/set-aznetworkinterfaceipconfig?view=azps-10.1.0#2-associating-an-ip-configuration-with-an-application-security-group

$vnet = Get-AzVirtualNetwork -Name myvnet -ResourceGroupName myrg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name mysubnet -VirtualNetwork $vnet
$asg = Get-AzApplicationSecurityGroup -Name myasg -ResourceGroupName myrg
$nic = Get-AzNetworkInterface -Name nic1 -ResourceGroupName myrg
$nic | Set-AzNetworkInterfaceIpConfig -Name ipconfig1 -PrivateIpAddress 10.0.0.11 -Subnet $subnet -ApplicationSecurityGroup $asg -Primary
$nic | Set-AzNetworkInterface

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Mike 20 Reputation points

2023-07-18T13:04:34.61+00:00
I have tried to add under ipConfiguration and get the below error. But I can manually add it to the VM under network without a problem. I even tried copying from the site you listed and just changing the name. Everything is in the same region and since i can add it manually i don't get why it says it cannot find it. I tried to add by name and by full id.

<Error>

{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":

[{"code":"InvalidResourceReference","message":"Resource /subscriptions/Number/resourceGroups/Workstation-VM/providers/Microsoft.Network/applicationSecurityGroups/citrix_workstation_app_asg referenced by resource /subscriptions/number/resourceGroups/Workstation-VM/providers/Microsoft.Network/networkInterfaces/al-819224-nic was not found. Please make sure that the referenced resource exists, and that both resources are in the same region."}]}

Screen shot of security group name

Screen shot of it manually added to the machine

"ipConfigurations": [ { "name": "ipconfig1", "properties": { "privateIPAllocationMethod": "Dynamic", "subnet": { "id": "[variables('custom').subnetId]" }, "primary": true, "privateIPAddressVersion": "IPv4", "applicationSecurityGroups": [ { "id": "[variables('asgId')]" } ] } } ]

Under variables I have

"asgName": "citrix_workstation_app_asg", "asgId": "[resourceId('Microsoft.Network/applicationSecurityGroups',variables('asgName'))]"

Thank you for any assistance

KapilAnanth-MSFT 49,536 Microsoft Employee Moderator

I was able to successfully deploy a NIC and associate it to an ASG without any issue.

The template I used was,

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "networkInterfaces_asgnic_name": {
      "defaultValue": "asgnic",
      "type": "String"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2022-11-01",
      "name": "[parameters('networkInterfaces_asgnic_name')]",
      "location": "centralindia",
      "kind": "Regular",
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "id": "[concat(resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_asgnic_name')), '/ipConfigurations/ipconfig1')]",
            "etag": "W/\"22043fee-0af1-496b-be6a-ae7f4fd412fd\"",
            "type": "Microsoft.Network/networkInterfaces/ipConfigurations",
            "properties": {
              "provisioningState": "Succeeded",
              "privateIPAddress": "10.0.0.15",
              "privateIPAllocationMethod": "Dynamic",
              "subnet": {
                "id": "<SUBNET ID>"
              },
              "primary": true,
              "privateIPAddressVersion": "IPv4",
              "applicationSecurityGroups": [
                {
                  "id": "<ASG ID>"
                }
              ]
            }
          }
        ],
        "dnsSettings": {
          "dnsServers": []
        },
        "enableAcceleratedNetworking": true,
        "enableIPForwarding": false,
        "disableTcpStateTracking": false,
        "nicType": "Standard"
      }
    }
  ]
}

Can you try the above and let me know?

Cheers,

Kapil

Mike 20 Reputation points

2023-07-19T12:38:45.7833333+00:00

Using "id": "<ASG ID>" worked vs what was on the website. Thank you for your assistance.
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-07-20T03:49:00.4766667+00:00

@Mike

You are most welcome :)

Thanks for your continued contribution on Q&A and appreciate much for taking the time to share your feedback.

Cheers,

Kapil.

Share via

ARM template for VM that includes ASG( application security group)

0 additional answers

Your answer