How to assign an ASGs in different regions with the same name using AZ CLI

Question

How to assign an ASGs in different regions with the same name using AZ CLI

Harris, Sean 25

We are using terraform modules to synchronize ASGs, using the same ASG name, across multiple regions. I am trying to use the AZ CLI command to add the ASG to a host in the eastus region. There are currently two asgs with the same name xxx-asg in eastus and centralus.

When running the command:

az network nic ip-config update --name ipconfig --nic-name AVDNAME --resource-group AVDRG --application-security-groups XXX-ASG

I receive the following error:

(InvalidResourceReference) Resource /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/AVDRG/providers/Microsoft.Network/applicationSecurityGroups/XXX-ASG referenced by resource /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/AVDRG/providers/Microsoft.Network/networkInterfaces/AVDNAME-nic was not found. Please make sure that the referenced resource exists, and that both resources are in the same region.

Code: InvalidResourceReference

My question is: Is there a way to reference the ASG's ResourceGroup, or Region when assigning the ASG to the NIC so we can continue to use the same ASG names in different regions?

Thank you

Sean

Prrudram-MSFT 28,281 Reputation points Moderator

2023-10-18T04:49:53.96+00:00

@Harris, Sean

I am reviewing this internally to find you the help needed here. Please standby.
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-10-18T14:23:17.8033333+00:00

Hello @Harris, Sean ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Could you please confirm if both the ASGs with same name are in the same resource group or different resource groups?

Regards,

Gita
Harris, Sean 25 Reputation points

2023-10-18T14:25:40.47+00:00

Hello Gita,

The ASGs are in difference resource groups but the same subscription
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-10-18T14:32:05.45+00:00

Thank you for the quick update, @Harris, Sean . I'm doing a lab for this; please allow me some time and I will keep you posted.
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-10-25T09:10:17.3933333+00:00

@Harris, Sean , Just checking in to see if you had a chance to see the below answer. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer.

And, if you have any further questions do let us know.
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-10-26T15:36:44.2833333+00:00

@Harris, Sean , Just checking in to see if you had a chance to see the below answer. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer.

And, if you have any further questions do let us know.
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-10-27T12:49:35.39+00:00

Hello @Harris, Sean ,

Could you please provide an update on this post?

Kindly let us know if the below helps or you need further assistance on this issue.

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Accepted answer

0 additional answers

Your answer

Prrudram-MSFT 28,281 Reputation points Moderator

2023-10-18T04:49:53.96+00:00

@Harris, Sean

I am reviewing this internally to find you the help needed here. Please standby.
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-10-18T14:23:17.8033333+00:00

Hello @Harris, Sean ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Could you please confirm if both the ASGs with same name are in the same resource group or different resource groups?

Regards,

Gita
Harris, Sean 25 Reputation points

2023-10-18T14:25:40.47+00:00

Hello Gita,

The ASGs are in difference resource groups but the same subscription
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-10-18T14:32:05.45+00:00

Thank you for the quick update, @Harris, Sean . I'm doing a lab for this; please allow me some time and I will keep you posted.
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-10-25T09:10:17.3933333+00:00

@Harris, Sean , Just checking in to see if you had a chance to see the below answer. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer.

And, if you have any further questions do let us know.
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-10-26T15:36:44.2833333+00:00

@Harris, Sean , Just checking in to see if you had a chance to see the below answer. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer.

And, if you have any further questions do let us know.
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-10-27T12:49:35.39+00:00

Hello @Harris, Sean ,

Could you please provide an update on this post?

Kindly let us know if the below helps or you need further assistance on this issue.

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Answer 1

Hello @Harris, Sean ,

I understand that you would like to know if there is a way to reference the ASG's Resource Group or Region when assigning the ASG to the NIC so that you can continue to use the same ASG names in different regions.

Yes, you can achieve this via Azure CLI, but you need to keep a few things in mind as below:

You can add NICs only to application security groups in the same virtual network and location as the NIC.

All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in.

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?tabs=azure-cli#add-or-remove-from-application-security-groups

https://learn.microsoft.com/en-us/azure/virtual-network/application-security-groups#allow-database-businesslogic

So, make sure that the ASG and the NIC to which you are assigning the ASG are both in the same region. They can be in different resource groups, but they should be in same region.

To add an ASG to a NIC via Azure CLI where both ASG and NIC are in same region but different resource groups, you can use the below commands:

#Put the ASG into a variable as below using the ASG resource ID which you would like to associate to the NIC:

asg=/subscriptions/xxxxxxxxxxxxxxx/resourceGroups/eastusrg1/providers/Microsoft.Network/applicationSecurityGroups/myasg

#Use the above ASG variable in the NIC update command to associate it:

az network nic ip-config update --name ipconfig1 --nic-name myvm909 --resource-group eastusrg --application-security-groups $asg

I confirmed this in my lab as below:

I have 2 ASGs in 2 different regions with the same name:

User's image

My NIC is in EastUS region but in a different resource group from the ASGs as below:

enter image description here

I used the above Azure CLI commands to add the EastUS ASG (eastusrg1 Resource Group) to a NIC in EastUS region (eastusrg Resource Group) and it worked successfully:

enter image description here

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Harris, Sean 25 Reputation points

2023-10-27T14:23:33.88+00:00

This worked perfectly. As long as I add the entire ID rather than just the NAME it works.

Thank you so much.

Share via

How to assign an ASGs in different regions with the same name using AZ CLI

0 additional answers

Your answer