Azure SQL managed instance bicep deployment issue

prasantc 976 Reputation points
2023-12-15T15:36:57.5266667+00:00

Azure SQL Managed Instance is unable to run, as it finds a bunch of routing intent NSG rules automatically added in Azure, therefore breaking the idempotency of Bicep's declarative syntax. I am getting these errors (output redacted):

All the errors fail on NSGs that were not defined in the deployment but were added during the deployment by MS to get the MI running. I used as much code as documented in the MS docs, but the routing intent NSG manifested on its own and now redeployment fails. It doesn't even allow me to delete the NSG. I am deleting the MI hoping to delete the NSG after that and redeploy, but it is painful for a resource that takes more than 2 hours to delete, especially when I need to understand these phantom resources and redeploy several times:

/subscriptions/abcd173-6666-888888-1171c6f3767/resourceGroups/avt-eus-dr-ase-apps-pctestappkpg5-rg/providers/Microsoft.Network/networkSecurityGroups/avt-eus-dr-ase-apps-pctestappkpg5-sqlmi-NSG conflicts with Network Intent Policy: mi_default_6cc22758-e99e-subxxxx
Network Security Rule Name: deny_all_inbound, Id: /subscriptions/abcd173-6666-888888-1171c6f3767/resourceGroups/xyz-eus-dr-ase-apps-pctestappkpg5-rg/providers/Microsoft.Network/networkSecurityGroups/xyz-eus-dr-ase-apps-pctestappkpg5-sqlmi-NSG/securityRules/deny_all_inbound, Access: Deny, Direction: Inbound, Protocol: *, SourceAddressPrefix: *, SourcePortRange: *, DestinationAddressPrefix: *, DestinationPortRange: * conflicts with
Network Intent Policy Security Rule: Name: mi-healthprobe-in-173-168-66-32-27-v11, Id: /subscriptions/abcd173-6666-888888-1171c6f3767/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-healthprobe-in-173-168-66-32-27-v11, Access: Allow, Direction: Inbound, Protocol: *, SourceAddressPrefix: AzureLoadBalancer, SourcePortRange: *, DestinationAddressPrefix: 173.168.66.32/27, DestinationPortRange: *
----
Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: mi-internal-in-173-168-66-32-27-v11, Id: /subscriptions/abcd173-6666-888888-1171c6f3767/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-internal-in-173-168-66-32-27-v11, Access: Allow, Direction: Inbound, Protocol: *, SourceAddressPrefix: 173.168.66.32/27, SourcePortRange: *, DestinationAddressPrefix: 173.168.66.32/27, DestinationPortRange: *
----
Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: mi-aad-out-173-168-66-32-27-v11, Id: /subscriptions/abcd173-6666-888888-1171c6f3767/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-aad-out-173-168-66-32-27-v11, Access: Allow, Direction: Outbound, Protocol: Tcp, SourceAddressPrefix: 173.168.66.32/27, SourcePortRange: *, DestinationAddressPrefix: AzureActiveDirectory, DestinationPortRange: 443
----
Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: mi-onedsc-out-173-168-66-32-27-v11, Id: /subscriptions/abcd173-6666-888888-1171c6f3767/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-onedsc-out-173-168-66-32-27-v11, Access: Allow, Direction: Outbound, Protocol: Tcp, SourceAddressPrefix: 173.168.66.32/27, SourcePortRange: *, DestinationAddressPrefix: OneDsCollector, DestinationPortRange: 443
----
Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: mi-internal-out-173-168-66-32-27-v11, Id: /subscriptions/abcd173-6666-888888-1171c6f3767/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-internal-out-173-168-66-32-27-v11, Access: Allow, Direction: Outbound, Protocol: *, SourceAddressPrefix: 173.168.66.32/27, SourcePortRange: *, DestinationAddressPrefix: 173.168.66.32/27, DestinationPortRange: *
----
Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: mi-strg-p-out-173-168-66-32-27-v11, Id: /subscriptions/abcd173-6666-888888-1171c6f3767/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-strg-p-out-173-168-66-32-27-v11, Access: Allow, Direction: Outbound, Protocol: *, SourceAddressPrefix: 173.168.66.32/27, SourcePortRange: *, DestinationAddressPrefix: Storage.eastus, DestinationPortRange: 443
----
Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: mi-strg-s-out-173-168-66-32-27-v11, Id: /subscriptions/abcd173-6666-888888-1171c6f3767/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-strg-s-out-173-168-66-32-27-v11, Access: Allow, Direction: Outbound, Protocol: *, SourceAddressPrefix: 173.168.66.32/27, SourcePortRange: *, DestinationAddressPrefix: Storage.westus, DestinationPortRange: 443
---- ---- ----
(Code: ConflictWithNetworkIntentPolicy)
Status Message: Found conflicts with NetworkIntentPolicy. Details: RouteTable cannot have resources which conflict with its subnets' network intent policies.
Route Table: /subscriptions/abcd173-6666-888888-yyyyxxxc/resourceGroups/xyz-eus-dr-ase-apps-pctestappkpg5-rg/providers/Microsoft.Network/routeTables/xyz-eus-dr-ase-apps-pctestappkpg5-sqlmi-rt does not meet exact route match requirements of Network Intent Policy: mi_default_6cc22758-e99e-subxxxx
Route Table doesn't have exact match Route for Network Intent Policy Route: Name: subnet-173-168-66-32-27-to-vnetlocal, Id: /subscriptions/abcd173-6666-888888-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/routes/subnet-173-168-66-32-27-to-vnetlocal, AddressPrefix: 173.168.66.32/27, NextHopType: VnetLocal, NextHopIpAddress:
Route Table doesn't have exact match Route for Network Intent Policy Route: Name: mi-AzureActiveDirectory, Id: /subscriptions/abcd173-6666-888888-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/routes/mi-AzureActiveDirectory, AddressPrefix: AzureActiveDirectory, NextHopType: Internet, NextHopIpAddress:
Route Table doesn't have exact match Route for Network Intent Policy Route: Name: mi-OneDsCollector, Id: /subscriptions/abcd173-6666-888888-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/routes/mi-OneDsCollector, AddressPrefix: OneDsCollector, NextHopType: Internet, NextHopIpAddress:
Route Table doesn't have exact match Route for Network Intent Policy Route: Name: mi-Storage.eastus, Id: /subscriptions/abcd173-6666-888888-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/routes/mi-Storage.eastus, AddressPrefix: Storage.eastus, NextHopType: Internet, NextHopIpAddress:
Route Table doesn't have exact match Route for Network Intent Policy Route: Name: mi-Storage.westus, Id: /subscriptions/abcd173-6666-888888-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/routes/mi-Storage.westus, AddressPrefix: Storage.westus, NextHopType: Internet, NextHopIpAddress:
---- ----
(Code: ConflictWithNetworkIntentPolicy)
Status Message: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details. (Code: DeploymentFailed)

The raw error payloads behind the two status messages:

{ "error": { "code": "ConflictWithNetworkIntentPolicy", "message": "Found conflicts with NetworkIntentPolicy. Details: Network Security Group cannot have resources which conflict with its subnets' network intent policies.\r\nNetwork Security Group: /subscriptions/abcd173-6666-888888-yyyyxxxc/resourceGroups/xyz-eus-dr-ase-apps-pctestappkpg5-rg/providers/Microsoft.Network/networkSecurityGroups/xyz-eus-dr-ase-apps-pctestappkpg5-sqlmi-NSG conflicts with Network Intent Policy: mi_default_6cc22758-e99e-subxxxx\r\n Network Security Rule Name: deny_all_inbound, Id: /subscriptions/abcd173-6666-888888-yyyyxxxc/resourceGroups/xyz-eus-dr-ase-apps-pctestappkpg5-rg/providers/Microsoft.Network/networkSecurityGroups/xyz-eus-dr-ase-apps-pctestappkpg5-sqlmi-NSG/securityRules/deny_all_inbound, Access: Deny, Direction: Inbound, Protocol: *, SourceAddressPrefix: *, SourcePortRange: *, DestinationAddressPrefix: *, DestinationPortRange: * conflicts with \r\n Network Intent Policy Security Rule: Name: mi-healthprobe-in-173-168-66-32-27-v11, Id: /subscriptions/abcd173-6666-888888-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-healthprobe-in-173-168-66-32-27-v11, Access: Allow, Direction: Inbound, Protocol: *, SourceAddressPrefix: AzureLoadBalancer, SourcePortRange: *, DestinationAddressPrefix: 173.168.66.32/27, DestinationPortRange: *\r\n ----\r\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: mi-internal-in-173-168-66-32-27-v11, Id: /subscriptions/abcd173-6666-888888-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-internal-in-173-168-66-32-27-v11, Access: Allow, Direction: Inbound, Protocol: *, SourceAddressPrefix: 173.168.66.32/27, SourcePortRange: *, DestinationAddressPrefix: 173.168.66.32/27, DestinationPortRange: *\r\n ----\r\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: mi-aad-out-173-168-66-32-27-v11, Id: /subscriptions/abcd173-f5ce-4169-982c-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-aad-out-173-168-66-32-27-v11, Access: Allow, Direction: Outbound, Protocol: Tcp, SourceAddressPrefix: 173.168.66.32/27, SourcePortRange: *, DestinationAddressPrefix: AzureActiveDirectory, DestinationPortRange: 443\r\n ----\r\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: mi-onedsc-out-173-168-66-32-27-v11, Id: /subscriptions/abcd173-f5ce-4169-982c-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-onedsc-out-173-168-66-32-27-v11, Access: Allow, Direction: Outbound, Protocol: Tcp, SourceAddressPrefix: 173.168.66.32/27, SourcePortRange: *, DestinationAddressPrefix: OneDsCollector, DestinationPortRange: 443\r\n ----\r\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: mi-internal-out-173-168-66-32-27-v11, Id: /subscriptions/abcd173-f5ce-4169-982c-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-internal-out-173-168-66-32-27-v11, Access: Allow, Direction: Outbound, Protocol: *, SourceAddressPrefix: 173.168.66.32/27, SourcePortRange: *, DestinationAddressPrefix: 173.168.66.32/27, DestinationPortRange: *\r\n ----\r\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: mi-strg-p-out-173-168-66-32-27-v11, Id: /subscriptions/abcd173-f5ce-4169-982c-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-strg-p-out-173-168-66-32-27-v11, Access: Allow, Direction: Outbound, Protocol: *, SourceAddressPrefix: 173.168.66.32/27, SourcePortRange: *, DestinationAddressPrefix: Storage.eastus, DestinationPortRange: 443\r\n ----\r\n Network Security Group doesn't have supporting Security Rule for Network Intent Policy Security Rule: Name: mi-strg-s-out-173-168-66-32-27-v11, Id: /subscriptions/abcd173-f5ce-4169-982c-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_6cc22758-e99e-subxxxx/securityRules/mi-strg-s-out-173-168-66-32-27-v11, Access: Allow, Direction: Outbound, Protocol: *, SourceAddressPrefix: 173.168.66.32/27, SourcePortRange: *, DestinationAddressPrefix: Storage.westus, DestinationPortRange: 443\r\n ----\r\n---- ----", "details": [] } } (Code:BadRequest)

{ "error": { "code": "ConflictWithNetworkIntentPolicy", "message": "Found conflicts with NetworkIntentPolicy. Details: RouteTable cannot have resources which conflict with its subnets' network intent policies.\r\nRoute Table: /subscriptions/prexx-f5ce-4169-982c-yyyyxxxc/resourceGroups/xyz-eus-dr-ase-apps-pctestappkpg5-rg/providers/Microsoft.Network/routeTables/xyz-eus-dr-ase-apps-pctestappkpg5-sqlmi-rt does not meet exact route match requirements of Network Intent Policy: mi_default_6cc22758-e99e-subxxxx\r\n Route Table doesn't have exact match Route for Network Intent Policy Route: Name: subnet-173-168-66-32-27-to-vnetlocal, Id: /subscriptions/prexx-f5ce-4169-982c-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_123456-e99e-subxxxx/routes/subnet-173-168-66-32-27-to-vnetlocal, AddressPrefix: 173.168.66.32/27, NextHopType: VnetLocal, NextHopIpAddress: \r\n Route Table doesn't have exact match Route for Network Intent Policy Route: Name: mi-AzureActiveDirectory, Id: /subscriptions/prexx-f5ce-4169-982c-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_123456-e99e-subxxxx/routes/mi-AzureActiveDirectory, AddressPrefix: AzureActiveDirectory, NextHopType: Internet, NextHopIpAddress: \r\n Route Table doesn't have exact match Route for Network Intent Policy Route: Name: mi-OneDsCollector, Id: /subscriptions/prexx-f5ce-4169-982c-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_123456-e99e-subxxxx/routes/mi-OneDsCollector, AddressPrefix: OneDsCollector, NextHopType: Internet, NextHopIpAddress: \r\n Route Table doesn't have exact match Route for Network Intent Policy Route: Name: mi-Storage.eastus, Id: /subscriptions/prexx-f5ce-4169-982c-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_123456-e99e-subxxxx/routes/mi-Storage.eastus, AddressPrefix: Storage.eastus, NextHopType: Internet, NextHopIpAddress: \r\n Route Table doesn't have exact match Route for Network Intent Policy Route: Name: mi-Storage.westus, Id: /subscriptions/prexx-f5ce-4169-982c-yyyyxxxc/resourceGroups/xyz-eus-dr-ntw-rg/providers/Microsoft.Network/networkIntentPolicies/mi_default_123456-e99e-subxxxx/routes/mi-Storage.westus, AddressPrefix: Storage.westus, NextHopType: Internet, NextHopIpAddress: \r\n---- ----", "details": [] } } (Code:BadRequest)

CorrelationId: 00-6fc8-467e-ad4c-444455677

Azure SQL Database

Accepted answer
  1. Dan Rios 2,020 Reputation points MVP
    2023-12-19T16:15:20.87+00:00

    Hi,

    I've come across this issue myself; it's anti-deployment/idempotent in my opinion. To get around this you must specify all the network intent NSG and routing rules. I've already created these v11 network intent rules in Bicep here:

    https://gist.github.com/riosengineer/3cbb4bf725030d0ee54f3944a35427d8

    This will then make the SQL MI deployment functional - I am able to consistently deploy my Bicep after adding the rules from the above Bicep.

    There's more information on the intent rules, from which I built this Bicep, here:

    https://learn.microsoft.com/en-gb/azure/azure-sql/managed-instance/connectivity-architecture-overview?view=azuresql&tabs=current#mandatory-security-rules-with-service-aided-subnet-configuration

    In addition, there is a GitHub issue here that explains the issue too (of which I've also shared my Bicep code): https://github.com/Azure/bicep-types-az/issues/1755

    Please mark this answer as accepted if you found it useful :)


1 additional answer

  1. prasantc 976 Reputation points
    2023-12-19T19:06:02.94+00:00

    I deployed from the MS Bicep module. I imported and decompiled it and created each NSG and routing rule exactly the same, assigning parameters for the IP subnet conversion by replacing . and / with -, and now I am able to redeploy it.

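An added pre-deployment check, not code from either post, the MS module or the linked gist: it models the two checks the error above reports (an NSG "supporting Security Rule" per intent rule, and an "exact match" route per intent route) using the v11 rule and route list from that error and the naming convention from the follow-up (the subnet prefix with . and / replaced by -). Assumptions: one primary and one secondary storage region, "supporting" means an Allow rule with the same five traffic fields regardless of name or priority, and the rule/route dict shapes are mine.

```python
def subnet_tag(prefix: str) -> str:
    """'173.168.66.32/27' -> '173-168-66-32-27': the suffix Azure puts in the v11 rule names."""
    return prefix.replace(".", "-").replace("/", "-")

def required_nsg_rules(prefix: str, primary: str, secondary: str) -> dict:
    """Mandatory Allow rules from the error above: name -> (direction, protocol, source, destination, destinationPort)."""
    t = subnet_tag(prefix)
    return {
        f"mi-healthprobe-in-{t}-v11": ("Inbound", "*", "AzureLoadBalancer", prefix, "*"),
        f"mi-internal-in-{t}-v11": ("Inbound", "*", prefix, prefix, "*"),
        f"mi-aad-out-{t}-v11": ("Outbound", "Tcp", prefix, "AzureActiveDirectory", "443"),
        f"mi-onedsc-out-{t}-v11": ("Outbound", "Tcp", prefix, "OneDsCollector", "443"),
        f"mi-internal-out-{t}-v11": ("Outbound", "*", prefix, prefix, "*"),
        f"mi-strg-p-out-{t}-v11": ("Outbound", "*", prefix, f"Storage.{primary}", "443"),
        f"mi-strg-s-out-{t}-v11": ("Outbound", "*", prefix, f"Storage.{secondary}", "443"),
    }

def required_routes(prefix: str, primary: str, secondary: str) -> dict:
    """Mandatory routes from the error above: name -> (addressPrefix, nextHopType); these are matched exactly."""
    return {
        f"subnet-{subnet_tag(prefix)}-to-vnetlocal": (prefix, "VnetLocal"),
        "mi-AzureActiveDirectory": ("AzureActiveDirectory", "Internet"),
        "mi-OneDsCollector": ("OneDsCollector", "Internet"),
        f"mi-Storage.{primary}": (f"Storage.{primary}", "Internet"),
        f"mi-Storage.{secondary}": (f"Storage.{secondary}", "Internet"),
    }

FIELDS = ("direction", "protocol", "source", "destination", "destinationPort")

def missing_nsg_rules(nsg_rules: list, prefix: str, primary: str, secondary: str) -> list:
    """Intent rules with no supporting Allow rule: same five traffic fields, any name or priority (assumption)."""
    have = {tuple(r[f] for f in FIELDS) for r in nsg_rules if r["access"] == "Allow"}
    return sorted(n for n, spec in required_nsg_rules(prefix, primary, secondary).items() if spec not in have)

def missing_routes(routes: list, prefix: str, primary: str, secondary: str) -> list:
    """Intent routes with no exact (addressPrefix, nextHopType) match; the same prefix via another hop does not count."""
    have = {(r["addressPrefix"], r["nextHopType"]) for r in routes}
    return sorted(n for n, spec in required_routes(prefix, primary, secondary).items() if spec not in have)

def supporting_rules(prefix: str, primary: str, secondary: str, first_priority: int = 100) -> list:
    """One Allow rule per intent rule, numbered from first_priority so they take precedence over a blanket deny."""
    return [dict(zip(("name",) + FIELDS, (name,) + spec), access="Allow", priority=first_priority + 10 * i)
            for i, (name, spec) in enumerate(required_nsg_rules(prefix, primary, secondary).items())]

# Constructed sample in the shape of the question's NSG: only a blanket deny_all_inbound, at low precedence.
SAMPLE_NSG = [{"name": "deny_all_inbound", "access": "Deny", "priority": 4000, "direction": "Inbound",
               "protocol": "*", "source": "*", "destination": "*", "destinationPort": "*"}]
```

Against the sample, `missing_nsg_rules(SAMPLE_NSG, "173.168.66.32/27", "eastus", "westus")` reports all seven rules named in the error, and an empty route list reports all five routes; appending `supporting_rules(...)` clears the NSG findings.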
