I'm experimenting with Azure AKS, and I'm running into problems with adding a vnet rule for my SQL server via the Azure CLI. It dies with an error:
Error occurred in request., RetryError: HTTPSConnectionPool(host='management.azure.com', port=443): Max retries exceeded with url:
/subscriptions/...path omitted.../mysql/virtualNetworkRules/my-vnet-rule?api-version=2015-05-01-preview (Caused by ResponseError('too many 500 error responses',))
This is what I've done so far:
az group create --name myrg --location centralus
az aks create -n mycluster -g myrg --generate-ssh-keys
az aks get-credentials -g myrg -n mycluster
az sql server create --name mysql -g myrg --location centralus --admin-user myuser --admin-password mypassword
at this point I end up with two RGs, one named "myrg" and one named "CM_myrg_mycluster_centralus". My SQL server is in "myrg" and there is a vnet "aks-vnet-1234567" in CM_*. The vnet contains a subnet "aks-subnet".
I then try to add the vnet rule:
az sql server vnet-rule create --name my-vnet-rule --server mysql --vnet "MC_myrg_mycluster_centralus/aks-vnet" -g mygroup --subnet "aks-subnet"
And get the error above.
I also tried specifying the vnet including the number postfix (e.g. aks-vnet-1234567) but same error.
This probably means I'm not using the right syntax somewhere. Could someone clarify?
AZ CLI 2.0.21 Linux (Ubuntu)
I solved it this way:
Before this can be done, I needed to add sql to service endpoints:
az network vnet subnet update -n aks-subnet -g myrg --vnet-name aks-vnet-xxx --service-endpoints "Microsoft.Sql"
Reworked the query to use --subnet ID instead of --subnet NAME and --vnet-name. It should probably be doable using the previous syntax as well.
Vnet-name will be something like /subscriptions/.../resourceGroups.../aks-subnet
Your rule should now be created. You can also use -i to ignore service endpoints during the rule creation, but i believe that will end up with a disabled rule.