Tags: azure-container-service, azure-sql-server

Adding a vnet rule through the AZ CLI fails with 500 errors


I'm experimenting with Azure AKS, and I'm running into problems with adding a vnet rule for my SQL server via the Azure CLI. It dies with an error:

Error occurred in request., RetryError: HTTPSConnectionPool(host='management.azure.com', port=443): Max retries exceeded with url:

/subscriptions/...path omitted.../mysql/virtualNetworkRules/my-vnet-rule?api-version=2015-05-01-preview (Caused by ResponseError('too many 500 error responses',))

This is what I've done so far:

az group create --name myrg --location centralus
az aks create -n mycluster  -g myrg --generate-ssh-keys
az aks get-credentials -g myrg -n mycluster
az sql server create --name mysql  -g myrg  --location centralus  --admin-user myuser --admin-password mypassword

At this point I end up with two RGs, one named "myrg" and one named "MC_myrg_mycluster_centralus". My SQL server is in "myrg" and there is a vnet "aks-vnet-1234567" in MC_*. The vnet contains a subnet "aks-subnet".

I then try to add the vnet rule:

az sql server vnet-rule create --name my-vnet-rule --server mysql --vnet "MC_myrg_mycluster_centralus/aks-vnet" -g mygroup --subnet "aks-subnet"

And get the error above.

I also tried specifying the vnet including the number postfix (e.g. aks-vnet-1234567) but same error.

This probably means I'm not using the right syntax somewhere. Could someone clarify?

AZ CLI 2.0.21 Linux (Ubuntu)


Solution

  • I solved it this way:

    1. Before this can be done, I needed to add sql to service endpoints:

      az network vnet subnet update -n aks-subnet -g myrg --vnet-name aks-vnet-xxx --service-endpoints "Microsoft.Sql"

    2. Reworked the query to use --subnet ID instead of --subnet NAME and --vnet-name. It should probably be doable using the previous syntax as well.

    Vnet-name will be something like /subscriptions/.../resourceGroups.../aks-subnet

    Your rule should now be created. You can also use -i to ignore service endpoints during the rule creation, but I believe that will end up with a disabled rule.
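The same procedure as the answer above, written as a script (this is an added example, not code from the question or the answer). It assumes the placeholder names from the question (myrg, mycluster, mysql, my-vnet-rule, aks-subnet) and the MC_<rg>_<cluster>_<location> naming of the AKS node resource group shown on this page; in practice it asks `az aks show --query nodeResourceGroup` for that name rather than guessing it, and looks up the vnet name because of its random numeric suffix. The az commands are only executed when the script is run with the argument `run`, so the helpers that build and validate the subnet resource ID can be checked offline.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Placeholder names (myrg, mycluster,
# mysql, my-vnet-rule) are assumptions taken from the question; override via env.
set -eu

RG="${RG:-myrg}"
CLUSTER="${CLUSTER:-mycluster}"
SQL_SERVER="${SQL_SERVER:-mysql}"
RULE_NAME="${RULE_NAME:-my-vnet-rule}"

# AKS creates its vnet in a second resource group named MC_<rg>_<cluster>_<location>.
# This reproduces the convention; the authoritative value comes from `az aks show`.
aks_node_resource_group() {
  printf 'MC_%s_%s_%s' "$1" "$2" "$3"
}

# Full ARM resource ID of a subnet. Passing this to --subnet removes the need for
# --vnet-name and avoids the name-vs-ID ambiguity in the question.
subnet_resource_id() {
  local sub="$1" rg="$2" vnet="$3" subnet="$4"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s' \
    "$sub" "$rg" "$vnet" "$subnet"
}

# Sanity check before handing the value to the CLI: rejects a bare subnet name.
is_subnet_resource_id() {
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.Network/virtualNetworks/*/subnets/*) return 0 ;;
    *) return 1 ;;
  esac
}

create_sql_vnet_rule() {
  local sub mc_rg vnet subnet_id
  sub="$(az account show --query id -o tsv)"
  # Ask AKS for the node resource group instead of reconstructing the MC_ name.
  mc_rg="$(az aks show -g "$RG" -n "$CLUSTER" --query nodeResourceGroup -o tsv)"
  # The vnet name carries a random suffix (aks-vnet-1234567), so look it up.
  vnet="$(az network vnet list -g "$mc_rg" --query '[0].name' -o tsv)"
  subnet_id="$(subnet_resource_id "$sub" "$mc_rg" "$vnet" aks-subnet)"
  is_subnet_resource_id "$subnet_id" || { echo "bad subnet id: $subnet_id" >&2; return 1; }

  # Step 1: the subnet needs the Microsoft.Sql service endpoint first. Without it the
  # rule creation fails, or (with --ignore-missing-endpoint / -i) the rule is not usable.
  az network vnet subnet update -g "$mc_rg" --vnet-name "$vnet" -n aks-subnet \
    --service-endpoints Microsoft.Sql -o none

  # Step 2: create the rule by subnet ID. Note the two resource groups: the SQL
  # server is in $RG, the subnet is in $mc_rg.
  az sql server vnet-rule create -g "$RG" --server "$SQL_SERVER" -n "$RULE_NAME" \
    --subnet "$subnet_id" -o none

  # Verify: the rule's state column should read Ready, not an error or disabled state.
  az sql server vnet-rule show -g "$RG" --server "$SQL_SERVER" -n "$RULE_NAME" -o table
}

if [ "${1:-}" = "run" ]; then
  create_sql_vnet_rule
fi
```

Run it as `./sql-vnet-rule.sh run` after `az login`; without the argument it only defines the functions, which is what makes the ID helpers testable without an Azure subscription.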