Adding rule to existing NSG, but not in same ARM Template Deployment.

Category: azure automation

Question

TommyWebApp on Sat, 09 Feb 2019 17:29:22


Hi, 

I'm deploying an ARM Template, and I need to add a rule to an existing NSG within a different resource group.

        {
            "type": "Microsoft.Network/networkSecurityGroups/securityRules",
            "name": "[concat(parameters('nsgRule'), 'Test')]",
            "apiVersion": "2018-08-01",
            "properties": {
                "networkSecurityGroup": "[resourceId('NAME-RSG-NAME', 'Microsoft.Network/networkSecurityGroups/',variables('existingNSG'))]",
                "protocol": "TCP",
                "sourcePortRange": "*",
                "destinationPortRange": "80",
                "sourceAddressPrefix": "*",
                "destinationAddressPrefix": "*",
                "access": "Allow",
                "priority": 100,
                "direction": "Inbound",
                "sourcePortRanges": [],
                "destinationPortRanges": [],
                "sourceAddressPrefixes": [],
                "destinationAddressPrefixes": []
            }
        }

But I'm getting issues. The first issue is it's ignoring the resource group name and trying to locate the NSG in the ResourceGroup it's deploying to, and secondly if <g class="gr_ gr_17 gr-alert gr_tiny gr_spell gr_inline_cards gr_run_anim ContextualSpelling multiReplace" data-gr-id="17" id="17">i</g> remove the reference to the existing resource group name, a difference error appears 

as incorrect segment lengths. A nested resource type must have identical number of segments as its resource name. A root
          resource type must have segment length one greater than its resource name. Please see https://aka.ms/arm-template/#resources for usage details.'.

Any ideas?

Thanks


Replies

Stanislav Zhelyazkov on Mon, 11 Feb 2019 06:45:49


Hi,

It is unclear how exactly you execute the template. First you need to make sure that you execute the template against the resource group where the NSG is located. If your template is executed in another resource group different from the NSG group you can start deployment to that group:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-cross-resource-group-deployment

Also because your type is :

"Microsoft.Network/networkSecurityGroups/securityRules",

The resource name needs to be something like this:
"name": "[concat(variables('existingNSG'), '/', parameters('nsgRule'))]",

As you are missing these vital details I would suggest also go trough the ARM Template documentation again.

Mark this reply as answer if it has helped you.

TommyWebApp on Mon, 11 Feb 2019 08:39:03


Thanks, Stanislav.

The problem really is that the NSG is in a different resource group to where I'm deploying this template to.

So I need to use the Reference Function or ResourceID function to specify the NSG in the other ResourceGroup, so where do specify the function because this line seems to be ignored.

"networkSecurityGroup": "[resourceId('NAME-RSG-NAME', 'Microsoft.Network/networkSecurityGroups/',variables('existingNSG'))]",

Thanks


Stanislav Zhelyazkov on Mon, 11 Feb 2019 15:46:13


Hi,

As I have specified in my previous reply you need to make a deployment to the resource group where the NSG is located. Reference will not work as it is just reference. Please read the documentation on the links I have posted. Reference function is needed when you need to Take properties of resources located in the same resource groups or other resource groups. ReasoureId function is used when you need to take the resource id of resources in the same resource group or other resource groups. None of these functions does deployment in another RG.