Add NAT Rule Only VM Check (#144)

mbrat2005 · web-flow · commit a6bab559f290 · 2025-06-05T14:31:00.000-06:00
* add validation check for mixed lb and as membership

* add nat rule only vm check
diff --git a/AzureBasicLoadBalancerUpgrade/module/AzureBasicLoadBalancerUpgrade/AzureBasicLoadBalancerUpgrade.psd1 b/AzureBasicLoadBalancerUpgrade/module/AzureBasicLoadBalancerUpgrade/AzureBasicLoadBalancerUpgrade.psd1
@@ -12,7 +12,7 @@
     RootModule = 'AzureBasicLoadBalancerUpgrade'
 
     # Version number of this module.
-    ModuleVersion = '2.4.24'
+    ModuleVersion = '2.5.0'
 
     # Supported PSEditions
     # CompatiblePSEditions = @()
@@ -107,7 +107,7 @@
             # IconUri = ''
 
             # ReleaseNotes of this module
-            ReleaseNotes = 'Added validation check for VM mixed LB backend pool and availability set membership.'
+            ReleaseNotes = 'Add check for NAT Rule member VMs outside backend pools on external LBs.'
 
             # Prerelease string of this module
             # Prerelease = 'beta'
diff --git a/AzureBasicLoadBalancerUpgrade/module/AzureBasicLoadBalancerUpgrade/modules/ValidateScenario/ValidateScenario.psm1 b/AzureBasicLoadBalancerUpgrade/module/AzureBasicLoadBalancerUpgrade/modules/ValidateScenario/ValidateScenario.psm1
@@ -79,6 +79,31 @@ function _GetScenarioBackendType {
     return $backendType
 }
 
+function _GetBackendMemberNicAndVM {
+    param(
+        [Parameter(Mandatory = $true)]
+        $backendIpConfigurationId
+    )
+       
+    $nic = Get-AzNetworkInterface -ResourceId ($backendIpConfigurationId -split '/ipconfigurations/')[0]
+
+    If (!$nic.VirtualMachineText) {
+        log -ErrorAction Stop -Severity 'Error' -Message "[Test-SupportedMigrationScenario] Load balancer '$($BasicLoadBalancer.Name)' backend pool member network interface '$($nic.id)' does not have an associated Virtual Machine. Backend pool members must be either a VMSS NIC or a NIC attached to a VM!"
+        return
+    }
+    Else {      
+        # add VM resources to array for later validation
+        try {
+            $vm = Get-AzVM -ResourceId $nic.VirtualMachine.id -ErrorAction Stop
+        }
+        catch {
+            log -terminateOnError -Severity 'Error' -Message "[Test-SupportedMigrationScenario] Error getting VM from NIC '$($nic.id)'. Error: $($_.Exception.Message)"
+        }
+
+        return $vm,$nic
+    }
+}
+
 Function Test-SupportedMigrationScenario {
     [CmdletBinding()]
     param (
@@ -406,29 +431,65 @@ Function Test-SupportedMigrationScenario {
         # create array of VMs associated with the load balancer for following checks and verify that NICs are associated to VMs
         $basicLBVMs = @()
         $basicLBVMNics = @()
+        $backendPoolVMs = @()
+        $natRuleOnlyVMs = @()
         foreach ($backendAddressPool in $BasicLoadBalancer.BackendAddressPools) {
             foreach ($backendIpConfiguration in $backendAddressPool.BackendIpConfigurations) {        
-                $nic = Get-AzNetworkInterface -ResourceId ($backendIpConfiguration.Id -split '/ipconfigurations/')[0]
-        
-                If (!$nic.VirtualMachineText) {
-                    log -ErrorAction Stop -Severity 'Error' -Message "[Test-SupportedMigrationScenario] Load balancer '$($BasicLoadBalancer.Name)' backend pool member network interface '$($nic.id)' does not have an associated Virtual Machine. Backend pool members must be either a VMSS NIC or a NIC attached to a VM!"
-                    return
+                $vm,$nic = _GetBackendMemberNicAndVM -backendIpConfigurationId $backendIpConfiguration.Id
+
+                $basicLBVMs += $vm
+                $backendPoolVMs += $vm
+                $basicLBVMNics += $nic
+            }
+        }
+        ## add VMs associcated directly to inbound NAT rules
+        foreach ($natRule in $BasicLoadBalancer.InboundNatRules) {
+            foreach ($natRuleBackendIpConfiguration in $natRule.BackendIpConfiguration) {
+                $vm,$nic = _GetBackendMemberNicAndVM -backendIpConfigurationId $natRuleBackendIpConfiguration.Id
+                
+                If ($vm.id -notin $backendPoolVMs.id) {
+                    $natRuleOnlyVMs += $vm
                 }
-                Else {      
-                    # add VM resources to array for later validation
-                    try {
-                        $basicLBVMs += Get-AzVM -ResourceId $nic.VirtualMachine.id -ErrorAction Stop
-                    }
-                    catch {
-                        log -terminateOnError -Severity 'Error' -Message "[Test-SupportedMigrationScenario] Error getting VM from NIC '$($nic.id)'. Error: $($_.Exception.Message)"
-                    }
 
-                    # add VM nics to array for later validation
-                    $basicLBVMNics += $nic
+                $basicLBVMs += $vm
+                $basicLBVMNics += $nic
+            }
+        }
+
+        # check if LB backend VMs does not have public IPs
+        log -Message "[Test-SupportedMigrationScenario] Checking if backend VMs have public IPs..."
+        $AnyVMsHavePublicIP = $false
+        $AllVMsHavePublicIPs = $true
+        ForEach ($VM in $basicLBVMs) {
+            $VMHasPublicIP = $false
+            :vmNICs ForEach ($nicId in $VM.NetworkProfile.NetworkInterfaces.Id) {
+                $nicConfig = Get-AzResource -Id $nicId | Get-AzNetworkInterface
+                ForEach ($ipConfig in $nicConfig.ipConfigurations) {
+                    If ($ipConfig.PublicIPAddress.Id) {
+                        $AnyVMsHavePublicIP = $true
+                        $VMHasPublicIP = $true
+
+                        break :vmNICs
+                    }
                 }
             }
+            If (!$VMHasPublicIP) {
+                $AllVMsHavePublicIPs = $false
+            }
         }
 
+        # check that all NAT Rule associated VMs are also in backend pools for external LBs
+        log -Message "[Test-SupportedMigrationScenario] Checking that all NAT Rule associated VMs are also in backend pools for external LBs or have Public IPs"
+        If ($scenario.ExternalOrInternal -eq 'External' -and $natRuleOnlyVMs -and !$AllVMsHavePublicIPs) {
+
+            $message = "[Test-SupportedMigrationScenario] The following VMs are associated with Inbound NAT Rules but not in the backend pool of the Basic Load Balancer: '$($natRuleOnlyVMs.Id -join ', ')' and not all VMs have Public IP addresses. All NAT Rule associated VMs must have public IPs associated or be in the backend pool of the Basic Load Balancer to have outbound network connectivity post-migration. Either add Public IPs to all VMs or re-run with the -Force parameter and configure outbound connectivity post-migration."
+            log -Message $message -Severity 'Error' -terminateOnError:$(!$force)
+
+            if ($force) {
+                log -Message "[Test-SupportedMigrationScenario] -Force or -ValidateOnly parameter was used, so continuing with migration validation"
+            }
+        }  
+
         # check if load balancer backend pool contains VMs which are part of another LBs backend pools
         log -Message "[Test-SupportedMigrationScenario] Checking if backend pools contain members which are members of another load balancer's backend pools..."
 
@@ -464,28 +525,6 @@ Function Test-SupportedMigrationScenario {
             log -Message "[Test-SupportedMigrationScenario] All VM load balancer associations are with the Basic LB(s) to be migrated." -Severity Information
         }        
 
-        # check if internal LB backend VMs does not have public IPs
-        log -Message "[Test-SupportedMigrationScenario] Checking if backend VMs have public IPs..."
-        $AnyVMsHavePublicIP = $false
-        $AllVMsHavePublicIPs = $true
-        ForEach ($VM in $basicLBVMs) {
-            $VMHasPublicIP = $false
-            :vmNICs ForEach ($nicId in $VM.NetworkProfile.NetworkInterfaces.Id) {
-                $nicConfig = Get-AzResource -Id $nicId | Get-AzNetworkInterface
-                ForEach ($ipConfig in $nicConfig.ipConfigurations) {
-                    If ($ipConfig.PublicIPAddress.Id) {
-                        $AnyVMsHavePublicIP = $true
-                        $VMHasPublicIP = $true
-
-                        break :vmNICs
-                    }
-                }
-            }
-            If (!$VMHasPublicIP) {
-                $AllVMsHavePublicIPs = $false
-            }
-        }
-
         # check if some backend VMs have ILIPs but not others
         If ($AnyVMsHavePublicIP -and !$AllVMsHavePublicIPs -and $Scenario.ExternalOrInternal -eq 'External') {
             $message = "[Test-SupportedMigrationScenario] Some but not all load balanced VMs have instance-level Public IP addresses and the load balancer is external. It is not supported to create an Outbound rule on a LB when any backend VM has a PIP; therefore, VMs which do not have PIPs will loose outbound internet connecticity post-migration."
@@ -580,7 +619,7 @@ Function Test-SupportedMigrationScenario {
         }
 
         # check if backend VMs are part of an Availability Set and if there are other members of the same availability set which are not part of the load balancer backend pool or inbound nat pools
-        log -Message "[Test-SupportedMigrationScenario] Checking if backend VMs are part of an Availability Set and if there are other members of the same availability set which are not part of the load balancer backend pool..."
+        log -Message "[Test-SupportedMigrationScenario] Checking if backend VMs are part of an Availability Set and if there are other members of the same availability set which are not part of the load balancer backend pool, NAT pool, or associated with NAT Rules..."
         $availabilitySetVMs = @()
         $availabilitySetReference = $basicLBVMs | Where-Object { $_.AvailabilitySetReference -ne $null } | Select-Object -ExpandProperty AvailabilitySetReference 
         
@@ -590,7 +629,7 @@ Function Test-SupportedMigrationScenario {
             $extraAvailabilitySetVMs = $availabilitySetVMs | Where-Object { $_ -notin $basicLBVMs.Id } | Sort-Object | Get-Unique
 
             If ($extraAvailabilitySetVMs) {
-                $message = "[Test-SupportedMigrationScenario] VMs ('$($extraAvailabilitySetVMs -join ';')') are part of an Availability Set and there are other members of the same Availability Set which are part of the load balancer backend pools. This is not supported for migration. To work around this, create a new backend pool on the basic LB which is not associated with a load balancing rule and add the extra VMs to it temporarily, then retry migration."
+                $message = "[Test-SupportedMigrationScenario] VMs ('$($extraAvailabilitySetVMs -join ';')') belong(s) to an Availability Set and there are other members of the same Availability Set which are part of the load balancer backend pools, NAT pools, or associated with NAT Rules. This is not supported for migration. To work around this, create a new backend pool on the basic LB which is not associated with a load balancing rule and add the extra VMs to it temporarily, then retry migration."
                 log -Message $message -Severity 'Error' -terminateOnError
             }
             Else {
diff --git a/AzureBasicLoadBalancerUpgrade/testEnvs/scenarios/118-vms-lb-nat-rules-ext-no-bep.bicep b/AzureBasicLoadBalancerUpgrade/testEnvs/scenarios/118-vms-lb-nat-rules-ext-no-bep.bicep
@@ -0,0 +1,164 @@
+targetScope = 'subscription'
+param location string
+param resourceGroupName string
+param randomGuid string = newGuid()
+
+// Resource Group
+module rg '../modules/Microsoft.Resources/resourceGroups/deploy.bicep' = {
+  name: '${resourceGroupName}-${location}'
+  params: {
+    name: resourceGroupName
+    location: location
+  }
+}
+
+// vnet
+module virtualNetworks '../modules/Microsoft.Network/virtualNetworks/deploy.bicep' = {
+  name: '${uniqueString(deployment().name)}-virtualNetworks'
+  scope: resourceGroup(resourceGroupName)
+  params: {
+    // Required parameters
+    location: location
+    addressPrefixes: [
+      '10.0.0.0/16'
+    ]
+    name: 'vnet-01'
+    subnets: [
+      {
+        name: 'subnet-01'
+        addressPrefix: '10.0.1.0/24'
+      }
+    ]
+  }
+  dependsOn: [
+    rg
+  ]
+}
+
+module publicIp01 '../modules/Microsoft.Network/publicIPAddresses/deploy.bicep' = {
+  name: 'pip-01'
+  params: {
+    name: 'pip-01'
+    location: location
+    publicIPAddressVersion: 'IPv4'
+    skuTier: 'Regional'
+    skuName: 'Basic'
+    publicIPAllocationMethod: 'Dynamic'
+  }
+  scope: resourceGroup(resourceGroupName)
+  dependsOn: [
+    rg
+  ]
+}
+
+// basic lb
+module loadbalancer '../modules/Microsoft.Network/loadBalancers_custom/deploy.bicep' = {
+  name: 'lb-basic01'
+  scope: resourceGroup(resourceGroupName)
+  params: {
+    name: 'lb-basic-01'
+    location: location
+    frontendIPConfigurations: [
+      {
+        name: 'fe-01'
+        publicIPAddressId: publicIp01.outputs.resourceId
+      }
+    ]
+    backendAddressPools: []
+    inboundNatRules: [
+      {
+        name: 'nat-01'
+        frontendIPConfigurationName: 'fe-01'
+        frontendPort: 81
+        backendPort: 81
+        protocol: 'Tcp'        
+      }
+    ]
+    loadBalancerSku: 'Basic'
+    loadBalancingRules: [
+    ]
+    probes: [
+      {
+        intervalInSeconds: 5
+        name: 'probe-01'
+        numberOfProbes: 2
+        port: '80'
+        protocol: 'Tcp'
+      }
+    ]
+  }
+  dependsOn: [
+    rg
+  ]
+}
+
+module storageAccounts '../modules/Microsoft.Storage/storageAccounts/deploy.bicep' = {
+  name: 'bootdiag-storage-01'
+  scope: resourceGroup(resourceGroupName)
+  params: {
+    name: 'bootdiag${uniqueString(deployment().name)}'
+    location: location
+    storageAccountSku: 'Standard_LRS'
+    storageAccountKind: 'StorageV2'
+    supportsHttpsTrafficOnly: true
+  }
+  dependsOn: [
+    rg
+  ]
+}
+
+module availabilitySet '../modules/Microsoft.Compute/availabilitySets/deploy.bicep' = {
+  scope: resourceGroup(resourceGroupName)
+  name: 'as-01'
+  params: {
+    location: location
+    name: 'as-01'
+  }
+  dependsOn: [
+    rg
+  ]
+}
+
+module vm '../modules/Microsoft.Compute/virtualMachines_custom/deploy.bicep' = {
+  scope: resourceGroup(resourceGroupName)
+  name: 'vm-01'
+  params: {
+    name: 'vm-01'
+    adminUsername: 'admin-vm'
+    adminPassword: '${uniqueString(randomGuid)}rpP@340'
+    availabilitySetResourceId: availabilitySet.outputs.resourceId
+    location: location
+    imageReference: {
+      offer: 'WindowsServer'
+      publisher: 'MicrosoftWindowsServer'
+      sku: '2022-Datacenter'
+      version: 'latest'
+    }
+    nicConfigurations: [
+      {
+        location: location
+        ipConfigurations: [
+          {
+            name: 'ipconfig1'
+            subnetResourceId: virtualNetworks.outputs.subnetResourceIds[0]
+            loadBalancerInboundNatRules: [
+              {
+                id: '${loadbalancer.outputs.resourceId}/inboundNatRules/nat-01'
+              }
+            ]
+          }
+        ]
+        nicSuffix: 'nic'
+      }
+    ]
+    osDisk: {
+      createOption: 'fromImage'
+      diskSizeGB: '128'
+      managedDisk: {
+        storageAccountType: 'Standard_LRS'
+      }
+    }
+    osType: 'Windows'
+    vmSize: 'Standard_DS1_v2'
+  }
+}
diff --git a/AzureBasicLoadBalancerUpgrade/testEnvs/scenarios/119-vms-lb-nat-rules-ext-no-bep-pip.bicep b/AzureBasicLoadBalancerUpgrade/testEnvs/scenarios/119-vms-lb-nat-rules-ext-no-bep-pip.bicep
