[Storage] ip addresses with host bits set should be validated

[eric-therond]

Related command

az storage account network-rule add -g xxx --account-name xxx --ip-address 4.213.28.114/30

Description

It is possible through the azure portal to add ip addresses that have the host bits set but the az storage cli command doesn't accept that.

When an existing account storage has ip addresses with host bits set (added through the portal for instance) and then az storage account network-rule is used to add / remove ip addresses, the command will always fail, even if the ip addresses passed in parameter are valids and don't have host bit sets.

az storage account network-rule add -g xxx --account-name xxx --ip-address 137.135.190.48
The command failed with an unexpected error. Here is the traceback:
4.213.28.114/30 has host bits set

Here 4.213.28.114/30 is an existing ip address added through the portal.

Similar error in the past in another component:
#25031

[azure-client-tools-bot-prd]

Validation for Azure CLI Full Test Starting...

Thanks for your contribution!

[azure-client-tools-bot-prd]

Validation for Breaking Change Starting...

Thanks for your contribution!

[yonzhan]

Thank you for your contribution! We will review the pull request and get back to you soon.

[github-actions]

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

[microsoft-github-policy-service]

Thank you for your contribution @eric-therond! We will review the pull request and get back to you soon.

[calvinhzy]

Please add tests to this, I have tried creating 4.213.28.114/30 in portal and it was also not allowed. 4.213.28.112/30 is allowed.

[eric-therond]

@calvinhzy look at this test case:

1/ Add x.x.x.x/x (IP address with host bits) by any means (in my case 4.213.28.114/30 was added via Terraform/API and not via the portal, sorry for the mistake).

2/ Now that the previous IP address has been added, try adding or removing any kind of IP (with or without host bits set) with the CLI tool, an error will occur, the storage network-rule configuration is no longer manageable via the CLI tool.

[calvinhzy]

Hi @eric-therond, usually CLI follows portal user behavior and it seems they only allow the starting ip address with the netmask so 4.213.28.112/30 is allowed. Adding @necusjz on network module behavior.

[necusjz]

Hi @eric-therond, usually CLI follows portal user behavior and it seems they only allow the starting ip address with the netmask so 4.213.28.112/30 is allowed. Adding @necusjz on network module behavior.

afaik, we only support start ip.

[eric-therond]

I found a solution in my Terraform/API script to only add "valid" IPs addresses to the storage account. So for me it's ok now.

I think there is still an inconsistency with the portal.

Let's say we have a storage account with the following configuration:

You can see that 4.213.28.114/30 is not valid but was added with success via Terraform/API.

Now let's say I want to add an IP, any kind ok IP, to the above existing configuration, for instance: 176.141.98.215

With the portal it works, but with the cli it fails:

az storage account network-rule add -g xxx --account-name xxxx --ip-address 176.141.98.215
The command failed with an unexpected error. Here is the traceback:
4.213.28.114/30 has host bits set
Traceback (most recent call last):
  File "/opt/homebrew/Cellar/azure-cli/2.71.0/libexec/lib/python3.12/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.71.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 666, in execute
    raise ex
  File "/opt/homebrew/Cellar/azure-cli/2.71.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 734, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.71.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 703, in _run_job
    result = cmd_copy(params)