func newNetworkProfile( client network.ManagementClient, vmName string, apiPort *int, internalSubnet *network.Subnet, resourceGroup string, location string, tags map[string]string, ) (*compute.NetworkProfile, error) { logger.Debugf("creating network profile for %q", vmName) // Create a public IP for the NIC. Public IP addresses are dynamic. logger.Debugf("- allocating public IP address") pipClient := network.PublicIPAddressesClient{client} publicIPAddressParams := network.PublicIPAddress{ Location: to.StringPtr(location), Tags: toTagsPtr(tags), Properties: &network.PublicIPAddressPropertiesFormat{ PublicIPAllocationMethod: network.Dynamic, }, } publicIPAddressName := vmName + "-public-ip" publicIPAddress, err := pipClient.CreateOrUpdate(resourceGroup, publicIPAddressName, publicIPAddressParams) if err != nil { return nil, errors.Annotatef(err, "creating public IP address for %q", vmName) } // Determine the next available private IP address. nicClient := network.InterfacesClient{client} privateIPAddress, err := nextSubnetIPAddress(nicClient, resourceGroup, internalSubnet) if err != nil { return nil, errors.Annotatef(err, "querying private IP addresses") } // Create a primary NIC for the machine. This needs to be static, so // that we can create security rules that don't become invalid. logger.Debugf("- creating primary NIC") ipConfigurations := []network.InterfaceIPConfiguration{{ Name: to.StringPtr("primary"), Properties: &network.InterfaceIPConfigurationPropertiesFormat{ PrivateIPAddress: to.StringPtr(privateIPAddress), PrivateIPAllocationMethod: network.Static, Subnet: &network.SubResource{internalSubnet.ID}, PublicIPAddress: &network.SubResource{publicIPAddress.ID}, }, }} primaryNicName := vmName + "-primary" primaryNicParams := network.Interface{ Location: to.StringPtr(location), Tags: toTagsPtr(tags), Properties: &network.InterfacePropertiesFormat{ IPConfigurations: &ipConfigurations, }, } primaryNic, err := nicClient.CreateOrUpdate(resourceGroup, primaryNicName, primaryNicParams) if err != nil { return nil, errors.Annotatef(err, "creating network interface for %q", vmName) } // Create a network security rule for the machine if we need to open // the API server port. if apiPort != nil { logger.Debugf("- querying network security group") securityGroupClient := network.SecurityGroupsClient{client} securityGroupName := internalSecurityGroupName securityGroup, err := securityGroupClient.Get(resourceGroup, securityGroupName) if err != nil { return nil, errors.Annotate(err, "querying network security group") } // NOTE(axw) this looks like TOCTTOU race territory, but it's // safe because we only allocate/deallocate rules in this // range during machine (de)provisioning, which is managed by // a single goroutine. Non-internal ports are managed by the // firewaller exclusively. nextPriority, err := nextSecurityRulePriority( securityGroup, securityRuleInternalSSHInbound+1, securityRuleInternalMax, ) if err != nil { return nil, errors.Trace(err) } apiSecurityRuleName := fmt.Sprintf("%s-api", vmName) apiSecurityRule := network.SecurityRule{ Name: to.StringPtr(apiSecurityRuleName), Properties: &network.SecurityRulePropertiesFormat{ Description: to.StringPtr("Allow API access to server machines"), Protocol: network.SecurityRuleProtocolTCP, SourceAddressPrefix: to.StringPtr("*"), SourcePortRange: to.StringPtr("*"), DestinationAddressPrefix: to.StringPtr(privateIPAddress), DestinationPortRange: to.StringPtr(fmt.Sprint(*apiPort)), Access: network.Allow, Priority: to.IntPtr(nextPriority), Direction: network.Inbound, }, } logger.Debugf("- creating API network security rule") securityRuleClient := network.SecurityRulesClient{client} _, err = securityRuleClient.CreateOrUpdate( resourceGroup, securityGroupName, apiSecurityRuleName, apiSecurityRule, ) if err != nil { return nil, errors.Annotate(err, "creating API network security rule") } } // For now we only attach a single, flat network to each machine. networkInterfaces := []compute.NetworkInterfaceReference{{ ID: primaryNic.ID, Properties: &compute.NetworkInterfaceReferenceProperties{ Primary: to.BoolPtr(true), }, }} return &compute.NetworkProfile{&networkInterfaces}, nil }