diff --git a/docs/CustomizingAzdParameters.md b/docs/CustomizingAzdParameters.md index b71a16a3..a5d6799e 100644 --- a/docs/CustomizingAzdParameters.md +++ b/docs/CustomizingAzdParameters.md @@ -17,7 +17,7 @@ By default this template will use the environment name as the prefix to prevent | `AZURE_ENV_MODEL_CAPACITY` | integer | `150` | Set the Model Capacity (choose a number based on available GPT model capacity in your subscription). | | `AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID` | string | Guide to get your [Existing Workspace ID](/docs/re-use-log-analytics.md) | Set this if you want to reuse an existing Log Analytics Workspace instead of creating a new one. | | `AZURE_ENV_IMAGETAG` | string | `latest` | Set the Image tag Like (allowed values: latest, dev, hotfix) | -| `AZURE_ENV_JUMPBOX_SIZE` | string | `Standard_DS2_v2` | Specifies the size of the Jumpbox Virtual Machine. Set a custom value if `enablePrivateNetworking` is `true`. | +| `AZURE_ENV_VM_SIZE` | string | `Standard_D2s_v5` | Specifies the size of the Jumpbox Virtual Machine (e.g., `Standard_D2s_v5`, `Standard_D2s_v4`). Set a custom value if `enablePrivateNetworking` is `true`. | | `AZURE_ENV_JUMPBOX_ADMIN_USERNAME` | string | `JumpboxAdminUser` | Specifies the administrator username for the Jumpbox Virtual Machine. | | `AZURE_ENV_JUMPBOX_ADMIN_PASSWORD` | string | `JumpboxAdminP@ssw0rd1234!` | Specifies the administrator password for the Jumpbox Virtual Machine. | | `AZURE_ENV_COSMOS_SECONDARY_LOCATION` | string | *(not set by default)* | Specifies the secondary region for Cosmos DB. Required if `enableRedundancy` is `true`. | diff --git a/docs/DeploymentGuide.md b/docs/DeploymentGuide.md index 5095a71b..1225a8aa 100644 --- a/docs/DeploymentGuide.md +++ b/docs/DeploymentGuide.md 
@@ -202,11 +202,11 @@ Copy the contents from the production configuration file to your main parameters > **Note:** This section only applies if you selected **Production** deployment type in section 3.1. VMs are not deployed in the default Development/Testing configuration. -By default, random GUIDs are generated for VM credentials. To set custom credentials: +By default, hard-coded fallback values are used for VM credentials (`JumpboxAdminUser` / `JumpboxAdminP@ssw0rd1234!`). To set custom credentials: ```shell -azd env set AZURE_ENV_VM_ADMIN_USERNAME -azd env set AZURE_ENV_VM_ADMIN_PASSWORD +azd env set AZURE_ENV_JUMPBOX_ADMIN_USERNAME +azd env set AZURE_ENV_JUMPBOX_ADMIN_PASSWORD ``` ### 3.3 Advanced Configuration (Optional) diff --git a/docs/TroubleShootingSteps.md b/docs/TroubleShootingSteps.md index 95ebe363..f684d93b 100644 --- a/docs/TroubleShootingSteps.md +++ b/docs/TroubleShootingSteps.md @@ -61,7 +61,7 @@ Use these as quick reference guides to unblock your deployments. | **ServiceQuotaExceeded** | Free tier service quota limit reached for Azure AI Search | This error occurs when you attempt to deploy an Azure AI Search service but have already reached the **free tier quota limit** for your subscription. Each Azure subscription is limited to **one free tier Search service**.

**Example error message:**
`ServiceQuotaExceeded: Operation would exceed 'free' tier service quota. You are using 1 out of 1 'free' tier service quota.`

**Common causes:**
  • Already have a free tier Azure AI Search service in the subscription
  • Previous deployment created a free tier Search service that wasn't deleted
  • Attempting to deploy multiple environments with free tier Search services

**Resolution:**
  • **Option 1: Delete existing free tier Search service:**
    `az search service list --query "[?sku.name=='free']" -o table`
    `az search service delete --name --resource-group --yes`
  • **Option 2: Upgrade to a paid SKU:**
    Modify your Bicep/ARM template to use `basic`, `standard`, or higher SKU instead of `free`
  • **Option 3: Use existing Search service:**
    Reference the existing free tier Search service in your deployment instead of creating a new one
  • **Request quota increase:**
    Submit a support request with issue type 'Service and subscription limits (quota)' and quota type 'Search' via [Azure Quota Request](https://aka.ms/AddQuotaSubscription)

**Reference:**
  • [Azure AI Search service limits](https://learn.microsoft.com/en-us/azure/search/search-limits-quotas-capacity)
  • [Azure AI Search pricing tiers](https://learn.microsoft.com/en-us/azure/search/search-sku-tier)
| | **InsufficientQuota** | Not enough quota available in subscription |
  • Check if you have sufficient quota available in your subscription before deployment
  • To verify, refer to the [quota_check](../docs/quota_check.md) file for details
| | **MaxNumberOfRegionalEnvironmentsInSubExceeded** | Maximum Container App Environments limit reached for region |This error occurs when you attempt to create more **Azure Container App Environments** than the regional quota limit allows for your subscription. Each Azure region has a specific limit on the number of Container App Environments that can be created per subscription.

**Common Causes:**
  • Deploying to regions with low quota limits (e.g., Sweden Central allows only 1 environment)
  • Multiple deployments without cleaning up previous environments
  • Exceeding the standard limit of 15 environments in most major regions

**Resolution:**
  • **Delete unused environments** in the target region, OR
  • **Deploy to a different region** with available capacity, OR
  • **Request quota increase** via [Azure Support](https://go.microsoft.com/fwlink/?linkid=2208872)

**Reference:**
  • [Azure Container Apps quotas](https://learn.microsoft.com/en-us/azure/container-apps/quotas)
  • [Azure subscription and service limits](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits)
| -| **SkuNotAvailable** | Requested SKU not available in selected location or zone | You receive this error in the following scenarios:
  • When the resource SKU you've selected, such as VM size, isn't available for a location or zone
  • If you're deploying an Azure Spot VM or Spot scale set instance, and there isn't any capacity for Azure Spot in this location. For more information, see Spot error messages
| +| **SkuNotAvailable** | Requested SKU not available in selected location or zone | This error occurs when the resource SKU you've selected (such as VM size) isn't available for the target location or availability zone.

**In this deployment**, the jumpbox VM defaults to `Standard_D2s_v5`. While this size is available in 60+ regions, certain regions or zones may not support it.

**Resolution:**
  • **Check SKU availability** for your target region:
    `az vm list-skus --location --size Standard_D2s --output table`
  • **Override the VM size** if the default isn't available in your region:
    `azd env set AZURE_ENV_VM_SIZE Standard_D2s_v4`
  • **Recommended alternatives** (all support accelerated networking + Premium SSD):
    - `Standard_D2s_v4` — previous gen, identical pricing
    - `Standard_D2as_v5` — AMD-based, similar pricing
    - `Standard_D2s_v3` — older gen, widely available
  • **Avoid A-series VMs** (e.g., `Standard_A2m_v2`) — they do not support accelerated networking or Premium SSD, which are required by this deployment

**Reference:**
  • [Resolve errors for SKU not available](https://learn.microsoft.com/en-us/azure/azure-resource-manager/troubleshooting/error-sku-not-available)
  • [Azure VM sizes - Dsv5 series](https://learn.microsoft.com/en-us/azure/virtual-machines/sizes/general-purpose/dsv5-series)
| | **Conflict - No available instances to satisfy this request** | Azure App Service has insufficient capacity in the region | This error occurs when Azure App Service doesn't have enough available compute instances in the selected region to provision or scale your app.

**Common Causes:**
  • High demand in the selected region (e.g., East US, West Europe)
  • Specific SKUs experiencing capacity constraints (Free, Shared, or certain Premium tiers)
  • Multiple rapid deployments in the same region

**Resolution:**
  • **Wait and Retry** (15-30 minutes): `azd up`
  • **Deploy to a New Resource Group** (Recommended for urgent cases):
    ```
    azd down --force --purge
    azd up
    ```
  • **Try a Different Region:**
    Update region in `main.bicep` or `azure.yaml` to a less congested region (e.g., `westus2`, `centralus`, `northeurope`)
  • **Use a Different SKU/Tier:**
    If using Free/Shared tier, upgrade to Basic or Standard
    Check SKU availability: `az appservice list-locations --sku `

**Reference:** [Azure App Service Plans](https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans) | -------------------------------- @@ -120,7 +120,7 @@ Use these as quick reference guides to unblock your deployments. |-----------------|-------------|------------------| | **NetcfgSubnetRangeOutsideVnet** | Subnet IP range outside virtual network address space |
  • Ensure the subnet's IP address range falls within the virtual network's address space
  • Always validate that the subnet CIDR block is a subset of the VNet range
  • For Azure Bastion, the AzureBastionSubnet must be at least /27
  • Confirm that the AzureBastionSubnet is deployed inside the VNet
| | **DisableExport_PublicNetworkAccessMustBeDisabled** | Public network access must be disabled when export is disabled |
  • **Check container source:** Confirm whether the deployment is using a Docker image or Azure Container Registry (ACR)
  • **Verify ACR configuration:** If ACR is included, review its settings to ensure they comply with Azure requirements
  • **Check export settings:** If export is disabled in ACR, make sure public network access is also disabled
  • **Redeploy after fix:** Correct the configuration and redeploy. This will prevent the Conflict error during deployment
  • For more information refer [ACR Data Loss Prevention](https://learn.microsoft.com/en-us/azure/container-registry/data-loss-prevention) document
| -| **VMSizeIsNotPermittedToEnableAcceleratedNetworking** | VM size does not support accelerated networking | This error occurs when you attempt to enable accelerated networking on a VM size that does not support it.

**How to reproduce:**
  • Create or deploy a VM (e.g., via ARM/Bicep) with size `Standard_A2m_v2`
  • In the network interface configuration, set `"enableAcceleratedNetworking": true`
  • Submit the request → Azure throws `VMSizeIsNotPermittedToEnableAcceleratedNetworking`

**Resolution:**
  • Use a supported VM size that supports accelerated networking
  • Check the [Microsoft list of supported VM sizes for accelerated networking](https://learn.microsoft.com/en-us/azure/virtual-network/accelerated-networking-overview#supported-vm-instances)
  • Alternatively, disable accelerated networking if the feature is not required for your workload
| +| **VMSizeIsNotPermittedToEnableAcceleratedNetworking** | VM size does not support accelerated networking | This error occurs when you attempt to enable accelerated networking on a VM size that does not support it. This deployment's jumpbox VM **requires** accelerated networking.

**Default VM size:** `Standard_D2s_v5` — supports accelerated networking.

**How this error happens:**
  • You override the VM size (via `AZURE_ENV_VM_SIZE`) with a size that doesn't support accelerated networking (e.g., `Standard_A2m_v2`, A-series, or B-series VMs)
  • Azure rejects the deployment with `VMSizeIsNotPermittedToEnableAcceleratedNetworking`

**Resolution:**
  • Use the default `Standard_D2s_v5`, or override with a D-series VM that supports accelerated networking:
    `azd env set AZURE_ENV_VM_SIZE Standard_D2s_v5`
  • **Supported alternatives:** `Standard_D2s_v4`, `Standard_D2as_v5`, `Standard_D2s_v3`
  • **Do NOT use:** A-series (`Standard_A2m_v2`), B-series (`Standard_B2s`) — these do not support accelerated networking
  • Check supported sizes: [Accelerated networking supported VM instances](https://learn.microsoft.com/en-us/azure/virtual-network/accelerated-networking-overview#supported-vm-instances)
| **NetworkSecurityGroupNotCompliantForAzureBastionSubnet** / **SecurityRuleParameterContainsUnsupportedValue** | NSG rules blocking required Azure Bastion ports | This error occurs when the Network Security Group (NSG) attached to `AzureBastionSubnet` explicitly denies inbound TCP ports 443 and/or 4443, which Azure Bastion requires for management and tunneling.

**How to reproduce:**
  • Deploy the template with `enablePrivateNetworking=true` so the virtualNetwork module creates `AzureBastionSubnet` and a Network Security Group that denies ports 443 and 4443
  • Attempt to deploy Azure Bastion into that subnet
  • During validation, Bastion detects the deny rules and fails with `NetworkSecurityGroupNotCompliantForAzureBastionSubnet`

**Resolution:**
  • Allow inbound TCP 443 and 4443 on `AzureBastionSubnet` by updating or removing the NSG deny rules
  • Alternatively, deploy Bastion to a subnet without restrictive NSG rules
  • For more details, refer to [Azure Bastion NSG requirements](https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg)
| | **RouteTableCannotBeAttachedForAzureBastionSubnet** | Route table attached to Azure Bastion subnet | This error occurs because Azure Bastion subnet (`AzureBastionSubnet`) has a platform restriction that prevents route tables from being attached.

**How to reproduce:**
  • In `virtualNetwork.bicep`, add `attachRouteTable: true` to the `AzureBastionSubnet` configuration:
    `{ name: 'AzureBastionSubnet', addressPrefixes: ['10.0.10.0/26'], attachRouteTable: true }`
  • Add a Route Table module to the template
  • Update subnet creation to attach route table conditionally:
    `routeTableResourceId: subnet.?attachRouteTable == true ? routeTable.outputs.resourceId : null`
  • Deploy the template → Azure throws `RouteTableCannotBeAttachedForAzureBastionSubnet`

**Resolution:**
  • Remove the `attachRouteTable: true` flag from `AzureBastionSubnet` configuration
  • Ensure no route table is associated with `AzureBastionSubnet`
  • Route tables can only be attached to other subnets, not `AzureBastionSubnet`
  • For more details, refer to [Azure Bastion subnet requirements](https://learn.microsoft.com/en-us/azure/bastion/configuration-settings#subnet)
| @@ -134,7 +134,7 @@ Use these as quick reference guides to unblock your deployments. | **Conflict - Cannot use the SKU Basic with File Change Audit for site** | File Change Audit not supported on Basic SKU |
  • This error happens because File Change Audit logs aren't supported on Basic SKU App Service Plans
  • Upgrading to Premium/Isolated SKU (supports File Change Audit), or
  • Disabling File Change Audit in Diagnostic Settings if you must stay on Basic
  • Always cross-check the [supported log types](https://aka.ms/supported-log-types) before adding diagnostic logs to your Bicep templates
| | **AccountPropertyCannotBeUpdated** | Read-only property cannot be modified after creation | The property **`isHnsEnabled`** (Hierarchical Namespace for Data Lake Gen2) is **read-only** and can only be set during **storage account creation**. Once a storage account is created, this property **cannot be updated**. Trying to update it via ARM template, Bicep, CLI, or Portal will fail.

**Resolution:**
  • Create a **new storage account** with `isHnsEnabled=true` if you require hierarchical namespace
  • Migration may be needed if you already have data
  • Refer to [Storage Account Update Restrictions](https://aka.ms/storageaccountupdate) for more details
| | **Conflict - Local authentication is disabled** | App Configuration store has local authentication disabled but application is using local auth mode | This error occurs when your Azure App Configuration store has **local authentication disabled** (`disableLocalAuth: true`) but your application is trying to access it using **connection strings or access keys** instead of **Azure AD/Managed Identity authentication**.

**Example error message:**
`The operation cannot be performed because the configuration store is using local authentication mode and local authentication is disabled. To enable access to data plane resources while local authentication is disabled, please use pass-through authentication mode.`

**Common causes:**
  • App Configuration store deployed with `disableLocalAuth: true` for security compliance
  • Application code using connection strings instead of Managed Identity
  • SDK client initialized with access keys rather than `DefaultAzureCredential`

**Resolution:**
  • **Option 1: Update application to use Managed Identity (Recommended)**
    ```python
    from azure.identity import DefaultAzureCredential
    from azure.appconfiguration import AzureAppConfigurationClient

    credential = DefaultAzureCredential()
    client = AzureAppConfigurationClient(
    endpoint="https://your-appconfig.azconfig.io",
    credential=credential
    )
    ```
  • **Option 2: Re-enable local authentication (Not recommended for production)**
    Set `disableLocalAuth: false` in your Bicep/ARM template
  • **Ensure proper RBAC assignment:** Verify that the Managed Identity has `App Configuration Data Reader` or `App Configuration Data Owner` role assigned

**Reference:**
  • [Disable local authentication in Azure App Configuration](https://learn.microsoft.com/en-us/azure/azure-app-configuration/howto-disable-access-key-authentication)
  • [Use Managed Identities to access App Configuration](https://learn.microsoft.com/en-us/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity)
| -| **PropertyChangeNotAllowed** | Immutable VM property cannot be changed after creation | This error occurs when you attempt to modify an immutable property (such as `osProfile.adminUsername`) on an existing VM.

**Cause (Azure Limitation):**
Once a VM is created, the `osProfile.adminUsername` property is immutable and cannot be changed. If you modify the VM username or password in the template and redeploy, this issue will occur.

**Resolution:**
  • Delete the existing deployment and redeploy with new credentials:
    `azd down --force --purge`
  • Set new credentials before redeployment:
    `azd env set AZURE_ENV_VM_ADMIN_USERNAME "newusername"`
    `azd env set AZURE_ENV_VM_ADMIN_PASSWORD "NewSecurePassword123!"`
  • Redeploy:
    `azd up`

**Note:** Some VM properties are immutable by design. Always plan credential and configuration changes before initial deployment. | +| **PropertyChangeNotAllowed** | Immutable VM property cannot be changed after creation | This error occurs when you attempt to modify an immutable property (such as `osProfile.adminUsername`) on an existing VM.

**Cause (Azure Limitation):**
Once a VM is created, the `osProfile.adminUsername` property is immutable and cannot be changed. If you modify the VM username or password in the template and redeploy, this issue will occur.

**Resolution:**
  • Delete the existing deployment and redeploy with new credentials:
    `azd down --force --purge`
  • Set new credentials before redeployment:
    `azd env set AZURE_ENV_JUMPBOX_ADMIN_USERNAME "newusername"`
    `azd env set AZURE_ENV_JUMPBOX_ADMIN_PASSWORD "NewSecurePassword123!"`
  • Redeploy:
    `azd up`

**Note:** Some VM properties are immutable by design. Always plan credential and configuration changes before initial deployment. | ---------------------------------- diff --git a/infra/main.bicep b/infra/main.bicep index d79d5628..88b4efce 100644 --- a/infra/main.bicep +++ b/infra/main.bicep @@ -637,9 +637,9 @@ module virtualMachine 'br/public:avm/res/compute/virtual-machine:0.20.0' = if (e enableTelemetry: enableTelemetry computerName: take(virtualMachineResourceName, 15) osType: 'Windows' - vmSize: vmSize ?? 'Standard_D2s_v3' - adminUsername: vmAdminUsername ?? 'JumpboxAdminUser' - adminPassword: vmAdminPassword ?? 'JumpboxAdminP@ssw0rd1234!' + vmSize: !empty(vmSize) ? vmSize : 'Standard_D2s_v5' + adminUsername: !empty(vmAdminUsername) ? vmAdminUsername : 'JumpboxAdminUser' + adminPassword: !empty(vmAdminPassword) ? vmAdminPassword : 'JumpboxAdminP@ssw0rd1234!' managedIdentities: { systemAssigned: true } diff --git a/infra/main.json b/infra/main.json index 79030b7f..9141a8ca 100644 --- a/infra/main.json +++ b/infra/main.json @@ -6,10 +6,10 @@ "_generator": { "name": "bicep", "version": "0.41.2.15936", - "templateHash": "9733680305260753032" + "templateHash": "18262017557117529046" }, "name": "Modernize Your Code Solution Accelerator", - "description": "CSA CTO Gold Standard Solution Accelerator for Modernize Your Code. \n" + "description": "CSA CTO Gold Standard Solution Accelerator for Modernize Your Code. \r\n" }, "parameters": { "solutionName": { 
@@ -12902,11 +12902,11 @@ }, "dependsOn": [ "applicationInsights", + "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').ods)]", + "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').agentSvc)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageBlob)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').oms)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').monitor)]", - "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').ods)]", - "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').agentSvc)]", "dataCollectionEndpoint", "logAnalyticsWorkspace", "virtualNetwork" @@ -16625,13 +16625,13 @@ "value": "Windows" }, "vmSize": { - "value": "[coalesce(parameters('vmSize'), 'Standard_D2s_v3')]" + "value": "[if(not(empty(parameters('vmSize'))), parameters('vmSize'), 'Standard_D2s_v5')]" }, "adminUsername": { - "value": "[coalesce(parameters('vmAdminUsername'), 'JumpboxAdminUser')]" + "value": "[if(not(empty(parameters('vmAdminUsername'))), parameters('vmAdminUsername'), 'JumpboxAdminUser')]" }, "adminPassword": { - "value": "[coalesce(parameters('vmAdminPassword'), 'JumpboxAdminP@ssw0rd1234!')]" + "value": "[if(not(empty(parameters('vmAdminPassword'))), parameters('vmAdminPassword'), 'JumpboxAdminP@ssw0rd1234!')]" }, "managedIdentities": { "value": { @@ -31929,9 +31929,9 @@ }, "dependsOn": [ "aiServices", + "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').aiServices)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]", - "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]", "virtualNetwork" ] }, 
@@ -40182,8 +40182,8 @@ }, "dependsOn": [ "appIdentity", - "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageBlob)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageFile)]", + "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageBlob)]", "logAnalyticsWorkspace", "virtualNetwork" ] diff --git a/infra/main.parameters.json b/infra/main.parameters.json index da8b3cc7..43bdc3da 100644 --- a/infra/main.parameters.json +++ b/infra/main.parameters.json @@ -38,15 +38,6 @@ "azureAiServiceLocation": { "value": "${AZURE_ENV_AI_SERVICE_LOCATION}" }, - "vmSize": { - "value": "${AZURE_ENV_JUMPBOX_SIZE}" - }, - "vmAdminUsername": { - "value": "${AZURE_ENV_JUMPBOX_ADMIN_USERNAME}" - }, - "vmAdminPassword": { - "value": "${AZURE_ENV_JUMPBOX_ADMIN_PASSWORD}" - }, "backendExists": { "value": "${SERVICE_BACKEND_RESOURCE_EXISTS=false}" }, diff --git a/infra/main.waf.parameters.json b/infra/main.waf.parameters.json index 98a1ead9..5b32c51e 100644 --- a/infra/main.waf.parameters.json +++ b/infra/main.waf.parameters.json @@ -38,15 +38,15 @@ "azureAiServiceLocation": { "value": "${AZURE_ENV_AI_SERVICE_LOCATION}" }, - "vmSize": { - "value": "${AZURE_ENV_JUMPBOX_SIZE}" - }, "vmAdminUsername": { "value": "${AZURE_ENV_JUMPBOX_ADMIN_USERNAME}" }, "vmAdminPassword": { "value": "${AZURE_ENV_JUMPBOX_ADMIN_PASSWORD}" }, + "vmSize": { + "value": "${AZURE_ENV_VM_SIZE}" + }, "backendExists": { "value": "${SERVICE_BACKEND_RESOURCE_EXISTS=false}" }, diff --git a/infra/main_custom.bicep b/infra/main_custom.bicep index 79076ca4..c1746731 100644 --- a/infra/main_custom.bicep +++ b/infra/main_custom.bicep 
@@ -566,9 +566,9 @@ module virtualMachine 'br/public:avm/res/compute/virtual-machine:0.20.0' = if (e enableTelemetry: enableTelemetry computerName: take(virtualMachineResourceName, 15) osType: 'Windows' - vmSize: vmSize ?? 'Standard_D2s_v3' - adminUsername: vmAdminUsername ?? 'JumpboxAdminUser' - adminPassword: vmAdminPassword ?? 'JumpboxAdminP@ssw0rd1234!' + vmSize: !empty(vmSize) ? vmSize : 'Standard_D2s_v5' + adminUsername: !empty(vmAdminUsername) ? vmAdminUsername : 'JumpboxAdminUser' + adminPassword: !empty(vmAdminPassword) ? vmAdminPassword : 'JumpboxAdminP@ssw0rd1234!' managedIdentities: { systemAssigned: true } diff --git a/infra/modules/virtualNetwork.bicep b/infra/modules/virtualNetwork.bicep index 54b507bc..82b158f6 100644 --- a/infra/modules/virtualNetwork.bicep +++ b/infra/modules/virtualNetwork.bicep 
@@ -170,10 +170,12 @@ param resourceSuffix string // VM Size Notes: // 1 B-series VMs (like Standard_B2ms) do not support accelerated networking. -// 2 Pick a VM size that does support accelerated networking (the usual jump-box candidates): -// Standard_DS2_v2 (2 vCPU, 7 GiB RAM, Premium SSD) // The most broadly available (it’s a legacy SKU supported in virtually every region). -// Standard_D2s_v3 (2 vCPU, 8 GiB RAM, Premium SSD) // next most common -// Standard_D2s_v4 (2 vCPU, 8 GiB RAM, Premium SSD) // Newest, so fewer regions available +// 2 Pick a VM size that supports accelerated networking + Premium SSD (the usual jump-box candidates): +// Standard_D2s_v5 (2 vCPU, 8 GiB RAM, Premium SSD/v2/Ultra) // DEFAULT - current-gen Intel, broad regional availability. +// Standard_D2as_v5 (2 vCPU, 8 GiB RAM, Premium SSD/Ultra) // AMD alternative, typically ~15% cheaper. +// Standard_D2s_v4 (2 vCPU, 8 GiB RAM, Premium SSD) // Previous gen, also broadly available. +// Standard_DS2_v2 (2 vCPU, 7 GiB RAM, Premium SSD) // Legacy SKU, being retired from some regions - avoid for new deployments. +// 3 A-series (Av2) is NOT suitable: no Premium SSD support, no accelerated networking. // Subnet Classless Inter-Domain Routing (CIDR) Sizing Reference Table (Best Practices) // | CIDR | # of Addresses | # of /24s | Notes | diff --git a/infra/samples/network-subnet-design.bicep b/infra/samples/network-subnet-design.bicep index 50347a91..63c90c39 100644 --- a/infra/samples/network-subnet-design.bicep +++ b/infra/samples/network-subnet-design.bicep 
@@ -110,7 +110,7 @@ import { jumpBoxConfigurationType } from 'network/jumpbox.bicep' @description('Optional. Configuration for the Jumpbox VM. Leave null to omit Jumpbox creation.') param jumpboxConfiguration jumpBoxConfigurationType = { name: 'vm-jumpbox-${resourcesName}' - size: 'Standard_D2s_v3' // Default size, can be overridden + size: 'Standard_D2s_v5' // Default size, can be overridden username: vmAdminUsername password: vmAdminPassword subnet: { diff --git a/infra/samples/network/network-resources.bicep b/infra/samples/network/network-resources.bicep index 7e2e8658..076d9ae1 100644 --- a/infra/samples/network/network-resources.bicep +++ b/infra/samples/network/network-resources.bicep @@ -75,7 +75,7 @@ module jumpbox 'jumpbox.bicep' = if (!empty(jumpboxConfiguration)) { params: { name: jumpboxConfiguration.?name ?? 'vm-jumpbox-${resourcesName}' vnetName: virtualNetwork.outputs.name - size: jumpboxConfiguration.?size ?? 'Standard_D2s_v3' + size: jumpboxConfiguration.?size ?? 'Standard_D2s_v5' logAnalyticsWorkspaceId: logAnalyticsWorkSpaceResourceId location: location subnet: jumpboxConfiguration.?subnet
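Review bot: In the `virtualMachine` module hunks in `infra/main.bicep` (@@ -637) and `infra/main_custom.bicep` (@@ -566), `adminPassword: !empty(vmAdminPassword) ? vmAdminPassword : 'JumpboxAdminP@ssw0rd1234!'` keeps a fixed, committed administrator password as the fallback, and the switch from `??` to `!empty()` now also routes an explicitly empty `vmAdminPassword` to that same literal, so every deployment that leaves the parameter unset or blank gets an identical, publicly known jumpbox credential. Suggest failing fast instead of falling back: declare `vmAdminPassword` (and `vmAdminUsername`) as `@secure()` parameters without a literal default and let the deployment error when they are empty, or restore a `newGuid()`-based parameter default as the DeploymentGuide's removed sentence described. The compiled `infra/main.json` hunk at @@ -16625 carries the same literal and needs regenerating after the fix.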
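Review bot: The replacement sentence in the `docs/DeploymentGuide.md` hunk (@@ -202) prints the fallback credentials (`JumpboxAdminUser` / `JumpboxAdminP@ssw0rd1234!`) in the public guide, so the incorrect claim that random GUIDs are generated is being corrected by documenting a shared default rather than by removing it; any Production deployment that skips this step ends up with a jumpbox whose admin credential is published in the docs. Suggest wording the step as mandatory once the template stops falling back, and giving the two `azd env set AZURE_ENV_JUMPBOX_ADMIN_USERNAME` / `azd env set AZURE_ENV_JUMPBOX_ADMIN_PASSWORD` lines a value placeholder (`<username>`, `<password>`), since as written they show no value at all.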
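Review bot: The `infra/main.parameters.json` hunk (@@ -38,15 +38,6) drops the `vmSize`, `vmAdminUsername` and `vmAdminPassword` mappings entirely, while `infra/main.waf.parameters.json` keeps them, so with the default parameters file `AZURE_ENV_JUMPBOX_ADMIN_USERNAME`, `AZURE_ENV_JUMPBOX_ADMIN_PASSWORD` and `AZURE_ENV_VM_SIZE` are silently ignored and the template's literal fallbacks apply whenever the VM is deployed from it. If the jumpbox is genuinely never deployed from this file (as the DeploymentGuide note about Development/Testing implies), say so in `docs/CustomizingAzdParameters.md`, which still lists these variables unconditionally; otherwise keep the three mappings so both parameter files behave the same.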
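Review bot: Renaming the wired variable from `AZURE_ENV_JUMPBOX_SIZE` to `AZURE_ENV_VM_SIZE` in the `infra/main.waf.parameters.json` hunk (@@ -38,15 +38,15) is a breaking change for existing azd environments: a previously set `AZURE_ENV_JUMPBOX_SIZE` no longer reaches `vmSize`, and the deployment falls back to `Standard_D2s_v5` without any warning. Suggest a migration line in `docs/CustomizingAzdParameters.md` (or the changelog) stating that the old name is no longer honoured and that users must re-run `azd env set AZURE_ENV_VM_SIZE <size>`.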
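Review bot: In the new `SkuNotAvailable` row of `docs/TroubleShootingSteps.md` (@@ -61), the check command `az vm list-skus --location --size Standard_D2s --output table` has no value after `--location`, so copying it verbatim fails; write it as `az vm list-skus --location <region> --size Standard_D2s --output table`. The row also asserts "available in 60+ regions" and "identical pricing" for `Standard_D2s_v4` without a source; availability and prices change, so either point at the Dsv5 sizes page already cited under Reference or drop the numbers.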
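Review bot: The updated `PropertyChangeNotAllowed` row in `docs/TroubleShootingSteps.md` (@@ -134) still gives `azd down --force --purge` as the first step without saying what it destroys: it removes every resource in the environment, and `--purge` additionally skips soft-delete retention for services that support it, so following the resolution as written in the Production configuration (the only one that deploys the VM) loses the environment's data. Add one sentence that data must be exported first, and present `"NewSecurePassword123!"` as a placeholder (`"<new-password>"`) so the literal is not copied as-is.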
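Review bot: The new comment block in `infra/modules/virtualNetwork.bicep` (@@ -170) puts pricing and lifecycle claims into source comments ("typically ~15% cheaper", "being retired from some regions") with no reference, and nothing in the file keeps them current. Suggest keeping only the technical facts the template depends on (vCPU, RAM, Premium SSD and accelerated-networking support) and pointing to the `SkuNotAvailable` row in `docs/TroubleShootingSteps.md` for the alternatives list, so there is a single place to update.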
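Review bot: In the `infra/main.json` metadata hunk (@@ -6), the `description` value changes from `\n` to `\r\n`, which shows the compiled template was generated from a CRLF checkout of `main.bicep`; this will flip between contributors and churn `templateHash` on every build. Suggest normalising line endings (for example a `.gitattributes` rule for `*.bicep`) and regenerating `main.json` so only the intended `vmSize` / credential changes land in the compiled output.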