Azure · Gordonby · Mar 29, 2023 · Mar 16, 2023 · Mar 17, 2023 · Mar 17, 2023
diff --git a/bicep/main.bicep b/bicep/main.bicep
@@ -1054,6 +1054,7 @@ param AutoscaleProfile object = {
   'loadBalancer'
   'managedNATGateway'
   'userAssignedNATGateway'
+  'userDefinedRouting'
 ])
 @description('Outbound traffic type for the egress traffic of your cluster')
 param aksOutboundTrafficType string = 'loadBalancer'

diff --git a/bicep/network.bicep b/bicep/network.bicep
@@ -119,7 +119,7 @@ resource vnet_udr 'Microsoft.Network/routeTables@2022-07-01' = if (azureFirewall
       {
         name: 'AKSNodesEgress'
         properties: {
-          addressPrefix: '0.0.0.0/1'
+          addressPrefix: '0.0.0.0/0'
           nextHopType: 'VirtualAppliance'
           nextHopIpAddress: azureFirewalls ? calcAzFwIp.outputs.FirewallPrivateIp : null
         }

diff --git a/helper/src/components/deployTab.js b/helper/src/components/deployTab.js
@@ -107,7 +107,7 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray,
         ...(addons.appgwKVIntegration && addons.csisecret === 'akvNew' && { appgwKVIntegration: true })
       })
     }),
-    ...(net.vnet_opt === "byo" && {
+    ...(net.vnet_opt !== "default" && {
       ...(net.aksOutboundTrafficType !== defaults.net.aksOutboundTrafficType && {aksOutboundTrafficType: net.aksOutboundTrafficType})
     }),
     ...(cluster.keyVaultKms !== defaults.cluster.keyVaultKms && {

diff --git a/helper/src/components/networkTab.js b/helper/src/components/networkTab.js
@@ -158,6 +158,9 @@ export default function NetworkTab ({ defaults, tabValues, updateFn, invalidArra
                 <Stack horizontal tokens={{ childrenGap: 50 }}>
                     <Stack.Item>
                         <MessageBar messageBarType={MessageBarType.info}>NAT Gateway allows more traffic flows than a Load Balancer.<a target="_target" href="https://docs.microsoft.com/azure/aks/nat-gateway">docs</a></MessageBar>
+                        {net.aksOutboundTrafficType==='userDefinedRouting' && net.vnet_opt === 'byo' &&
+                          <MessageBar styles={{ root: { width:'400px', marginTop: '10px !important'}}} messageBarType={MessageBarType.warning}>Ensure that the AKS Subnet is configured with a UDR and that your Virtual Network Appliance is <Link href="https://learn.microsoft.com/azure/aks/limit-egress-traffic">properly configured</Link> to allow necessary traffic</MessageBar>
+                        }
                         {hasError(invalidArray, 'aksOutboundTrafficType') &&
                             <MessageBar messageBarType={MessageBarType.error}>{getError(invalidArray, 'aksOutboundTrafficType')}</MessageBar>
                         }
@@ -169,7 +172,8 @@ export default function NetworkTab ({ defaults, tabValues, updateFn, invalidArra
                             options={[
                                 { key: 'loadBalancer', text: 'Load Balancer'  },
                                 { key: 'managedNATGateway', text: 'Managed NAT Gateway' },
-                                { key: 'userAssignedNATGateway', text: 'Assigned NAT Gateway'}
+                                { key: 'userAssignedNATGateway', text: 'Assigned NAT Gateway'},
+                                { key: 'userDefinedRouting', text: 'User Defined Routing'}
                             ]}
                             onChange={(ev, { key }) => updateFn("aksOutboundTrafficType", key)}
                         />
@@ -182,7 +186,7 @@ export default function NetworkTab ({ defaults, tabValues, updateFn, invalidArra
                             label="Create NAT Gateway for AKS Subnet (Custom VNet Only)"
                         />
                         <Slider
-                            disabled={net.aksOutboundTrafficType==='loadBalancer' || net.vnet_opt === 'byo'}
+                            disabled={net.aksOutboundTrafficType==='loadBalancer' || net.aksOutboundTrafficType==='userDefinedRouting' || net.vnet_opt === 'byo'}
                             buttonProps={{ "data-testid": "net-natGwIp-slider"}}
                             styles={{ root: { width: 450 } }}
                             label={'Nat Gateway Ip Count'} min={1}  max={16} step={1}
@@ -191,7 +195,7 @@ export default function NetworkTab ({ defaults, tabValues, updateFn, invalidArra
                         />
 
                         <Slider
-                            disabled={net.aksOutboundTrafficType==='loadBalancer' || net.vnet_opt === 'byo'}
+                            disabled={net.aksOutboundTrafficType==='loadBalancer' || net.aksOutboundTrafficType==='userDefinedRouting' || net.vnet_opt === 'byo'}
                             buttonProps={{ "data-testid": "net-natGwTimeout-slider"}}
                             styles={{ root: { width: 450 } }}
                             label={'Nat Gateway Idle Timeout (Minutes)'} min={5}  max={120} step={1}
@@ -210,9 +214,9 @@ export default function NetworkTab ({ defaults, tabValues, updateFn, invalidArra
                     <MessageBar messageBarType={MessageBarType.error}>{getError(invalidArray, 'afw')}</MessageBar>
                 }
                 <Checkbox
-                    styles={{ root: { marginLeft: '50px', marginTop: '10 !important' } }}
+                    styles={{ root: { marginLeft: '50px', marginTop: '10px !important' } }}
                     disabled={net.vnet_opt !== 'custom'}
-                    errorMessage={getError(invalidArray, 'afw')}
+                    errorMessage={getError(invalidArray, 'afw(')}
                     checked={net.afw}
                     onChange={(ev, v) => updateFn("afw", v)}
                     label="Implement Azure Firewall & UDR next hop" />

diff --git a/helper/src/components/portalnav.js b/helper/src/components/portalnav.js
@@ -382,12 +382,23 @@ export default function PortalNav({ config }) {
   invalidFn('net', 'byoAKSSubnetId', net.vnet_opt === 'byo' && !net.byoAKSSubnetId.match('^/subscriptions/[^/ ]+/resourceGroups/[^/ ]+/providers/Microsoft.Network/virtualNetworks/[^/ ]+/subnets/[^/ ]+$'), 'Enter a valid Subnet Id where AKS nodes will be installed')
   invalidFn('net', 'byoAGWSubnetId', net.vnet_opt === 'byo' && addons.ingress === 'appgw' && !net.byoAGWSubnetId.match('^/subscriptions/[^/ ]+/resourceGroups/[^/ ]+/providers/Microsoft.Network/virtualNetworks/[^/ ]+/subnets/[^/ ]+$'), 'Enter a valid Subnet Id where Application Gateway is installed')
   invalidFn('net', 'vnet_opt', net.vnet_opt === "default" && (net.afw || net.vnetprivateend), 'Cannot use default networking of you select Firewall or Private Link')
-  invalidFn('net', 'afw', net.afw && net.vnet_opt !== "custom",
-    net.vnet_opt === "byo" ?
-      'Please de-select, when using Bring your own VNET, configure a firewall as part of your own VNET setup, (in a subnet or peered network)'
-      :
-      'This template can only deploy Azure Firewall in single VNET with Custom Networking')
-  invalidFn('net', 'aksOutboundTrafficType', (net.aksOutboundTrafficType === 'managedNATGateway' && net.vnet_opt !== "default") || (net.aksOutboundTrafficType === 'userAssignedNATGateway' && net.vnet_opt === "default"), 'When using Managed Nat Gateway, only default networking is supported. For other networking options, use Assigned NAT Gateway')
+  invalidFn('net', 'afw',
+    (net.afw && net.vnet_opt !== "custom") ||
+    (!net.afw && net.aksOutboundTrafficType === 'userDefinedRouting' && net.vnet_opt === "custom"),
+     net.afw && net.vnet_opt === "byo" ?
+     'Please de-select, when using Bring your own VNET, configure a firewall as part of your own VNET setup, (in a subnet or peered network)'
+     : net.afw && net.vnet_opt === "default" ?
+      'This template can only deploy Azure Firewall in single VNET with Custom Networking'
+     :'Ensure to select Azure Firewall when using Custom Networking and User Defined Routing for Outbound Traffic Type')
+
+  invalidFn('net', 'aksOutboundTrafficType',
+    (net.aksOutboundTrafficType === 'managedNATGateway' && net.vnet_opt !== "default") ||
+    (net.aksOutboundTrafficType === 'userAssignedNATGateway' && net.vnet_opt === "default") ||
+    (net.aksOutboundTrafficType === 'userDefinedRouting' && net.vnet_opt === "default"),
+     net.aksOutboundTrafficType === 'userDefinedRouting' ?
+     'When using User Defined Routing, only custom and Bring your Own networking is supported.'
+     :
+     'When using Managed Nat Gateway, only default networking is supported. For other networking options, use Assigned NAT Gateway')
   invalidFn('net', 'serviceCidr',  net.vnet_opt === "custom" && !isCidrValid(net.serviceCidr), invalidCidrMessage)
   invalidFn('net', 'podCidr', !isCidrValid(net.podCidr), invalidCidrMessage)
   invalidFn('net', 'dnsServiceIP', !isIPValid(net.dnsServiceIP), 'Enter a valid IP')