AdventureWorks: On-premises connectivity with Hub & Spoke, ARM template deployment is failing #814

Closed
akn9050 opened this issue Sep 22, 2021 · 7 comments

akn9050 commented Sep 22, 2021

Describe the bug:
AdventureWorks: On-premises connectivity with Hub & Spoke, ARM template deployment is failing, with the following errors for particular resource failures.

First failed resource: EntScale-SubnetNsgIdentity-centralus398ea8d5-d1d2-5f96-918a-595b

{
    "status": "Failed",
    "error": {
        "code": "DeploymentFailed",
        "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
        "details": [
            {
                "code": "BadRequest",
                "message": "{\r\n  \"error\": {\r\n    \"code\": \"InvalidCreatePolicyAssignmentRequest\",\r\n    \"message\": \"The policy definition specified in policy assignment 'Deny-Subnet-Without-Nsg' is out of scope. Policy definitions should be specified only at or above the policy assignment scope. If the management groups hierarchy changed recently or if assigning a management group policy to new subscription, please allow up to 30 minutes for the hierarchy changes to apply and try again.\"\r\n  }\r\n}"
            }
        ]
    }
}

Second failed resource: EntScale-CorpPeering-centralus398ea8d5-d1d2-5f96-918a-595b9b0
Error message:

{
    "status": "Failed",
    "error": {
        "code": "DeploymentFailed",
        "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
        "details": [
            {
                "code": "NotFound",
                "message": "{\r\n  \"error\": {\r\n    \"code\": \"InvalidResourceNamespace\",\r\n    \"message\": \"The resource namespace 'subscriptions' is invalid.\"\r\n  }\r\n}"
            }
        ]
    }
}

Third failed resource: EntScale-IDPeering-centralus398ea8d5-d1d2-5f96-918a-595b9b9d77b5

{
    "status": "Failed",
    "error": {
        "code": "DeploymentFailed",
        "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
        "details": [
            {
                "code": "NotFound",
                "message": "{\r\n  \"error\": {\r\n    \"code\": \"InvalidResourceNamespace\",\r\n    \"message\": \"The resource namespace 'subscriptions' is invalid.\"\r\n  }\r\n}"
            }
        ]
    }
}

Steps to reproduce

  1. Passed values to parameters as per the first screenshot below (Deployment - Review and Create)
  2. Second screenshot for deployment failure

Screenshots
Deployment - Review and Create:
image

Deployment failure:
image

akn9050 added the bug label Sep 22, 2021
Contributor

krnese commented Sep 22, 2021

Thanks. This is a known issue you potentially can run into, as described here: https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Known-Issues.md#deploying-the-reference-implementation-fails-due-to-policy--cannot-be-found-404

Resolution:

  1. Re-run the deployment
  2. Provide the exact same input parameters (management group prefix & use the same deployment location).

Can you try this and report back?

@krnese krnese self-assigned this Sep 22, 2021
@krnese krnese added the waiting for response label Sep 22, 2021
Author

akn9050 commented Sep 22, 2021

Thanks @krnese for the prompt response.

I have tried this and it fixed the deployment of one resource, EntScale-SubnetNsgIdentity-centralus398ea8d5-d1d2-5f96-918a-595b.
But the other two resource deployments, Second and Third mentioned above, are still failing. I tried to deploy the template 4 times with exactly the same input parameters, no luck with that. Please suggest if it can be fixed somehow.

Any ETA on the permanent resolution for this? We are using this content for one of the labs of a workshop as part of Azure Immersion Workshop, and a lot of attendees/students are going to use this content for practicing ES solutions.

Thanks,
Amit Kumar

@daltondhcp
Contributor

Hi @akn9050,

I can see that you have selected the same subscription (L3 - ES MANAGEMENT SUB - 1558) for Management and Connectivity, which is not supported.
When selecting the 'dedicated' subscription option, you need to use different/dedicated subscriptions for the platform. If you want to use the same subscription for all platform functions you can select the 'single platform subscription' option.

Can you please give it a try and report back your results?

Author

akn9050 commented Sep 23, 2021

Hi @daltondhcp, thanks for your response. I will try it today and will get back with updates on it.

Author

akn9050 commented Sep 23, 2021

Hi @daltondhcp, we tried a dedicated subscription for each platform, and it fixed the deployment issue; however, intermittent deployment issues are still there with the ARM template, which are getting fixed by redeploying the template with the same input parameters.

The screenshots in the guide here, https://github.com/Azure/Enterprise-Scale/wiki/Deploying-Enterprise-Scale, are misleading: in these screenshots, after selecting dedicated subscriptions for the platform, the management subscription is selected for both Management and Connectivity platforms. Please enhance the guide and update the screenshots.

Thanks for the help and support!

Amit

Contributor

krnese commented Sep 23, 2021

Thanks, we will update the screenshots so they are not confusing in terms of subscription uniqueness for each platform aspect.

@krnese krnese closed this as completed Sep 23, 2021
Author

akn9050 commented Oct 5, 2021

Hi @krnese, @daltondhcp, today the deployment failed with another error; however, redeploying the template with the same input parameters fixed the issue. I am seeing these kinds of intermittent failures, which are getting fixed by redeploying the template.
Please find the screenshot and error message below:
Error Message:

EntScale-RDPIdentity-centralus: this deployment failed
{
    "status": "Failed",
    "error": {
        "code": "DeploymentFailed",
        "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
        "details": [
            {
                "code": "BadRequest",
                "message": "{\r\n  \"error\": {\r\n    \"code\": \"InvalidCreatePolicyAssignmentRequest\",\r\n    \"message\": \"The policy definition specified in policy assignment 'Deny-RDP-from-internet' is out of scope. Policy definitions should be specified only at or above the policy assignment scope. If the management groups hierarchy changed recently or if assigning a management group policy to new subscription, please allow up to 30 minutes for the hierarchy changes to apply and try again.\"\r\n  }\r\n}"
            }
        ]
    }
}


@ghost ghost locked as resolved and limited conversation to collaborators Jan 11, 2022
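
The error payloads quoted in this thread carry the real failure as a second JSON document encoded inside the outer `message` string. As an added example (not part of the original thread or of the Enterprise-Scale project), the Python below unwraps that inner document and reports which policy assignment, if any, was left unapplied by the failed run. The names `inner_errors`, `triage` and `HINTS` are hypothetical, and the action hints are assumptions drawn only from the replies in this thread, not general ARM semantics.

```python
import json
import re

# Constructed sample: the first payload from this thread, inner message shortened.
SAMPLE = r'''{"status": "Failed", "error": {"code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed.",
  "details": [{"code": "BadRequest",
    "message": "{\r\n \"error\": {\r\n \"code\": \"InvalidCreatePolicyAssignmentRequest\",\r\n \"message\": \"The policy definition specified in policy assignment 'Deny-Subnet-Without-Nsg' is out of scope.\"\r\n }\r\n}"}]}}'''

ASSIGNMENT_RE = re.compile(r"policy assignment '([^']+)' is out of scope")

# Assumption: hints reflect what resolved each error in this thread only.
HINTS = {
    "InvalidCreatePolicyAssignmentRequest": "retry-same-parameters",
    "InvalidResourceNamespace": "check-subscription-selection",
}

def inner_errors(payload):
    """Yield (code, message) per detail, unwrapping JSON nested in 'message'."""
    for detail in json.loads(payload).get("error", {}).get("details", []):
        code, message = detail.get("code"), detail.get("message") or ""
        try:
            inner = json.loads(message).get("error", {})
            code = inner.get("code", code)
            message = inner.get("message", message)
        except (ValueError, TypeError, AttributeError):
            pass  # message was plain text: keep the outer code and message
        yield code, message

def triage(payload):
    """Return one finding per failed operation in a deployment error payload."""
    findings = []
    for code, message in inner_errors(payload):
        match = ASSIGNMENT_RE.search(message)
        findings.append({
            "code": code,
            "action": HINTS.get(code, "investigate"),
            # A named assignment here means that guardrail is not yet in place.
            "unapplied_policy": match.group(1) if match else None,
        })
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A non-empty `unapplied_policy` means the named deny policy is not enforced at that scope until a later deployment succeeds.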