CIDR math?

[JohnDelisle]

What's the idiomatic way to perform CIDR math in Bicep?

How for example do I calculate the Xth IP in a subnet, or split a prefix into two smaller prefixes?

[brwilkinson]

I am not sure if there is a one size fits all solution here, however perhaps this may give you a few ideas.

I always assign a networkid for any given Hub/Spoke deployment. I always assign a /20 address space, so that I can create either 8 * 512 (ip's) environments OR I can define 16 * 256 (ip's) Environments. I always assign 1 VNET per resource group. So I can essentially deploy 1 Hub, then 15 spokes OR 1 hub and 7 spokes, that all get peered from the Hub. I always assign the Hub as 0, then I can use lets say 1 to 7 OR 1 to 15 for the other resource groups. That number is what I call the deploymentID.

For the example lets say we are using the 8 * 512 model.

Globally I assign the /20 as below. .. I actually assign 1 of these in the primary region and a different one in the secondary/partner region, obviously this ensures no overlapping ip's.
https://github.com/brwilkinson/AzureDeploymentFramework/blob/9f56b47369b7d5e2c28187ecb5b8592ccf66d05f/ADF/tenants/AOA/Global-ACU1.json#L8
This is passed in via the 'Global' parameter, I use that below.

    "networkId": [
      "10.10.",
      144
    ],
    "DNSServers": [
      "10.10.144.75",
      "10.10.144.76"
    ],

Then whenever I create a resource group (an Environment), which also has the VNET, I pass in the DeploymentID which is 0 up to 8... I use that to calculate the networkID that I actually assign on the VNET for the addressPrefix, then also use it to construct the subnet addresses as well.

https://github.com/brwilkinson/AzureDeploymentFramework/blob/9f56b47369b7d5e2c28187ecb5b8592ccf66d05f/ADF/bicep/VNET.bicep#L62

Below I carve up the 512 addresses (which is why it's a /23) into smaller subnets, however I actually show also dedicating a full 256 (of the 512) to MT02 (the mid tier 02 subnet).

var networkId = '${Global.networkid[0]}${string((Global.networkid[1] - (2 * int(DeploymentID))))}'
var networkIdUpper = '${Global.networkid[0]}${string((1 + (Global.networkid[1] - (2 * int(DeploymentID)))))}'
var addressPrefixes = [
  '${networkId}.0/23'
]

then on my subnets, I simply define them as follows:

https://github.com/brwilkinson/AzureDeploymentFramework/blob/9f56b47369b7d5e2c28187ecb5b8592ccf66d05f/ADF/tenants/AOA/azuredeploy.1.ACU1.T5.parameters.json#L317

"SubnetInfo": [
          {
            "name": "snMT01",
            "prefix": "0/27",
            "NSG": 1,
            "FlowLogEnabled": true,
            "FlowAnalyticsEnabled": true,
            "delegations": "Microsoft.Web/serverfarms"
          },
          {
            "name": "snFE01",
            "prefix": "32/27",
            "NSG": 1,
            "FlowLogEnabled": true,
            "FlowAnalyticsEnabled": true
          },
          {
            "name": "snBE02",
            "prefix": "64/28",
            "NSG": 1,
            "Route": 1,
            "FlowLogEnabled": true,
            "FlowAnalyticsEnabled": true,
            "delegations": "Microsoft.ContainerInstance/containerGroups"
          },
          {
            "name": "snBE01", // APIM Dedicated
            "prefix": "80/28",
            "NSG": 1,
            "Route": 1,
            "FlowLogEnabled": true,
            "FlowAnalyticsEnabled": true
          },
          {
            "name": "AzureBastionSubnet",
            "prefix": "96/27",
            "NSG": 1,
            "FlowLogEnabled": true,
            "FlowAnalyticsEnabled": true
          },
          {
            "name": "snWAF01",
            "prefix": "128/25",
            "NSG": 1,
            "Route": 0,
            "FlowLogEnabled": true,
            "FlowAnalyticsEnabled": true
          },
          {
            "name": "snMT02",
            "prefix": "0/24",
            "NSG": 1,
            "Route": 1,
            "FlowLogEnabled": true,
            "FlowAnalyticsEnabled": true
          }
        ]

Then when creating the VNET, you can see I just concatenate the networkid with the prefix from the subnets lookup.
https://github.com/brwilkinson/AzureDeploymentFramework/blob/9f56b47369b7d5e2c28187ecb5b8592ccf66d05f/ADF/bicep/VNET.bicep#L109

resource VNET 'Microsoft.Network/virtualNetworks@2021-02-01' = {
  name: '${Deployment}-vn'
  location: resourceGroup().location
  properties: {
    addressSpace: {
      addressPrefixes: addressPrefixes
    }
    dhcpOptions: {
      dnsServers: array(DNSServers)
    }
    subnets: [for sn in SubnetInfo: {
      name: sn.name
      properties: {
        addressPrefix: '${((sn.name == 'snMT02') ? networkIdUpper : networkId)}.${sn.Prefix}'
        networkSecurityGroup: ((contains(sn, 'NSG') && (sn.NSG == 1)) ? json('{"id":"${string(resourceId('Microsoft.Network/networkSecurityGroups', '${Deploymentnsg}-nsg${sn.name}'))}"}') : json('null'))
        routeTable: ((contains(sn, 'Route') && (sn.Route == 1)) ? RouteTableGlobal : json('null'))
        privateEndpointNetworkPolicies: 'Disabled'
        delegations: (contains(sn, 'delegations') ? delegations[sn.delegations] : delegations.default)
      }
    }]
  }
}

So I know this may seem complicated, however it means that I know I can easily deploy 8 or 16 environments and the subnet and address space is always automatically generated (when doing hub/spoke). if I need to define a load balancer or vm with a static IP, I can just give it the single IP and it always calculates it to the environment that it is currently being deployed into. i.e. I just pass in the last octet IP and it then figures out the rest. So as an example below the load balancer front end ip is just 254.

https://github.com/brwilkinson/AzureDeploymentFramework/blob/9f56b47369b7d5e2c28187ecb5b8592ccf66d05f/ADF/tenants/AOA/azuredeploy.1.ACU1.T5.parameters.json#L1027

          {
            "LBName": "API",
            "ASName": "API",
            "Sku": "Standard",
            "Type": "Private",
            "BackEnd": [
              "API"
            ],
            "FrontEnd": [
              {
                "LBFEName": "API",
                "SNName": "MT02",
                "LBFEIP": "254"

So hopefully this may give you some ideas and you can see that you can do inline math with + - * Etc.

If this is not helpful, feel free to share some more specific ideas that you have or what kind of calculations that you want to perform Etc?

[JohnDelisle]

@brwilkinson Wow, thank you for taking the time to deliver such a detailed write-up. Your approach makes sense in the context of your ADF, which I'm going to take a deep look at asap, it's very interesting.

For my simple needs, I have a multi-regional application that requires subnets of varying sizes due to network constraints outside of my control.

I want to apply a static IP to VMs serving as DNS servers in my regional VNets. They're the targets of conditional forwarder zones in AD to handle private endpoint DNS resolution.

In Terraform, it's easy to say "use the 5th IP in the prefix" using their built-in CIDR functions, and regardless the prefix, it'll return the IP. All my per-environment code needs to pass is "dns_host_number = 5", and the modules themselves do the subnet math and assignment of the fifth IP using the functions. It makes my environment configuration crisp and consistent.

Unfortunately because I have inconsistent prefix sizes to contend with, I don't think I can apply your approach without some re-engineering. I'll give it some thought.

I feel like this is an oversight by MS - CIDR functions are important, I'd expect them to be built-in like in Terraform. I suppose I could tokenize my environment configs and use some powershell to massage them and do the CIDR math prior to deployment.. but that feels like a cludge.

[brwilkinson]

Oh yeah, I think I see what you mean given your example.

So it is (mainly) this cidrhost functionality that you are after?

https://www.terraform.io/docs/language/functions/cidrhost.html

[JohnDelisle]

Yes, I'm particularly after a cidrhost() replacement.

[JohnDelisle]

I'm playing with this idea, but I really dislike it for obvious reasons.

// works for a /24 or other prefixes ending in a .0
// it's a cludge, but there's no cidrhost() in Bicep

param vm_host_number int
param subnet_prefix string

var network = split(subnet_prefix, '/')[0]
var privateIPAddress = '${split(network, '.')[0]}.${split(network, '.')[1]}.${split(network, '.')[2]}.${vm_host_number}'

[brwilkinson]

@JohnDelisle yeah I can see the pain there.

I'll ask around and see if anyone has any ideas.

[brwilkinson]

@JohnDelisle

This is now being tracked #3975