feat(azure): NSG firewaller support for dual-stack (Task 6) #22758
Draft
gfouillet wants to merge 2 commits into
- Implement FirewallFeatureQuerier on azureEnviron: SupportsRulesWithIPV6CIDRs returns true
- Extend securityGroupInfo struct to include optional IPv6 address
- Scan for IPv6 NIC configuration (primary-ipv6) in primarySecurityGroupInfo
- Add family-aware destination selection in openPortsOnGroup for IPv4/IPv6 CIDRs
- Replace blanket wildcard normalization in ingressRulesForGroup with family-aware logic
- Add unit tests for dual-stack NSG rules, IPv6-only rules on IPv4 machines, and wildcard normalization
- Add unit test for SupportsRulesWithIPV6CIDRs in environ_test.go

- Extract fetchIPv6Address: scans IPv6 config on NIC, returns pointer or nil
- Extract fetchPrimaryIPv4AndSecurityGroup: finds primary IPv4 and NSG, handles API calls
- Simplify primarySecurityGroupInfo: orchestrate the two helpers
- No functional change; improves separation of concerns and testability
## Why this change is needed and what it does

This PR implements Task 6 of JUJU-9599: Azure NSG firewaller support for dual-stack IPv6 ingress rules.

Azure NSGs (Network Security Groups) now correctly handle IPv6 source CIDRs and destination addresses when the model is configured with `ip-family=dual-stack`. This enables the firewaller to create and manage IPv6 security rules alongside existing IPv4 rules.

## Changes

- `environ.go`: Implement the `environs.FirewallFeatureQuerier` interface on `azureEnviron`: `SupportsRulesWithIPV6CIDRs` returns `true`, signalling the firewaller that Azure NSGs natively support IPv6 CIDR rules.
- `instance.go`:
  - Extend the `securityGroupInfo` struct with an optional `ipv6Address` field.
  - `fetchIPv6Address` helper: scans NIC IP configurations for an IPv6 address (the `primary-ipv6` config created by Task 3 / feat(azure): provision dual-stack machines with ip-family=dual #22736).
  - `fetchPrimaryIPv4AndSecurityGroup` helper: finds the primary IPv4 configuration and the associated NSG (from NIC or subnet).
  - Simplify `primarySecurityGroupInfo` to orchestrate the two helpers.
  - `openPortsOnGroup`: IPv6 source CIDRs route to the IPv6 destination address; IPv4 source CIDRs route to the IPv4 destination address.
  - Replace `0.0.0.0/0` wildcard normalisation in `ingressRulesForGroup` with family-aware logic keyed off the destination address family.

## Checklist

- Integration tests
- doc.go added or updated in changed packages
- QA steps

This PR depends on #22736 (Task 3: dual-stack provisioning), which creates the `primary-ipv6` NIC configuration. It will be mergeable once #22736 lands.

## QA steps

Both `0.0.0.0/0` (IPv4) and `::/0` (IPv6) source prefixes should appear.

```
curl -sq4 http://<public-ipv4>:80 -o /dev/null -w "%{http_code}\n"
```

Should return 200.

```
curl -sq6 http://[<public-ipv6>]:80 -o /dev/null -w "%{http_code}\n"
```

Should return 200.

## Links

Jira card: JUJU-9971