Create networking resources

Since you want to place apps in your Azure Spring Apps service behind an Azure Application Gateway, you will need to provide the networking resources for the Spring Apps service and the Application Gateway. You can deploy all of them in the same virtual network, in which case you will need at least 3 subnets, with one of them for the Application Gateway and 2 for the Spring Apps service. You will also need to create a subnet for private endpoints that provide connectivity to any backend services your applications use, such as the Azure Key Vault instance, the Service Bus namespace and the Event Hub namespace. You will also need an additional subnet to deploy your MySQL Flexible Server database into. You can use the following guidance to implement these changes:

• Create a Virtual Network and default subnet.
• Add subnets to a Virtual Network.
• Deploy Azure Spring Apps in a virtual network.

In later exercises you will be creating the private endpoints for the backend services and redeploy the database server.

Step by step guidance

1. From the Git Bash prompt, run the following command to create a virtual network.

   VIRTUAL_NETWORK_NAME=vnet-$APPNAME-$UNIQUEID
   az network vnet create --resource-group $RESOURCE_GROUP \
       --name $VIRTUAL_NETWORK_NAME \
       --location $LOCATION \
       --address-prefix 10.1.0.0/16
   

2. Create subnets in this virtual network. Store the subnet names in environment variables, which will allow you to reference them later in this exercise. Your setup will need:
   • 2 subnets intended for hosting Azure Spring Apps in this virtual network.
   • 1 subnet intended for Application Gateway
   • 1 subnet for the private endpoints of the Azure Key Vault instance, the MySQL Flexible server and optionally also your Service Bus and Event Hub.

   SERVICE_RUNTIME_SUBNET_CIDR=10.1.0.0/24
   APP_SUBNET_CIDR=10.1.1.0/24
   APPLICATION_GATEWAY_SUBNET_CIDR=10.1.2.0/24
   PRIVATE_ENDPOINTS_SUBNET_CIDR=10.1.3.0/24
   
   APPLICATION_GATEWAY_SUBNET_NAME=app-gw-subnet
   PRIVATE_ENDPOINTS_SUBNET_NAME=private-endpoints-subnet
      
   az network vnet subnet create --resource-group $RESOURCE_GROUP \
       --vnet-name $VIRTUAL_NETWORK_NAME \
       --address-prefixes $SERVICE_RUNTIME_SUBNET_CIDR \
       --name service-runtime-subnet 
   az network vnet subnet create --resource-group $RESOURCE_GROUP \
       --vnet-name $VIRTUAL_NETWORK_NAME \
       --address-prefixes $APP_SUBNET_CIDR \
       --name apps-subnet
   az network vnet subnet create \
       --name $APPLICATION_GATEWAY_SUBNET_NAME \
       --resource-group $RESOURCE_GROUP \
       --vnet-name $VIRTUAL_NETWORK_NAME \
       --address-prefix $APPLICATION_GATEWAY_SUBNET_CIDR
   az network vnet subnet create \
       --name $PRIVATE_ENDPOINTS_SUBNET_NAME \
       --resource-group $RESOURCE_GROUP \
       --vnet-name $VIRTUAL_NETWORK_NAME \
       --address-prefix $PRIVATE_ENDPOINTS_SUBNET_CIDR
   

3. Assign the Owner role-based access control (RBAC) role to the Azure Service Provider for Spring Apps access in the scope of the newly created virtual network. This will allow the resource provider to create its resources in the service-runtime-subnet and apps-subnet subnets. The GUID used in the second command is the service principal id for Azure Spring Apps.

   The export MSYS_NO_PATHCONV=1 must be included to address an issue with implementing role assignment when using Azure CLI in Git Bash shell, as documented on GitHub.

   VIRTUAL_NETWORK_RESOURCE_ID=`az network vnet show \
       --name $VIRTUAL_NETWORK_NAME \
       --resource-group $RESOURCE_GROUP \
       --query "id" \
       --output tsv`
   
   export MSYS_NO_PATHCONV=1
   
   az role assignment create \
       --role "Owner" \
       --scope $VIRTUAL_NETWORK_RESOURCE_ID \
       --assignee e8de9221-a19c-4c81-b814-fd37c6caf9d2