How to add an Azure Traffic Manager endpoint using ARM templates?

2

7

I am attempting to add an endpoint to an existing Azure Traffic Manager. When deploying the template below with New-AzureRmResourceGroupDeployment it erases previous endpoint configurations.

Is it possible to add an endpoint to an existing Traffic Manager through ARM templates without removing the previous ones? Or is the recommendation to use the Azure PowerShell client instead?

{
    "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "trafficManagerName": {
            "type": "String"
        },
        "webAppName": {
            "type": "String"
        },
        "webAppLocationRegion": {
            "type": "String"
        },
        "monitorPath": {
            "type": "String"
        }
    },
    "resources": [
        {
            "type": "Microsoft.Network/trafficManagerProfiles",
            "name": "[parameters('trafficManagerName')]",
            "apiVersion": "2017-05-01",
            "location": "global",
            "properties": {
                "profileStatus": "Enabled",
                "trafficRoutingMethod": "Performance",
                "dnsConfig": {
                    "relativeName": "[parameters('trafficManagerName')]",
                    "ttl": 70
                },
                "monitorConfig": {
                    "protocol": "HTTPS",
                    "port": 443,
                    "path": "[parameters('monitorPath')]"
                },
                "endpoints": [
                    {
                        "name": "[parameters('webAppName')]",
                        "type": "Microsoft.Network/trafficManagerProfiles/azureEndpoints",
                        "properties": {
                            "endpointStatus": "Enabled",
                            "targetResourceId": "[resourceId('Microsoft.Web/sites', parameters('webAppName'))]",
                            "weight": 1,
                            "priority": 1,
                            "endpointLocation": "[parameters('webAppLocationRegion')]"
                        }
                    }
                ]
            }
        }
    ]
}

As an analogy, it is possible to incrementally add access policies to Azure Key Vault like so:

{
  "type": "Microsoft.KeyVault/vaults/accessPolicies",
  "name": "[concat(parameters('keyVaultSettings').name, '/add')]", <!-- notice the "/add" -->
  "apiVersion": "2015-06-01",        
  "properties": {
      "mode": "Incremental", 
      "accessPolicies": [
        {
          "tenantId": "[reference(concat(resourceId('Microsoft.Web/sites', parameters('webAppName')),'/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31-PREVIEW').tenantId]",
          "objectId": "[reference(concat(resourceId('Microsoft.Web/sites', parameters('webAppName')),'/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31-PREVIEW').principalId]",
          "permissions": {
            "secrets": [
              "get",
              "list"
            ]
          }
        }
    ]
  }
}
Arleen answered 5/2, 2018 at 19:18 Comment(1)
Did you manage to solve this? If so, could you please help me out and share the solution? The link in the upvoted answer is broken. - Nowise
7

Yes, you can.

The trick is to understand that Traffic Manager endpoints are simultaneously both properties of the profile, but also child resources in their own right.

Your template can therefore deploy an endpoint as a child resource. This will not affect other endpoints or any other profile properties.

For an example, take a look at the Azure Traffic Manager / Web Apps sample in the template gallery (Traffic Manager template).

That sample uses a CopyIndex loop to deploy multiple endpoints incrementally, one for each Web App. You can simplify this, removing the loop, to incrementally add a single endpoint.

Micro answered 7/2, 2018 at 11:10 Comment(4)
+1 and interesting: Azure Support have informed me that it is unsafe to do simultaneous traffic manager changes within a single subscription, which would seem to be guaranteed with that template. - Copernicus
You should ask Azure support to check with the product group. I expect they are referring to concurrent profile-level updates, not concurrent endpoint-as-child-resource-level updates. If you're nervous about it, use "mode": "serial" and "batchSize": 1 in your template copy loop to force sequential endpoint updates (see learn.microsoft.com/en-us/azure/azure-resource-manager/…). - Micro
Thanks @Jonathan, perhaps you are right (it was profile-level updates). The error they quoted was Cannot modify this subscription as there is another operation in progress. ... OperationName: RegisterTrafficManagerProfile This from an ARM template deployment that succeeded, but they spotted the error on their end. Whole thing is very brittle. - Copernicus
Hi I'm trying to do the same (in bicep) but the link is broken. Can you please provide a code example in your answer? I would appreciate it. - Nowise
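The child-resource approach described in the answer above, as an added example that is not part of the original answer or the gallery sample. It reuses the question's parameter names and apiVersion, and assumes the profile already exists and the Web App lives in the resource group being deployed to; weight and priority are left out so the new endpoint takes the service defaults.

```json
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "trafficManagerName": {
            "type": "String",
            "metadata": {
                "description": "Name of the EXISTING Traffic Manager profile. The profile itself is not declared in this template, so its other endpoints and settings are not touched."
            }
        },
        "webAppName": {
            "type": "String",
            "metadata": {
                "description": "Web App to add as an endpoint. Assumed to be in the same resource group as the deployment; also used as the endpoint name."
            }
        },
        "webAppLocationRegion": {
            "type": "String",
            "metadata": {
                "description": "Region of the Web App, as in the question's template."
            }
        }
    },
    "resources": [
        {
            "type": "Microsoft.Network/trafficManagerProfiles/azureEndpoints",
            "name": "[concat(parameters('trafficManagerName'), '/', parameters('webAppName'))]",
            "apiVersion": "2017-05-01",
            "properties": {
                "endpointStatus": "Enabled",
                "targetResourceId": "[resourceId('Microsoft.Web/sites', parameters('webAppName'))]",
                "endpointLocation": "[parameters('webAppLocationRegion')]"
            }
        }
    ]
}
```

The only resource declared is the endpoint, named `<profile>/<endpoint>`, so a deployment in the default Incremental mode adds or updates that one endpoint and leaves the rest of the profile as it is.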
2

It is possible, but due to the fact that the configuration is declarative you need to specify all the existing endpoints and add a new one to those, else they will get deleted like you observe.

anything not specified in the template will get removed ;)

Iphigenia answered 5/2, 2018 at 20:13 Comment(3)
Thanks, I updated the question to include an analogy to adding a KeyVault access policy, which can be incrementally updated without erasing previous policies. - Arleen
this got me thinking, did you try to replicate that? - Iphigenia
learn.microsoft.com/en-us/azure/api-management/… - Arleen
