Command "Update-AzKeyVaultNetworkRuleSet" should accept up to 1000 IP Addresses for the "-IpAddressRange" parameter #22137

Closed
FabianGonzalez-MSFT opened this issue Jun 22, 2023 · 3 comments · Fixed by #22192
Labels
Azure PS Team bug This issue requires a change to an existing behavior in the product in order to be resolved. KeyVault Tracking We will track status and follow internally

FabianGonzalez-MSFT commented Jun 22, 2023

Description

According to AKV's service limits for Firewall, the # of IPv4 rules supported is 1K: https://learn.microsoft.com/en-us/azure/key-vault/general/network-security

However, when you run the "Update-AzKeyVaultNetworkRuleSet" cmdlet with more than 127 IPs for the "-IpAddressRange" parameter, you get an error like this:

Update-AzKeyVaultNetworkRuleSet : Cannot validate argument on parameter 'IpAddressRange'. The number of provided arguments, (135), exceeds the maximum number of allowed arguments (127). Provide fewer than 127 arguments, and then try the command again.

127 used to be the old/previous limit on the allowed # of IPv4 rules; however, that was changed at the service level to support 1000, but it looks like PSH still makes a check for the old limit.

Issue script & Debug output

Update-AzKeyVaultNetworkRuleSet -ResourceGroupName $resourceGroupName -Name $keyVaultName -IpAddressRange $ipRanges

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.22000.2003
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22000.2003
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Module versions

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     4.7.0      Az.KeyVault                         {Add-AzKeyVaultCertificate, Add-AzKeyVaultCertificateConta...

Error output

Message        : Cannot validate argument on parameter 'IpAddressRange'. The number of provided arguments, (135),
                 exceeds the maximum number of allowed arguments (127). Provide fewer than 127 arguments, and then try
                 the command again.
StackTrace     :    at System.Management.Automation.ParameterBinderBase.BindParameter(CommandParameterInternal
                 parameter, CompiledCommandParameter parameterMetadata, ParameterBindingFlags flags)
                    at
                 System.Management.Automation.CmdletParameterBinderController.BindParameter(CommandParameterInternal
                 argument, MergedCompiledCommandParameter parameter, ParameterBindingFlags flags)
                    at System.Management.Automation.CmdletParameterBinderController.BindParameter(UInt32
                 parameterSets, CommandParameterInternal argument, MergedCompiledCommandParameter parameter,
                 ParameterBindingFlags flags)
                    at System.Management.Automation.CmdletParameterBinderController.BindParameters(UInt32
                 parameterSets, Collection`1 arguments)
                    at System.Management.Automation.CmdletParameterBinderController.BindCommandLineParametersNoValidati
                 on(Collection`1 arguments)
                    at
                 System.Management.Automation.CmdletParameterBinderController.BindCommandLineParameters(Collection`1
                 arguments)
                    at System.Management.Automation.CommandProcessor.BindCommandLineParameters()
                    at System.Management.Automation.CommandProcessor.Prepare(IDictionary psDefaultParameterValues)
                    at System.Management.Automation.CommandProcessorBase.DoPrepare(IDictionary
                 psDefaultParameterValues)
                    at System.Management.Automation.Internal.PipelineProcessor.Start(Boolean incomingStream)
                    at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(Object
                 input)
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(Object
                 input)
                    at System.Management.Automation.PipelineOps.InvokePipeline(Object input, Boolean ignoreInput,
                 CommandParameterInternal[][] pipeElements, CommandBaseAst[] pipeElementAsts, CommandRedirection[][]
                 commandRedirections, FunctionContext funcContext)
                    at System.Management.Automation.Interpreter.ActionCallInstruction`6.Run(InterpretedFrame frame)
                    at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame
                 frame)
Exception      : System.Management.Automation.ParameterBindingValidationException
InvocationInfo : {Update-AzKeyVaultNetworkRuleSet}
Line           : Update-AzKeyVaultNetworkRuleSet -ResourceGroupName FabianGRG -Name adetestkv2 -IpAddressRange
                 $ipRanges -Verbose
Position       : At line:1 char:95
                 + ... roupName FabianGRG -Name adetestkv2 -IpAddressRange $ipRanges -Verbos ...
                 +                                                         ~~~~~~~~~
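
Added illustration, not part of the original issue or the Az.KeyVault source: the error text in the report is the message PowerShell's `ValidateCount` attribute raises during parameter binding, so the sketch below pairs a hypothetical `Set-DemoRule` function (assumed to carry `[ValidateCount(0, 127)]`) with a hypothetical `Test-IpRuleList` pre-flight check that compares an allow-list against both limits named in the issue. The 203.0.113.x addresses are constructed sample values.

```powershell
# Added example; Set-DemoRule is a hypothetical stand-in, not Az.KeyVault source code.
function Set-DemoRule {
    param(
        # Assumption: a count validator still carrying the old limit of 127.
        [ValidateCount(0, 127)]
        [string[]] $IpAddressRange
    )
    "accepted $($IpAddressRange.Count) rules"
}

# Hypothetical pre-flight check for an allow-list before it is applied to a vault.
function Test-IpRuleList {
    param(
        [Parameter(Mandatory)] [string[]] $IpAddressRange,
        [int] $ModuleLimit  = 127,   # limit named in the reported error
        [int] $ServiceLimit = 1000   # service limit cited in the issue
    )
    # De-duplicate so the count reflects distinct rules.
    $unique = @($IpAddressRange | ForEach-Object { $_.Trim() } | Sort-Object -Unique)
    # Flag anything that is not a dotted-quad IPv4 address with an optional /0-/32 prefix.
    $invalid = @($unique | Where-Object {
        $addr, $prefix = $_ -split '/', 2
        $ip = $null
        $okAddr = $addr -match '^(\d{1,3}\.){3}\d{1,3}$' -and
                  [System.Net.IPAddress]::TryParse($addr, [ref] $ip)
        $okPrefix = $null -eq $prefix -or
                    ($prefix -match '^\d{1,2}$' -and [int] $prefix -le 32)
        -not ($okAddr -and $okPrefix)
    })
    [pscustomobject]@{
        UniqueCount = $unique.Count
        Invalid     = $invalid
        FitsModule  = $unique.Count -le $ModuleLimit
        FitsService = $unique.Count -le $ServiceLimit
    }
}

# Constructed sample: 135 single-address ranges, the count from the report.
$ipRanges = 1..135 | ForEach-Object { "203.0.113.$_/32" }
Test-IpRuleList -IpAddressRange $ipRanges
try { Set-DemoRule -IpAddressRange $ipRanges }
catch { "rejected at binding: $($_.Exception.GetType().Name)" }
```

Because the count check runs during parameter binding, the stand-in function body never executes when the list is too long, which matches the stack trace above ending in `BindParameter`.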
@FabianGonzalez-MSFT FabianGonzalez-MSFT added bug This issue requires a change to an existing behavior in the product in order to be resolved. needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Jun 22, 2023
@ghost ghost removed the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Jun 22, 2023
@isra-fel
Member

Thanks for reporting!

@BethanyZhou can you double check with key vault team (and CLI) if it's OK to update the limit to 1000? Thanks.

@FabianGonzalez-MSFT
Author

@BethanyZhou please let us know when completed. :)

@BethanyZhou
Contributor

BethanyZhou commented Jul 5, 2023

Please expect the fix to be available on 2023-08-01.
