fix: use one big vnet and attach AKS clusters to it to avoid creating bastion multiple times

Author: awesomenix

e2e/README.md

@@ -20,38 +20,130 @@ From a high-level, for each scenario,
 To write an E2E scenario,
 
 - choose a testing cluster. There are a few defined
-  in [cluster.go](https://github.com/Azure/AgentBaker/blob/dev/e2e/cluster.go), e.g,
-    - ClusterKubenetAirgap
-    - ClusterAzureNetwork
+  in [cache.go](cache.go), e.g,
     - ClusterKubenet
+    - ClusterAzureNetwork
+    - ClusterAzureOverlayNetwork
+    - ClusterCiliumNetwork
 - use `NodeBootstrappingConfiugration` (`nbc`) to setup your scenario. it is used to invoke the primary
   node-bootstrapping
   API [GetLatestNodeBootstrapping](https://github.com/Azure/AgentBaker/blob/2e730b5a498c5be9b082d912fd08ac9346582db9/pkg/agent/bakerapi.go#L14).
   to modify agentpool properties, usually you need to set both`nbc.containerService.properties.AgentPoolProfiles[0].xxx`
   as well as `nbc.agentPoolProfile`. It is because when RP invokes AgentBaker, it will set the properties in this way
   and in e2e we follow the pattern.
 - use `VMConfigMutator` to set VMSS properties such as SKU when needed.
-  Check [vmss](https://github.com/Azure/AgentBaker/blob/dev/e2e/vmss.go) for other configs.
+  Check [vmss](vmss.go) for other configs.
   it is necessary to set `nbc.agentPoolProfile.VMSize` to match the VMSS SKU if you choose to change.
 - use `Validator` to include your own verification of the VM's live state, such as file existsnce, sysctl settings, etc.
 
+## Infrastructure Architecture
+
+All E2E clusters share a single VNet and Azure Bastion in the `abe2e-{location}` resource group. This
+avoids creating a per-cluster Bastion (~10 min each) and ensures all clusters are reachable from a
+single SSH entry point.
+
+```mermaid
+graph TB
+    subgraph RG["abe2e-{location} Resource Group"]
+        subgraph VNET["abe2e-shared-vnet (10.0.0.0/8)"]
+            BASTION_SUBNET["AzureBastionSubnet<br/>10.0.0.0/26"]
+            FW_SUBNET["AzureFirewallSubnet<br/>10.0.1.0/24"]
+            KUBENET_SUBNET["aks-subnet-abe2e-kubenet-v5<br/>10.1.0.0/20"]
+            AZNET_SUBNET["aks-subnet-abe2e-azure-network-v4<br/>10.1.16.0/20"]
+            OVERLAY_SUBNET["aks-subnet-abe2e-azure-overlay-...<br/>10.1.32.0/20"]
+            MORE_SUBNETS["... more cluster subnets"]
+        end
+        BASTION["abe2e-shared-bastion<br/>(Standard SKU, Tunneling)"]
+        FIREWALL["abe2e-fw<br/>(Azure Firewall)"]
+    end
+
+    subgraph MC_KUBENET["MC_abe2e-kubenet-v5 Resource Group"]
+        VMSS_K["VMSS (system pool)"]
+        VMSS_K_TEST["VMSS (test VMs)"]
+        RT_K["Route Table<br/>(pod routes + firewall)"]
+    end
+
+    subgraph MC_AZNET["MC_abe2e-azure-network-v4 Resource Group"]
+        VMSS_A["VMSS (system pool)"]
+        VMSS_A_TEST["VMSS (test VMs)"]
+    end
+
+    BASTION --> BASTION_SUBNET
+    FIREWALL --> FW_SUBNET
+    VMSS_K --> KUBENET_SUBNET
+    VMSS_K_TEST --> KUBENET_SUBNET
+    RT_K -.->|associated| KUBENET_SUBNET
+    VMSS_A --> AZNET_SUBNET
+    VMSS_A_TEST --> AZNET_SUBNET
+
+    DEV["Developer / CI"]
+    DEV -->|SSH via tunnel| BASTION
+    BASTION -->|"connects to any VM<br/>in shared VNet"| VMSS_K_TEST
+    BASTION -->|"connects to any VM<br/>in shared VNet"| VMSS_A_TEST
+```
+
+### Shared Infrastructure Setup
+
+The shared infrastructure is created **automatically** on first test run via cached idempotent
+functions — no separate setup script is needed.
+
+| Resource | Name | Details |
+|----------|------|---------|
+| VNet | `abe2e-shared-vnet` | `10.0.0.0/8` — supports ~4096 `/20` cluster subnets |
+| Bastion | `abe2e-shared-bastion` | Standard SKU with tunneling enabled for native SSH |
+| Bastion Subnet | `AzureBastionSubnet` | `10.0.0.0/26` (required by Azure Bastion) |
+| Firewall Subnet | `AzureFirewallSubnet` | `10.0.1.0/24` (created by shared infra, firewall on-demand) |
+
+Each AKS cluster gets its own `/20` subnet (4091 usable IPs) in the shared VNet. The subnet is
+named `aks-subnet-{clusterName}`.
+
+### How It Works
+
+1. **`CachedEnsureSharedInfra`** — runs once per location per test run. Creates/verifies the shared
+   VNet, Bastion, and Firewall subnet.
+2. **`CachedEnsureClusterSubnet`** — runs once per cluster. Creates/verifies the cluster's dedicated
+   subnet in the shared VNet.
+3. Each cluster model sets `VnetSubnetID` on the agent pool profile (BYOV — Bring Your Own VNet).
+4. AKS creates VMSS and route tables in the `MC_` resource group, but uses the shared VNet's subnet.
+5. SSH to test VMs goes through the shared Bastion, which can reach any VM in the VNet.
+
+### Test Flow
+
 ```mermaid
 sequenceDiagram
-    E2E->>+ARM: Get or Create AKS Cluster
-    ARM-->>-E2E: Cluster details
-    E2E->>+AgentBakerCode: Fetch VM Configuration (include CSE)
-    AgentBakerCode-->>-E2E: VM Configuration
-    E2E->>+ARM: Create VM using fetched VM Config in cluster network
-    ARM-->>-E2E: VM instance
-    E2E->>+Bastion: Create SSH Tunnel
-    Bastion->>+VM: Forward SSH Connection
-    E2E->>VM: Healthcheck via SSH Tunnel
-    VM-->>E2E: Healthcheck OK
-    E2E->>+KubeAPI: Verify Node Ready
-    KubeAPI-->>-E2E: Node Ready
-    E2E->>VM: Execute test validators via SSH Tunnel
-    VM-->>-E2E: Test results
-    Bastion-->>-E2E: Close SSH Tunnel
+    participant CI as Developer / CI
+    participant Infra as Shared Infra (cached)
+    participant ARM as Azure Resource Manager
+    participant AB as AgentBaker API
+    participant Bastion as Shared Bastion
+    participant VM as Test VM
+    participant K8s as Kube API Server
+
+    CI->>Infra: Ensure shared VNet + Bastion
+    Infra-->>CI: Ready (cached after first run)
+
+    CI->>Infra: Ensure cluster subnet
+    Infra-->>CI: Subnet ID
+
+    CI->>ARM: Create/Get AKS cluster (BYOV subnet)
+    ARM-->>CI: Cluster details
+
+    CI->>AB: Generate CSE + CustomData
+    AB-->>CI: VM configuration
+
+    CI->>ARM: Create VMSS in cluster subnet
+    ARM-->>CI: VM instance
+
+    CI->>Bastion: SSH tunnel to VM private IP
+    Bastion->>VM: Forward SSH connection
+
+    CI->>VM: Run health checks + validators
+    VM-->>CI: Results
+
+    CI->>K8s: Verify node ready
+    K8s-->>CI: Node ready ✓
+
+    Bastion-->>CI: Close tunnel
 ```
 
 ## Running Locally

e2e/aks_model.go

@@ -173,6 +173,8 @@ func getBaseClusterModel(clusterName, location, k8sSystemPoolSKU string) *armcon
 			},
 			NetworkProfile: &armcontainerservice.NetworkProfile{
 				NetworkPlugin: to.Ptr(armcontainerservice.NetworkPluginKubenet),
+				ServiceCidr:   to.Ptr("172.16.0.0/16"),
+				DNSServiceIP:  to.Ptr("172.16.0.10"),
 			},
 			AddonProfiles: map[string]*armcontainerservice.ManagedClusterAddonProfile{
 				"omsagent": {
@@ -303,113 +305,34 @@ func getFirewall(ctx context.Context, location, firewallSubnetID, publicIPID str
 func addFirewallRules(
 	ctx context.Context, clusterModel *armcontainerservice.ManagedCluster,
 ) error {
-	location := *clusterModel.Location
 	defer toolkit.LogStepCtx(ctx, "adding firewall rules")()
 
-	rg := *clusterModel.Properties.NodeResourceGroup
-	vnet, err := getClusterVNet(ctx, rg)
+	nodeRG := *clusterModel.Properties.NodeResourceGroup
+	vnet, err := getClusterVNet(ctx, clusterModel)
 	if err != nil {
 		return err
 	}
 
+	// Get the shared firewall's private IP (firewall was created by ensureSharedInfra)
+	infra, err := CachedEnsureSharedInfra(ctx, *clusterModel.Location)
+	if err != nil {
+		return fmt.Errorf("getting shared infra for firewall IP: %w", err)
+	}
+	firewallPrivateIP := infra.FirewallIP
+
 	// For kubenet, the AKS-managed route table must stay attached so that pod
 	// routes (managed by cloud-provider-azure) and firewall routes coexist.
 	// For Azure CNI variants, the subnet may not have any route table, so we
 	// create and associate a dedicated one before adding the firewall routes.
-	aksSubnetResp, err := config.Azure.Subnet.Get(ctx, rg, vnet.name, "aks-subnet", nil)
+	aksSubnetResp, err := config.Azure.Subnet.Get(ctx, vnet.resourceGroup, vnet.name, vnet.subnetName, nil)
 	if err != nil {
 		return fmt.Errorf("failed to get AKS subnet: %w", err)
 	}
-	aksRTName, err := ensureFirewallRouteTable(ctx, clusterModel, vnet.name, aksSubnetResp.Subnet)
+	aksRTName, err := ensureFirewallRouteTable(ctx, clusterModel, vnet, aksSubnetResp.Subnet)
 	if err != nil {
 		return err
 	}
 
-	// Create AzureFirewallSubnet - this subnet name is required by Azure Firewall
-	firewallSubnetName := "AzureFirewallSubnet"
-	firewallSubnetParams := armnetwork.Subnet{
-		Properties: &armnetwork.SubnetPropertiesFormat{
-			AddressPrefix: to.Ptr("10.225.0.0/24"), // Use a different CIDR that doesn't overlap with 10.224.0.0/16
-		},
-	}
-
-	toolkit.Logf(ctx, "Creating subnet %s in VNet %s", firewallSubnetName, vnet.name)
-	subnetPoller, err := config.Azure.Subnet.BeginCreateOrUpdate(
-		ctx,
-		rg,
-		vnet.name,
-		firewallSubnetName,
-		firewallSubnetParams,
-		nil,
-	)
-	if err != nil {
-		return fmt.Errorf("failed to start creating firewall subnet: %w", err)
-	}
-
-	subnetResp, err := subnetPoller.PollUntilDone(ctx, config.DefaultPollUntilDoneOptions)
-	if err != nil {
-		return fmt.Errorf("failed to create firewall subnet: %w", err)
-	}
-
-	firewallSubnetID := *subnetResp.ID
-	toolkit.Logf(ctx, "Created firewall subnet with ID: %s", firewallSubnetID)
-
-	// Create public IP for the firewall
-	publicIPName := "abe2e-fw-pip"
-	publicIPParams := armnetwork.PublicIPAddress{
-		Location: to.Ptr(location),
-		SKU: &armnetwork.PublicIPAddressSKU{
-			Name: to.Ptr(armnetwork.PublicIPAddressSKUNameStandard),
-		},
-		Properties: &armnetwork.PublicIPAddressPropertiesFormat{
-			PublicIPAllocationMethod: to.Ptr(armnetwork.IPAllocationMethodStatic),
-		},
-	}
-
-	toolkit.Logf(ctx, "Creating public IP %s", publicIPName)
-	pipPoller, err := config.Azure.PublicIPAddresses.BeginCreateOrUpdate(
-		ctx,
-		rg,
-		publicIPName,
-		publicIPParams,
-		nil,
-	)
-	if err != nil {
-		return fmt.Errorf("failed to start creating public IP: %w", err)
-	}
-
-	pipResp, err := pipPoller.PollUntilDone(ctx, config.DefaultPollUntilDoneOptions)
-	if err != nil {
-		return fmt.Errorf("failed to create public IP: %w", err)
-	}
-
-	publicIPID := *pipResp.ID
-	toolkit.Logf(ctx, "Created public IP with ID: %s", publicIPID)
-
-	firewallName := "abe2e-fw"
-	firewall := getFirewall(ctx, location, firewallSubnetID, publicIPID)
-	fwPoller, err := config.Azure.AzureFirewall.BeginCreateOrUpdate(ctx, rg, firewallName, *firewall, nil)
-	if err != nil {
-		return fmt.Errorf("failed to start Firewall creation: %w", err)
-	}
-	fwResp, err := fwPoller.PollUntilDone(ctx, nil)
-	if err != nil {
-		return fmt.Errorf("failed to create Firewall: %w", err)
-	}
-
-	// Get the firewall's private IP address
-	var firewallPrivateIP string
-	if fwResp.Properties != nil && fwResp.Properties.IPConfigurations != nil && len(fwResp.Properties.IPConfigurations) > 0 {
-		if fwResp.Properties.IPConfigurations[0].Properties != nil && fwResp.Properties.IPConfigurations[0].Properties.PrivateIPAddress != nil {
-			firewallPrivateIP = *fwResp.Properties.IPConfigurations[0].Properties.PrivateIPAddress
-			toolkit.Logf(ctx, "Firewall private IP: %s", firewallPrivateIP)
-		}
-	}
-
-	if firewallPrivateIP == "" {
-		return fmt.Errorf("failed to get firewall private IP address")
-	}
-
 	// Add firewall routes to the existing AKS route table using individual
 	// route operations. This avoids replacing the entire table (which would
 	// race with cloud-provider-azure pod route updates) and preserves the
@@ -418,7 +341,7 @@ func addFirewallRules(
 		{
 			Name: to.Ptr("vnet-local"),
 			Properties: &armnetwork.RoutePropertiesFormat{
-				AddressPrefix: to.Ptr("10.224.0.0/16"),
+				AddressPrefix: to.Ptr(vnet.addressPrefix),
 				NextHopType:   to.Ptr(armnetwork.RouteNextHopTypeVnetLocal),
 			},
 		},
@@ -434,7 +357,7 @@ func addFirewallRules(
 
 	for _, route := range firewallRoutes {
 		toolkit.Logf(ctx, "Adding route %q to AKS route table %q", *route.Name, aksRTName)
-		poller, err := config.Azure.Routes.BeginCreateOrUpdate(ctx, rg, aksRTName, *route.Name, route, nil)
+		poller, err := config.Azure.Routes.BeginCreateOrUpdate(ctx, nodeRG, aksRTName, *route.Name, route, nil)
 		if err != nil {
 			return fmt.Errorf("failed to start adding route %q: %w", *route.Name, err)
 		}
@@ -451,7 +374,7 @@ func addFirewallRules(
 func ensureFirewallRouteTable(
 	ctx context.Context,
 	clusterModel *armcontainerservice.ManagedCluster,
-	vnetName string,
+	vnet VNet,
 	aksSubnet armnetwork.Subnet,
 ) (string, error) {
 	if aksSubnet.Properties == nil {
@@ -493,7 +416,7 @@ func ensureFirewallRouteTable(
 	aksSubnet.Properties.RouteTable = &armnetwork.RouteTable{
 		ID: routeTableResp.ID,
 	}
-	if err := updateSubnet(ctx, clusterModel, aksSubnet, vnetName); err != nil {
+	if err := updateSubnet(ctx, clusterModel, aksSubnet, vnet); err != nil {
 		return "", fmt.Errorf("failed to associate firewall route table %q with AKS subnet: %w", routeTableName, err)
 	}
 
@@ -512,7 +435,7 @@ func addPrivateAzureContainerRegistry(ctx context.Context, cluster *armcontainer
 	if err := createPrivateAzureContainerRegistryPullSecret(ctx, cluster, kube, resourceGroupName, isNonAnonymousPull); err != nil {
 		return fmt.Errorf("create private acr pull secret: %w", err)
 	}
-	vnet, err := getClusterVNet(ctx, *cluster.Properties.NodeResourceGroup)
+	vnet, err := getClusterVNet(ctx, cluster)
 	if err != nil {
 		return err
 	}
@@ -533,7 +456,7 @@ func addNetworkIsolatedSettings(ctx context.Context, clusterModel *armcontainers
 	location := *clusterModel.Location
 	defer toolkit.LogStepCtx(ctx, fmt.Sprintf("Adding network settings for network isolated cluster %s in rg %s", *clusterModel.Name, *clusterModel.Properties.NodeResourceGroup))
 
-	vnet, err := getClusterVNet(ctx, *clusterModel.Properties.NodeResourceGroup)
+	vnet, err := getClusterVNet(ctx, clusterModel)
 	if err != nil {
 		return err
 	}
@@ -549,16 +472,18 @@ func addNetworkIsolatedSettings(ctx context.Context, clusterModel *armcontainers
 		return err
 	}
 
+	subnetAddressPrefix := vnet.addressPrefix
+
 	subnetParameters := armnetwork.Subnet{
 		ID: to.Ptr(subnetId),
 		Properties: &armnetwork.SubnetPropertiesFormat{
-			AddressPrefix: to.Ptr("10.224.0.0/16"),
+			AddressPrefix: to.Ptr(subnetAddressPrefix),
 			NetworkSecurityGroup: &armnetwork.SecurityGroup{
 				ID: nsg.ID,
 			},
 		},
 	}
-	if err = updateSubnet(ctx, clusterModel, subnetParameters, vnet.name); err != nil {
+	if err = updateSubnet(ctx, clusterModel, subnetParameters, vnet); err != nil {
 		return err
 	}
 
@@ -944,7 +869,11 @@ func createPrivateDNSLink(ctx context.Context, vnet VNet, nodeResourceGroup, pri
 		return nil
 	}
 
-	vnetForId, err := config.Azure.VNet.Get(ctx, nodeResourceGroup, vnet.name, nil)
+	vnetRG := vnet.resourceGroup
+	if vnetRG == "" {
+		vnetRG = nodeResourceGroup
+	}
+	vnetForId, err := config.Azure.VNet.Get(ctx, vnetRG, vnet.name, nil)
 	if err != nil {
 		return fmt.Errorf("failed to get vnet: %w", err)
 	}
@@ -1118,8 +1047,8 @@ func createNetworkIsolatedSecurityGroup(ctx context.Context, cluster *armcontain
 	return &nsg, nil
 }
 
-func updateSubnet(ctx context.Context, cluster *armcontainerservice.ManagedCluster, subnetParameters armnetwork.Subnet, vnetName string) error {
-	poller, err := config.Azure.Subnet.BeginCreateOrUpdate(ctx, *cluster.Properties.NodeResourceGroup, vnetName, config.Config.DefaultSubnetName, subnetParameters, nil)
+func updateSubnet(ctx context.Context, cluster *armcontainerservice.ManagedCluster, subnetParameters armnetwork.Subnet, vnet VNet) error {
+	poller, err := config.Azure.Subnet.BeginCreateOrUpdate(ctx, vnet.resourceGroup, vnet.name, vnet.subnetName, subnetParameters, nil)
 	if err != nil {
 		return err
 	}