Description
Describe the bug
The Azure SDK for Java enforces a maximum security rule priority of 4096 in
com.azure.resourcemanager.network.implementation.NetworkSecurityRuleImpl, but the Azure Portal
and REST API allow rule priorities up to 65000+. This client-side validation is more restrictive
than the actual Azure service limits, preventing users from programmatically managing rules
with higher priorities.
Exception or Stack Trace
java.lang.IllegalArgumentException: The priority of the rule has to be between 100 and 4096
To Reproduce
- In the Azure Portal, create a Network Security Group rule with a priority greater than 4096
(e.g., 65000) — this succeeds.
- Using the Azure SDK for Java, attempt to create or update a security rule with the same
priority value (e.g., 65000).
- The SDK rejects the request with a validation error at the client-side validation in
NetworkSecurityRuleImpl.
Code Snippet
nsg.securityRules()
.define("deny-rule")
.withPriority(65000) // Fails SDK-side validation despite being valid in Azure
.withDirection(SecurityRuleDirection.INBOUND)
.withAccess(SecurityRuleAccess.DENY)
.withProtocol(SecurityRuleProtocol.ASTERISK)
.withSourceAddressPrefix("")
.withDestinationAddressPrefix("")
.withSourcePortRange("")
.withDestinationPortRange("")
.attach();
Expected behavior
The client-side validation in NetworkSecurityRuleImpl should allow the same priority range as
the Azure Portal and REST API, not cap it at 4096.
Additional context
- Root cause location: com.azure.resourcemanager.network.implementation.NetworkSecurityRuleImpl
— contains a hardcoded client-side validation that limits priority to a maximum of 4096.
- The Azure REST API and Portal both accept priorities beyond 4096, confirming this is an
SDK-only restriction.