Ensure NSG rules cleanup excludes Destination Application Security Groups

Author: zarvd

pkg/provider/loadbalancer/securitygroup/securitygroup.go

@@ -386,9 +386,12 @@ func (helper *RuleHelper) SecurityGroup() (*network.SecurityGroup, bool, error)
 		rules = make([]network.SecurityRule, 0, len(helper.rules))
 	)
 	for _, r := range helper.rules {
-		noDstPrefixes := ptr.Deref(r.DestinationAddressPrefix, "") == "" &&
-			len(ptr.Deref(r.DestinationAddressPrefixes, []string{})) == 0
-		if noDstPrefixes {
+		var (
+			dstAddresses = ListDestinationPrefixes(r)
+			dstASGs      = ptr.Deref(r.DestinationApplicationSecurityGroups, []network.ApplicationSecurityGroup{})
+		)
+
+		if len(dstAddresses) == 0 && len(dstASGs) == 0 {
 			// Skip the rule without destination prefixes.
 			continue
 		}

pkg/provider/loadbalancer/testutil/fixture/azure_securitygroup.go

@@ -62,16 +62,29 @@ func (f *AzureFixture) NoiseSecurityRules(nRules int) []network.SecurityRule {
 					fmt.Sprintf("130.0.50.%d", i),
 				}),
 				SourcePortRange: ptr.To("*"),
-				DestinationAddressPrefixes: ptr.To([]string{
-					fmt.Sprintf("222.111.0.%d", i), // NOTE: keep the source IP / destination IP unique to LB ips.
-					fmt.Sprintf("200.0.50.%d", i),
-				}),
 				DestinationPortRanges: ptr.To([]string{
 					fmt.Sprintf("4000%d", i),
 					fmt.Sprintf("5000%d", i),
 				}),
 			},
 		}
+
+		switch i % 3 {
+		case 0:
+			rule.DestinationAddressPrefixes = ptr.To([]string{
+				fmt.Sprintf("222.111.0.%d", i),
+				fmt.Sprintf("200.0.50.%d", i),
+			})
+		case 1:
+			rule.DestinationAddressPrefix = ptr.To(fmt.Sprintf("222.111.0.%d", i))
+		case 2:
+			rule.DestinationApplicationSecurityGroups = &[]network.ApplicationSecurityGroup{
+				{
+					ID: ptr.To(fmt.Sprintf("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/the-rg/providers/Microsoft.Network/applicationSecurityGroups/the-asg-%d", i)),
+				},
+			}
+		}
+
 		rv = append(rv, rule)
 
 		initPriority++