
Deploy within an environment that strictly disallows public network access

Open DuboisABB opened this issue 1 year ago • 3 comments

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [x] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Trying to deploy with:

azd env set AZURE_USE_PRIVATE_ENDPOINT true
azd env set AZURE_PUBLIC_NETWORK_ACCESS Disabled
azd up

Any log messages given by the failure

Our Azure environment does not allow public network access at all, and the above fails with:

(✓) Done: Resource group: ISWEACEDEV01-RG-01
(✓) Done: App Service plan: plan-xzr2h4erskcqg
(✓) Done: Azure OpenAI: cog-xzr2h4erskcqg
(✓) Done: Virtual Network: vnet-xzr2h4erskcqg
(✓) Done: Document Intelligence: cog-di-xzr2h4erskcqg
(✓) Done: Search service: gptkb-xzr2h4erskcqg
| =| Creating/Updating resources
ERROR: error executing step command 'provision': deployment failed: error deploying infrastructure: deploying to subscription:

Deployment Error Details: InvalidTemplateDeployment: The template deployment failed because of policy violation. Please see details for more information. RequestDisallowedByPolicy: Resource 'userstxzr2h4erskcqg' was disallowed by policy. Reasons: 'Public network access must be disabled for PaaS services.'. See error details for policy resource IDs.

TraceID: 0742395aac02059fd2be8eaad2c546fd

Expected/desired behavior

Successful provisioning

OS and Version?

Windows 11

azd version?

azd version 1.9.3 (commit e1624330dcc7dde440ecc1eda06aac40e68aa0a3)

Versions

Forked from 905b62e349e1ade9828326f02778f48f0952cf8d (2024-06-17)

DuboisABB avatar Jun 25 '24 19:06 DuboisABB

Hi @DuboisABB can you please share the full deployment log? I don't know what resource specifically is the one that this deployment has an issue with. Thank you!

mattgotteiner avatar Jul 02 '24 16:07 mattgotteiner

Sorry, somehow I missed your reply. I finally understood that "Public network access must be disabled for PaaS services" is not a single policy but a whole set of policies. Apparently the config in the bicep files when AZURE_PUBLIC_NETWORK_ACCESS="Disabled" was not strict enough.

The bit that was causing the problem was this in storage-account.bicep:

var networkAcls = {
  bypass: bypass
  defaultAction: 'Allow'
}

I changed it to this (I also added a parameter for allowed IP address):

// Assumed declarations for the parameters the block below references
// (they live elsewhere in storage-account.bicep; defaults shown are illustrative)
param publicNetworkAccess string = 'Disabled'
param bypass string = 'AzureServices'
param allowedIpAddress string = ''

param networkAcls object = {
  // Only trusted Azure services may bypass the firewall when public access is off
  bypass: publicNetworkAccess == 'Enabled' ? bypass : 'AzureServices'
  // No virtual network rules are added in either mode
  virtualNetworkRules: []
  // A single allow-listed IP is added only when public access is disabled and one is supplied
  ipRules: publicNetworkAccess == 'Enabled' ? [] : (empty(allowedIpAddress) ? [] : [
    {
      value: allowedIpAddress
      action: 'Allow'
    }
  ])
  // Deny by default unless public network access is explicitly enabled
  defaultAction: publicNetworkAccess == 'Enabled' ? 'Allow' : 'Deny'
}

DuboisABB avatar Jul 23 '24 19:07 DuboisABB
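A pre-deployment check for the mismatch found above, added here as an example (not part of the repo or of any comment in this thread). It walks the storage accounts in a compiled ARM template and flags any whose `publicNetworkAccess` is not `Disabled` or whose `networkAcls.defaultAction` is not `Deny`; that rule is an assumption distilled from the thread's finding, not the text of the actual Azure policy definition, and the sample template is constructed.

```python
"""Flag storage accounts in an ARM template that would trip a
'public network access must be disabled' policy. The compliance rule
(publicNetworkAccess == 'Disabled' AND networkAcls.defaultAction == 'Deny')
is assumed from the issue thread, not copied from a real policy definition."""
import json

STORAGE_TYPE = "Microsoft.Storage/storageAccounts"


def check_storage_account(resource: dict) -> list[str]:
    """Return the findings for one resource; an empty list means compliant."""
    props = resource.get("properties", {})
    findings = []
    if props.get("publicNetworkAccess") != "Disabled":
        findings.append("publicNetworkAccess is not 'Disabled'")
    acls = props.get("networkAcls", {})
    if acls.get("defaultAction") != "Deny":
        findings.append("networkAcls.defaultAction is not 'Deny'")
    return findings


def check_template(template: dict) -> dict[str, list[str]]:
    """Map each storage account name in the template to its findings."""
    return {
        res["name"]: check_storage_account(res)
        for res in template.get("resources", [])
        if res.get("type") == STORAGE_TYPE
    }


# Constructed sample: "stbefore" mirrors the original storage-account.bicep
# (defaultAction 'Allow'); "stafter" mirrors the corrected networkAcls object.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stbefore",
     "properties": {"publicNetworkAccess": "Disabled",
                    "networkAcls": {"bypass": "AzureServices", "defaultAction": "Allow"}}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stafter",
     "properties": {"publicNetworkAccess": "Disabled",
                    "networkAcls": {"bypass": "AzureServices", "defaultAction": "Deny",
                                    "ipRules": [{"value": "203.0.113.10", "action": "Allow"}]}}}
  ]
}
""")

if __name__ == "__main__":
    for name, findings in check_template(SAMPLE_TEMPLATE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

To run it against the real infrastructure, feed it the JSON produced by `az bicep build --file infra/main.bicep --stdout` before running `azd up`.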

I just merged a different approach to private deployment which sets up a P2S VPN gateway that you can use for deployment, which works with the current NetworkACLs. But perhaps we need more flexibility for folks who are deploying a different way. I am not sure how to test it myself since I don't have that sort of setup. Will leave this issue open for others to find.

pamelafox avatar Aug 04 '25 17:08 pamelafox