
Bug Report - App Service Guardrails fails for newer api-version

Open picccard opened this issue 5 months ago • 4 comments

Built in Policy Definition 801543d1-1953-4a90-b8b0-8cf6d41473a5 (Deny-AppService-Vnet-Routing) fails when using a newer api-version to build App Services.

The policy alias Microsoft.Web/sites/vnetContentShareEnabled maps to resource properties.vnetContentShareEnabled, but this property is not included in the api-version Microsoft.Web/sites@2024-11-01. The property is now properties.outboundVnetRouting.contentShareTraffic and it is mapped to the policy alias Microsoft.Web/sites/outboundVnetRouting.contentShareTraffic. All policy aliases.

https://github.com/Azure/Enterprise-Scale/blob/a64a6cb7066e267e6a7294164486f6c1f3927b43/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json#L218-L228

Steps to reproduce

module appServicePlan 'br/public:avm/res/web/serverfarm:0.5.0' = {
  scope: rg
  params: {
    name: 'example-asp'
    skuName: 'S1'
    skuCapacity: 1
    zoneRedundant: false
    kind: 'linux'
    reserved: true
  }
}

var subnetId = '/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<virtual-network-name>/subnets/<subnet-name>'

module webApp 'br/public:avm/res/web/site:0.19.3' = {
  scope: rg
  params: {
    name: 'example-app'
    kind: 'app,linux,container'
    serverFarmResourceId: appServicePlan.outputs.resourceId
    virtualNetworkSubnetResourceId: subnetId
    outboundVnetRouting: { imagePullTraffic: true, contentShareTraffic: true, allTraffic: true }
    publicNetworkAccess: 'Enabled' 
    siteConfig: {
      linuxFxVersion: 'DOCKER|nginx:1.28.0-alpine'
    }
  }
}

picccard avatar Sep 09 '25 21:09 picccard

Same occurs for policy definition Deny-AppServiceApps-Rfc (a691eacb-474d-47e4-b287-b4813ca44222).

New property properties.outboundVnetRouting.applicationTraffic has this description in the new api-version:

  • This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied. Previously called VnetRouteAllEnabled.

And for policy definitions about slots:

  • f5c0bfb3-acea-47b1-b477-b0edcdf6edc1
  • 5747353b-1ca9-42c1-a4dd-b874b894f3d4

picccard avatar Sep 09 '25 21:09 picccard
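A custom policy definition written here as an added example (it is not code from the Enterprise-Scale repo or from the built-in definition) showing how a rule can stay effective across both api-versions by checking the old alias and the new alias named above together. It assumes the built-in's intent is to deny a site whose content share traffic is not routed through the VNet; the same allOf pattern applies to the vnetRouteAllEnabled / outboundVnetRouting.applicationTraffic pair behind Deny-AppServiceApps-Rfc.

```json
{
  "properties": {
    "displayName": "Deny App Service without VNet content share routing (old and new aliases)",
    "description": "Example custom policy: denies Microsoft.Web/sites unless content share traffic is VNet-routed via either the pre-2024 property or the 2024-11-01 outboundVnetRouting property.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Web/sites" },
          {
            "allOf": [
              { "field": "Microsoft.Web/sites/vnetContentShareEnabled", "notEquals": "true" },
              { "field": "Microsoft.Web/sites/outboundVnetRouting.contentShareTraffic", "notEquals": "true" }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Because a property absent from the request body evaluates as not equal to "true", a site built with 2024-11-01 and outboundVnetRouting.contentShareTraffic set to true passes, while a site built with an older api-version still has to set vnetContentShareEnabled.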

@picccard please can you open support tickets for this issue. These are due to API changes by PG where they are not updating THEIR policies to support the changes. This team does not have any influence or ability to update built-in policies, we can only update the custom policies we provide as part of the ALZ solution (not built-in).

Can everyone impacted please open a support case. The more people making noise, the more likely we can get a fix from PG.

PLEASE do keep reporting here though, even if we can't fix the issue, we need evidence to push product owners and this helps.

Springstone avatar Sep 10 '25 12:09 Springstone

@picccard please note that the azure-policy Github repo is read-only. No one in the product group is actively monitoring this, as they work off another repository. Appreciate the issue is a concern. Please create an Azure support ticket for this issue.

Springstone avatar Dec 08 '25 11:12 Springstone

I'm unable to create a ticket without a support plan.

With your Basic support plan, you can create support requests for billing, subscription management, and quota increase. For technical support, upgrade to a paid support plan or explore our free resources.

picccard avatar Dec 08 '25 12:12 picccard