azure-policy
Azure Kubernetes Service Private Clusters should be enabled: When enforcement mode is Deny, blocks deployment of Azure Monitor even if cluster is private
Details of the scenario you tried and the problem that is occurring
Verbose logs showing the problem
{
  "code": "InvalidTemplateDeployment",
  "message": "The template deployment failed because of policy violation. Please see details for more information.",
  "details": [
    {
      "code": "RequestDisallowedByPolicy",
      "target": "aks-dtb-azops-aksmodule-t4",
      "message": "Resource 'aks-dtb-azops-aksmodule-t4' was disallowed by policy. Reasons: 'Public network access must be disabled for PaaS services.'. See error details for policy resource IDs.",
      "additionalInfo": [
        {
          "type": "PolicyViolation",
          "info": {
            "evaluationDetails": {
              "evaluatedExpressions": [
                {
                  "result": "True",
                  "expressionKind": "Field",
                  "expression": "type",
                  "path": "type",
                  "expressionValue": "microsoft.containerservice/managedclusters",
                  "targetValue": "Microsoft.ContainerService/managedClusters",
                  "operator": "Equals"
                },
                {
                  "result": "True",
                  "expressionKind": "Field",
                  "expression": "Microsoft.ContainerService/managedClusters/apiServerAccessProfile.enablePrivateCluster",
                  "path": "properties.apiServerAccessProfile.enablePrivateCluster",
                  "targetValue": "True",
                  "operator": "NotEquals"
                }
              ],
              "reason": "Public network access must be disabled for PaaS services."
            },
            "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8",
            "policySetDefinitionId": "/providers/Microsoft.Management/managementGroups/lzroot/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints",
            "policyDefinitionReferenceId": "AKSDenyPaasPublicIP",
            "policySetDefinitionName": "Deny-PublicPaaSEndpoints",
            "policySetDefinitionDisplayName": "Public network access should be disabled for PaaS services",
            "policyDefinitionName": "040732e8-d947-40b8-95d6-854c95024bf8",
            "policyDefinitionDisplayName": "Azure Kubernetes Service Private Clusters should be enabled",
            "policyDefinitionEffect": "Deny",
            "policyAssignmentId": "/providers/Microsoft.Management/managementGroups/lzroot-corp/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints",
            "policyAssignmentName": "Deny-Public-Endpoints",
            "policyAssignmentDisplayName": "Public network access should be disabled for PaaS services",
            "policyAssignmentScope": "/providers/Microsoft.Management/managementGroups/lzroot-corp",
            "policyAssignmentParameters": {
              "storagePublicIpDenyEffect": "Audit"
            },
            "policyExemptionIds": []
          }
        }
      ]
    }
  ]
}
Suggested solution to the issue
Since the cluster in question is already private, this policy falsely reports an issue that does not exist when you try to deploy Azure Monitor. Either the policy needs to be adjusted, or the Azure Monitor solution needs to be modified so that it does not violate the policy; perhaps the Azure Monitor solution is incorrectly setting a property that is causing the policy violation.
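The log above carries the clue to what is going on: the second evaluated expression (the `NotEquals` check on `enablePrivateCluster`) fired with `result: True` but has no `expressionValue`, so the request body that Azure Monitor's template sent for the managed cluster did not contain that field at all. The following is an added example, not code from the azure-policy repository or from the reporter. It reconstructs the rule from the two `evaluatedExpressions` in the log (assumption: those two conditions are the whole rule), models Azure Policy evaluation in a simplified way (only `allOf`, `equals`, `notEquals`), assumes, as the log implies, that a field absent from the request evaluates as not equal to the target, and shows two constructed request bodies: a full, explicitly private cluster (allowed) and a monitoring-addon-only update that omits `apiServerAccessProfile` (denied even though the real cluster is private). The `absent_field_denials` helper is a triage check that pulls the "fired without a value" signature out of a `RequestDisallowedByPolicy` error such as the one on this page, which separates a partial-update false positive from a cluster whose setting is genuinely wrong.

```python
"""Reproduce and triage the policy deny shown in the log above (added example, not
code from the azure-policy repo). The rule is reconstructed from the two
evaluatedExpressions in the error; the evaluator is a simplified model of Azure
Policy (allOf, equals, notEquals) that assumes, as the log implies, that a field
absent from the request body counts as NOT equal to the target value."""

# Alias -> property path, copied from the "expression" / "path" pairs in the log.
ALIASES = {
    "type": "type",
    "Microsoft.ContainerService/managedClusters/apiServerAccessProfile.enablePrivateCluster":
        "properties.apiServerAccessProfile.enablePrivateCluster",
}

# Policy rule as reconstructed from the log (assumption: these two conditions are the whole rule).
PRIVATE_CLUSTER_RULE = {
    "allOf": [
        {"field": "type", "equals": "Microsoft.ContainerService/managedClusters"},
        {"field": "Microsoft.ContainerService/managedClusters/apiServerAccessProfile.enablePrivateCluster",
         "notEquals": "True"},
    ]
}

_MISSING = object()  # sentinel: the request body did not carry the field


def get_path(body, path):
    """Resolve a dotted property path in a request body; _MISSING if any segment is absent."""
    cur = body
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return _MISSING
        cur = cur[part]
    return cur


def _norm(value):
    # Azure Policy compares strings case-insensitively; booleans become "true"/"false".
    return str(value).lower()


def evaluate(cond, body, trace):
    """Evaluate one condition and append an evaluatedExpressions-style entry per field check."""
    if "allOf" in cond:
        results = [evaluate(c, body, trace) for c in cond["allOf"]]  # no short-circuit: keep the full trace
        return all(results)
    field = cond["field"]
    value = get_path(body, ALIASES[field])
    entry = {"expressionKind": "Field", "expression": field, "path": ALIASES[field]}
    if value is not _MISSING:
        entry["expressionValue"] = value  # omitted when the field is absent, exactly as in the log
    if "equals" in cond:
        entry.update(operator="Equals", targetValue=cond["equals"])
        result = value is not _MISSING and _norm(value) == _norm(cond["equals"])
    else:  # notEquals: an absent field is "not equal" and therefore matches
        entry.update(operator="NotEquals", targetValue=cond["notEquals"])
        result = value is _MISSING or _norm(value) != _norm(cond["notEquals"])
    entry["result"] = str(result)
    trace.append(entry)
    return result


def is_denied(body, rule=PRIVATE_CLUSTER_RULE):
    """Return (denied, trace); denied is True when the rule's 'if' block matches the body."""
    trace = []
    return evaluate(rule, body, trace), trace


def absent_field_denials(error):
    """Triage: list (policy display name, path) for every expression in a
    RequestDisallowedByPolicy error that fired with no expressionValue, i.e. the
    request body did not carry the field. That is the signature of a partial
    update being denied, not of a resource whose setting is actually wrong."""
    hits = []
    for detail in error.get("details", []):
        for extra in detail.get("additionalInfo", []):
            info = extra.get("info", {})
            for expr in info.get("evaluationDetails", {}).get("evaluatedExpressions", []):
                if expr.get("result") == "True" and "expressionValue" not in expr:
                    hits.append((info.get("policyDefinitionDisplayName"), expr.get("path")))
    return hits


# Constructed request 1: a full cluster definition that is explicitly private.
FULL_PRIVATE_CLUSTER = {
    "type": "microsoft.containerservice/managedclusters",
    "properties": {"apiServerAccessProfile": {"enablePrivateCluster": True}},
}

# Constructed request 2: the shape a monitoring-only template can send, an addon profile
# with apiServerAccessProfile omitted. The cluster is private, the body just does not say so.
MONITOR_ADDON_PUT = {
    "type": "microsoft.containerservice/managedclusters",
    "properties": {"addonProfiles": {"omsagent": {"enabled": True}}},
}

# Trimmed copy of the error reported on this page, enough for the triage helper.
PAGE_ERROR = {"code": "InvalidTemplateDeployment", "details": [{"code": "RequestDisallowedByPolicy", "additionalInfo": [{
    "type": "PolicyViolation", "info": {
        "policyDefinitionDisplayName": "Azure Kubernetes Service Private Clusters should be enabled",
        "policyDefinitionEffect": "Deny",
        "evaluationDetails": {"evaluatedExpressions": [
            {"result": "True", "path": "type", "operator": "Equals",
             "expressionValue": "microsoft.containerservice/managedclusters",
             "targetValue": "Microsoft.ContainerService/managedClusters"},
            {"result": "True", "path": "properties.apiServerAccessProfile.enablePrivateCluster",
             "operator": "NotEquals", "targetValue": "True"},
        ]}}}]}]}

if __name__ == "__main__":
    for name, body in [("full private cluster", FULL_PRIVATE_CLUSTER), ("monitor addon PUT", MONITOR_ADDON_PUT)]:
        denied, trace = is_denied(body)
        print(f"{name}: denied={denied}, enablePrivateCluster check -> {trace[1]}")
    print("fired without a request value:", absent_field_denials(PAGE_ERROR))
```

The useful distinction for whoever owns the assignment is the one `absent_field_denials` makes: a `NotEquals` expression that fires with an `expressionValue` means the request genuinely sets the property wrong, while one that fires with no value means the request never mentioned the property, so either the policy rule needs to tolerate a partial update or the deploying template needs to carry `apiServerAccessProfile` through.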
If policy is Guest Configuration - details about target node
n/a