
BuiltIn Policy for App Service should enable vnet routing fails for newer api-version

Open picccard opened this issue 4 months ago • 2 comments

First reported in Azure/Enterprise-Scale#2050.

Built-in Policy Definition 801543d1-1953-4a90-b8b0-8cf6d41473a5 (Deny-AppService-Vnet-Routing) fails when using a newer api-version to build App Services.

The policy alias Microsoft.Web/sites/vnetContentShareEnabled maps to resource properties.vnetContentShareEnabled, but this property is not included in the api-version Microsoft.Web/sites@2024-11-01. The property is now properties.outboundVnetRouting.contentShareTraffic and it is mapped to the policy alias Microsoft.Web/sites/outboundVnetRouting.contentShareTraffic. All policy aliases.

https://github.com/Azure/Enterprise-Scale/blob/a64a6cb7066e267e6a7294164486f6c1f3927b43/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json#L218-L228

Steps to reproduce

targetScope = 'subscription'

// The original snippet references 'rg' without declaring it; this existing-resource
// reference is added so the file compiles. Replace the placeholder with your resource group.
resource rg 'Microsoft.Resources/resourceGroups@2022-09-01' existing = {
  name: '<resource-group-name>'
}

module appServicePlan 'br/public:avm/res/web/serverfarm:0.5.0' = {
  scope: rg
  params: {
    name: 'example-asp'
    skuName: 'S1'
    skuCapacity: 1
    zoneRedundant: false
    kind: 'linux'
    reserved: true
  }
}

// Subnet the web app integrates with (placeholder resource ID).
var subnetId = '/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<virtual-network-name>/subnets/<subnet-name>'

module webApp 'br/public:avm/res/web/site:0.19.3' = {
  scope: rg
  params: {
    name: 'example-app'
    kind: 'app,linux,container'
    serverFarmResourceId: appServicePlan.outputs.resourceId
    virtualNetworkSubnetResourceId: subnetId
    // 2024-11-01 shape of the routing switches (replaces the top-level
    // vnetImagePullEnabled / vnetContentShareEnabled / vnetRouteAllEnabled properties).
    // All three are true, so the app matches the guardrail's intent, yet
    // Deny-AppService-Vnet-Routing still fails it because its alias targets the old property.
    outboundVnetRouting: { imagePullTraffic: true, contentShareTraffic: true, allTraffic: true }
    publicNetworkAccess: 'Enabled'
    siteConfig: {
      linuxFxVersion: 'DOCKER|nginx:1.28.0-alpine'
    }
  }
}

Screenshots: (image attached to the original issue, not reproduced here)

picccard avatar Oct 15 '25 14:10 picccard

@picccard The same problem occurs in 3 other policies as well, which are in the initiative Enforce recommended guardrails for App Service; see below.

The properties vnetRouteAllEnabled, vnetImagePullEnabled, vnetContentShareEnabled have all been renamed and moved to the new outboundVnetRouting element. This applies to both app services and app service slots.


https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-AppServices.html

neok-g avatar Dec 09 '25 15:12 neok-g
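To make the failure mode in the issue body and in the comment above concrete, here is an added example (not code from this issue, from Azure/Enterprise-Scale, or from Azure itself): a toy evaluator for the subset of the Azure Policy language involved (allOf, field equals/notEquals/exists), run against constructed request bodies in the old and the 2024-11-01 shape. It shows a rule that only knows the legacy alias `Microsoft.Web/sites/vnetContentShareEnabled` denying a fully routed 2024-11-01 app, and a dual-alias rule that also checks `Microsoft.Web/sites/outboundVnetRouting.contentShareTraffic` behaving correctly. Assumptions not taken from the page: the alias-to-property mapping is simplified to `properties.<dotted path>`; a missing field is treated as "not equal" to any value; the built-in rule shape is reconstructed for illustration; and the alias names for `allTraffic` and `imagePullTraffic` are assumed to follow the pattern the issue shows for `contentShareTraffic`.

```python
"""Toy Azure Policy rule evaluator (added example, not the built-in policy's code).

Assumptions (not from the issue): alias 'Microsoft.Web/sites/a.b' resolves to
request['properties']['a']['b']; an absent field satisfies 'notEquals'; the
legacy rule shape below is a reconstruction, not a copy of the built-in.
"""
from typing import Any

MISSING = object()  # sentinel: field absent from the request body


def resolve_field(field: str, resource: dict) -> Any:
    """Resolve a policy 'field' against a resource request body."""
    if field == "type":
        return resource.get("type", MISSING)
    # 'Microsoft.Web/sites/outboundVnetRouting.contentShareTraffic'
    #   -> properties.outboundVnetRouting.contentShareTraffic  (simplified alias model)
    _, sep, path = field.partition("Microsoft.Web/sites/")
    if not sep:
        raise ValueError(f"unsupported alias: {field}")
    node: Any = resource.get("properties", {})
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return MISSING
        node = node[part]
    return node


def evaluate(condition: dict, resource: dict) -> bool:
    """Evaluate a condition tree; True means the condition matched."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    value = resolve_field(condition["field"], resource)
    if "exists" in condition:
        return (value is not MISSING) == bool(condition["exists"])
    if "equals" in condition:
        return value is not MISSING and value == condition["equals"]
    if "notEquals" in condition:
        # An absent property is "not equal" to true: this is why a rule written
        # against the legacy alias fires on a 2024-11-01 body that never carries it.
        return value is MISSING or value != condition["notEquals"]
    raise ValueError(f"unsupported condition: {condition}")


def is_denied(policy_rule: dict, resource: dict) -> bool:
    """A deny policy blocks the request when its 'if' block matches."""
    return evaluate(policy_rule["if"], resource)


def deny_rule(*aliases: str) -> dict:
    """Deny a Microsoft.Web/sites request unless at least one alias evaluates to true."""
    return {
        "if": {"allOf": [{"field": "type", "equals": "Microsoft.Web/sites"}]
               + [{"field": a, "notEquals": True} for a in aliases]},
        "then": {"effect": "deny"},
    }


# Legacy-only rule (reconstructed shape of the built-in): old alias must be true.
LEGACY_RULE = deny_rule("Microsoft.Web/sites/vnetContentShareEnabled")

# Dual-alias rule: deny only when NEITHER the legacy property nor the 2024-11-01
# property says content-share traffic is routed through the VNet.
DUAL_ALIAS_RULE = deny_rule(
    "Microsoft.Web/sites/vnetContentShareEnabled",
    "Microsoft.Web/sites/outboundVnetRouting.contentShareTraffic",
)

# Same pattern for the other two renamed properties (new alias names are assumed).
RENAMED_PROPERTIES = {
    "vnetRouteAllEnabled": "outboundVnetRouting.allTraffic",
    "vnetImagePullEnabled": "outboundVnetRouting.imagePullTraffic",
    "vnetContentShareEnabled": "outboundVnetRouting.contentShareTraffic",
}
DUAL_ALIAS_RULES = {
    old: deny_rule(f"Microsoft.Web/sites/{old}", f"Microsoft.Web/sites/{new}")
    for old, new in RENAMED_PROPERTIES.items()
}

# Constructed request bodies (not captured from a real deployment).
SITE_OLD_API = {"type": "Microsoft.Web/sites", "apiVersion": "2023-12-01",
                "properties": {"vnetContentShareEnabled": True}}
SITE_NEW_API = {"type": "Microsoft.Web/sites", "apiVersion": "2024-11-01",
                "properties": {"outboundVnetRouting": {
                    "imagePullTraffic": True, "contentShareTraffic": True, "allTraffic": True}}}
SITE_NEW_API_BAD = {"type": "Microsoft.Web/sites", "apiVersion": "2024-11-01",
                    "properties": {"outboundVnetRouting": {
                        "imagePullTraffic": True, "contentShareTraffic": False, "allTraffic": False}}}

if __name__ == "__main__":
    for name, body in [("old api", SITE_OLD_API), ("new api ok", SITE_NEW_API),
                       ("new api bad", SITE_NEW_API_BAD)]:
        print(f"{name:12} legacy rule denies: {is_denied(LEGACY_RULE, body)!s:5} "
              f"dual-alias rule denies: {is_denied(DUAL_ALIAS_RULE, body)}")
```

Running it shows the legacy rule denying the compliant 2024-11-01 body while the dual-alias rule denies only the body whose `contentShareTraffic` is false. A real custom definition would still need the corresponding `Microsoft.Web/sites/slots/...` aliases, since the comment above notes the same rename applies to slots, and the evaluator deliberately ignores everything else in the policy language.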

@picccard By the way, they already implemented OutboundVnetRouting in 2024-11-01. But more than a year later they still have not modified these built-in policies (.....)

https://learn.microsoft.com/en-us/azure/templates/microsoft.web/2024-11-01/sites?pivots=deployment-language-bicep#outboundvnetrouting
https://learn.microsoft.com/en-us/azure/templates/microsoft.web/change-log/sites

neok-g avatar Dec 09 '25 15:12 neok-g