Tags: azure, network-programming, azure-devops, azure-web-app-service, azure-bicep

Getting "BadRequest" when trying to deploy web app networking settings using Bicep template


While deploying the web app's inbound networking configuration, I want to set the Public Network Access setting to "Select Virtual Networks & IP Addresses"; I will then add a private endpoint using a separate private endpoint module. The change can be made manually, but Bicep returns a 'BadRequest' error when the template is deployed through the pipeline.

// Reference to an App Service plan that already exists (this template does not create it).
// NOTE(review): `name: appPlan` points at this resource's own symbolic name; presumably a
// parameter or variable holding the plan name was intended — confirm.
resource appPlan 'Microsoft.Web/serverfarms@2022-03-01' existing = {
  name: appPlan
}

// Web app (HTTPS only, FTP/FTPS deployment disabled) integrated with the subnet in `subnetid`.
resource webApp 'Microsoft.Web/sites@2022-03-01' = {
  name: webAppName
  location: location
  tags: tags
  kind: 'app'
  // NOTE(review): `identity` is given as a bare string here; the resource schema takes an
  // object of the form { type: 'SystemAssigned' }. Worth fixing before chasing the BadRequest.
  identity: 'SystemAssigned'
  properties: {
    reserved: true
    // NOTE(review): no symbol named `serverFarm` is declared in this snippet; the plan
    // declared above is `appPlan` — confirm which one is meant.
    serverFarmId: serverFarm.id
    httpsOnly: true
    vnetRouteAllEnabled: false
    // The public endpoint stays enabled; inbound filtering is left to the access
    // restrictions declared on the site config resource below.
    publicNetworkAccess: 'Enabled'
    virtualNetworkSubnetId: subnetid
    siteConfig: {
      alwaysOn: true
      ftpsState: 'Disabled'
      appSettings: AppSettings
    }
  }
}

// Keep public network access enabled, but restrict inbound traffic with IP access rules:
// two Allow rules followed by an explicit deny-all.
// NOTE(review): the child resource is named 'config'. Access restrictions live on the site
// config named 'web'; 'config' is not one of the Microsoft.Web/sites/config names, which is a
// likely contributor to the BadRequest — confirm against the deployment error details.
resource webAppNetworkAccess 'Microsoft.Web/sites/config@2022-03-01' = {
  parent: webApp
  name: 'config'
  properties: {
    publicNetworkAccess: 'Enabled'
    ipSecurityRestrictions: [
      {
        ipAddress: '10.0.0.0/19'
        action: 'Allow'
        tag: 'Default'
        priority: 100
        name: 'subnet1'
      }
      {
        // NOTE(review): '10.0.0.1/19' has host bits set and falls inside the same /19 as the
        // rule above, so it does not describe a second subnet; confirm the intended range.
        ipAddress: '10.0.0.1/19'
        action: 'Allow'
        tag: 'Default'
        priority: 110
        name: 'Subnet2'
      }
      {
        // Explicit catch-all deny, evaluated after the Allow rules (higher priority number).
        ipAddress: 'Any'
        action: 'Deny'
        priority: 12345678
        name: 'Deny all'
        description: 'Deny all access'
      }
    ]
  }
}

This is the current setting: (screenshot not reproduced here)

This is what I want to achieve using Bicep: (screenshot not reproduced here)


Solution

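  • Getting "Bad Request" when trying to deploy web app networking settings using Bicep template:

    To meet this requirement, you need to configure a private endpoint together with a private DNS zone group and the matching network configuration. Use the Bicep code below as a reference. Compared with the template in the question, it declares `identity` as an object, names the site config resource 'web' instead of 'config', references the plan as `appPlan.id`, and uses priority 200 for the deny rule.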

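    // Address space of the virtual network that hosts the private endpoint subnet.
    var AddressPrefix = '10.0.0.0/16'
    // Private DNS zone name used for App Service private endpoints in the Azure public cloud.
    // environment().suffixes exposes no 'Hostname' entry, so the zone name is spelled out;
    // sovereign clouds use a different suffix and need a different literal here.
    var privateDnsZone = 'privatelink.azurewebsites.net'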
    // Linux App Service plan (SKU P1V2) that hosts the web app.
    resource appPlan 'Microsoft.Web/serverfarms@2020-06-01' = {
      name: 'AppServicePlanjah'
      location: resourceGroup().location
      kind: 'linux'
      sku: {
        name: 'P1V2'
      }
      properties: {
        // reserved: true goes together with kind 'linux' for a Linux plan.
        reserved: true
      }
    }
    // Web app with a system-assigned managed identity, HTTPS only, FTP/FTPS deployment disabled.
    resource webApp 'Microsoft.Web/sites@2022-03-01' = {
      name: 'abrakjam'
      location: resourceGroup().location
      kind: 'app'
      identity: {
        type: 'SystemAssigned'
      }
      properties: {
        serverFarmId: appPlan.id
        reserved: true
        httpsOnly: true
        // The public endpoint stays enabled even though a private endpoint is attached;
        // inbound filtering then depends entirely on the ipSecurityRestrictions of the
        // site's 'web' config. Set this to 'Disabled' if only private access is wanted.
        publicNetworkAccess: 'Enabled'
        vnetRouteAllEnabled: false
        siteConfig: {
          ftpsState: 'Disabled'
          alwaysOn: false
        }
      }
    }
    // Inbound access restrictions for the main site: two Allow rules, then an explicit deny-all.
    // NOTE(review): nothing here sets scmIpSecurityRestrictions or
    // scmIpSecurityRestrictionsUseMain, so confirm whether the SCM (Kudu) site should be
    // covered by the same rules.
    resource webAppNetworkAccess 'Microsoft.Web/sites/config@2022-03-01' = {
      name: 'web'
      parent: webApp
      properties: {
        publicNetworkAccess: 'Enabled'
        ipSecurityRestrictions: [
          {
            // NOTE(review): this is a private (RFC 1918) range; confirm it matches the source
            // addresses the app actually sees for the traffic that should be allowed.
            name: 'AllowSubnet1'
            priority: 100
            action: 'Allow'
            ipAddress: '10.0.0.0/19'
            tag: 'Default'
          }
          {
            // NOTE(review): '10.0.0.1/19' has host bits set and lies inside the same /19 as
            // AllowSubnet1, so it does not describe a second subnet; confirm the intended range.
            name: 'AllowSubnet2'
            priority: 110
            action: 'Allow'
            ipAddress: '10.0.0.1/19'
            tag: 'Default'
          }
          {
            // Catch-all deny; its higher priority number places it after the Allow rules.
            name: 'DenyAll'
            description: 'Deny all other access'
            priority: 200
            action: 'Deny'
            ipAddress: 'Any'
          }
        ]
      }
    }
    // Virtual network whose address space comes from the AddressPrefix variable.
    // Its subnet is declared as a separate child resource rather than inline.
    resource vnet 'Microsoft.Network/virtualNetworks@2021-05-01' = {
      location: resourceGroup().location
      name: 'sdaskjd'
      properties: {
        addressSpace: {
          addressPrefixes: [AddressPrefix]
        }
      }
    }
    
    // Subnet that will hold the web app's private endpoint.
    resource subnet 'Microsoft.Network/virtualNetworks/subnets@2021-05-01' = {
      name: 'askdjlksjd'
      parent: vnet
      properties: {
        // Network policies are switched off for private endpoints in this subnet, so do not
        // rely on NSG rules here to filter traffic headed to the endpoint — TODO confirm
        // this matches the intended network controls.
        privateEndpointNetworkPolicies: 'Disabled'
        addressPrefix: '10.0.0.0/24'
      }
    }
    
    // Private endpoint in the subnet above, connected to the web app's 'sites' sub-resource.
    resource privateEndpoint 'Microsoft.Network/privateEndpoints@2022-01-01' = {
      location: resourceGroup().location
      name: 'asjd-privateEndpoint'
      properties: {
        privateLinkServiceConnections: [
          {
            name: 'plsConnection'
            properties: {
              groupIds: [
                'sites'
              ]
              privateLinkServiceId: webApp.id
            }
          }
        ]
        subnet: {
          id: subnet.id
        }
      }
    }
    
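    // Private DNS zone for the private endpoint. The symbolic name differs from the
    // `privateDnsZone` variable because Bicep rejects two declarations with the same identifier.
    // The zone itself needs nothing from the VNet; the link below carries that dependency.
    resource privateDnsZoneResource 'Microsoft.Network/privateDnsZones@2020-06-01' = {
      name: privateDnsZone
      location: 'global'
      properties: {}
    }

    // Link the zone to the VNet. Without a link, clients inside the VNet do not resolve
    // names through this zone and keep getting the app's public address.
    // (The link name is a sample value.)
    resource privateDnsZoneVnetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
      parent: privateDnsZoneResource
      name: 'vnet-link'
      location: 'global'
      properties: {
        registrationEnabled: false
        virtualNetwork: {
          id: vnet.id
        }
      }
    }

    // DNS zone group: registers the private endpoint's records in the private DNS zone.
    resource dnsZone 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2024-01-01' = {
      parent: privateEndpoint
      name: 'sddnsZoneGroup'
      properties: {
        privateDnsZoneConfigs: [
          {
            name: 'default'
            properties: {
              privateDnsZoneId: privateDnsZoneResource.id
            }
          }
        ]
      }
    }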
    

    Output:

    (three screenshots, not reproduced here)