While deploying a web app's inbound networking configuration, I want to set Public Network Access to "Select Virtual Networks & IP Addresses", and I will add a private endpoint using a separate private endpoint module. I can make this networking change manually, but Bicep gives me a 'BadRequest' error when deploying through the pipeline.
// Reference to an App Service plan that is not deployed by this template (`existing`).
// NOTE(review): `name: appPlan` refers to this resource's own symbolic name. The plan name
// presumably comes from a parameter the snippet does not show. Confirm and use a distinct identifier.
resource appPlan 'Microsoft.Web/serverfarms@2022-03-01' existing = {
name: appPlan
}
// Web app deployed onto the plan, HTTPS-only, FTPS disabled, with a system-assigned identity requested.
// webAppName, location, tags, subnetid and AppSettings are not declared in this snippet
// (presumably parameters of the full template).
resource webApp 'Microsoft.Web/sites@2022-03-01' = {
name: webAppName
location: location
tags: tags
kind: 'app'
// NOTE(review): identity is given as a plain string here; the answer's template below
// passes an object with a `type` property instead.
identity: 'SystemAssigned'
properties: {
reserved: true
// NOTE(review): `serverFarm` is not declared anywhere in this snippet; the plan reference
// above is called `appPlan`. Confirm which symbol is intended.
serverFarmId: serverFarm.id
httpsOnly: true
vnetRouteAllEnabled: false
// The public endpoint stays reachable; what it admits is decided by the access
// restrictions configured on the site.
publicNetworkAccess: 'Enabled'
virtualNetworkSubnetId: subnetid
siteConfig: {
alwaysOn: true
ftpsState: 'Disabled'
appSettings: AppSettings
}
}
}
// Keep public network access enabled but restrict it to specific sources:
// two Allow rules followed by an explicit Deny for everything else.
// NOTE(review): the child resource is named 'config' here; the answer's template below
// names the same resource type 'web', which is the site configuration that carries
// ipSecurityRestrictions. This name is a likely cause of the BadRequest. Confirm.
resource webAppNetworkAccess 'Microsoft.Web/sites/config@2022-03-01' = {
parent: webApp
name: 'config'
properties: {
publicNetworkAccess: 'Enabled'
ipSecurityRestrictions: [
{
// NOTE(review): this is a private (RFC 1918) range. An ipAddress rule is matched against
// the source address seen on the public endpoint; admitting a VNet subnet is normally done
// with a vnetSubnetResourceId rule. Confirm which is intended.
ipAddress: '10.0.0.0/19'
action: 'Allow'
tag: 'Default'
priority: 100
name: 'subnet1'
}
{
// '10.0.0.1/19' has host bits set and denotes the same /19 network as the rule above,
// so as written this rule admits nothing additional.
ipAddress: '10.0.0.1/19'
action: 'Allow'
tag: 'Default'
priority: 110
name: 'Subnet2'
}
{
// Catch-all Deny, evaluated after the Allow rules because of its larger priority number.
ipAddress: 'Any'
action: 'Deny'
priority: 12345678
name: 'Deny all'
description: 'Deny all access'
}
]
}
}
Getting "Bad Request" when trying to deploy web app networking settings using Bicep template:
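You need to configure a private endpoint with a specific DNS zone group, together with the network configuration, to achieve this requirement. Note two differences from the template in the question: the `Microsoft.Web/sites/config` child resource is named 'web' instead of 'config', and `identity` is an object with a `type` property instead of a plain string. Use the Bicep code below as a working example.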
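// Example template: a Linux web app whose public endpoint admits only listed sources,
// plus a private endpoint with private DNS integration for access from inside the
// virtual network.

// Address space of the example virtual network.
var AddressPrefix = '10.0.0.0/16'

// Private DNS zone name used by App Service private endpoints in the Azure public cloud
// (sovereign clouds use a different zone name).
// The variable was previously called `privateDnsZone`, the same identifier as the zone
// resource below, and Bicep rejects an identifier that is declared twice. Its value was
// built from environment().suffixes.Hostname, which is not among the documented suffixes.
var privateDnsZoneName = 'privatelink.azurewebsites.net'

// App Service plan (Linux, P1V2) that hosts the web app.
resource appPlan 'Microsoft.Web/serverfarms@2020-06-01' = {
  name: 'AppServicePlanjah'
  location: resourceGroup().location
  kind: 'linux'
  sku: {
    name: 'P1V2'
  }
  properties: {
    reserved: true
  }
}

// The web app itself: HTTPS only, FTPS disabled, system-assigned managed identity.
resource webApp 'Microsoft.Web/sites@2022-03-01' = {
  name: 'abrakjam'
  location: resourceGroup().location
  kind: 'app'
  // identity must be an object with a `type` property, not a bare string.
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    reserved: true
    serverFarmId: appPlan.id
    httpsOnly: true
    vnetRouteAllEnabled: false
    // The public endpoint stays reachable; the access restrictions below decide
    // which sources it admits.
    publicNetworkAccess: 'Enabled'
    siteConfig: {
      alwaysOn: false
      ftpsState: 'Disabled'
    }
  }
}

// Access restrictions for the main site. The child resource must be named 'web':
// that is the site configuration which carries ipSecurityRestrictions.
//
// Review points for anyone reusing this:
// - These rules cover the main site only. The SCM (Kudu) endpoint has its own list
//   (scmIpSecurityRestrictions) unless scmIpSecurityRestrictionsUseMain is set to true.
//   Decide this deliberately, because build agents that deploy through the SCM endpoint
//   then have to be allowed as well.
// - Traffic that arrives through the private endpoint is not expected to be filtered
//   by these rules. Verify against the current App Service documentation.
resource webAppNetworkAccess 'Microsoft.Web/sites/config@2022-03-01' = {
  parent: webApp
  name: 'web'
  properties: {
    publicNetworkAccess: 'Enabled'
    ipSecurityRestrictions: [
      {
        // NOTE(review): a private (RFC 1918) range. On multi-tenant App Service an
        // ipAddress rule is matched against the source address seen on the public
        // endpoint; a VNet subnet is normally admitted with a vnetSubnetResourceId
        // rule instead. Confirm which is intended.
        ipAddress: '10.0.0.0/19'
        action: 'Allow'
        tag: 'Default'
        priority: 100
        name: 'AllowSubnet1'
      }
      {
        // '10.0.0.1/19' has host bits set and is the same /19 network as the rule
        // above; replace it with the real second range.
        ipAddress: '10.0.0.1/19'
        action: 'Allow'
        tag: 'Default'
        priority: 110
        name: 'AllowSubnet2'
      }
      {
        // Explicit catch-all. It is evaluated last because it has the largest
        // priority number of the three rules.
        ipAddress: 'Any'
        action: 'Deny'
        priority: 200
        name: 'DenyAll'
        description: 'Deny all other access'
      }
    ]
  }
}

// Virtual network that will host the private endpoint.
resource vnet 'Microsoft.Network/virtualNetworks@2021-05-01' = {
  name: 'sdaskjd'
  location: resourceGroup().location
  properties: {
    addressSpace: {
      addressPrefixes: [
        AddressPrefix
      ]
    }
  }
}

// Subnet for the private endpoint's network interface.
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2021-05-01' = {
  parent: vnet
  name: 'askdjlksjd'
  properties: {
    addressPrefix: '10.0.0.0/24'
    // 'Disabled' means network policies (NSG rules, user-defined routes) are not
    // applied to private endpoints in this subnet.
    privateEndpointNetworkPolicies: 'Disabled'
  }
}

// Private endpoint that exposes the web app (group 'sites') inside the subnet.
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2022-01-01' = {
  name: 'asjd-privateEndpoint'
  location: resourceGroup().location
  properties: {
    subnet: {
      id: subnet.id
    }
    privateLinkServiceConnections: [
      {
        name: 'plsConnection'
        properties: {
          privateLinkServiceId: webApp.id
          groupIds: ['sites']
        }
      }
    ]
  }
}

// Private DNS zone that holds the record for the private endpoint.
resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: privateDnsZoneName
  location: 'global'
  properties: {}
}

// Link the zone to the virtual network. Without a link, clients in the VNet do not
// query this zone and the app's hostname keeps resolving to its public address.
resource privateDnsZoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: privateDnsZone
  name: 'vnet-link'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: vnet.id
    }
  }
}

// DNS zone group: registers the private endpoint's address in the private DNS zone.
resource dnsZone 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2024-01-01' = {
  parent: privateEndpoint
  name: 'sddnsZoneGroup'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'default'
        properties: {
          privateDnsZoneId: privateDnsZone.id
        }
      }
    ]
  }
}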
Output: