azure azure-web-app-service azure-rm-template azure-bicep vnet

How do you deploy VNET to an App Service with BICEP?


I want to deploy a Bicep template that configures outbound traffic for an App Service. The deployment completes without errors and reports success, but Virtual Network Integration is not added to the app.

# Deploy main.bicep into the target resource group (resource-group-scoped deployment).
# The arguments are collected in an array and splatted onto the az call, which
# avoids backtick line continuations.
# A successful exit only means the template was accepted and deployed; confirm the
# integration itself separately, e.g.
#   az webapp vnet-integration list --resource-group $resourceGroup --name my-awesome-app-lol
$resourceGroup = "my-resource-group"
$template = 'main.bicep'
$deploymentArgs = @(
    '--resource-group', $resourceGroup
    '--template-file', $template
)
az deployment group create @deploymentArgs

main.bicep:

// Full resource ID of the integration target. Despite the variable name, the path
// ends in /subnets/default, so it identifies a subnet rather than a whole virtual network.
var vnetResourceId = '/subscriptions/{subscription-id}/resourceGroups/my-resource-group/providers/Microsoft.Network/virtualNetworks/{vnet-name}/subnets/default'
// Placeholder string, used below both as siteConfig.vnetName and as the name of the
// virtualNetworkConnections child resource.
var outboundVnetNet = 'doesItEvenMatter'
// Web app definition as posted in the question.
// appServicePlanId is not declared in this listing; presumably it is defined elsewhere in the file.
resource appService 'Microsoft.Web/sites@2024-04-01' = {
  name: 'my-awesome-app-lol'
  location: 'WestUS2'
  properties: {
    serverFarmId: appServicePlanId
    // Accept HTTPS requests only.
    httpsOnly: true
    siteConfig: {
      // CORS allow-list: only the Azure portal origin.
      cors: {
        allowedOrigins: [
          'https://portal.azure.com'
        ]
      }
      // Plain FTP is off but FTPS stays available; 'Disabled' is the stricter value
      // when FTP-based deployment is not used.
      ftpsState: 'FtpsOnly'
      netFrameworkVersion: 'v8.0'
      // NOTE(review): both VNet settings sit inside siteConfig here. Per the question this
      // deploys without error yet no integration appears; the solution on this page instead
      // sets vnetRouteAllEnabled and virtualNetworkSubnetId directly under properties.
      vnetRouteAllEnabled: true
      vnetName: outboundVnetNet
    }
  }
}

// Child resource of appService that references the subnet ID held in vnetResourceId.
// Its API version (2023-12-01) differs from the parent's (2024-04-01).
// NOTE(review): the portal-exported template on this page names this child
// '<guid>_default' rather than an arbitrary string; the page does not establish
// whether the name affects the outcome.
resource outboundVnetConfiguration 'Microsoft.Web/sites/virtualNetworkConnections@2023-12-01' = {
  name: outboundVnetNet
  parent: appService
  properties: {
    // NOTE(review): presumably marks this as regional ("Swift") VNet integration;
    // confirm against the resource reference.
    isSwift: true
    vnetResourceId: vnetResourceId
  }
}

When I manually do it inside the portal, the exported ARM template from the UI adds the following JSON:

{
  "type": "Microsoft.Web/sites/virtualNetworkConnections",
  "apiVersion": "2023-12-01",
  "name": "my-awesome-app-lol/9e717979-f385-412e-b1a5-2fdffd21fa7f_default",
  "location": "West US 2",
  "dependsOn": [
    "[resourceId('Microsoft.Web/sites', 'my-awesome-app-lol')]"
  ],
  "properties": {
    "vnetResourceId": "/subscriptions/{subscription-id}/resourceGroups/my-resource-group/providers/Microsoft.Network/virtualNetworks/{vnet-name}/subnets/default",
    "isSwift": true
  }
}

What am I missing that is preventing the Virtual Network Integration from deploying when I use BICEP?


Solution

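  • With API version 2024-04-01 you only need to set the virtualNetworkSubnetId property on the site itself; the separate Microsoft.Web/sites/virtualNetworkConnections resource is not required.

    Also note that vnetRouteAllEnabled and virtualNetworkSubnetId go directly under properties, outside the siteConfig object: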

    // Resource ID of the subnet used for outbound VNet integration (the path ends in
    // /subnets/<name>). For regional VNet integration the subnet is expected to be
    // delegated to Microsoft.Web/serverFarms; check that before deploying.
    var integrationSubnetId = '/subscriptions/{subscription-id}/resourceGroups/my-resource-group/providers/Microsoft.Network/virtualNetworks/{vnet-name}/subnets/default'

    // Web app with VNet integration declared on the site resource itself, so no
    // virtualNetworkConnections child resource is needed.
    // appServicePlanId is not declared in this snippet; presumably it comes from
    // elsewhere in the template.
    resource appService 'Microsoft.Web/sites@2024-04-01' = {
      name: 'my-awesome-app-lol'
      location: 'WestUS2'
      properties: {
        serverFarmId: appServicePlanId
        httpsOnly: true
        // Network integration settings live directly under properties, not in siteConfig.
        virtualNetworkSubnetId: integrationSubnetId
        // Route all outbound traffic through the integration subnet so that its
        // NSGs and route tables apply to it.
        vnetRouteAllEnabled: true
        siteConfig: {
          netFrameworkVersion: 'v8.0'
          // Plain FTP is off but FTPS stays available; 'Disabled' is the stricter
          // value when FTP-based deployment is not used.
          ftpsState: 'FtpsOnly'
          cors: {
            allowedOrigins: [
              'https://portal.azure.com'
            ]
          }
        }
      }
    }
    // The question shows a deployment can report success without the integration
    // being attached, so verify the result afterwards, e.g.
    //   az webapp vnet-integration list --resource-group my-resource-group --name my-awesome-app-lol