Unable to deploy private endpoint for flex consumption function app in azure using bicep
resource storageAccount 'Microsoft.Storage/storageAccounts@2021-04-01' = {
name: 'vvkstaccforflexfuncapp'
location: 'uksouth'
kind: 'StorageV2'
sku: {
name: 'Standard_LRS'
}
properties: {
accessTier: 'Hot'
minimumTlsVersion: 'TLS1_2'
}
}
resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
name: 'name'
location: 'uksouth'
kind: 'web'
properties: {
Application_Type: 'web'
}
}
resource virtualNetwork 'Microsoft.Network/virtualNetworks@2019-11-01' = {
name: 'vnetforflexfuncapp'
location: 'uksouth'
properties: {
addressSpace: {
addressPrefixes: [
'10.0.0.0/16'
]
}
subnets: [
{
name: 'InboundSubnet'
properties: {
addressPrefix: '10.0.0.0/24'
}
}
{
name: 'OutboundSubnet'
properties: {
addressPrefix: '10.0.1.0/24'
delegations: [
{
name: 'delegation'
properties: {
serviceName: 'Microsoft.App/environments'
}
}
]
}
}
]
}
}
resource flexappserviceplan 'Microsoft.Web/serverfarms@2024-04-01' = {
name: 'vscodeflexappserviceplan'
location: 'uksouth'
sku: {
name: 'FC1'
tier: 'FlexConsumption'
family: 'FC'
capacity: 0
}
kind: 'functionapp'
properties: {
perSiteScaling: false
elasticScaleEnabled: false
maximumElasticWorkerCount: 1
isSpot: false
reserved: true
isXenon: false
hyperV: false
targetWorkerCount: 1
targetWorkerSizeId: 0
zoneRedundant: false
}
}
resource flexfunapp 'Microsoft.Web/sites@2024-04-01' = {
name: 'vscodeflexfunapp02'
location: 'uksouth'
kind: 'functionapp,linux'
properties: {
serverFarmId: flexappserviceplan.id
clientAffinityEnabled: false
siteConfig: {
appSettings: [
{
name: 'AzureWebJobsStorage'
value: storageAccount.properties.primaryEndpoints.blob
}
{
name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
value: appInsights.properties.ConnectionString
}
]
numberOfWorkers: 1
}
functionAppConfig: {
deployment: {
storage: {
type: 'blobcontainer'
value: '${storageAccount.properties.primaryEndpoints.blob}container'
authentication: {
type: 'SystemAssignedIdentity'
}
}
}
scaleAndConcurrency: {
maximumInstanceCount: 100
instanceMemoryMB: 4096
}
runtime: {
name: 'python'
version: '3.11'
}
}
httpsOnly: true
publicNetworkAccess: 'Disabled'
virtualNetworkSubnetId: virtualNetwork.properties.subnets[1].id
}
}
resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2019-11-01' = {
name: 'privateEndpointNSG'
location: 'uksouth'
properties: {
securityRules: [
{
name: 'AllowAzurePrivateLink'
properties: {
priority: 100
access: 'Allow'
direction: 'Inbound'
protocol: '*'
sourceAddressPrefix: 'AzureActiveDirectory' // Required for Azure Private Link
sourcePortRange: '*'
destinationAddressPrefix: '*'
destinationPortRange: '*'
}
}
{
name: 'AllowAppTraffic'
properties: {
priority: 200
access: 'Allow'
direction: 'Inbound'
protocol: 'Tcp'
sourceAddressPrefix: '10.0.0.0/16'
sourcePortRange: '*'
destinationAddressPrefix: '*'
destinationPortRange: '*'
}
}
]
}
}
resource subnetAssociation 'Microsoft.Network/virtualNetworks/subnets@2021-02-01' = {
parent: virtualNetwork
name: 'InboundSubnet'
properties: {
networkSecurityGroup: {
id: networkSecurityGroup.id
}
}
}
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
name: 'privatelink.azurewebsites.net' // For Function Apps
location: 'global'
}
resource dnsZoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
parent: dnsZone
name: 'vnetlink'
properties: {
virtualNetwork: {
id: virtualNetwork.id
}
registrationEnabled: true
}
}
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2024-05-01' = {
name: '${flexfunapp.name}-private-endpoint'
location: 'uksouth'
properties: {
subnet: {
id: virtualNetwork.properties.subnets[0].id // Use the InboundSubnet for the private endpoint
}
privateLinkServiceConnections: [
{
name: 'functionAppPrivateLink'
properties: {
privateLinkServiceId: flexfunapp.id
groupIds: [
'web'
]
}
}
]
}
}
PS C:\Windows\System32> New-AzResourceGroupDeployment -Name 'FlexFuncAppDeployment' -TemplateFile 'D:\LearnBicep\PracticeBicep\flexfunctionapp.bicep' -ResourceGroupName 'vivekchak-rg' -Mode Incremental
New-AzResourceGroupDeployment: 1:41:20 PM - The deployment 'FlexFuncAppDeployment' failed with error(s). Showing 3 out of 3 error(s).
Status Message: Call to Microsoft.Web/sites failed. Error message: GroupId is invalid. (Code: BadRequest)
Status Message: Address prefix and ipam pool reference are both empty/null in request payload of resource /subscriptions//resourceGroups/vivekchak-rg/providers/Microsoft.Network/virtualNetworks/vnetforflexfuncapp/subnets/InboundSubnet. Please provide either address prefix or ipam pool reference. (Code: NoAddressPrefixOrPoolProvided)
Status Message: The location property is required for this definition. (Code:LocationRequired)
I'm able to deploy all the resources as given in the bicep except the private endpoint, getting error as shown above.
Unable to figure out the error. please help
Solution
Few things:
- The location property is required for this definition. (Code:LocationRequired): The
dnsZoneLinkresource is missing the location property.
resource dnsZoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
parent: dnsZone
location: 'global'
name: 'vnetlink'
properties: {
virtualNetwork: {
id: virtualNetwork.id
}
registrationEnabled: true
}
}
- Call to Microsoft.Web/sites failed. Error message: GroupId is invalid. (Code: BadRequest): The
groupIdsproperty on theprivateEndpointresource has a wrong value. It should besites.
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2024-05-01' = {
name: '${flexfunapp.name}-private-endpoint'
location: 'uksouth'
properties: {
subnet: {
id: virtualNetwork.properties.subnets[0].id // Use the InboundSubnet for the private endpoint
}
privateLinkServiceConnections: [
{
name: 'functionAppPrivateLink'
properties: {
privateLinkServiceId: flexfunapp.id
groupIds: [
'sites'
]
}
}
]
}
}
- Address prefix and ipam pool reference are both empty/null in request payload of resource ...: You should NOT be updating the subnet using the
subnetAssociationresource. It will drop existing properties. Instead, you can specify the NSG when creating the vnet:
resource virtualNetwork 'Microsoft.Network/virtualNetworks@2019-11-01' = {
name: 'thomastest-001-uks-vnet'
location: 'uksouth'
properties: {
addressSpace: {
addressPrefixes: [
'10.0.0.0/16'
]
}
subnets: [
{
name: 'InboundSubnet'
properties: {
addressPrefix: '10.0.0.0/24'
networkSecurityGroup: {
id: networkSecurityGroup.id
}
}
}
...
]
}
}
- You are creating a classic app insight resource which was retired last year (see documentation). You should create a workspace-based app insights:
resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
name: 'thomastest-001-uks-log'
location: 'uksouth'
properties: {
sku: {
name: 'PerGB2018'
}
}
}
resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
name: 'thomastest-001-uks-appi'
location: 'uksouth'
kind: 'web'
properties: {
Application_Type: 'web'
WorkspaceResourceId: logAnalyticsWorkspace.id
}
}
Full bicep sample:
resource storageAccount 'Microsoft.Storage/storageAccounts@2021-04-01' = {
name: 'thomastest001uksst'
location: 'uksouth'
kind: 'StorageV2'
sku: {
name: 'Standard_LRS'
}
properties: {
accessTier: 'Hot'
minimumTlsVersion: 'TLS1_2'
}
}
resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
name: 'thomastest-001-uks-log'
location: 'uksouth'
properties: {
sku: {
name: 'PerGB2018'
}
}
}
resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
name: 'thomastest-001-uks-appi'
location: 'uksouth'
kind: 'web'
properties: {
Application_Type: 'web'
WorkspaceResourceId: logAnalyticsWorkspace.id
}
}
resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2019-11-01' = {
name: 'thomastest-001-uks-nsg'
location: 'uksouth'
properties: {
securityRules: [
{
name: 'AllowAzurePrivateLink'
properties: {
priority: 100
access: 'Allow'
direction: 'Inbound'
protocol: '*'
sourceAddressPrefix: 'AzureActiveDirectory' // Required for Azure Private Link
sourcePortRange: '*'
destinationAddressPrefix: '*'
destinationPortRange: '*'
}
}
{
name: 'AllowAppTraffic'
properties: {
priority: 200
access: 'Allow'
direction: 'Inbound'
protocol: 'Tcp'
sourceAddressPrefix: '10.0.0.0/16'
sourcePortRange: '*'
destinationAddressPrefix: '*'
destinationPortRange: '*'
}
}
]
}
}
resource virtualNetwork 'Microsoft.Network/virtualNetworks@2019-11-01' = {
name: 'thomastest-001-uks-vnet'
location: 'uksouth'
properties: {
addressSpace: {
addressPrefixes: [
'10.0.0.0/16'
]
}
subnets: [
{
name: 'InboundSubnet'
properties: {
addressPrefix: '10.0.0.0/24'
networkSecurityGroup: {
id: networkSecurityGroup.id
}
}
}
{
name: 'OutboundSubnet'
properties: {
addressPrefix: '10.0.1.0/24'
delegations: [
{
name: 'delegation'
properties: {
serviceName: 'Microsoft.App/environments'
}
}
]
}
}
]
}
}
resource flexappserviceplan 'Microsoft.Web/serverfarms@2024-04-01' = {
name: 'thomastest-001-uks-asp'
location: 'uksouth'
sku: {
name: 'FC1'
tier: 'FlexConsumption'
family: 'FC'
capacity: 0
}
kind: 'functionapp'
properties: {
reserved: true // linux
}
}
resource flexfunapp 'Microsoft.Web/sites@2024-04-01' = {
name: 'thomastest-001-uks-flex'
location: 'uksouth'
kind: 'functionapp,linux'
properties: {
serverFarmId: flexappserviceplan.id
clientAffinityEnabled: false
siteConfig: {
appSettings: [
{
name: 'AzureWebJobsStorage'
value: storageAccount.properties.primaryEndpoints.blob
}
{
name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
value: appInsights.properties.ConnectionString
}
]
numberOfWorkers: 1
}
functionAppConfig: {
deployment: {
storage: {
type: 'blobcontainer'
value: '${storageAccount.properties.primaryEndpoints.blob}container'
authentication: {
type: 'SystemAssignedIdentity'
}
}
}
scaleAndConcurrency: {
maximumInstanceCount: 100
instanceMemoryMB: 4096
}
runtime: {
name: 'python'
version: '3.11'
}
}
httpsOnly: true
publicNetworkAccess: 'Disabled'
virtualNetworkSubnetId: virtualNetwork.properties.subnets[1].id
}
}
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
name: 'privatelink.azurewebsites.net' // For Function Apps
location: 'global'
}
resource dnsZoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
parent: dnsZone
location: 'global'
name: 'vnetlink'
properties: {
virtualNetwork: {
id: virtualNetwork.id
}
registrationEnabled: true
}
}
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2024-05-01' = {
name: '${flexfunapp.name}-private-endpoint'
location: 'uksouth'
properties: {
subnet: {
id: virtualNetwork.properties.subnets[0].id // Use the InboundSubnet for the private endpoint
}
privateLinkServiceConnections: [
{
name: 'functionAppPrivateLink'
properties: {
privateLinkServiceId: flexfunapp.id
groupIds: [
'sites'
]
}
}
]
}
}
- In an Azure App Service, how do I allow DefaultAzureCredential to get bearer token from App Registration (Enterprise Application)?
- Powershell performance degraded when importing Az modules
- How to construct the hashed token signature for Azure Cosmos DB REST API to list users?
- How to make CosmosDB work with an Azure Web App
- AADSTS50011: The redirect URI specified in the request does not match the redirect URIs configured for the app
- Stopping or Disabling a resource group in Azure
- Why I got an error request every 5 minutes in an Azure App Service
- I have try to create event in microsoft outlook calendar but coming error Access token validation failure. Invalid audience
- FQDN on Azure Virtual Machine
- azurerm - Terraform not behaving as expected
- How to get all possible AppServicePlan configurations from an Azure subscription?
- How to register your Azure resource as an Application in Azure Active Directory?
- How to Compare Variables in the Azure Library-Variable Group
- azure ai studio - indexing problem (ai search)
- The template output 'ctrName' is not valid: The language expression property array index '4' is out of bounds
- Microsoft Graph API: Create subscription - Exception: [Status Code: Unauthorized] [Go]
- After Upgrade Azure Function .Net 8 - How to handle Dependecy Injection from Startup.cs?
- How does using a proxy between frontend and backend improve security?
- How to verify JWT id_token produced by MS Azure AD?
- Azure Video Indexer API: "USER_NOT_ALLOWED" Error When Checking Blurring Job Status After Completion of Bluring
- Azure arm64 VM sku with nested virtualization
- Set ouput of GitHub action workflow after using azure/login@v2 step
- Redirect service (302) in Azure, best possible approach?
- Why the redirect uri has no fragment parameters on the first try?
- Trying to get Azure AI to work with Nuxt 3
- How do I pull the last modified file with data flow in Azure Data Factory?
- Pass AzureML job's name to pipeline
- Using the Microsoft Graph API to load files from Sharepoint into Databricks
- Databricks Numeric Type comparsion (Int vs Double)
- Azure Synapse time out - Token expire