Change 'Ingress traffic' setting for Azure Container Application through Bicep deployment
I am trying to connect to an Azure Container App (not an Azure Container Instance!) which is deployed using the following Bicep deployment scripts:
vnet
resource vnet 'Microsoft.Network/virtualNetworks@2021-08-01' = {
name: vnetName
location: location
properties: {
addressSpace: {
addressPrefixes: [
vnetAddressPrefix
]
}
subnets: [
{
name: subnetName
properties: {
privateEndpointNetworkPolicies: 'Enabled'
addressPrefix: vnetAddressPrefix
}
}
]
}
}
appEnv
resource appEnv 'Microsoft.App/managedEnvironments@2022-10-01' = {
name: containerAppEnvName
location: location
properties: {
vnetConfiguration: {
infrastructureSubnetId: vnet.properties.subnets[0].id
internal: false
}
zoneRedundant: false
}
}
containerApp
resource containerApp 'Microsoft.App/containerApps@2022-10-01' = {
name: containerAppName
location: location
properties: {
environmentId: appEnv.id
configuration: {
secrets: [
{
name: 'password'
value: '...'
}
]
registries: [
{
server: '...'
username: '...'
passwordSecretRef: 'password'
}
]
ingress: {
external: true
targetPort: 7687
exposedPort: 7687
transport: 'tcp'
}
}
template: {
containers: [
{
image: '...'
name: 'neo4j'
env: []
resources: {
cpu: 2
memory: '4Gi'
}
}
]
scale: {
minReplicas: 1
maxReplicas: 1
}
}
}
dependsOn: [
vnet
]
}
This all succeeds: all resources are successfully created in the Azure Portal. However, if I try to connect to the Azure Container App, I get a generic ServiceUnavailable error:
[error] session error - ServiceUnavailable: Neo4jError: WebSocket connection failure. ...
When I look up the Container App in the Azure Portal and select the Ingress blade, I see this:
I'd like to try and select the option Accept traffic from anywhere1 (the red arrow in the screenshot), but that cannot be selected. In the Bicep documentation, I cannot find a parameter internalOnly for a Container App Environment (changing internal: ... in vnetConfiguration does not work).
Question: how can I change the Bicep deployment script(s) so that Accept traffic from anywhere is selected?
1 we're in a POC-like phase, so security is not top-priority for now.
I was able to successfully set up a container app with public TCP ingress. The setting responsible for Accept traffic from anywhere is on the container environment (vnetConfiguration.internal must be false). However I needed to delete and recreate the environment after changing this to false to actually get the desired change.
This was my bicep template:
resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2020-10-01' = {
name: logname
location: location
properties: {
sku: {
name: 'PerGB2018'
}
}
}
resource vnet 'Microsoft.Network/virtualNetworks@2021-08-01' = {
name: vnetname
location: location
properties: {
addressSpace: {
addressPrefixes: [
'10.10.0.0/16'
]
}
subnets: [
{
name: 'helloworld'
properties: {
privateEndpointNetworkPolicies: 'Enabled'
addressPrefix: '10.10.0.0/16'
}
}
]
}
}
resource containerAppEnv 'Microsoft.App/managedEnvironments@2022-03-01' = {
name: containerappenv
location: location
properties: {
appLogsConfiguration: {
destination: 'log-analytics'
logAnalyticsConfiguration: {
customerId: logAnalytics.properties.customerId
sharedKey: logAnalytics.listKeys().primarySharedKey
}
}
vnetConfiguration: {
infrastructureSubnetId: vnet.properties.subnets[0].id
internal: false
}
}
}
resource containerApp 'Microsoft.App/containerApps@2022-10-01' = {
name: containerappname
location: location
properties: {
managedEnvironmentId: containerAppEnv.id
configuration: {
ingress: {
external: true
targetPort: targetPort
exposedPort: 3000
transport: 'tcp'
allowInsecure: false
traffic: [
{
latestRevision: true
weight: 100
}
]
}
registries: [
{
server: registry
identity: identity
}
]
}
template: {
revisionSuffix: 'secondrevision'
containers: [
{
name: ...
image: containerImage
resources: {
cpu: json(cpuCore)
memory: '${memorySize}Gi'
}
}
]
scale: {
minReplicas: minReplicas
maxReplicas: maxReplicas
}
}
}
}