
Change 'Ingress traffic' setting for Azure Container Application through Bicep deployment


I am trying to connect to an Azure Container App (not an Azure Container Instance!) which is deployed using the following Bicep deployment scripts:

vnet

resource vnet 'Microsoft.Network/virtualNetworks@2021-08-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        vnetAddressPrefix
      ]
    }
    subnets: [
      {
        name: subnetName
        properties: {
          privateEndpointNetworkPolicies: 'Enabled'
          addressPrefix: vnetAddressPrefix
        }
      }
    ]
  }
}

appEnv

resource appEnv 'Microsoft.App/managedEnvironments@2022-10-01' = {
  name: containerAppEnvName
  location: location
  properties: {
    vnetConfiguration: {
      infrastructureSubnetId: vnet.properties.subnets[0].id
      internal: false
    }
    zoneRedundant: false
  }
}

containerApp

resource containerApp 'Microsoft.App/containerApps@2022-10-01' = {
  name: containerAppName
  location: location
  properties: {
    environmentId: appEnv.id
    configuration: {
      secrets: [
        {
          name: 'password'
          value: '...'
        }
      ]      
      registries: [
        {
          server: '...'
          username: '...'
          passwordSecretRef: 'password'
        }
      ]
      ingress: {
        external: true
        targetPort: 7687
        exposedPort: 7687
        transport: 'tcp'
      }
    }
    template: {
      containers: [
        {
          image: '...'
          name: 'neo4j'
          env: []
          resources: {
            cpu: 2
            memory: '4Gi'
          }
        }
      ]
      scale: {
        minReplicas: 1
        maxReplicas: 1
      }
    }
  }
  dependsOn: [
    vnet
  ]
}

This all succeeds: all resources are successfully created in the Azure Portal. However, if I try to connect to the Azure Container App, I get a generic ServiceUnavailable error:

[error] session error - ServiceUnavailable: Neo4jError: WebSocket connection failure. ...

When I look up the Container App in the Azure Portal and select the Ingress blade, I see this:

[Screenshot: the Container App's Ingress blade in the Azure Portal]

I'd like to try and select the option Accept traffic from anywhere [1] (the red arrow in the screenshot), but that cannot be selected. In the Bicep documentation, I cannot find a parameter internalOnly for a Container App Environment (changing internal: ... in vnetConfiguration does not work).

Question: how can I change the Bicep deployment script(s) so that Accept traffic from anywhere is selected?

[1] We're in a POC-like phase, so security is not top-priority for now.


Solution

  • I was able to successfully set up a container app with public TCP ingress. The setting responsible for Accept traffic from anywhere is on the container environment (vnetConfiguration.internal must be false). However, I needed to delete and recreate the environment after changing this to false to actually get the desired change.

    This was my Bicep template:

    
    resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2020-10-01' = {
      name: logname
      location: location
      properties: {
        sku: {
          name: 'PerGB2018'
        }
      }
    }
    
    resource vnet 'Microsoft.Network/virtualNetworks@2021-08-01' = {
      name: vnetname
      location: location
      properties: {
        addressSpace: {
          addressPrefixes: [
            '10.10.0.0/16'
          ]
        }
        subnets: [
          {
            name: 'helloworld'
            properties: {
              privateEndpointNetworkPolicies: 'Enabled'
              addressPrefix: '10.10.0.0/16'
            }
          }
        ]
      }
    }
    
    resource containerAppEnv 'Microsoft.App/managedEnvironments@2022-03-01' = {
      name: containerappenv
      location: location
      properties: {
        appLogsConfiguration: {
          destination: 'log-analytics'
          logAnalyticsConfiguration: {
            customerId: logAnalytics.properties.customerId
            sharedKey: logAnalytics.listKeys().primarySharedKey
          }
        }
        vnetConfiguration: {
          infrastructureSubnetId: vnet.properties.subnets[0].id
          internal: false
        }
      }
    }
    
    resource containerApp 'Microsoft.App/containerApps@2022-10-01' = {
      name: containerappname
      location: location
      properties: {
        managedEnvironmentId: containerAppEnv.id
        configuration: {
          ingress: {
            external: true
            targetPort: targetPort
            exposedPort: 3000
            transport: 'tcp'
            allowInsecure: false
            traffic: [
              {
                latestRevision: true
                weight: 100
              }
            ]
          }
          registries: [
            {
              server: registry
              identity: identity
            }
          ]
        }
        template: {
          revisionSuffix: 'secondrevision'
          containers: [
            {
              name: ...
              image: containerImage
              resources: {
                cpu: json(cpuCore)
                memory: '${memorySize}Gi'
              }
            }
          ]
          scale: {
            minReplicas: minReplicas
            maxReplicas: maxReplicas
          }
        }
      }
    }
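
An added example, not part of the original question or answer: a Python check that reads the deployed environment and app JSON and reports whether the app is effectively open to the internet, and whether the deployed `vnetConfiguration.internal` differs from the template (the case where the answer had to delete and recreate the environment). The sample data is constructed, shaped like the output of `az containerapp env show -o json` and `az containerapp show -o json`; the function names and the 'none'/'restricted'/'anywhere' labels are assumptions of this example.

```python
import json

# Constructed sample data (not from the page), shaped like the JSON printed by
# `az containerapp env show -o json` and `az containerapp show -o json`.
SAMPLE_ENV = {"name": "example-env",
              "properties": {"vnetConfiguration": {"internal": True}}}
SAMPLE_APP = {"name": "neo4j", "properties": {"configuration": {"ingress": {
    "external": True, "transport": "tcp", "targetPort": 7687, "exposedPort": 7687}}}}


def env_is_internal(env: dict) -> bool:
    """Deployed vnetConfiguration.internal; absent means an external environment."""
    vnet_cfg = (env.get("properties") or {}).get("vnetConfiguration") or {}
    return bool(vnet_cfg.get("internal", False))


def app_ingress(app: dict) -> dict:
    """The app's ingress block, or {} when ingress is disabled."""
    config = (app.get("properties") or {}).get("configuration") or {}
    return config.get("ingress") or {}


def effective_exposure(env: dict, app: dict) -> str:
    """Classify reachability as 'none', 'restricted' or 'anywhere'."""
    ingress = app_ingress(app)
    if not ingress:
        return "none"
    # "Accept traffic from anywhere" needs both: external ingress on the app
    # and an environment deployed with internal: false.
    if ingress.get("external") and not env_is_internal(env):
        return "anywhere"
    return "restricted"


def audit(env: dict, app: dict, template_internal: bool) -> dict:
    """Compare deployed state with the template's vnetConfiguration.internal."""
    deployed = env_is_internal(env)
    return {
        "exposure": effective_exposure(env, app),
        "deployed_internal": deployed,
        # Per the answer, a changed value only took effect after the
        # environment was deleted and recreated.
        "recreate_environment": deployed != template_internal,
        "exposed_port": app_ingress(app).get("exposedPort"),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ENV, SAMPLE_APP, template_internal=False), indent=2))
```

A result of 'anywhere' on a database port such as 7687 is worth reviewing before the deployment leaves the proof-of-concept stage.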