Deploy within an environment that strictly disallows public network access

[DuboisABB]

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [x] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Trying to deploy with
azd env set AZURE_USE_PRIVATE_ENDPOINT true
azd env set AZURE_PUBLIC_NETWORK_ACCESS Disabled
azd up

Any log messages given by the failure

Our Azure environment does not allow public network access at all, and the above fails with:

(✓) Done: Resource group: ISWEACEDEV01-RG-01
(✓) Done: App Service plan: plan-xzr2h4erskcqg
(✓) Done: Azure OpenAI: cog-xzr2h4erskcqg
(✓) Done: Virtual Network: vnet-xzr2h4erskcqg
(✓) Done: Document Intelligence: cog-di-xzr2h4erskcqg
(✓) Done: Search service: gptkb-xzr2h4erskcqg
| =| Creating/Updating resources
ERROR: error executing step command 'provision': deployment failed: error deploying infrastructure: deploying to subscription:

Deployment Error Details:
InvalidTemplateDeployment: The template deployment failed because of policy violation. Please see details for more information.
RequestDisallowedByPolicy: Resource 'userstxzr2h4erskcqg' was disallowed by policy. Reasons: 'Public network access must be disabled for PaaS services.'. See error details for policy resource IDs.

TraceID: 0742395aac02059fd2be8eaad2c546fd

Expected/desired behavior

Successful provisionning

OS and Version?

Windows 11

azd version?

azd version 1.9.3 (commit e1624330dcc7dde440ecc1eda06aac40e68aa0a3)

Versions

Forked from 905b62e (2024-06-17)

[mattgotteiner]

Hi @DuboisABB can you please share the full deployment log? I don't know what resource specifically is the one that this deployment has an issue with. Thank you!

[DuboisABB]

Sorry somehow I missed your reply. I finally understood that "Public network access must be disabled for PaaS services" is not a single policy but a whole set of policies. Apparently the config in the bicep files when AZURE_PUBLIC_NETWORK_ACCESS="Disabled" were not strict enough.

The bit that was causing problem was this in storage-account.bicep:

var networkAcls = {
  bypass: bypass
  defaultAction: 'Allow'
}

I changed it to this (I also added a parameter for allowed IP address):

param networkAcls object = {
  bypass: publicNetworkAccess == 'Enabled' ? bypass : 'AzureServices'
  virtualNetworkRules: publicNetworkAccess == 'Enabled' ? [] : []
  ipRules: publicNetworkAccess == 'Enabled' ? [] : (empty(allowedIpAddress) ? [] : [
    {
      value: allowedIpAddress
      action: 'Allow'
    }
  ])
  defaultAction: publicNetworkAccess == 'Enabled' ? 'Allow' : 'Deny'
}

[pamelafox]

I just merged a different approach to private deployment which sets up a P2S VPN gateway that you can use for deployment, which works with the current NetworkACLs. But perhaps we need more flexibility for folks who are deploying a different way - am not sure how to test it myself since I don't have that sort of setup. Will leave this issue open for others to find.