Forum Discussion
Container Apps Environment Deployment Error
Hi all!
So here's the setup. Working on Microsoft Azure, trying to deploy with bicep.
We have two virtual networks, vnet 1 & vnet 2 with a subnet in each. Scenario one, we have the vnets peered. One subnet contains an APIM inside the subnet, with a gateway configured onto it. The other subnet, we are trying to deploy a Container Apps Environment with 2 Container Apps. The Container App Environment is set to internal, and the apps are set to 'limited to vnet'. No other IP restrictions applied. One of these Container apps is the 'gateway app' with the image 'mcr.microsoft.com/azure-api-management/gateway:2.0.2' on it. This app has the Token from the apim gateway passed to it as an environment variable, along with the service endpoint. The other container is a generic container app called 'bacon api' that just returns different flavours of bacon when making a request against it. This app is uploaded on the APIM & the apim gateway.
The subnets are both secured by respective NSGs. I can provide the NSG rules if needed, but short story is the rules are correct or at least allow enough so that I can make a request of the gateway api url with bacon api extension, and get returned the bacon flavours. So happy this all works, scenario one is golden and can deploy with bicep.
The next scenario is the same as above, except we have now introduced a firewall to the setup, in its own Vnet (vnet 3) with a virtual WAN. On the firewall policy, I have mirrored the NSG rules of the apim subnet nsg & the container subnet nsg. New firewall vnet 3 is peered with both previous vnets 1 & 2, and original vnet 1 & 2 are disconnected from each other. So Vnet 1 can only communicate with vnet 2 via the firewall vnet 3.
When deploying the Container Apps environment now with bicep, it either deploys forever, or returns the message ManagedEnvironmentApiServerConnectionBlocked.
Does anyone have any insight into what could be blocking this deployment? I can only assume it is the firewall as scenario 1 works, but even when putting some 'Allow All' rules on the firewall, it still fails. It's the deployment itself (via bicep) which is failing, not even got to the connection between apim and container app yet.
Any help would be appreciated, thank you all!