Azure / reliable-web-app-pattern-dotnet

The Reliable Web App Pattern is a set of objectives to help your web application converge on the cloud. This repo contains a reference implementation of a reliable web application for .NET.
https://aka.ms/eap/rwa/dotnet/doc
MIT License

Error while deploying AppConfig Service values #230

Closed KSchlobohm closed 1 year ago

KSchlobohm commented 1 year ago

After adding network security to the app config service we're seeing a new error related to setting values.

{
    "status": "Failed",
    "error": {
        "code": "Forbidden",
        "message": "Access to the requested resource is forbidden.",
        "additionalInfo": [
            {
                "type": "ActivityId",
                "info": {
                    "activityId": "ffffffff-cccc-4444-9999-eeeeeeeeeeee"
                }
            }
        ]
    }
}

KSchlobohm commented 1 year ago

Observations:

  1. At first glance it looks like all of the key vault values failed; this is not actually the case. Only one of the 5 app config service settings succeeded, and it came from key vault.
  2. Examining the order of operations, we see that there is a time-based correlation between changing the App Configuration Service setting. The only setting to successfully be set was saved at 12:06:42 PM; the private endpoint (which changes default public network access behavior) was deployed at 12:07:10 PM. Operations occurring after this 12:07 timestamp failed, creating a possibility that the operations failed because the network was changed.
  3. The simplest process, setting the App:RelecloudApi:BaseUri, failed; it has no interaction with other resources. It's just text, so when we see that the access is denied error applies to this setting I am led to understand that the access isn't to key vault but the access to App Configuration Service itself. As the permissions for App Configuration Service are applied by this deployment, the resource becomes more accessible, not less. So this surfaces the idea that the 'access' issue is a network issue.

KSchlobohm commented 1 year ago

This error appears to match the error, and behavior, of what would happen if the Azure Resource Provider used the data plane to set a key value in App Configuration Service while the Configuration Service has public-network-access disabled.

PUT /subscriptions/eeeeeeee-8888-3333-9999-cccccccccccc/resourceGroups/temp/providers/Microsoft.AppConfiguration/configurationStores/appcc/keyValues/test?api-version=2022-05-01

{
    "properties": {
        "value": "hello"
    }
}

{
    "error": {
        "code": "Forbidden",
        "message": "Access to the requested resource is forbidden.",
        "additionalInfo": [
            {
                "type": "ActivityId",
                "info": {
                    "activityId": "11111111-bbbb-4444-dddd-666666666666"
                }
            }
        ]
    }
}
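
The timing argument from observation 2, as an added example that is not part of the original thread or the repository's code: it splits App Configuration key-value writes around the first successful private endpoint operation and checks whether the failures line up with that change. The record shape follows `az deployment operation group list` output as an assumption, and the sample data is constructed; only the times 12:06:42 and 12:07:10 come from the thread.

```python
from datetime import datetime

KEY_VALUES = "Microsoft.AppConfiguration/configurationStores/keyValues"
PRIVATE_ENDPOINT = "Microsoft.Network/privateEndpoints"

def op(ts, state, rtype, name):
    """Build one record in the (assumed) deployment-operation shape."""
    return {"properties": {"timestamp": ts, "provisioningState": state,
                           "targetResource": {"resourceType": rtype, "resourceName": name}}}

# Constructed sample: only 12:06:42 and 12:07:10 come from the thread.
# The date, the other timestamps and every resource name are placeholders.
SAMPLE = [
    op("2000-01-01T12:06:42+00:00", "Succeeded", KEY_VALUES, "store/setting-1"),
    op("2000-01-01T12:07:10+00:00", "Succeeded", PRIVATE_ENDPOINT, "pe-appconfig"),
    op("2000-01-01T12:07:31+00:00", "Failed", KEY_VALUES, "store/setting-2"),
    op("2000-01-01T12:07:33+00:00", "Failed", KEY_VALUES, "store/setting-3"),
    op("2000-01-01T12:07:36+00:00", "Failed", KEY_VALUES, "store/setting-4"),
    op("2000-01-01T12:07:40+00:00", "Failed", KEY_VALUES, "store/setting-5"),
]

def correlate(operations, change_type=PRIVATE_ENDPOINT, target_type=KEY_VALUES):
    """Split target writes around the first network change and test the hypothesis."""
    rows = []
    for o in operations:
        p = o["properties"]
        res = p.get("targetResource") or {}  # some operations carry no target
        rows.append((datetime.fromisoformat(p["timestamp"]), p["provisioningState"],
                     res.get("resourceType"), res.get("resourceName")))
    changes = [t for t, state, rtype, _ in rows if rtype == change_type and state == "Succeeded"]
    if not changes:
        return None  # no network change in this deployment, nothing to correlate
    cutoff = min(changes)
    writes = [r for r in rows if r[2] == target_type]
    before = [r for r in writes if r[0] < cutoff]
    after = [r for r in writes if r[0] >= cutoff]
    return {
        "cutoff": cutoff,
        "ok_before": sum(r[1] == "Succeeded" for r in before),
        "failed_before": sum(r[1] == "Failed" for r in before),
        "ok_after": sum(r[1] == "Succeeded" for r in after),
        "failed_after": sum(r[1] == "Failed" for r in after),
        # Consistent with "the network change broke the writes" only if the split is clean.
        "clean_split": all(r[1] == "Succeeded" for r in before)
                       and all(r[1] == "Failed" for r in after) and bool(after),
    }

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

A clean split supports the network hypothesis but does not prove it; a success after the cutoff or a failure before it points to another cause.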