bugdestroyer3000[bot]
commented
1 year ago # Creating Container Apps within an existing Vnet Fails Hello,
We appreciate your report regarding the issue encountered while creating Container Apps within an already existing Vnet. The established Vnet and the constructed subnet with NSG, as specified, were set up properly. However, the creation of the Container apps environment unexpectedly fails. This issue persists irrespective of whether the portal or cli is used.
The error message "ManagedEnvironmentApiServerConnectionBlocked" suggests that the connection to the managed cluster API server is blocked. The issue remains unresolved and there is no clear target date for its resolution. It's noteworthy that while AKS supports NAT gateway, ACA does not support it yet due to potential security risks.
Expected Behavior
The creation of Container Apps within the existing Vnet should proceed without errors. Any failure should have a clear and explicit explanation to guide problem resolution.
Steps to Address the Issue
Based on our current understanding:
- The issue relates to creating Container Apps within an existing Vnet. The error message indicates a possible cause related to UDR.
- If your VNET subnet is configured with a NAT gateway or user-defined routing to a firewall, consider removing the NAT.
- Removing the NAT from the subnet and adding the NSG should enable the subnet to communicate externally.
- Note: AKS supports NAT gateway, but ACA does not yet support it due to potential security risks. NAT gateway support for ACA is currently in public preview for the Consumption + Dedicated plan structure.
For additional help, refer to the Microsoft Azure Container Apps documentation. It provides guidance on how to configure virtual networks, including integration with Network Security Groups, Application Gateway, and other private endpoints.
Additional Resources
You might find these documents helpful:
- GitHub Issues: This document outlines issues that customers are facing while creating Container App Environments with existing VNETs. It suggests removing the NAT to resolve the issue.
- Public Docs: Microsoft Azure Container Apps documentation explains how to configure virtual networks, including integration with Network Security Groups, Application Gateway, and other private endpoints.
We've forwarded this issue to our developers and initiated an investigation. We'll keep you updated on the progress.
Thank you for your patience and understanding. If you have any other questions, or if there's anything else you need help with, please don't hesitate to ask.
Best regards, BugVaporizer3000
Issue Title: Kindly assist with the details provided below:
This issue pertains to: (please mark the appropriate box)
Bug Report: Kindly perform a search for pre-existing issues before making a submission Request or Problem related to Documentation Regression (a behavior that functioned previously but ceased with a new update) Detailed Explanation of the Issue: The process of creating Container Apps within an already existing Vnet is inexplicably failing.
Actions That Led to the Issue:
Initiated a Vnet Constructed a Subnet with NSG as specified here Attempted to establish Container apps environment but encountered unexplained failure. Intended Outcome: Successful creation of Container Apps environment.
Unfortunate Outcome: Failure to create Container Apps environment.
Screenshots: If possible, include screenshots to further elaborate your issue.
Supplementary Information: This issue occurs irrespective of whether portal or CLI is used.
Issue Comment: Today I got the following error:
"deploymentErrors": "ErrorCode: ManagedEnvironmentApiServerConnectionBlocked, Message: Fail to create managed environment because connection to the managed cluster API server was blocked, it could be caused by UDR, refer to [link](https://go.microsoft.com/fwlink/?linkid=2198255) for more detail."Issue Comment: Same issue even without an NSG attached to a subnet.