Question 294904 in Azure Question posted in
The official documentation to get you started can be found here.

Azure – LinkedAuthorizationFailed when adding VNET new resource via ARM template

I am trying to deploy a function app using a ARM template from the azure portal. I am getting this error but not sure what needs to be changed. Any suggestions?

The client has permission to perform action ‘Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action’ on scope ‘/subscriptions//resourcegroups//providers/Microsoft.Web/sites/’, however the linked subscription ‘xxxxxx’ was not found. (Code: LinkedAuthorizationFailed)

{
"contentVersion": "1.0.0.0",
"parameters": {
    "siteName": {
        "defaultValue": "defaultName",
        "type": "String",
        "metadata": {
            "description": "Function app name to create"
        }
    },
    "storageAccountName": {
        "defaultValue": "defaultName",
        "type": "String",
        "metadata": {
            "description": "AzureWebJobsStorage name - a azure storage account that currently exists"
        }
    },
    "environment": {
        "defaultValue": "dev",
        "allowedValues": [
            "dev"
        ],
        "type": "String",
        "metadata": {
            "description": "The environment targeted"
        }
    },
    "location": {
        "defaultValue": "[resourceGroup().location]",
        "type": "String",
        "metadata": {
            "description": "Physical location - can leave Default"
        }
    },
    "serviceAppPlan": {
        "defaultValue": "default",
        "type": "String",
        "metadata": {
            "description": "App service plan name - can leave if environment specified"
        }
    }
},
"resources": [
    {
        "type": "Microsoft.Web/sites",
        "apiVersion": "2022-09-01",
        "name": "[parameters('siteName')]",
        "location": "[parameters('location')]",
        "kind": "functionapp,linux",
        "properties": {
            "serverFarmId": "[parameters('serviceAppPlan')]",
            "virtualNetworkSubnetId": "[format('/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.Network/virtualNetworks/{2}/subnets/default', subscription().displayName, resourceGroup().name, reference(resourceId('Microsoft.Network/virtualNetworks', format('{0}-myVnet', parameters('environment'))), '2020-11-01'))]",
            "clientAffinityEnabled": false,
            "siteConfig": {
                "linuxFxVersion": "DOTNET|6.0",
                "alwaysOn": true,
                "ftpsState": "Disabled",
                "appSettings": [
                    {
                        "name": "AzureWebJobsStorage",
                        "value": "<storage here>"
                    },
                    {
                        "name": "APPLICATIONINSIGHTS_CONNECTION_STRING",
                        "value": "<app-insights here>"
                    },
                    {
                        "name": "FUNCTIONS_EXTENSION_VERSION",
                        "value": "~4"
                    }
                ],
                "ipSecurityRestrictions": [
                    {
                        "vnetSubnetResourceId": "[format('/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.Network/virtualNetworks/{2}/subnets/default', subscription().displayName, resourceGroup().name, format('{0}-myVnet', parameters('environment')))]",
                        "action": "Allow",
                        "tag": "Default",
                        "priority": 34,
                        "name": "[format('{0}-myVnet', parameters('environment'))]"
                    },
                ]
            }
        }
    }
]

}

Tags:

2

Answers


  1. Chosen as BEST ANSWER
    0

    Found my issue:

    The documentation for Site.VirtualNetworkSubnetId says it needs to be in this format: /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}

    I was attempting to get the subscriptionName with subscription().displayName. This does not seem to work and produces the error above. Using subscription().subscriptionId instead and passing that in does work.

    I have no idea why, I guess it could be a permission issue or perhaps a bug/documentation issue.


  2. 0

    LinkedAuthorizationFailed when adding VNET new resource via ARM template: –

    The above error is caused due to below factors:

    1. For VNET integration you need to have an appropriate permission to restrict the access of a virtual network to some specific resource. Make sure that you have given Network Contributor role before deployment.

    2. And make sure that you enabled the app setting website_contentovervnet to 1.

    As it enables your function app to scale when you have your storage account restricted to a virtual network.

    {
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
  },
  "variables": {
    "vnetw": "xxxx",
    "addressPrefixVnet": "10.17.0.0/20",
    "addressPrefixSubnet": "10.17.4.0/24",
    "nsgName_sb_functionapp": "[concat(variables('vnetw'), 'functionnsg')]",
    "storageAccountName": "[concat(uniquestring(resourceGroup().id), 'sa1a')]",
    "appServicePlanName": "[concat(uniquestring(resourceGroup().id), 'asp1a')]",
    "functionAppName": "[concat(uniquestring(resourceGroup().id), 'asp1a')]"
  },
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2019-11-01",
      "name": "[variables('nsgName_sb_functionapp')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "securityRules": []
      }
    }, 
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2019-11-01",
      "name": "[variables('vnetw')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName_sb_functionapp'))]"
      ],
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "[variables('addressPrefixVnet')]"
          ]
        },
        "subnets": [
          {
            "name": "xxxx",
            "properties": {
              "addressPrefix": "[variables('addressPrefixSubnet')]",
              "networkSecurityGroup": {
                "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName_sb_functionapp'))]"
              },
              "serviceEndpoints": [
                {
                  "service": "Microsoft.Storage",
                  "locations": [
                    "*"
                  ]
                }
              ],
              "delegations": [
                {
                  "name": "delegation",
                  "properties": {
                    "serviceName": "Microsoft.Web/serverFarms"
                  }
                }
              ],
              "privateEndpointNetworkPolicies": "Enabled",
              "privateLinkServiceNetworkPolicies": "Enabled"
            }
          }
        ],
        "enableDdosProtection": false,
        "enableVmProtection": false
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2019-04-01",
      "name": "[variables('storageAccountName')]",
      "location": "[resourceGroup().location]",
      "kind": "StorageV2",
      "sku": {
        "name": "Standard_GRS",
        "tier": "Standard"
      },
      "properties": {
        "networkAcls": {
          "defaultAction": "Deny",
          "bypass": "AzureServices",
          "supportsHttpsTrafficOnly": true,
          "ipRules": [],
          "encryption": {
            "keySource": "Microsoft.Storage",
            "services": {
              "file": {
                "enabled": true
              },
              "blob": {
                "enabled": true
              }
            }
          },
          "accessTier": "Hot",
          "virtualNetworkRules": [
            {
              "id": "[concat(resourceId('Microsoft.Network/virtualNetworks', variables('vnetw')), '/subnets/subnetnew')]",
              "ignoreMissingVNetServiceEndpoint": false
            }
          ]
        }
      }
    },
    {
      "type": "Microsoft.Web/serverfarms",
      "apiVersion": "2018-02-01",
      "name": "[variables('appServicePlanName')]",
      "location": "[resourceGroup().location]",
      "sku": {
        "name": "EP1",
        "tier": "ElasticPremium",
        "size": "EP1",
        "family": "EP",
        "capacity": 1
      },
      "kind": "elastic",
      "properties": {
        "perSiteScaling": false,
        "maximumElasticWorkerCount": 20,
        "isSpot": false,
        "reserved": false,
        "isXenon": false,
        "hyperV": false,
        "targetWorkerCount": 0,
        "targetWorkerSizeId": 0
      }
    },
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2018-11-01",
      "name": "[variables('functionAppName')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
      ],
      "kind": "functionapp",
      "properties": {
        "enabled": true,
        "hostNameSslStates": [
          {
            "name": "[concat(variables('functionAppName'), '.azurewebsites.net')]",
            "sslState": "Disabled",
            "hostType": "Standard"
          },
          {
            "name": "[concat(variables('functionAppName'), '.scm.azurewebsites.net')]",
            "sslState": "Disabled",
            "hostType": "Repository"
          }
        ],
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
        "reserved": false,
        "isXenon": false,
        "hyperV": false,
        "scmSiteAlsoStopped": false,
        "clientAffinityEnabled": true,
        "clientCertEnabled": false,
        "hostNamesDisabled": false,
        "containerSize": 1536,
        "dailyMemoryTimeQuota": 0,
        "httpsOnly": true,
        "redundancyMode": "None",
        "siteConfig": {
          "appSettings": [
            {
              "name": "FUNCTIONS_EXTENSION_VERSION",
              "value": "~1"
            },
            {
              "name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
              "value": ""
            },
            {
              "name": "WEBSITE_CONTENTSHARE",
              "value": "[variables('functionAppName')]"
            },
            {
              "name": "WEBSITE_DNS_SERVER",
              "value": ""
            },
            {
              "name": "WEBSITE_VNET_ROUTE_ALL",
              "value": "1"
            },
            {
               "name": "WEBSITE_CONTENTOVERVNET",
               "value": "1"
            }
          ]
        }
      },
      "resources": [
        {
          "type": "networkConfig",
          "apiVersion": "2018-11-01",
          "name": "virtualNetwork",
          "location": "[resourceGroup().location]",
          "dependsOn": [
            "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]"
          ],
          "properties": {
            "subnetResourceId": "[concat(resourceId('Microsoft.Network/virtualNetworks', variables('vnetw')), '/subnets/subnetnew')]",
            "swiftSupported": true
          }
        }
      ]
    },
    {
      "type": "Microsoft.Web/sites/config",
      "apiVersion": "2018-11-01",
      "name": "[concat(variables('functionAppName'), '/web')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]"
      ],
      "properties": {
        "numberOfWorkers": 1,
        "defaultDocuments": [
          "index.html",
          "iisstart.htm"
        ],
        "netFrameworkVersion": "v4.0",
        "phpVersion": "5.6",
        "requestTracingEnabled": false,
        "remoteDebuggingEnabled": false,
        "remoteDebuggingVersion": "VS2019",
        "httpLoggingEnabled": false,
        "logsDirectorySizeLimit": 35,
        "detailedErrorLoggingEnabled": false,
        "publishingUsername": "[concat('$', variables('functionAppName'))]",
        "scmType": "VSTSRM",
        "use32BitWorkerProcess": true,
        "webSocketsEnabled": false,
        "alwaysOn": false,
        "managedPipelineMode": "Integrated",
        "virtualApplications": [
          {
            "virtualPath": "/",
            "physicalPath": "site\wwwroot",
            "preloadEnabled": true
          }
        ],
        "loadBalancing": "LeastRequests",
        "experiments": {
          "rampUpRules": [
          ]
        },
        "autoHealEnabled": false,
        "cors": {
          "allowedOrigins": [],
          "supportCredentials": false
        },
        "localMySqlEnabled": false,
        "ipSecurityRestrictions": [
          {
                        "vnetSubnetResourceId": "<VNETResourceID>",
                        "action": "Allow",
                        "tag": "Default",
                        "priority": 34,
                        "name": "[concat('{0}-myVnet', parameters('vnetw'))]"
                    }
        ],
        "scmIpSecurityRestrictions": [],
        "scmIpSecurityRestrictionsUseMain": false,
        "http20Enabled": false,
        "minTlsVersion": "1.2",
        "ftpsState": "AllAllowed",
        "reservedInstanceCount": 1
      }
    }
  ]
}

    enter image description here

    enter image description here

    Refer SO by @Stringfellow for the relevant information.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search