
webapp:Sync Network for Azure App Service connected to VNet #3391

Open
russcam opened this issue Jan 16, 2017 · 20 comments

@russcam (Author) commented Jan 16, 2017

PowerShell Version

PSVersion 5.1.14393.693

OS Version

BuildVersion 10.0.14393.693

Description

After connecting an App Service to a VNet using something similar to https://docs.microsoft.com/en-us/azure/app-service-web/app-service-vnet-integration-powershell#resource-manager-virtual-networks, "Sync Network" has to be performed before the Azure App can connect to any attached devices in the VNet. Trying to connect to a device before this has been done yields:

System.Net.Sockets.SocketException: An attempt was made to access a socket in a way forbidden by its access permissions 

"Sync Network" can be done within the Azure Portal:

(screenshot: vnet_integration)

Is this exposed in the Azure PowerShell SDK?

@markcowl (Member) commented Jan 17, 2017

@Nking92 Please comment on our support for this in ARM APIs for WebApps

@russcam (Author) commented Jan 17, 2017

I think I've found the setting in resource explorer for it, under

resource group -> providers -> Microsoft.Web -> serverfarms -> App Service Plan name -> virtualNetworkConnections

[
  {
    "id": null,
    "name": "[redacted]",
    "type": "Microsoft.Web/serverfarms/virtualNetworkConnections",
    "location": "Australia Southeast",
    "tags": null,
    "properties": {
      "vnetResourceId": "/subscriptions/[redacted]/resourceGroups/[redacted]/providers/Microsoft.Network/virtualNetworks/[redacted]",
      "certThumbprint": "[redacted]",
      "certBlob": "[redacted]",
      "routes": null,
      "resyncRequired": false,   <-- is this the setting?
      "dnsServers": null
    }
  }
]

but can't see how it's exposed in PowerShell SDK
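As an added example (not from the issue, and not Azure's own tooling), the following script reads the same `virtualNetworkConnections` child resources of an App Service Plan through the generic `Get-AzureRmResource` cmdlet and reports the `resyncRequired` flag shown in the JSON above. The resource group, plan name and API version are placeholders; whether `resyncRequired` is the flag that the portal's "Sync Network" clears is the open question in the comment above, so the script only reports it and does not act on it.

```powershell
# Added example, not part of the issue thread.
# Assumes the AzureRM modules are loaded and Login-AzureRmAccount has been run.
function Get-AppServicePlanVnetConnection {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $AppServicePlanName,
        # Assumption: a Microsoft.Web API version that serves this child resource.
        [string] $ApiVersion = '2016-09-01'
    )

    $subscriptionId = (Get-AzureRmContext).Subscription.Id

    # Collection path under the plan, as seen in Resource Explorer:
    # .../providers/Microsoft.Web/serverfarms/<plan>/virtualNetworkConnections
    $collectionId = "/subscriptions/$subscriptionId/resourceGroups/$ResourceGroupName" +
                    "/providers/Microsoft.Web/serverfarms/$AppServicePlanName/virtualNetworkConnections"

    $connections = Get-AzureRmResource -ResourceId $collectionId -ApiVersion $ApiVersion

    foreach ($c in $connections) {
        [pscustomobject]@{
            Name           = $c.Name
            VnetResourceId = $c.Properties.vnetResourceId
            CertThumbprint = $c.Properties.certThumbprint
            ResyncRequired = [bool] $c.Properties.resyncRequired
        }
    }
}

# Usage with placeholder names; prints one row per VNet connection on the plan.
Get-AppServicePlanVnetConnection -ResourceGroupName 'REPLACE-rg' -AppServicePlanName 'REPLACE-plan' |
    Format-Table -AutoSize
```

Running this before and after a portal "Sync Network" is a cheap way to see whether the flag changes at all for your plan; if it never does, it is not the thing the portal toggles.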

@ghost commented Jan 18, 2017

The sync operation is not directly supported in powershell or API. Rather, it involves several API calls that are currently brokered by the portal to get a package from VNet, pull the certs, set them in app service and also send our generated certs to VNet and make sure they are on what we have. It also does a route sync operation to ensure that the apps are using the proper VNet owned routes for sending traffic over. Since the operations to networking are tenant operations, all this is currently implemented at the portal rather than geo.

@russcam (Author) commented Jan 18, 2017

As it stands, it is not possible to completely automate connecting an App Service to a Virtual Network, a scenario that I would expect is extremely common e.g. a web application connected to an Elasticsearch cluster on the backend, as in this case. Will this be exposed in a future SDK release?

It would be worth also updating the documentation to indicate that a sync network is required after connecting the App Service to an existing VNet; I found out through trial and error 😄

@ghost commented Jan 18, 2017

Right. It's not possible, which is painful. No disagreement from me there, and it's something I want to fix someday. It's not a high priority right now though, so this is where it stands for now. There are some P2S changes coming this year that may help give an opportunity though.
The sync network should only be needed to sync routes. It should work fine without that with the standard RFC 1918 traffic headed into the VPN though. Was that not the case for you?

@russcam (Author) commented Jan 18, 2017

The sync network should only be needed to sync routes. It should work fine without that with the standard RFC 1918 traffic headed into the VPN though. Was that not the case for you?

I've found that I've needed to Sync Network every time, with my example script. I can put together a small reproducible example if it would help to rule out PEBKAC?

@ghost commented Jan 18, 2017

Maybe it's a nuance in how you are doing the script. I don't remember the exact reason why we don't do a route sync at the end of setup. It's been a year since we added the V2 VNet stuff, but I will ask and see.

@russcam (Author) commented Jan 19, 2017

@ChrisCompy that would be greatly appreciated. Let me know also if you would like a reproducible example and I'll put one together.

@IoBebe commented Mar 7, 2017

I'm running into the same issue here. Any updates?

@glen-richards commented Mar 28, 2017

I've hit the same problem trying to automate an upgrade process for our infrastructure.

@liamdawson commented Jun 8, 2017

This is incredibly annoying: if I re-run the environment template in CI, the error "Connection attempt failed: The requested address is not valid in its context" returns after every deploy, until I resync manually. Is there any API that can be called? Or even some way I can manually provide my own certificates for the connection? I'm unsure of where the app service gets the private key from.

@akuryan commented Jun 28, 2017

I am hitting the same issue from an ARM template, and yes, it is incredibly annoying.
In short, I am provisioning web apps in several App Service plans to be connected to a service on a VM in a VNET. It will not work until I resync the network.
If it is not possible from ARM, maybe there is a PowerShell cmdlet which will resync the network for me?

@4c74356b41 commented Aug 31, 2017

Any updates? How is the portal orchestrating something? Why can't we do exactly the same calls?

@konste commented Oct 20, 2017

I was breaking my head over this issue for a couple of days now, but I think I found a rather non-obvious workaround which makes the darn thing work without clicking "Sync Network". Check out this link: https://codexample.org/questions/896170/add-a-azure-webapp-to-an-existing-vpn-using-a-point-to-site-connection-rm-powershell.c#acmt-3927376

In short, $packageUri = Get-AzureRmVpnClientPackage for an unknown reason (probably a bug) returns packageUri in quotes! One extra statement removes the quotes and VNet connectivity works right away.
$packageUri = $packageUri.Substring(1, $packageUri.Length-2);
It helped me and hopefully it will help you too.
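The one-line `Substring` fix above works as long as the cmdlet keeps returning the value wrapped in quotes; if a later module version stops doing that, it silently chops the first and last real characters off the URI and the connection fails for a different reason. The following is an added example (not from the issue, the linked answer, or Microsoft's scripts) that strips surrounding quotes only when both are present, validates the result as an absolute https URI, and then hands it to the app's VNet gateway connection. `Get-AzureRmVpnClientPackage` and `New-AzureRmResource` are real AzureRM cmdlets; the resource names, location and the `2015-08-01` API version are placeholders and assumptions that should be checked against your own deployment.

```powershell
# Added example, not part of the issue thread.
# Assumes the AzureRM modules are loaded and Login-AzureRmAccount has been run.
function ConvertTo-CleanPackageUri {
    param([Parameter(Mandatory)] [string] $RawValue)

    $value = $RawValue.Trim()

    # Remove exactly one pair of surrounding double quotes, and only if both are there.
    if ($value.Length -ge 2 -and $value[0] -eq '"' -and $value[-1] -eq '"') {
        $value = $value.Substring(1, $value.Length - 2)
    }

    # Refuse anything that is not an absolute https URI rather than passing junk on.
    $uri = $null
    if (-not [System.Uri]::TryCreate($value, [System.UriKind]::Absolute, [ref] $uri) -or
        $uri.Scheme -ne 'https') {
        throw "VPN client package URI is not an absolute https URI: '$RawValue'"
    }
    return $uri.AbsoluteUri
}

# Placeholder names; replace with your own resources.
$resourceGroupName = 'REPLACE-rg'
$gatewayName       = 'REPLACE-vnet-gateway'
$webAppName        = 'REPLACE-webapp'
$vnetName          = 'REPLACE-vnet'
$location          = 'REPLACE-location'

# The cmdlet returns the download URI for the point-to-site client package.
$raw = Get-AzureRmVpnClientPackage -ResourceGroupName $resourceGroupName `
    -VirtualNetworkGatewayName $gatewayName -ProcessorArchitecture Amd64
$packageUri = ConvertTo-CleanPackageUri -RawValue $raw

# Attach the package URI to the web app's VNet gateway connection.
# Resource type and name pattern follow the Microsoft docs linked later in this
# thread; the API version is an assumption.
New-AzureRmResource -Location $location -Force `
    -ResourceName "$webAppName/$vnetName/primary" `
    -ResourceType 'Microsoft.Web/sites/virtualNetworkConnections/gateways' `
    -Properties @{ vnetName = $vnetName; vpnPackageUri = $packageUri } `
    -ApiVersion '2015-08-01'
```

The `throw` is deliberate: a package URI that is not https is a sign that the cmdlet output format changed (or that something is tampering with it), and it is better for the deployment to stop at that point than to register a gateway with a bad package reference and discover it through socket errors from the app.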

russcam added a commit to elastic/azure-marketplace-examples that referenced this issue Dec 4, 2017

@turowicz commented Mar 19, 2018

It's been a while since the issue was created, is the problem still there?

@jrudley commented Jun 11, 2018

Any update on this? I can still reproduce this.
Edit:
I opened a case 118061118362368 and there is no ETA on a fix for using an ARM template.

@turowicz commented Jun 15, 2018

Calling @panchagnula and @Nking92

@panchagnula (Contributor) commented Jun 15, 2018

@turowicz sorry, no ETA at this time.

@panchagnula panchagnula changed the title Sync Network for Azure App Service connected to VNet webapp:Sync Network for Azure App Service connected to VNet Aug 7, 2018

@willgarcia commented Aug 21, 2018

@panchagnula @Nking92 @turowicz do you know if there is an automated way (az cli / cmdlet / ARM / other) to disconnect and reconnect the App Service VNet (as a temporary workaround)?

@panchagnula (Contributor) commented Aug 21, 2018

@willgarcia we don't have an ETA for a first-class command in CLI & PowerShell for supporting VNET yet; however, please refer to these scripts that might help you for the time being: https://gallery.technet.microsoft.com/scriptcenter/Connect-an-app-in-Azure-ab7527e3
https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet#powershell-automation
