Azure - Container Apps Environment deployment blocked

Rob Wilson 32 Reputation points

Hi all!

So here's the set up. Working on Microsoft Azure, trying to deploy with bicep.

We have two virtual networks, vnet 1 & vnet 2, with a subnet in each. Scenario one: we have the vnets peered. One subnet contains an APIM, with a gateway configured onto it. In the other subnet, we are trying to deploy a Container Apps Environment with 2 Container Apps. The Container App Environment is set to internal, and the apps are set to 'limited to vnet'. No other IP restrictions are applied. One of these Container Apps is the 'gateway app' with the image '' on it. This app has the token from the APIM gateway passed to it as an environment variable, along with the service endpoint. The other container is a generic container app called 'bacon api' that just returns different flavours of bacon when a request is made against it. This app is uploaded on the APIM & the APIM gateway.

The subnets are both secured by respective NSGs. I can provide the NSG rules if needed, but the short story is that the rules are correct, or at least allow enough that I can make a request to the gateway API URL with the bacon api extension and get the bacon flavours returned. So, happily, this all works: scenario one is golden and can be deployed with bicep.

The next scenario is the same as above, except that we have now introduced a firewall to the setup, in its own VNet (vnet 3) with a virtual WAN. On the firewall policy, I have mirrored the NSG rules of the APIM subnet NSG & the container subnet NSG. The new firewall vnet 3 is peered with both previous vnets 1 & 2, and the original vnets 1 & 2 are disconnected from each other. So vnet 1 can only communicate with vnet 2 via the firewall vnet 3.

When deploying the Container Apps environment now with bicep, it either deploys forever, or returns the message ManagedEnvironmentApiServerConnectionBlocked.

Does anyone have any insight into what could be blocking this deployment? I can only assume it is the firewall, as scenario 1 works, but even when putting some 'Allow All' rules on the firewall, it still fails. It's the deployment itself (via bicep) which is failing; we have not even got to the connection between APIM and the container app yet.

Any help would be appreciated, thank you all!

  1. MuthuKumaranMurugaachari-MSFT 16,046 Reputation points

    Rob Wilson Thanks for posting your question in Microsoft Q&A. Based on the description, you have added Azure Firewall between VNET1 and VNET2, and I assume it is routed through a UDR. Is that correct?

    If so, UDR is only supported in a workload profile environment; if you are using Consumption, it is not supported (and would return the ManagedEnvironmentApiServerConnectionBlocked message in that scenario). Check out the Configuring UDR with Azure Firewall doc for application and network rules; you need to add certain FQDNs and service tags to the allowlist.


    Also, check out the Control outbound traffic with user defined routes doc for firewall rules (I see you mentioned Allow All) and verify the outbound traffic.

    I hope this helps and let me know if you have any questions.

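As an added illustration of the answer above (example Bicep, not code from the original post or from Microsoft's docs), this shows the two pieces the answer points at: an internal environment declared with a workload profile, so that the UDR is supported, and an Azure Firewall policy rule collection that allows the Container Apps control-plane egress by service tag instead of relying on a blanket Allow All. Parameter names, the rule collection group name, the policy resource and the API versions are assumptions; the exact FQDN and service-tag allowlist comes from the Configuring UDR with Azure Firewall doc the answer links, so the application rule below only carries the registry FQDNs as an assumed starting point.

```bicep
// Added example. Assumed parameters: the existing firewall policy name,
// the Container Apps infrastructure subnet id and its address prefix.
param location string = resourceGroup().location
param envName string
param firewallPolicyName string
param acaSubnetId string
param acaSubnetPrefix string

// Workload profile environment: the 'Consumption' profile entry is what
// distinguishes it from a consumption-only environment, which does not
// support UDR and fails with ManagedEnvironmentApiServerConnectionBlocked.
resource env 'Microsoft.App/managedEnvironments@2023-05-01' = {
  name: envName
  location: location
  properties: {
    vnetConfiguration: {
      internal: true
      infrastructureSubnetId: acaSubnetId
    }
    workloadProfiles: [
      { name: 'Consumption', workloadProfileType: 'Consumption' }
    ]
  }
}

resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' existing = {
  name: firewallPolicyName
}

// Scoped allow rules for the environment's subnet only: service tags for the
// network rule, explicit FQDNs for the application rule, both on 443.
resource acaEgress 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-04-01' = {
  parent: fwPolicy
  name: 'aca-egress' // assumed name
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'aca-control-plane'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'aca-service-tags'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ acaSubnetPrefix ]
            destinationAddresses: [ 'MicrosoftContainerRegistry', 'AzureFrontDoor.FirstParty' ]
            destinationPorts: [ '443' ]
          }
          {
            ruleType: 'ApplicationRule'
            name: 'aca-registry-fqdns' // extend from the linked doc's list
            sourceAddresses: [ acaSubnetPrefix ]
            protocols: [ { protocolType: 'Https', port: 443 } ]
            targetFqdns: [ 'mcr.microsoft.com', '*.data.mcr.microsoft.com' ]
          }
        ]
      }
    ]
  }
}
```

Keeping the source scoped to the environment's subnet prefix and the destinations to named tags and FQDNs lets you remove the temporary Allow All once the deployment succeeds, and any remaining denies show up in the firewall logs for that subnet.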