Azure web app service Kudu site is not available and shows 503 error

Question

I have terraform code to deploy a web app. It applies just fine but the created app's SCM Kudu site is not available and shows "Application Error" page, i.e. HTTP 503 error. There is nothing deployed to the service yet. I connect from the VPN that is whitelisted to access either the main site and the SCM site.

How do I troubleshoot the Kudu site if it does not give me any access to it (HTTP 503 error)?

How do I find out the reason for the issue?

Is it the vNet integration what's wrong? Disconnecting the vNet integration on the Azure portal does not help though. Any ideas of how to go about debugging this?

The terraform code is as follows. I included the relevant resources only. Let me know if you need to know other parts also

resource "azurerm_virtual_network" "main" {
  name                = "${local.prefix}-vnet-${local.suffix}"
  location            = azurerm_resource_group.web_app.location
  resource_group_name = azurerm_resource_group.web_app.name
  address_space       = [var.vnet_cidr]
}

resource "azurerm_subnet" "web" {
  name                  = "${local.prefix}-web-snet-${local.suffix}"
  resource_group_name   = azurerm_resource_group.web_app.name
  virtual_network_name  = azurerm_virtual_network.main.name
  address_prefixes      = [var.web_snet_cidr]

  private_endpoint_network_policies_enabled = true

  delegation {
    name = "Microsoft.Web/serverFarms"
    service_delegation {
      name = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

resource "azurerm_service_plan" "web" {
  name                = "${var.org}-web-asp-${local.suffix}"
  resource_group_name = azurerm_resource_group.web_app.name
  location            = azurerm_resource_group.web_app.location
  os_type             = "Linux"
  sku_name            = "S1"
}


resource "azurerm_linux_web_app" "web" {
  name                = "${local.prefix}-web-${local.suffix}"
  resource_group_name = azurerm_resource_group.web_app.name
  location            = azurerm_resource_group.web_app.location
  service_plan_id     = azurerm_service_plan.web.id

  client_affinity_enabled = true

  https_only                = true
  virtual_network_subnet_id = azurerm_subnet.web.id

  storage_account {
    name         = "models"
    share_name   = "models"
    mount_path   = "/mnt/models"
    type         = "AzureFiles"
    account_name = local.sta_info_name
    access_key   = local.sta_info_access_key
  }

  key_vault_reference_identity_id = local.app_identity_id
  identity {
    type = "SystemAssigned, UserAssigned"
    identity_ids = [ local.app_identity_id ]
  }

  site_config {
    ftps_state              = "Disabled"
    http2_enabled           = true
    scm_minimum_tls_version = "1.2"
    vnet_route_all_enabled  = true

    application_stack {
      docker_registry_url      = var.acr_url
      docker_registry_username = var.acr_username
      docker_registry_password = var.acr_password
      docker_image_name        = var.docker_image_name
    }

    ip_restriction {
      action     = "Allow"
      headers    = []
      ip_address = "${var.vpn_address}/32"
      name       = "VPN"
      priority   = 100
    }

    scm_ip_restriction {
      action     = "Allow"
      headers    = []
      ip_address = "${var.vpn_address}/32"
      name       = "VPN"
      priority   = 100
    }
  }

  logs {
    http_logs {
      file_system {
        retention_in_mb   = 35
        retention_in_days = 30
      }
    }
  }

  app_settings = {
    "WEBSITES_ENABLE_APP_SERVICE_STORAGE"      = "false"
    "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET" = azuread_application_password.web.value
  }

  sticky_settings {
    app_setting_names = [
      "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET",
    ]
  }
}

Answer 1

As discussed in the comments', posting the answer/resolution shared by Jan Kowalik - Much appreciate you sharing the solution that worked for you with the community.

Scenario:

• Azure web app service Kudu site is not available and shows a 503 error.

Issue:

• After deploying a web app using Terraform, the created app's SCM Kudu site is inaccessible and displays an "Application Error" page, indicating an HTTP 503 error. Despite being whitelisted and connecting via VPN, there's no access to the main site or the SCM site.

Resolution: @Jan Kowalik resolved the issue.
The application attempts to mount the file share from the storage account, but the necessary share resource hasn't been created.
By addressing this dependency issue and ensuring that the required resources are available prior to deployment, the application should be able to mount the file share correctly.

--
Please click Accept Answer - it will help users to find the answers quickly.

Answer 2

Hi,

I usually get this when my App stack/runtime is a bit off somewhere in the siteConfig.

I'm not sure what your TF vars for the docker part is using, but I would check those values/permissions again (more info here, but I'm sure you're aware: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_web_app#argument-reference)

There are some example templates referenced in these article which look like you're going to need to reference the linux_fx_version with the DOCKER| value for example:

https://stackoverflow.com/questions/67410585/terraform-create-app-service-for-linux-container

Terraform example template from Hashicorp: https://github.com/hashicorp/terraform-provider-azurerm/tree/main/examples/app-service/docker-basic

Troubleshooting

If you go to the App in Azure, on the left scroll to the bottom to support+troubleshooting > resource health > select the 'diagnose & troubleshoot problems' button.

Usually you can browse here under Availability and Performance for further information and errors to help guide you in the right direction.

I hope this helps, if so, please mark as accepted!

Answer 3

I have managed to pin the issue down. The app mounts the storage account file share, but the share resource had not been created yet. I wish there was an error message that would direct me though.