Internal Server Error - When deploying an Azure Firewall Policy with no changes

André van der Goes 1 Reputation point
2022-06-16T08:01:53.443+00:00

Since last week, when trying to deploy Azure Firewall Policy rules, we get the following error:

Internal Server Error: The response for resource had empty or invalid content

This only happens if there are no changes between the template being deployed and the current configuration of the policy. So an initial deployment will succeed, but every subsequent deployment (of the same template) fails, unless you either change a value (like the rule name) in the template or in the policy directly. After this, the deployment succeeds one time.

I have tested this over two separate tenants and three subscriptions and it consistently behaves as described.

For testing I created a simple Bicep file containing only a policy and one rule:

```bicep
param location string = resourceGroup().location

var netRuleCollection = [
  {
    //Access from private agents to all
    ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
    name: 'private-agents-to-sql'
    priority: 1020
    action: {
      type: 'Allow'
    }
    rules: [
      {
        ruleType: 'NetworkRule'
        name: 'mssql'
        ipProtocols: [
          'TCP'
        ]
        sourceAddresses: [
          '10.10.1.0/24'
        ]
        destinationAddresses: [
          '10.10.2.0/24'
        ]
        destinationPorts: [
          '1433'
        ]
      }
    ]
  }
]

resource afp 'Microsoft.Network/firewallPolicies@2021-08-01' = {
  name: 'my-afp-01'
  location: location
  properties: {
    basePolicy: null
    threatIntelMode: 'Off'
    threatIntelWhitelist: {}
    dnsSettings: {}
    transportSecurity: null
    sku: {
      tier: 'Standard'
    }
  }
}

resource nw_policy 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-08-01' = {
  name: '${afp.name}/MyRuleCollection'
  properties: {
    priority: 1100
    ruleCollections: netRuleCollection
  }
}
```

Another way to reproduce this is to take an existing firewall policy and export it to template from the portal. This template will also fail to deploy unless you first make a change (to the policy or the template).


2 answers

  1. André van der Goes 1 Reputation point
    2022-06-20T06:40:28.343+00:00

    We had also raised a ticket with MS Support. Sadly, no reply to this as of yet.

    But on a brighter note: it appears the underlying issue has been fixed. When testing today, behavior seems to be back to normal and deployments no longer fail when there is no change in the configuration.


  2. Luis Rodriguez 6,191 Reputation points Microsoft Employee
    2022-06-20T09:49:38.2+00:00

    Hello @André van der Goes

    Welcome to Microsoft Q&A Platform,

    There's an internal bug that's related to this issue, which is being fixed globally.

    I hope this helps!

    ----------

    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
