
App Service with vnet integration unable to send diagnostic log to private storage account via private endpoint #2682

Open
my40789 opened this issue Dec 1, 2022 · 2 comments


my40789 commented Dec 1, 2022

The issue only happened when App Service is deployed using ARM.

If I turn on the diagnostic/log setting for Blob properties in storage account, I can see several errors related to OAuthPublicNetworkAccessError, PublicNetworkAccessError and SASPublicNetworkAccessError.

29T06:20:15.1125012Z;CreateContainer;OAuthPublicNetworkAccessError;403;26;25;bearer;appjstestdiag;appjstestdiag;blob;"https://appjstestdiag.blob.core.windows.net:443/insights-logs-appservicehttplogs?restype=container";"/";75e4d115-301e-0074-5dba-03e7c7000000;0;100.110.8.75:57778;2018-03-28;1627;0;130;246;0;;;;;;"Azure-Storage/9.3.2 (.NET CLR 4.0.30319.42000; Win32NT 6.2.9200.0)";;"5a837b96-31ee-424a-a6f6-270c67baa2f4";"6a699883-0683-45de-8405-7a9d9bcc58c7";"76ba52a4-68b4-4726-be5f-088f71f41355";"11c174dc-1945-4a9a-a36b-c79a0f246b9b";"https://storage.azure.com/";"https://sts.windows.net/76ba52a4-68b4-4726-be5f-088f71f41355/";;;
2.0;2022-11-29T06:20:15.1869270Z;CreateContainer;PublicNetworkAccessError;403;4;4;authenticated;appjstestdiag;appjstestdiag;blob;"https://appjstestdiag.blob.core.windows.net:443/insights-logs-appservicehttplogs?restype=container";"/";83634c38-f01e-0030-7dba-03f0c9000000;0;100.110.8.75:57783;2018-03-28;432;0;130;246;0;;;;;;"Azure-Storage/9.3.2 (.NET CLR 4.0.30319.42000; Win32NT 6.2.9200.0)";;"21d61513-ca7a-4069-8d9f-f50b5f78e4a9";;;;;;;;
2.0;2022-11-29T06:20:15.3589281Z;CreateContainer;SASPublicNetworkAccessError;403;13;13;sas;;appjstestdiag;blob;"https://appjstestdiag.blob.core.windows.net:443/insights-logs-appservicehttplogs?sv=2015-04-05&ss=bq&srt=sco&sp=rwdlac&se=2022-11-29T14%3A15%3A15.0000000Z&sep=b&sig=XXXXX&api-version=2018-03-28&restype=container";"/";3e0be7f8-b01e-0077-1aba-0314a7000000;0;100.110.8.75:57791;2018-03-28;461;0;130;246;0;;;;;;"Azure-Storage/9.3.2 (.NET CLR 4.0.30319.42000; Win32NT 6.2.9200.0)";;"84d96c19-9f7b-4c53-9b50-a989896adbbd";;;;;;;;
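The three entries above are Storage Analytics log format 2.0 records. As an added example (not code from the issue or from Azure), a small parser that reads such records and flags every request the storage network rules rejected on the public endpoint; the first sample line is the PublicNetworkAccessError entry quoted above, the second is constructed.

```python
import csv
import io

# Storage Analytics log format 2.0: ';'-delimited, text fields double-quoted. These are the
# leading fields in order; the OAuth-specific 2.0 fields follow them and are not needed here.
FIELDS = ["version", "request_start_time", "operation_type", "request_status",
          "http_status_code", "end_to_end_latency_ms", "server_latency_ms",
          "authentication_type", "requester_account", "owner_account", "service_type",
          "request_url", "requested_object_key", "request_id", "operation_count",
          "requester_ip"]

def parse_record(line):
    """Parse one analytics line. csv is used because ';' also occurs inside quoted fields
    (the User-Agent string in the issue's lines), which a plain split() would break on."""
    row = next(csv.reader(io.StringIO(line), delimiter=";", quotechar='"'))
    if len(row) < len(FIELDS):
        raise ValueError("truncated analytics record: %r" % line[:40])
    return dict(zip(FIELDS, row))

def find_public_path_rejections(log_text):
    """Return (start time, operation, status, auth type, requester IP) for every request the
    storage network rules rejected because it arrived on the public endpoint."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["http_status_code"] == "403" and rec["request_status"].endswith("PublicNetworkAccessError"):
            ip = rec["requester_ip"].rsplit(":", 1)[0]  # drop the source port
            hits.append((rec["request_start_time"], rec["operation_type"],
                         rec["request_status"], rec["authentication_type"], ip))
    return hits

# Constructed sample: line 1 is the PublicNetworkAccessError entry quoted in the issue,
# line 2 is a made-up successful write from a private-subnet address for contrast.
SAMPLE_LOG = (
    '2.0;2022-11-29T06:20:15.1869270Z;CreateContainer;PublicNetworkAccessError;403;4;4;authenticated;'
    'appjstestdiag;appjstestdiag;blob;"https://appjstestdiag.blob.core.windows.net:443/insights-logs-appservicehttplogs?restype=container";"/";'
    '83634c38-f01e-0030-7dba-03f0c9000000;0;100.110.8.75:57783;2018-03-28;432;0;130;246;0;;;;;;'
    '"Azure-Storage/9.3.2 (.NET CLR 4.0.30319.42000; Win32NT 6.2.9200.0)";;"21d61513-ca7a-4069-8d9f-f50b5f78e4a9";;;;;;;;\n'
    '2.0;2022-11-29T06:21:00.0000000Z;PutBlob;Success;201;9;8;authenticated;'
    'appjstestdiag;appjstestdiag;blob;"https://appjstestdiag.blob.core.windows.net:443/insights-logs-appservicehttplogs/h.json";"h.json";'
    'constructed-request-id;0;10.0.1.12:50000;2018-03-28;400;120;130;0;120;;;;;;'
    '"Azure-Storage/9.3.2 (.NET CLR 4.0.30319.42000; Win32NT 6.2.9200.0)";;"constructed-client-request-id";;;;;;;;\n'
)

if __name__ == "__main__":
    for hit in find_public_path_rejections(SAMPLE_LOG):
        print(*hit)
```

The requester IP of a rejected record tells you which client is still taking the public path; an address from the integrated subnet would instead show up on a request that succeeded over the private endpoint.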

@ghost ghost added the Needs: Triage 🔎 label Dec 1, 2022
@my40789 my40789 changed the title App Service unable to send diagnostic log to private storage account via private endpoint App Service with vnet integration unable to send diagnostic log to private storage account via private endpoint Dec 1, 2022
@SuperChenSSS commented

Hi Team,

This is one of my clients, who is utilizing an ARM template to use a private endpoint to connect from a function app to his blob storage and enable diagnostic logs.

Once enabled, we found that although the settings had been turned on, the function app wasn't actually using the private endpoint; instead, it continued to use the public network to connect. If we enable it via the Azure Portal, everything works as expected.

For reference, these are the API versions and schema we used for the PE and diagnostic settings:
Microsoft.Network/privateEndpoints: 2022-07-01
Microsoft.Insights/diagnosticSettings: 2021-05-01-preview
Schemas: https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#

Diag:

{
    "type": "Microsoft.Insights/diagnosticSettings",
    "apiVersion": "2021-05-01-preview",
    "name": "[variables('diagSettingName')]",
    "scope": "[format('Microsoft.Web/sites/{0}', parameters('appservicename'))]",
    "dependsOn": [
        "[parameters('diagStorageAccountName')]"
    ],
    "properties": {
        "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('diagStorageAccountName'))]",
        "logs": [
            {
                "category": "AppServiceHTTPLogs",
                "enabled": true,
                "retentionPolicy": {
                    "enabled": true,
                    "days": "[variables('diagSettingRetentionDay')]"
                }
            }
            .........
        ]
    }
},

PE:

{
    "type": "Microsoft.Network/privateEndpoints",
    "apiVersion": "2022-07-01",
    "name": "[parameters('diagStorageAccountPrivateEndpointName')]",
    "location": "[variables('location')]",
    "dependsOn": [
        "[parameters('diagStorageAccountName')]"
    ],
    "properties": {
        "subnet": {
            "id": "[variables('subnet')]"
        },
        "privateLinkServiceConnections": [
            {
                "name": "[parameters('diagStorageAccountPrivateEndpointName')]",
                "properties": {
                    "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('diagStorageAccountName'))]",
                    "groupIds": [
                        "blob"
                    ]
                }
            }
        ]
    }
},

If any further info is needed, please contact me directly or leave comments below; I will check the thread. Thanks.
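The PE fragment above declares no privateDnsZoneGroups child, so nothing in the template links a privatelink.blob.core.windows.net zone to the vnet; unless that zone is linked by other means, the account's FQDN keeps resolving to its public IP and clients never reach the private endpoint. As an added example (not code from the issue or from Azure), a template checker that flags that gap and a storage account left open on its public endpoint; the template dict below is constructed from the fragments above.

```python
BLOB_ZONE = "privatelink.blob.core.windows.net"

def _zone_groups(resources):
    """Yield privateDnsZoneGroups declared at top level or nested under a private endpoint."""
    for r in resources:
        t = r.get("type", "")
        if t in ("Microsoft.Network/privateEndpoints/privateDnsZoneGroups", "privateDnsZoneGroups"):
            yield r
        elif t == "Microsoft.Network/privateEndpoints":
            yield from _zone_groups(r.get("resources", []))

def check_blob_private_path(template):
    """Return findings for a template whose private endpoint fronts a storage account's blob
    service. ARM values are expression strings ("[resourceId(...)]"), so matching is by substring."""
    findings = []
    resources = template.get("resources", [])
    blob_pes = [r for r in resources if r.get("type") == "Microsoft.Network/privateEndpoints"
                and any("blob" in c.get("properties", {}).get("groupIds", [])
                        for c in r.get("properties", {}).get("privateLinkServiceConnections", []))]
    if not blob_pes:
        return ["no private endpoint with groupId 'blob' declared"]
    zone_ids = [cfg.get("properties", {}).get("privateDnsZoneId", "")
                for zg in _zone_groups(resources)
                for cfg in zg.get("properties", {}).get("privateDnsZoneConfigs", [])]
    if not any(BLOB_ZONE in z for z in zone_ids):
        findings.append("no privateDnsZoneGroup for %s: the account FQDN keeps resolving to its public IP" % BLOB_ZONE)
    for sa in (r for r in resources if r.get("type") == "Microsoft.Storage/storageAccounts"):
        props = sa.get("properties", {})
        if props.get("publicNetworkAccess") != "Disabled" and props.get("networkAcls", {}).get("defaultAction") != "Deny":
            findings.append("storage account %s still accepts traffic on its public endpoint" % sa.get("name"))
    return findings

# Constructed template: the PE shape from the issue (groupId blob, no DNS zone group) next to a
# storage account with public network access disabled.
TEMPLATE = {"resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "[parameters('diagStorageAccountName')]",
     "properties": {"publicNetworkAccess": "Disabled"}},
    {"type": "Microsoft.Network/privateEndpoints", "apiVersion": "2022-07-01",
     "name": "[parameters('diagStorageAccountPrivateEndpointName')]",
     "properties": {"subnet": {"id": "[variables('subnet')]"},
                    "privateLinkServiceConnections": [{"name": "pe-blob", "properties": {
                        "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('diagStorageAccountName'))]",
                        "groupIds": ["blob"]}}]}}]}

if __name__ == "__main__":
    for finding in check_blob_private_path(TEMPLATE):
        print("FINDING:", finding)
```

The check covers only the storage and endpoint resources; it says nothing about the App Service side of the path (vnet integration and outbound routing), which has to be verified separately.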

@SuperChenSSS commented

Hi Team,

May I know if there are any insights about this?
