Error:ManagedEnvResourceDisallowedByPolicy,Message:Fail to create managed environment because creation of required resources was disallowed by policy

Question

While creating Azure Container app with Networking options via Azure ARM automation script I am getting the below error:

Error Details:

{    "id": "/subscriptions/xxxx/resourceGroups/yyyy/providers/Microsoft.App/managedEnvironments/xxxxx",
    "name": "testcontainerappsenv",
    "type": "Microsoft.App/managedEnvironments",
    "location": "westeurope",
    "tags": {},
    "systemData": {
        "createdBy": "test@gmail.com",
        "createdByType": "User",
        "createdAt": "xxxx",
        "lastModifiedBy": "test@gmail.com",
        "lastModifiedByType": "User",
        "lastModifiedAt": "xxxx"
    },
    "properties": {
        "provisioningState": "Failed",
        "vnetConfiguration": {
            "internal": false,            "infrastructureSubnetId": "/subscriptions/xxxx/resourceGroups/yyy/providers/Microsoft.Network/virtualNetworks/testvnt/subnets/aaaa",
            "dockerBridgeCidr": "10.1.0.1/16",
            "platformReservedCidr": "10.0.0.0/16",
            "platformReservedDnsIP": "10.0.0.2"
        },
        "deploymentErrors": "**ErrorCode: ManagedEnvironmentResourceDisallowedByPolicy, Message: Fail to create managed environment because creation of required resources was disallowed by policy, refer to https://go.microsoft.com/fwlink/?linkid=2198255 for more detail.**",
        "defaultDomain": "xxxxxx.westeurope.azurecontainerapps.io",
        "appLogsConfiguration": {
            "destination": "log-analytics",
            "logAnalyticsConfiguration": {
                "customerId": "xxxxxxxxxx"
            }
        }
    }
}

Here goes the policy which is blocking us in this case: https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F783ea2a8-b8fd-46be-896a-9ae79643a0b1

Can anyone help us here by providing their guidance

After troubleshooting for few hours and going deep we found that the policy : https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F783ea2a8-b8fd-46be-896a-9ae79643a0b1 is not allowing us. In order to cross check we did a deployment without Networking and found it got created successfully.

Answer 1

This was not a mandatory/default policy when creating container apps. If the policy "Container apps should disable external network access" is enabled at the tenant or organizational level, so it's not allowing.

Azure Built in Policy for Azure Container Apps and know issues on this tutorial

I reproduced the problem by enabling this policy on the tenant and attempting to create a container app.

Running below ARM templates should not be permitted because traffic from the Container App was made public.

Basic templates from the portal

Template json file

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "subscriptionId": {
            "type": "string"
        },
        "name": {
            "type": "string"
        },
        "location": {
            "type": "string"
        },
        "environmentId": {
            "type": "string"
        },
        "containers": {
            "type": "array"
        },
        "secrets": {
            "type": "secureObject",
            "defaultValue": {
                "arrayValue": []
            }
        },
        "registries": {
            "type": "array"
        },
        "ingress": {
            "type": "object"
        }
    },
    "resources": [
        {
            "apiVersion": "2022-06-01-preview",
            "name": "[parameters('name')]",
            "type": "Microsoft.App/containerapps",
            "kind": "containerapps",
            "location": "[parameters('location')]",
            "dependsOn": [],
            "properties": {
                "environmentId": "[parameters('environmentId')]",
                "configuration": {
                    "secrets": "[parameters('secrets').arrayValue]",
                    "registries": "[parameters('registries')]",
                    "activeRevisionsMode": "Single",
                    "ingress": "[parameters('ingress')]"
                },
                "template": {
                    "containers": "[parameters('containers')]",
                    "scale": {
                        "minReplicas": 0
                    }
                }
            }
        }
    ]
}

parameters json file

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "subscriptionId": {
            "value": "********************"
        },
        "name": {
            "value": "demoswarnaapp"
        },
        "location": {
            "value": "westeurope"
        },
        "environmentId": {
            "value": "/subscriptions/****************resourceGroups/Compute-Resources/providers/Microsoft.App/managedEnvironments/Testca"
        },
        "containers": {
            "value": [
                {
                    "name": "simple-hello-world-container",
                    "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest",
                    "command": [],
                    "resources": {
                        "cpu": 0.25,
                        "memory": ".5Gi"
                    }
                }
            ]
        },
        "registries": {
            "value": []
        },
        "secrets": {
            "value": {
                "arrayValue": []
            }
        },
        "ingress": {
            "value": {
                "external": true,
                "targetPort": 80
            }
        }
    }
}

Upon disable that policy its allowed and deployed successfully.