Azure: Failed to add delegation to the existing subnet - azure

I'm trying to include in an app service an existing VNET but I have this issue:
Failed to add delegation to the existing subnet.:
Delegations of subnet /subscriptions
Cannot be changed from [] to [Microsoft.Web/serverfarms] because it is being used by the resource
Azure limitation? How many resources can be used by one VNET?

The limit is that you have to use an unused subnet for your app service integration when you add VNet (preview) in the networking configuration of app service. Please check if you have any VM resources in that subnet. If so, you could create an empty subnet for the VNet integration. Read more details here.

Related

Why Azure app service VNET integration failing with new subnet?

I'm trying to connect my app service plan to a VNET, but it always fails. I have read threads, and everywhere they say the App service plan should be Standard or higher.
My App service Plan is S1.
It's just an empty app.
I'm creating a new subnet (not selecting an existing one) when configuring the VNET.
I have run the troubleshooter and no issue was found with connectivity.
Can someone help on this?
There are some limitations with using regional virtual network integration:
Refer to MsDoc.
If you already have one VNet associated with an app service plan, it would be better if you create a new app service plan and then configure the VNet. I found the same fix here by #Asish Punnose.
"App service plan, VNet as well as App" should be in the same region.
The integration subnet can only use one App Service plan.
After considering all the above limitations, I was able to configure VNet successfully.
By adding a new subnet, enabling inbound & outbound traffic addresses with a new virtual network as well as new app service plan I could create an app with standard s1 plan.
Added subnets under VNet integration:
Configured VNet with an app service plan without any error:
The issue was that my VNET and App service were in different subscriptions, but in the same region. I moved the app service into the other subscription, which contains the VNET. Problem solved.
It seems VNET integration does not work between resources in multiple subscriptions. Cheers

Connecting AKS and Web App with VNet integration

I'm trying to connect my Web App to the AKS LoadBalancer through the VNet integration instead of a public load balancer.
The problem here is to integrate VNet into the web app, the VNet needs to have a subnet delegated to Microsoft.Web/serverFarms. On the other hand, AKS cannot be assigned with a subnet that has a delegation.
I have found this that seemingly has done the exact same thing but it seems to be old as I cannot reproduce the same result. Either I get
VNET aks-subnet is missing a delegation to Microsoft.Web/serverFarms. Please add the delegation and try again. or aks-subnet cannot be used as it's a delegated subnet
I have tried to add two subnets one with delegation to managedClusters and use that for my AKS but the same ... cannot be used as it's a delegated subnet happens.
sidenote: I'm using the bicep script to deploy.
VNET Integration requires a dedicated subnet for the App Service that is going to be integrated. This means the subnet cannot be used for any other purpose, i.e. hosting AKS or VMs.
The App Service can then reach services in other subnets on the same VNET or in peered VNETs.
Subnet Size Requirements are a minimum of /27 and Microsoft recommends /26 for production grade environments.
It is sometimes a little tricky to troubleshoot issues with VNET integration, some good hints are documented here.
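A pre-flight check for the constraints named in the answers on this page (dedicated subnet, delegation, /27 minimum, one address per plan instance, service endpoints). This is an added example, not part of any original post; it assumes the subnet is passed as a dict shaped like the JSON from `az network vnet subnet show` with a single `addressPrefix`, and the sample subnets are constructed:

```python
import ipaddress

APP_SERVICE_DELEGATION = "Microsoft.Web/serverFarms"
AZURE_RESERVED_PER_SUBNET = 5  # Azure reserves five addresses in every subnet


def check_integration_subnet(subnet, max_instances=1, required_endpoints=()):
    """Return findings for a subnet dict; an empty list means it looks usable."""
    findings = []
    name = subnet.get("name", "<unnamed>")

    # Dedicated subnet: no VM, AKS node or other NIC may hold an address in it.
    attached = subnet.get("ipConfigurations") or []
    if attached:
        findings.append(f"{name}: in use by {len(attached)} IP configuration(s)")

    # Delegation must be empty or Microsoft.Web/serverFarms (case varies in output).
    services = [d.get("serviceName", "") for d in subnet.get("delegations") or []]
    foreign = [s for s in services if s.lower() != APP_SERVICE_DELEGATION.lower()]
    if foreign:
        findings.append(f"{name}: already delegated to {', '.join(foreign)}")

    # Size: /27 minimum, and one address per App Service plan instance.
    net = ipaddress.ip_network(subnet["addressPrefix"])
    if net.prefixlen > 27:
        findings.append(f"{name}: /{net.prefixlen} is smaller than the /27 minimum")
    usable = net.num_addresses - AZURE_RESERVED_PER_SUBNET
    if usable < max_instances:
        findings.append(f"{name}: {usable} usable addresses for {max_instances} instances")

    # Service endpoints the app relies on (e.g. Microsoft.Storage) must be enabled.
    enabled = {e.get("service") for e in subnet.get("serviceEndpoints") or []}
    for service in required_endpoints:
        if service not in enabled:
            findings.append(f"{name}: service endpoint {service} not enabled")
    return findings


# Constructed sample subnets (not taken from any real subscription).
FRONTEND = {"name": "frontend", "addressPrefix": "192.168.0.0/26",
            "delegations": [{"serviceName": "Microsoft.Web/serverfarms"}],
            "serviceEndpoints": [{"service": "Microsoft.Storage"}]}
AKS_SUBNET = {"name": "aks-subnet", "addressPrefix": "10.240.0.0/28",
              "delegations": [], "ipConfigurations": [{"id": "constructed-nic-ipconfig"}]}

if __name__ == "__main__":
    print(check_integration_subnet(FRONTEND, 20, ["Microsoft.Storage"]))
    for finding in check_integration_subnet(AKS_SUBNET, 20):
        print(finding)
```

Running the check before adding the integration surfaces the "in use" and "delegated subnet" conditions as findings instead of as a failed deployment.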

Unable to delete subnet and virtual network in azure

I am just practicing with Azure, and I created a virtual network and subnets.
Now I am not able to delete the subnet. I have disconnected all connected devices from the virtual network.
Here is the error I get while deleting the subnet:
Please help me to clean up the subnet and virtual network.
Thanks
Additional details
All resources in my account
And here is the subnets tab and the error I get on deletion:
Subnet configuration:
As the error shows, the subnet PrivateSubnet should be in use. And you can see it's delegated to the service Microsoft.Web/serverfarms. So you need to remove the delegated service first. Follow the steps here to do it. When the delegated service list is empty, you can delete the subnet as you want.
Update:
According to my experience, your subnet is in use by network/PrivateSubnet/AppLink, which means there is at least one Web App integrated with your subnet. And I didn't see the Web App in your resource group. So I guess someone else uses your subnet and their Web App still exists. You need to check it yourself.

Firewall access from Azure app service to blob storage using Virtual Network

Originally I tried to restrict access from an app service to blob storage using IP addresses, however it turned out that you can only do this using a Virtual Network: Firewall access from Azure app service to blob storage
I want to be able to achieve this without setting up a point-to-site VPN. The steps I have taken to set up a virtual network in Azure are as follows:
Created Network security group "securitygroup-frontend", add custom inbound rule called Web with Source: Service Tag, Source service tag: Internet, Source port ranges: *, Destination : Any, Destination port ranges: 80, 443, Protocol: Any, Action: Allow, Priority: 100
Created Virtual Network with address space 192.168.0.0/23 and subnet called frontend address range 192.168.0.0/26 with network security group: securitygroup-frontend and subnet delegation to Microsoft.Web/serverFarms and service endpoints Microsoft.Storage
Went to app service -> Networking -> Configure VNet integration -> Add VNet preview and select the subnet you created
Went to Storage -> Firewalls and virtual Networking -> Configure VNet integration -> Select 'Selected networks' and add in the virtual network and subnet just created.
I have had to move Azure diagnostics and logs such as for key vault, service bus and sql azure to its own blob storage as these require blob storage outside of a virtual network and can't be made to work inside. The app service is in the Standard plan. The app service, blob storage and virtual network are all in the same region.
This question and answer does not provide any insights: https://social.msdn.microsoft.com/Forums/azure/en-US/9f4d8aeb-68a6-4ec1-9e11-bee2d1301792/allow-access-to-azure-storage-account-only-from-an-app-service?forum=windowsazurewebsitespreview
The above steps though block off access from the app service to blob storage and any assets within return an error: (403) Forbidden. If I remove the Virtual network from blob storage it works fine. What am I doing wrong?
Yes, you can do this using a VNet but you need to deploy the web app in a VNet with App Service Environments. You can not do this with VNet integration. Integrating Azure services to an Azure virtual network enables private access to the service from virtual machines or compute resources in the virtual network. However, web app service in a regular app service plan is multi-tenant. With ASE, you could deploy it into your VNet.
You could get more details and explanation from this similar thread. According to a comment from silent, you could also consider deploying your web app inside a container which could be deployed in a VNet with some restriction.
Update
Sometimes, the deployment order for networking is important. In your case, you enable service endpoint before VNet integration. I suggest removing NSG restriction in integrated app subnet VNet for a test. Then you could check the following steps.
Firstly, you could deploy new VNet integration with an unused subnet. After the VNet Integration is completed and the web app is restarted, you could enable service endpoint and subnet delegation for this subnet. In the end, you could add the subnet in the firewall of the storage account.
The new version is in Preview and not GA currently. Not all functions might be available. You could also check the following characteristics.
No gateway is required to use the new VNet Integration feature.
You can access resources across ExpressRoute connections without any additional configuration beyond integrating with the ExpressRoute connected VNet.
The app and the VNet must be in the same region.
The new feature requires an unused subnet in your Resource Manager VNet.
Your app must be in an Azure App Service deployment that is capable of scaling up to Premium v2.
Your App Service plan must be a Standard, Premium, or PremiumV2 plan.
Production workloads are not supported on the new feature while it is in Preview.
The new VNet Integration feature doesn't work for apps in an App Service Environment.
You cannot delete a VNet with an integrated app.
Route tables and global peering are not yet available with the new VNet Integration.
One address is used for each App Service plan instance. Since subnet size cannot be changed after assignment, use a subnet that can more than cover your maximum scale size. A /27 with 32 addresses is the recommended size as that would accommodate an App Service plan that is scaled to 20 instances.
You can consume Service Endpoint secured resources using the new VNet Integration capability. To do so, enable service endpoints on the subnet used for VNet Integration.

Configure existing VNET while creating Microsoft Azure Container Service (DC/OS)

We have our own VNET configured. I would like to use the same VNET / subnet while creating the ACS service. I am using DC/OS.
Can I configure the VNET / Subnet and NSG through the Azure ACS template?
At this time configuring VNets is not possible. However this is something we will be fixing very soon. First through some open source template, and once fully tested, through the ACS resource provider in ARM.
