
Configuration Requirements for ACA Consumption only environments

Eben Carek edited this page Sep 27, 2023 · 6 revisions

This article only applies to ACA Consumption-only environments with a custom VNET (Bring Your Own VNET). It does not apply to Workload Profile based environments.

Introduction

Azure Container Apps Consumption-only environments require the following configuration to fully function and be managed by Azure. If any of these requirements is not met, the environment will stop working; if the condition persists for a long time, the environment will be suspended.

Requirements

  1. The AAD application Microsoft Azure Container Apps - Data Plane requires Contributor access to the MC_ resource group corresponding to the ACA environment. To find the MC_ resource group corresponding to the ACA environment, search for resource groups with tag = ACA environment name. See the image below for reference.

     [Image: resource group search filtered by the tag whose value is the ACA environment name]

     Confirm that the AAD application shows up as Contributor to the resource group as shown below.

     [Image: Access control (IAM) view of the MC_ resource group listing Microsoft Azure Container Apps - Data Plane as Contributor]

  2. The address range of the subnet used for the ACA environment must not overlap with other subnets in the VNET.

  3. The subnet and User Defined Routes configuration must adhere to the conditions listed in this document: Securing a custom VNET

  4. Azure Policies which block the creation of public IPs are not supported.

  5. Azure Policies which enforce specific tags to be added to resource groups are supported, but those tags must be added to the ACA environment resource so they can be propagated to the MC_ resource group.

  6. Azure Policies which enforce a specific naming scheme for resource groups are not supported for ACA Consumption-only environments.

  7. Placing locks on the MC_ resource group or any resources within the resource group is not supported.

Mitigations

Depending on which violation occurred, take the appropriate remediation. For example:

  1. If the MC_ resource group was modified to remove the Microsoft Azure Container Apps - Data Plane role assignment, it can be added back by a user with Subscription or Resource Group Contributor access.
  2. If the User Defined Routes are not compliant with the requirements, take appropriate action to resolve them. You may also choose to recreate the environment with Workload Profiles, which has more advanced networking capabilities and UDR support: Control outbound traffic with user defined routes
  3. If you have an NSG that is not compliant with the requirements, take appropriate action to resolve it: NSG Allow Rules
  4. Disable policies which block the creation of public IP addresses, or add an exemption from the policy for the MC_ resource group.
  5. Update the tags on your ACA environment to include the tags required by your Azure Policies so they can be propagated to the MC_ resource group by the platform. Tags that are added directly to the MC_ resource group may not be persisted.
  6. Disable policies which enforce naming conventions for resource groups, or add an exemption for the MC_ resource group. You may also choose to recreate the environment with Workload Profiles and use the infrastructureResourceGroup property to specify a custom name for the platform-managed resource group.
  7. Remove any locks that you have placed on the MC_ resource group or any resources within the resource group.
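The checks that can be automated from the requirements above (MC_ resource group lookup by tag, the Data Plane Contributor assignment, subnet overlap, and locks) can be scripted against the JSON the Azure CLI returns. The following is an added example written for this page, not code from the Azure Container Apps project. It runs offline on constructed sample data shaped like the output of `az group list`, `az role assignment list`, `az network vnet subnet list` and `az lock list`; the tag key `environment-name`, the MC_ group name and the assumption that the Data Plane application appears in the `principalName` field are all constructed for the example, and the finding numbers refer to the requirement list above.

```python
"""Offline compliance checker for the ACA Consumption-only requirements.

Inputs are Python structures shaped like the JSON returned by:
  az group list
  az role assignment list --resource-group <MC_rg> --role Contributor
  az network vnet subnet list --resource-group <rg> --vnet-name <vnet>
  az lock list --resource-group <MC_rg>
All sample data below is constructed; the identity field used for the
Data Plane application (principalName) is an assumption.
"""
import ipaddress

DATA_PLANE_APP = "Microsoft Azure Container Apps - Data Plane"


def find_mc_resource_group(resource_groups, env_name):
    """Return the MC_ resource group whose tags carry the environment name (any key)."""
    for rg in resource_groups:
        tags = rg.get("tags") or {}
        if rg["name"].startswith("MC_") and env_name in tags.values():
            return rg["name"]
    return None


def has_data_plane_contributor(role_assignments):
    """True if the Data Plane service principal holds Contributor on the scope queried."""
    return any(
        ra.get("roleDefinitionName") == "Contributor"
        and ra.get("principalType") == "ServicePrincipal"
        and ra.get("principalName") == DATA_PLANE_APP
        for ra in role_assignments
    )


def overlapping_subnets(subnets, aca_subnet_name):
    """Return names of subnets whose addressPrefix overlaps the ACA subnet's prefix."""
    by_name = {s["name"]: ipaddress.ip_network(s["addressPrefix"]) for s in subnets}
    aca = by_name[aca_subnet_name]
    return sorted(n for n, net in by_name.items() if n != aca_subnet_name and net.overlaps(aca))


def check_environment(env_name, resource_groups, role_assignments, subnets, aca_subnet_name, locks):
    """Return [(requirement_number, message)] for each violated requirement detected."""
    findings = []
    mc_rg = find_mc_resource_group(resource_groups, env_name)
    if mc_rg is None:
        findings.append((1, f"no MC_ resource group tagged with environment '{env_name}' found"))
    elif not has_data_plane_contributor(role_assignments):
        findings.append((1, f"'{DATA_PLANE_APP}' is not a Contributor on {mc_rg}"))
    overlaps = overlapping_subnets(subnets, aca_subnet_name)
    if overlaps:
        findings.append((2, f"subnet '{aca_subnet_name}' overlaps with: {', '.join(overlaps)}"))
    if locks:
        names = ", ".join(lock["name"] for lock in locks)
        findings.append((7, f"locks present on the MC_ resource group or its resources: {names}"))
    return findings


# Constructed sample data (tag key, group name and lock are all invented for the example).
SAMPLE_RESOURCE_GROUPS = [
    {"name": "rg-apps", "tags": {}},
    {"name": "MC_rg-apps_env-prod_eastus", "tags": {"environment-name": "env-prod"}},
]
SAMPLE_ROLE_ASSIGNMENTS = [  # Data Plane assignment missing: violates requirement 1
    {"roleDefinitionName": "Contributor", "principalType": "User", "principalName": "ops@example.com"},
]
SAMPLE_SUBNETS = [
    {"name": "aca-subnet", "addressPrefix": "10.0.0.0/23"},   # 10.0.0.0 - 10.0.1.255
    {"name": "db-subnet", "addressPrefix": "10.0.1.0/24"},    # overlaps the ACA subnet
    {"name": "mgmt-subnet", "addressPrefix": "10.0.8.0/24"},  # does not overlap
]
SAMPLE_LOCKS = [{"name": "do-not-delete", "level": "CanNotDelete"}]

if __name__ == "__main__":
    for number, message in check_environment(
        "env-prod", SAMPLE_RESOURCE_GROUPS, SAMPLE_ROLE_ASSIGNMENTS, SAMPLE_SUBNETS, "aca-subnet", SAMPLE_LOCKS
    ):
        print(f"requirement {number} violated: {message}")
```

Policy-related requirements (4 to 6) are not checked here because whether a policy blocks public IPs or enforces naming is a property of the policy definition, not of the resources the script inspects; review those in Azure Policy compliance results instead.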