CloudWatch logs for Windows 2016 AMI - amazon-cloudwatch

I'm using latest Windows 2016 AMI from AWS - Windows_Server-2016-English-Full-Base-2017.01.11
IAM Role assigned to instance contains AdministratorAccess policy for testing purposes.
I've added AWS.EC2.Windows.CloudWatch.json file to C:\Program Files\Amazon\SSM\Plugins\awsCloudWatch directory.
Config file content:
{
"schemaVersion": "1.2",
"description": "Example CloudWatch Logs tasks",
"runtimeConfig": {
"aws:cloudWatch": {
"settings": {
"startType": "Enabled"
},
"properties": {
"IsEnabled": true,
"EngineConfiguration": {
"PollInterval": "00:00:15",
"Components": [
{
"Id": "ApplicationEventLog",
"FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Parameters": {
"LogName": "Application",
"Levels": "7"
}
},
{
"Id": "SecurityEventLog",
"FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Parameters": {
"LogName": "Security",
"Levels": "7"
}
},
{
"Id": "MemoryCounter",
"FullName": "AWS.EC2.Windows.CloudWatch.PerformanceCounterComponent.PerformanceCounterInputComponent,AWS.EC2.Windows.CloudWatch",
"Parameters": {
"CategoryName": "Memory",
"CounterName": "Available MBytes",
"InstanceName": "",
"MetricName": "Available Memory",
"Unit": "Megabytes",
"DimensionName": "instance_id",
"DimensionValue": "{instance_id}"
}
},
{
"Id": "CloudWatchLogs",
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Parameters": {
"AccessKey": "",
"SecretKey": "",
"Region": "eu-west-1",
"LogGroup": "test-2016",
"LogStream": "{instance_id}"
}
},
{
"Id": "CloudWatch",
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatch.CloudWatchOutputComponent,AWS.EC2.Windows.CloudWatch",
"Parameters": {
"AccessKey": "",
"SecretKey": "",
"Region": "eu-west-1",
"NameSpace": "Windows/Default"
}
}
],
"Flows": {
"Flows": [
"(ApplicationEventLog, SecurityEventLog),CloudWatchLogs",
"(MemoryCounter),CloudWatch"
]
}
}
}
}
}
}
And it doesn't work, both CloudWatch Metrics and Logs are unavailable.
Any ideas how it can be fixed?
Thanks in advance!

Related

Create Delivery Plan styling rules using Azure Devops REST Apis

I am trying to create Delivery plan in the Azure Devops project using Azure Devops REST Apis. I have used following method to create the same.
https://learn.microsoft.com/en-us/rest/api/azure/devops/work/plans/create?view=azure-devops-rest-6.0
POST https://dev.azure.com/{organization}/{project}/_apis/work/plans?api-version=6.0
and I am sending following data in the request body properties
{
"properties": {
"teamBacklogMappings": [
{
"teamId": "09d57738-697f-4433-abdd-b80a2bc6337b",
"categoryReferenceName": "Microsoft.RequirementCategory"
},
{
"teamId": "5df45eec-4108-474a-8d93-bc09c0b9037e",
"categoryReferenceName": "Microsoft.RequirementCategory"
},
{
"teamId": "e8ed402b-68e7-4140-96f2-07790a08788b",
"categoryReferenceName": "Microsoft.RequirementCategory"
},
{
"teamId": "14425694-efa5-454e-811c-e9e03d79198f",
"categoryReferenceName": "Microsoft.RequirementCategory"
},
{
"teamId": "b02690e9-1f48-421a-a918-3b23cc9a1b73",
"categoryReferenceName": "Microsoft.RequirementCategory"
}
],
"cardSettings": {
"fields": {
"showId": true,
"showAssignedTo": true,
"assignedToDisplayFormat": "avatarOnly",
"showState": true,
"showTags": true,
"showParent": false,
"showEmptyFields": true,
"showChildRollup": true,
"additionalFields": null,
"coreFields": [
{
"referenceName": "System.AssignedTo",
"displayName": "Assigned To",
"fieldType": "string",
"isIdentity": true
},
{
"referenceName": "System.Id",
"displayName": "ID",
"fieldType": "integer",
"isIdentity": false
},
{
"referenceName": "System.State",
"displayName": "State",
"fieldType": "string",
"isIdentity": false
},
{
"referenceName": "System.Tags",
"displayName": "Tags",
"fieldType": "plainText",
"isIdentity": false
}
]
}
},
"markers": [],
"styleSettings": [
{
"name": "BLOCKER",
"isEnabled": "True",
"filter": "[System.Tags] CONTAINS 'BLOCKER'",
"clauses": [
{
"fieldName": "System.Tags",
"logicalOperator": "AND",
"operator": "CONTAINS",
"value": "BLOCKER"
}
],
"settings": {
"background-color": "#E60017",
"title-color": "#000000"
}
},
{
"name": "New",
"isEnabled": "True",
"filter": "[System.State] = 'New'",
"clauses": [
{
"fieldName": "System.State",
"logicalOperator": "AND",
"operator": "=",
"value": "New"
}
],
"settings": {
"background-color": "#AAAAAA",
"title-color": "#000000"
}
},
{
"name": "Dev Completed",
"isEnabled": "True",
"filter": "[System.State] = 'Development Completed'",
"clauses": [
{
"fieldName": "System.State",
"logicalOperator": "AND",
"operator": "=",
"value": "Development Completed"
}
],
"settings": {
"background-color": "#D7E587",
"title-color": "#000000"
}
},
{
"name": "Deployed to QA",
"isEnabled": "True",
"filter": "[System.State] = 'Deployed to QA (SIT)'",
"clauses": [
{
"fieldName": "System.State",
"logicalOperator": "AND",
"operator": "=",
"value": "Deployed to QA (SIT)"
}
],
"settings": {
"background-color": "#C3D84C",
"title-color": "#000000"
}
},
{
"name": "Deployed to UAT",
"isEnabled": "True",
"filter": "[System.State] = 'Deployed to UAT'",
"clauses": [
{
"fieldName": "System.State",
"logicalOperator": "AND",
"operator": "=",
"value": "Deployed to UAT"
}
],
"settings": {
"background-color": "#60AF49",
"title-color": "#000000"
}
},
{
"name": "Deployed to PROD",
"isEnabled": "True",
"filter": "[System.State] = 'Completed'",
"clauses": [
{
"fieldName": "System.State",
"logicalOperator": "AND",
"operator": "=",
"value": "Completed"
}
],
"settings": {
"background-color": "#00643A",
"title-color": "#000000"
}
}
],
"tagStyleSettings": []
}
}
However Styling rules are not getting created in the project.

Got this done by using Update for the Delivery plan immediately after creating the same. Update it with same properties though you will have to add revision property to the request body.
https://learn.microsoft.com/en-us/rest/api/azure/devops/work/plans/update?view=azure-devops-rest-6.0
https://dev.azure.com/{organization}/{project}/_apis/work/plans/{id}?api-version=6.0

Create Delivery Plan doesn't accept style settings, from the UI you can notice this:
Just get the plan id and the response from the Create API and then use them in the Update API, this is the only way.

NLog webservice target how do I specify json layout in appsettings.json

I can't seem to find an example. I want to Use NLog as a webservice, but when I add it I am seeing HTTP POST with a body of {}. How in appsettings.json do I specify the json layout?
"NLog": {
"targets": {
"allfile":{
"type":"File",
"fileName":"/tmp/nlog-all-${shortdate}.log",
"layout":"${longdate}|${event-properties:item=EventId_Id}|${uppercase:${level}}|${logger}|${message} ${exception:format=tostring}"
},
"dabomb": {
"type": "webservice",
"url": "http://localhost:9990/api/foo/",
"protocol": "JsonPost",
????? WHAT GOES HERE ??????
}
},
"rules": [
{
"logger": "*",
"minLevel": "Debug",
"writeTo": "dabomb"
}
]

You can try this:
"dabomb": {
"type": "webservice",
"url": "http://localhost:9990/api/foo/",
"protocol": "JsonPost",
"parameters": [
{
"Name": "",
"Layout": {
"type": "JsonLayout",
"Attributes": [
{
"name": "level",
"layout": "${level}"
},
{
"name": "message",
"layout": "${message}"
} ]
}
} ]
}
See also: https://github.com/NLog/NLog/wiki/WebService-target

Sample code for WhatsApp interactive template message

Does anyone have a sample code for WhatsApp interactive template message?
I am trying to trigger an API from postman but getting the below error:
{
"meta": {
"api_status": "stable",
"version": "2.37.1"
},
"errors": [
{
"code": 2012,
"title": "Parameter format does not match format in the created template",
"details": "header: Format mismatch, expected Video, received Unknown",
"href": "https://developers.facebook.com/docs/whatsapp/faq#faq_1612022582274564"
}
]
}
Here is what I added in the body:
{
"to": "91NUMBER",
"type": "template",
"template": {
"namespace": "NAMESPACE_ID",
"language": {
"policy": "deterministic",
"code": "en"
},
"name": "TEMPLATE_NAME",
"components": [
{
"type": "header",
"parameters": [
{
"type": "video",
"video": {
"link": "https://res.cloudinary.com/MY_VIDEO_LINK"
}
}
],
"type": "button",
"sub_type": "url",
"index": "0",
"parameters": [
{
"type": "text",
"text": "9rwnB8RbYmPF5t2Mn09x4h"
}
]
}
]
}
}
Any sort of help would be appreciated.
PS: I'm still new to this.

Use the below code maybe it works
{
"to": "91NUMBER",
"type": "template",
"template": {
"namespace": "NAMESPACE_ID",
"language": {
"policy": "deterministic",
"code": "en"
},
"name": "TEMPLATE_NAME",
"components": [
{
"type": "header",
"parameters": [
{
"type": "video",
"video": {
"link": "https://res.cloudinary.com/MY_VIDEO_LINK"
}
}
]
},
{
"type": "button",
"sub_type": "url",
"index": "0",
"parameters": [
{
"type": "text",
"text": "9rwnB8RbYmPF5t2Mn09x4h"
}
]
}
]
}
}

SQL Server creation failing on Azure due to policies in place

We are in the process of creating SQL Server using ARM Template but since there are policies in place we are unable to get SQL Server created following are the 2 policy exceptions:
##[error]Resource 'xxxxx' was disallowed by policy. Error Type: PolicyViolation, Policy Definition Name : SQL Server should use a virtual network service endpoint (NPD), Policy Assignment Name : NPD1a8a9dc8-aef3-421a-93. Error Type: PolicyViolation, Policy Definition Name : Auditing on SQL server should be enabled (NPD), Policy Assignment Name : NPD7885d0ef-a3de-44a3-9a.
Following is the ARM Template we are using and I am not sure why its failing as now we have VNet rules and auditing also enabled as part of the SQL Server creation:
{
"$schema": http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#,
"contentVersion": "1.0.0.0",
"parameters": {
"serverName": {
"type": "string",
"metadata": {
"description": "The name of the new database server to create."
}
},
"location": {
"type": "string",
"metadata": {
"description": "The location of the database server."
}
},
"serverVersion": {
"type": "string",
"defaultValue" : "12.0"
},
"administratorLogin": {
"type": "string",
"metadata": {
"description": "The account name to use for the database server administrator."
}
},
"administratorLoginPassword": {
"type": "securestring",
"metadata": {
"description": "The password to use for the database server administrator."
}
},
"storageAccountName": {
"type": "string",
"metadata": {
"description": "The name of the new storage account to create."
}
},
"emailAddresses": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Email address for alerts."
}
},
"privateEndpointName": {
"type": "string"
},
"vnetName": {
"type": "string"
},
"vnetRg": {
"type": "string",
"metadata": {
"description": "Resource Group Name of VNet"
}
},
"subnet1Name": {
"type": "string"
},
"storageType": {
"type": "string",
"defaultValue": "Standard_GRS",
"allowedValues": [
"Standard_LRS",
"Standard_ZRS",
"Standard_GRS",
"Standard_RAGRS",
"Premium_LRS"
]
},
"BUSINESS-OWNER": {
"type": "string"
},
"COST-CENTER": {
"type": "int"
},
"LIFECYCLE": {
"type": "string"
},
"APPLICATION": {
"type": "string"
},
"PROJECT-CODE": {
"type": "string"
},
"TECHNICAL-OWNER": {
"type": "string"
},
"GL-CODE": {
"type": "string"
}
},
"resources": [
{
"name": "[parameters('serverName')]",
"type": "Microsoft.Sql/servers",
"location": "[parameters('location')]",
"apiVersion": "2014-04-01-preview",
"properties": {
"administratorLogin": "[parameters('administratorLogin')]",
"administratorLoginPassword": "[parameters('administratorLoginPassword')]",
"version": "[parameters('serverVersion')]",
"minimalTlsVersion": "1.2",
"publicNetworkAccess": "Disabled"
},
"tags": {
"BUSINESS-OWNER": "[parameters('BUSINESS-OWNER')]",
"COST-CENTER": "[parameters('COST-CENTER')]",
"LIFECYCLE": "[parameters('LIFECYCLE')]",
"APPLICATION": "[parameters('APPLICATION')]",
"PROJECT-CODE": "[parameters('PROJECT-CODE')]",
"TECHNICAL-OWNER": "[parameters('TECHNICAL-OWNER')]",
"GL-CODE": "[parameters('GL-CODE')]"
},
"resources": [
{
"name": "sergiodb1",
"type": "databases",
"location": "[parameters('location')]",
"tags": {
"BUSINESS-OWNER": "[parameters('BUSINESS-OWNER')]",
"COST-CENTER": "[parameters('COST-CENTER')]",
"LIFECYCLE": "[parameters('LIFECYCLE')]",
"APPLICATION": "[parameters('APPLICATION')]",
"PROJECT-CODE": "[parameters('PROJECT-CODE')]",
"TECHNICAL-OWNER": "[parameters('TECHNICAL-OWNER')]",
"GL-CODE": "[parameters('GL-CODE')]"
},
"apiVersion": "2015-05-01-preview",
"dependsOn": [
"[parameters('serverName')]"
],
"properties": {
"edition": "Basic",
"collation": "SQL_Latin1_General_CP1_CI_AS"
}
},
{
"type": "Microsoft.Sql/servers/virtualNetworkRules",
"apiVersion": "2020-08-01-preview",
"name": "[concat(parameters('serverName'), '/allow-', parameters('subnet1Name'))]",
"dependsOn": [ "[resourceId('Microsoft.Sql/servers', parameters('serverName'))]" ],
"properties": {
"virtualNetworkSubnetId": "[resourceId(parameters('vnetRg'), 'Microsoft.Network/virtualNetworks/subnets', parameters('vnetName'), parameters('subnet1Name'))]",
"ignoreMissingVnetServiceEndpoint": false
}
},
{
"apiVersion": "2014-04-01-preview",
"type": "firewallrules",
"location": "[parameters('location')]",
"name": "AllowAllWindowsAzureIps",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'))]"
],
"properties": {
"endIpAddress": "0.0.0.0",
"startIpAddress": "0.0.0.0"
}
},
{
"name": "Default",
"type": "auditingSettings",
"apiVersion": "2017-03-01-preview",
"location": "[parameters('location')]",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'))]"
],
"properties": {
"State": "Enabled",
"storageEndpoint": "[concat('https://',parameters('storageAccountName'),'.blob.core.windows.net')]",
"storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]",
"retentionDays": 365,
"auditActionsAndGroups": null,
"storageAccountSubscriptionId": "[subscription().subscriptionId]",
"isStorageSecondaryKeyInUse": false,
"isAzureMonitorTargetEnabled": false
}
},
{
"name": "DefaultSAP",
"type": "securityAlertPolicies",
"apiVersion": "2017-03-01-preview",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'))]",
"[concat('Microsoft.Sql/servers/', parameters('serverName'), '/auditingSettings/Default')]"
],
"properties": {
"state": "Enabled",
"disabledAlerts": null,
"emailAddresses": "[array(parameters('emailAddresses'))]",
"emailAccountAdmins": true,
"storageEndpoint": "[concat('https://',parameters('storageAccountName'),'.blob.core.windows.net')]",
"storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]",
"retentionDays": 365
}
},
{
"name": "VulnerabilityAssessment",
"type": "vulnerabilityAssessments",
"apiVersion": "2018-06-01-preview",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'))]",
"[concat('Microsoft.Sql/servers/', parameters('serverName'), '/auditingSettings/Default')]",
"[concat('Microsoft.Sql/servers/', parameters('serverName'), '/securityAlertPolicies/DefaultSAP')]"
],
"properties": {
"storageContainerPath": "[concat('https://',parameters('storageAccountName'),'.blob.core.windows.net','/vulnerability-assessment')]",
"storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]",
"recurringScans": {
"isEnabled": true,
"emailSubscriptionAdmins": true,
"emails": []
}
}
}
]
},
{
"type": "Microsoft.Network/privateEndpoints",
"apiVersion": "2020-06-01",
"name": "[parameters('privateEndpointName')]",
"location": "[parameters('location')]",
"dependsOn": [
"[parameters('serverName')]"
],
"properties": {
"subnet": {
"id": "[resourceId(parameters('vnetRg'), 'Microsoft.Network/virtualNetworks/subnets', parameters('vnetName'), parameters('subnet1Name'))]"
},
"privateLinkServiceConnections": [
{
"name": "[parameters('privateEndpointName')]",
"properties": {
"privateLinkServiceId": "[resourceId('Microsoft.Sql/servers',parameters('serverName'))]",
"groupIds": [
"sqlServer"
]
}
}
]
},
"tags": {
"BUSINESS-OWNER": "[parameters('BUSINESS-OWNER')]",
"COST-CENTER": "[parameters('COST-CENTER')]",
"LIFECYCLE": "[parameters('LIFECYCLE')]",
"APPLICATION": "[parameters('APPLICATION')]",
"PROJECT-CODE": "[parameters('PROJECT-CODE')]",
"TECHNICAL-OWNER": "[parameters('TECHNICAL-OWNER')]",
"GL-CODE": "[parameters('GL-CODE')]"
}
}
],
"outputs": {
}
}

Resolved: My ARM Template formatting had issues but most important was the REGION for VNet in which the Pvt endpoint was getting created was set to EASTUS2 while the SQL Server was was getting provisioned in EASTUS. After fixing the regions and the ARM template I was able to successfully deploy it. Following is the corrected ARM Template:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters":{
"serverName": {
"type": "string",
"metadata": {
"description": "The name of the new database server to create."
}
},
"location": {
"type": "string",
"metadata": {
"description": "The location of the database server."
}
},
"serverVersion": {
"type": "string",
"defaultValue" : "12.0"
},
"administratorLogin": {
"type": "string",
"metadata": {
"description": "The account name to use for the database server administrator."
}
},
"administratorLoginPassword": {
"type": "securestring",
"metadata": {
"description": "The password to use for the database server administrator."
}
},
"storageAccountName": {
"type": "string",
"metadata": {
"description": "The name of the new storage account to create."
}
},
"emailAddresses": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Email address for alerts."
}
},
"privateEndpointName": {
"type": "string"
},
"vnetName": {
"type": "string"
},
"vnetRg": {
"type": "string",
"metadata": {
"description": "Resource Group Name of VNet"
}
},
"subnet1Name": {
"type": "string"
},
"storageType": {
"type": "string",
"defaultValue": "Standard_GRS",
"allowedValues": [
"Standard_LRS",
"Standard_ZRS",
"Standard_GRS",
"Standard_RAGRS",
"Premium_LRS"
]
},
"BUSINESS-OWNER": {
"type": "string"
},
"COST-CENTER": {
"type": "int"
},
"LIFECYCLE": {
"type": "string"
},
"APPLICATION": {
"type": "string"
},
"PROJECT-CODE": {
"type": "string"
},
"TECHNICAL-OWNER": {
"type": "string"
},
"GL-CODE": {
"type": "string"
}
},
"variables": {
"databaseName": "[concat(parameters('serverName'),'/sample-db')]"
},
"resources": [
{
"type": "Microsoft.Sql/servers",
"apiVersion": "2020-02-02-preview",
"name": "[parameters('serverName')]",
"location": "[parameters('location')]",
"tags": {
"displayName": "[parameters('serverName')]",
"BUSINESS-OWNER": "xxx",
"COST-CENTER": "11",
"LIFECYCLE": "xx",
"APPLICATION": "xx",
"PROJECT-CODE": "xx",
"TECHNICAL-OWNER": "xxx",
"GL-CODE": "111"
},
"kind": "v12.0",
"properties": {
"administratorLogin": "[parameters('administratorLogin')]",
"administratorLoginPassword": "[parameters('administratorLoginPassword')]",
"version": "12.0",
"minimalTlsVersion": "1.2",
"publicNetworkAccess": "Disabled"
},
"resources": [
{
"type": "Microsoft.Sql/servers/databases",
"apiVersion": "2020-02-02-preview",
"name": "[variables('databaseName')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('serverName'))]"
],
"tags": {
"displayName": "[variables('databaseName')]",
"BUSINESS-OWNER": "xxx",
"COST-CENTER": "11",
"LIFECYCLE": "xx",
"APPLICATION": "xx",
"PROJECT-CODE": "xx",
"TECHNICAL-OWNER": "xxx",
"GL-CODE": "111"
},
"sku": {
"name": "Basic",
"tier": "Basic",
"capacity": 5
},
"properties": {
"collation": "SQL_Latin1_General_CP1_CI_AS",
"edition": "Basic",
"maxSizeBytes": 104857600,
"requestedServiceObjectiveName": "Basic",
"sampleName": "AdventureWorksLT"
}
},
{
"type": "Microsoft.Network/privateEndpoints",
"apiVersion": "2020-06-01",
"name": "[parameters('privateEndpointName')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('serverName'))]"
],
"tags": {
"BUSINESS-OWNER": "xxx",
"COST-CENTER": "11",
"LIFECYCLE": "xx",
"APPLICATION": "xx",
"PROJECT-CODE": "xx",
"TECHNICAL-OWNER": "xxx",
"GL-CODE": "111"
},
"properties": {
"subnet": {
"id": "[resourceId(parameters('vnetRg'), 'Microsoft.Network/virtualNetworks/subnets', parameters('vnetName'), parameters('subnet1Name'))]"
},
"privateLinkServiceConnections": [
{
"name": "[parameters('privateEndpointName')]",
"properties": {
"privateLinkServiceId": "[resourceId('Microsoft.Sql/servers',parameters('serverName'))]",
"groupIds": [
"sqlServer"
]
}
}
]
}
},
{
"name": "Default",
"type": "auditingSettings",
"apiVersion": "2017-03-01-preview",
"location": "[parameters('location')]",
"dependsOn": ["[resourceId('Microsoft.Sql/servers', parameters('serverName'))]"],
"properties": {
"State": "Enabled",
"storageEndpoint": "[concat('https://',parameters('storageAccountName'),'.blob.core.windows.net')]",
"storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]",
"retentionDays": 365,
"auditActionsAndGroups": null,
"storageAccountSubscriptionId": "[subscription().subscriptionId]",
"isStorageSecondaryKeyInUse": false,
"isAzureMonitorTargetEnabled": false
}
},
{
"name": "DefaultSAP",
"type": "securityAlertPolicies",
"apiVersion": "2017-03-01-preview",
"dependsOn": ["[resourceId('Microsoft.Sql/servers', parameters('serverName'))]",
"[concat('Microsoft.Sql/servers/', parameters('serverName'), '/auditingSettings/Default')]"
],
"properties": {
"state": "Enabled",
"disabledAlerts": null,
"emailAddresses": "[array(parameters('emailAddresses'))]",
"emailAccountAdmins": true,
"storageEndpoint": "[concat('https://',parameters('storageAccountName'),'.blob.core.windows.net')]",
"storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]",
"retentionDays": 365
}
}
]
}
]
}

Please make sure the subnet you are using on the template has assigned the Microsoft.Sql type name, meaning it is already a Virtual Service endpoint.
The following script can add the type name Microsoft.Sql to your subnet. But the script tries the add only if your subnet lacks the type name.
### 1. LOG into to your Azure account, needed only once per PS session. Assign variables.
$yesno = Read-Host 'Do you need to log into Azure (only one time per powershell.exe session)? [yes/no]'
if ('yes' -eq $yesno) { Connect-AzAccount }
# Assignments to variables used by the later scripts.
# You can EDIT these values, if necessary.
$SubscriptionName = 'yourSubscriptionName'
Select-AzSubscription -SubscriptionName "$SubscriptionName"
$ResourceGroupName = 'yourRGName'
$VNetName = 'yourVNetName'
$SubnetName = 'yourSubnetName'
$SubnetAddressPrefix = 'Obtain this value from the Azure portal.' # Looks roughly like: '10.0.0.0/24'
$ServiceEndpointTypeName_SqlDb = 'Microsoft.Sql' # Do NOT edit. Is official value.
### 2. Search for your virtual network, and then for your subnet.
# Search for the virtual network.
$vnet = $null
$vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VNetName
if ($vnet -eq $null) {
Write-Host "Caution: No virtual network found by the name '$VNetName'."
return
}
$subnet = $null
for ($nn = 0; $nn -lt $vnet.Subnets.Count; $nn++) {
$subnet = $vnet.Subnets[$nn]
if ($subnet.Name -eq $SubnetName) { break }
$subnet = $null
}
if ($null -eq $subnet) {
Write-Host "Caution: No subnet found by the name '$SubnetName'"
Return
}
### 3. Is your subnet tagged as 'Microsoft.Sql' endpoint server type?
$endpointMsSql = $null
for ($nn = 0; $nn -lt $subnet.ServiceEndpoints.Count; $nn++) {
$endpointMsSql = $subnet.ServiceEndpoints[$nn]
if ($endpointMsSql.Service -eq $ServiceEndpointTypeName_SqlDb) {
$endpointMsSql
break
}
$endpointMsSql = $null
}
if ($null -eq $endpointMsSql) {
Write-Host "Good: Subnet found, and is already tagged as an endpoint of type '$ServiceEndpointTypeName_SqlDb'."
return
} else {
Write-Host "Caution: Subnet found, but not yet tagged as an endpoint of type '$ServiceEndpointTypeName_SqlDb'."
# Ask the user for confirmation.
$yesno = Read-Host 'Do you want the PS script to apply the endpoint type name to your subnet? [yes/no]'
if ('no' -eq $yesno) { return }
}
### 4. Add a Virtual Service endpoint of type name 'Microsoft.Sql', on your subnet.
$setParams = #{
Name = $SubnetName
AddressPrefix = $SubnetAddressPrefix
VirtualNetwork = $vnet
ServiceEndpoint = $ServiceEndpointTypeName_SqlDb
}
$vnet = Set-AzVirtualNetworkSubnetConfig #setParams
# Persist the subnet update.
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
for ($nn = 0; $nn -lt $vnet.Subnets.Count; $nn++) {
$vnet.Subnets[0].ServiceEndpoints # Display.
}

Function App with VNet Integration Failing Deployment When Setting WEBSITE_CONTENTAZUREFILECONNECTIONSTRING to Storage Behind Firewall

The following ARM template deploys: Virtual Network, Network Security Group, Storage Account, App Service Plan, Function App
When the settings for WEBSITE_CONTENTAZUREFILECONNECTIONSTRING and WEBSITE_CONTENTSHARE are omitted (commented out) the deployment succeeds but the function app configuration shows a warning.
When enabling the two settings, the deployment fails with a 403 Forbidden message.
New-AzResourceGroupDeployment : 17:04:05 - The deployment '20201209-170356' failed with error(s). Showing 1 out of 1 error(s).
Status Message: There was a conflict. The remote server returned an error: (403) Forbidden. (Code: BadRequest)
- There was a conflict. The remote server returned an error: (403) Forbidden. (Code:)
- (Code:BadRequest)
- (Code:)
CorrelationId: ec11767b-9f8f-4722-acca-e751e5c1bbe8
I have tried numerous settings on the NSG, adding service tags, allowing IPs associated with the function app. I have also tried allowing IPRules on the storage account firewall. The only setting that worked was to entirely disable the storage account firewall with 'Allow access from all networks', which is not an acceptable setting for the network.
The ARM template to demonstrate the error:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
},
"variables": {
"vnetName": "vnet1a",
"addressPrefixVnet": "10.17.0.0/20",
"addressPrefixSubnet": "10.17.4.0/24",
"nsgName_sb_functionapp": "[concat(variables('vnetName'), '-sb-functionapp-nsg')]",
"storageAccountName": "[concat(uniquestring(resourceGroup().id), 'sa1a')]",
"appServicePlanName": "[concat(uniquestring(resourceGroup().id), 'asp1a')]",
"functionAppName": "[concat(uniquestring(resourceGroup().id), 'asp1a')]"
},
"resources": [
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2019-11-01",
"name": "[variables('nsgName_sb_functionapp')]",
"location": "[resourceGroup().location]",
"tags": {
"Purpose": "Function App"
},
"properties": {
"securityRules": []
}
},
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2019-11-01",
"name": "[variables('vnetName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName_sb_functionapp'))]"
],
"tags": {
"Purpose": "Debug Function App and Storage Account Connectivity"
},
"properties": {
"addressSpace": {
"addressPrefixes": [
"[variables('addressPrefixVnet')]"
]
},
"subnets": [
{
"name": "sb-functionapp",
"properties": {
"addressPrefix": "[variables('addressPrefixSubnet')]",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName_sb_functionapp'))]"
},
"serviceEndpoints": [
{
"service": "Microsoft.Storage",
"locations": [
"*"
]
}
],
"delegations": [
{
"name": "delegation",
"properties": {
"serviceName": "Microsoft.Web/serverFarms"
}
}
],
"privateEndpointNetworkPolicies": "Enabled",
"privateLinkServiceNetworkPolicies": "Enabled"
}
}
],
"enableDdosProtection": false,
"enableVmProtection": false
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-04-01",
"name": "[variables('storageAccountName')]",
"location": "[resourceGroup().location]",
"tags": {
"Purpose": "Debug Function App and Storage Account Connectivity"
},
"kind": "StorageV2",
"sku": {
"name": "Standard_GRS",
"tier": "Standard"
},
"properties": {
"networkAcls": {
"defaultAction": "Deny",
"bypass": "AzureServices",
"supportsHttpsTrafficOnly": true,
"ipRules": [],
"encryption": {
"keySource": "Microsoft.Storage",
"services": {
"file": {
"enabled": true
},
"blob": {
"enabled": true
}
}
},
"accessTier": "Hot",
"virtualNetworkRules": [
{
"id": "[concat(resourceId('Microsoft.Network/virtualNetworks', variables('vnetName')), '/subnets/sb-functionapp')]",
"ignoreMissingVNetServiceEndpoint": false
}
]
}
}
},
{
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2018-02-01",
"name": "[variables('appServicePlanName')]",
"location": "[resourceGroup().location]",
"tags": {
"Purpose": "Debug Function App and Storage Account Connectivity"
},
"sku": {
"name": "EP1",
"tier": "ElasticPremium",
"size": "EP1",
"family": "EP",
"capacity": 1
},
"kind": "elastic",
"properties": {
"perSiteScaling": false,
"maximumElasticWorkerCount": 20,
"isSpot": false,
"reserved": false,
"isXenon": false,
"hyperV": false,
"targetWorkerCount": 0,
"targetWorkerSizeId": 0
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[variables('functionAppName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
],
"tags": {
"Purpose": "Debug Function App and Storage Account Connectivity"
},
"kind": "functionapp",
"properties": {
"enabled": true,
"hostNameSslStates": [
{
"name": "[concat(variables('functionAppName'), '.azurewebsites.net')]",
"sslState": "Disabled",
"hostType": "Standard"
},
{
"name": "[concat(variables('functionAppName'), '.scm.azurewebsites.net')]",
"sslState": "Disabled",
"hostType": "Repository"
}
],
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
"reserved": false,
"isXenon": false,
"hyperV": false,
"scmSiteAlsoStopped": false,
"clientAffinityEnabled": true,
"clientCertEnabled": false,
"hostNamesDisabled": false,
"containerSize": 1536,
"dailyMemoryTimeQuota": 0,
"httpsOnly": true,
"redundancyMode": "None",
"siteConfig": {
"appSettings": [
{
"name": "FUNCTIONS_EXTENSION_VERSION",
"value": "~1"
},
{
"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-04-01').keys[0].value)]"
},
{
"name": "WEBSITE_CONTENTSHARE",
"value": "[variables('functionAppName')]"
},
{
"name": "WEBSITE_DNS_SERVER",
"value": "168.63.129.16"
},
{
"name": "WEBSITE_VNET_ROUTE_ALL",
"value": "1"
}
]
}
},
"resources": [
{
"type": "networkConfig",
"apiVersion": "2018-11-01",
"name": "virtualNetwork",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('functionAppName'))]"
],
"properties": {
"subnetResourceId": "[concat(resourceId('Microsoft.Network/virtualNetworks', variables('vnetName')), '/subnets/sb-functionapp')]",
"swiftSupported": true
}
}
]
},
{
"type": "Microsoft.Web/sites/config",
"apiVersion": "2018-11-01",
"name": "[concat(variables('functionAppName'), '/web')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('functionAppName'))]"
],
"tags": {
"Purpose": "Debug Function App and Storage Account Connectivity"
},
"properties": {
"numberOfWorkers": 1,
"defaultDocuments": [
"Default.htm",
"Default.html",
"Default.asp",
"index.htm",
"index.html",
"iisstart.htm",
"default.aspx",
"index.php"
],
"netFrameworkVersion": "v4.0",
"phpVersion": "5.6",
"requestTracingEnabled": false,
"remoteDebuggingEnabled": false,
"remoteDebuggingVersion": "VS2019",
"httpLoggingEnabled": false,
"logsDirectorySizeLimit": 35,
"detailedErrorLoggingEnabled": false,
"publishingUsername": "[concat('$', variables('functionAppName'))]",
"scmType": "VSTSRM",
"use32BitWorkerProcess": true,
"webSocketsEnabled": false,
"alwaysOn": false,
"managedPipelineMode": "Integrated",
"virtualApplications": [
{
"virtualPath": "/",
"physicalPath": "site\\wwwroot",
"preloadEnabled": true
}
],
"loadBalancing": "LeastRequests",
"experiments": {
"rampUpRules": [
]
},
"autoHealEnabled": false,
"cors": {
"allowedOrigins": [],
"supportCredentials": false
},
"localMySqlEnabled": false,
"ipSecurityRestrictions": [],
"scmIpSecurityRestrictions": [
{
"ipAddress": "Any",
"action": "Allow",
"priority": 1,
"name": "Allow all",
"description": "Allow all access"
}
],
"scmIpSecurityRestrictionsUseMain": false,
"http20Enabled": false,
"minTlsVersion": "1.2",
"ftpsState": "AllAllowed",
"reservedInstanceCount": 1
}
}
]
}
Command to deploy to existing resource group:
New-AzResourceGroupDeployment -Name (Get-Date).ToString('yyyyMMdd-HHmmss') -ResourceGroupName 'Test-FunctionApp-Storage-VNet' -TemplateFile .\DebugFunctionApp.json -Verbose
I have seen the question/answer at Function App Deployment Failed - The remote server returned an error: (403) Forbidden but it doesn't solve the problem I see.

The solution is to add another setting named WEBSITE_CONTENTOVERVNET and to set the value to "1".
The updated appSettings section looks like:
"siteConfig": {
"appSettings": [
{
"name": "FUNCTIONS_EXTENSION_VERSION",
"value": "~1"
},
{
"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-04-01').keys[0].value)]"
},
{
"name": "WEBSITE_CONTENTOVERVNET",
"value": "1"
},
{
"name": "WEBSITE_CONTENTSHARE",
"value": "[variables('functionAppName')]"
},
{
"name": "WEBSITE_DNS_SERVER",
"value": "168.63.129.16"
},
{
"name": "WEBSITE_VNET_ROUTE_ALL",
"value": "1"
}
]
}
The setting is document at https://learn.microsoft.com/en-us/azure/azure-functions/functions-app-settings#website_contentovervnet
For Premium plans only. A value of 1 enables your function app to scale when you have your storage account restricted to a virtual network. You should enable this setting when restricting your storage account to a virtual network.