Azure Image Builder Temp Storage Account

Christian Kullmann 26 Reputation points
2022-06-22T08:20:09.357+00:00

Hello,

I am currently evaluating Azure Image Builder as a possible alternative to Packer within our enterprise environment.
As we have policies in place that prevent the creation of storage accounts with public access, using AIB is, according to the MS tutorials, not possible at the moment.

Is this still true, or do I just need a new flag that lets me use an existing storage account?
Or do we need to evaluate the possibilities of using specific subscriptions that would allow the creation of a storage account with public IP?

Thank you in advance and kind regards
Christian

Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.

Accepted answer
  1. vipullag-MSFT 24,441 Reputation points
    2022-06-27T05:07:53.24+00:00

    @Christian Kullmann

    Apologies in delayed response on this.

    AIB creates a temporary storage account in the temporary resource group (IT_) to store the log file. There is no way to override the current settings for this storage account. The storage account is private; however, it cannot have the storage account firewall enabled.

    The previous response I have given is accurate for already existing storage accounts where you may store files necessary for the build, such as install files and scripts. The temporary storage account for the log files is separate and still required.


3 additional answers

  1. vipullag-MSFT 24,441 Reputation points
    2022-06-22T11:22:13.943+00:00

    @Christian Kullmann

    Welcome to Microsoft Q&A Platform, thanks for posting your query here.

    You can deploy an Azure Image Builder image with a specified VNet; this will lead the storage account created by the AIB service to use a private IP address instead.
    Communication from the AIB service to the build VM would use Azure Private Link instead.
    Please refer to this article.


    Hope that helps.
    If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.


  2. Christian Kullmann 26 Reputation points
    2022-06-22T12:53:54.673+00:00

    @vipullag-MSFT

    Thank you for the quick answer. I tried the approach, but AIB still tries to create a storage account that uses public access - maybe to change it to private later?

    (ValidationFailed) Validation failed: Code="RequestDisallowedByPolicy" Message="Resource '7uxj7bn5sq9s1iq7h4mdpafv' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Public network access onStorage accounts should be disabled\",\"id\":\"/providers/Microsoft.Management/managementGroups/ES/providers/Microsoft.Authorization/policyAssignments/Deny-PE-Storage\"},\"policyDefinition\":{\"name\":\"Public network access onStorage accounts should be disabled\",\"id\":\"/providers/Microsoft.Management/managementGroups/ES/providers/Microsoft.Authorization/policyDefinitions/Deny-PE-Storage\"}}]'." Target="7uxj7bn5sq9s1iq7h4mdpafv" AdditionalInfo=[{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.Storage/storageAccounts","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.Storage/storageAccounts"},{"expression":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","expressionKind":"Field","operator":"NotEquals","path":"properties.networkAcls.defaultAction","result":"True","targetValue":"Deny"}]},"policyAssignmentDisplayName":"Public network access onStorage accounts should be disabled","policyAssignmentId":"/providers/Microsoft.Management/managementGroups/ES/providers/Microsoft.Authorization/policyAssignments/Deny-PE-Storage","policyAssignmentName":"Deny-PE-Storage","policyAssignmentScope":"/providers/Microsoft.Management/managementGroups/ES","policyDefinitionDisplayName":"Public network access onStorage accounts should be disabled","policyDefinitionEffect":"Deny","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/ES/providers/Microsoft.Authorization/policyDefinitions/Deny-PE-Storage","policyDefinitionName":"Deny-PE-Storage"},"type":"PolicyViolation"}]  
    Code: ValidationFailed

    Sorry for the wall of text but that is the error message

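The RequestDisallowedByPolicy error above is the most useful artefact in this thread: its AdditionalInfo block lists exactly which policy expressions matched (resource type equals Microsoft.Storage/storageAccounts, and properties.networkAcls.defaultAction is not "Deny"). The following Python script is an added example, not code from the thread or from Microsoft: it parses such an error into the assignment, effect and matched expressions, and then re-implements the same two-condition Deny rule locally so a team can pre-check its own storage account definitions before submitting an AIB build. The sample error string, resource names, management group and assignment names are constructed placeholders modelled on the quoted message, not real identifiers.

```python
import json
import re

# Constructed sample modelled on the RequestDisallowedByPolicy error quoted in
# the thread. Resource name, management group and assignment id are placeholders.
SAMPLE_ERROR = (
    '(ValidationFailed) Validation failed: Code="RequestDisallowedByPolicy" '
    'Message="Resource \'examplestorage0001\' was disallowed by policy." '
    'Target="examplestorage0001" '
    'AdditionalInfo=[{"info":{"evaluationDetails":{"evaluatedExpressions":['
    '{"expression":"type","expressionKind":"Field",'
    '"expressionValue":"Microsoft.Storage/storageAccounts","operator":"Equals",'
    '"path":"type","result":"True","targetValue":"Microsoft.Storage/storageAccounts"},'
    '{"expression":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction",'
    '"expressionKind":"Field","operator":"NotEquals",'
    '"path":"properties.networkAcls.defaultAction","result":"True","targetValue":"Deny"}]},'
    '"policyAssignmentDisplayName":"Public network access on Storage accounts should be disabled",'
    '"policyAssignmentId":"/providers/Microsoft.Management/managementGroups/EXAMPLE-MG'
    '/providers/Microsoft.Authorization/policyAssignments/Deny-PE-Storage-EXAMPLE",'
    '"policyDefinitionEffect":"Deny"},"type":"PolicyViolation"}]'
)


def parse_policy_violation(error_text: str) -> dict:
    """Extract code, target, and for each PolicyViolation the assignment, effect
    and the evaluated expressions that matched (result == "True")."""
    code = re.search(r'Code="([^"]+)"', error_text)
    target = re.search(r'Target="([^"]+)"', error_text)
    block = re.search(r'AdditionalInfo=(\[.*\])', error_text, re.DOTALL)
    if not block:
        raise ValueError("no AdditionalInfo block found in error text")
    violations = []
    for item in json.loads(block.group(1)):
        if item.get("type") != "PolicyViolation":
            continue
        info = item["info"]
        matched = [
            {"path": e["path"], "operator": e["operator"], "targetValue": e.get("targetValue")}
            for e in info["evaluationDetails"]["evaluatedExpressions"]
            if e.get("result") == "True"
        ]
        violations.append({
            "assignment": info.get("policyAssignmentDisplayName"),
            "assignmentId": info.get("policyAssignmentId"),
            "effect": info.get("policyDefinitionEffect"),
            "matched": matched,
        })
    return {
        "code": code.group(1) if code else None,
        "target": target.group(1) if target else None,
        "violations": violations,
    }


def lookup(resource: dict, path: str):
    """Walk a dotted ARM-style path ("properties.networkAcls.defaultAction")."""
    cur = resource
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def deny_public_storage(resource: dict) -> bool:
    """Local approximation of the Deny rule implied by the matched expressions:
    a storage account whose networkAcls.defaultAction is anything other than
    "Deny" (including absent) is rejected. Returns True when it would be denied."""
    is_storage = lookup(resource, "type") == "Microsoft.Storage/storageAccounts"
    default_action = lookup(resource, "properties.networkAcls.defaultAction")
    return is_storage and default_action != "Deny"


# Constructed resource bodies: the first mirrors a temp account with no firewall
# settings (as the AIB-created account has), the second has the firewall enabled.
AIB_STYLE_ACCOUNT = {"type": "Microsoft.Storage/storageAccounts", "properties": {}}
HARDENED_ACCOUNT = {
    "type": "Microsoft.Storage/storageAccounts",
    "properties": {"networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"}},
}

if __name__ == "__main__":
    parsed = parse_policy_violation(SAMPLE_ERROR)
    for v in parsed["violations"]:
        print(f'{v["effect"]} by "{v["assignment"]}"')
        for m in v["matched"]:
            print(f'  {m["path"]} {m["operator"]} {m["targetValue"]}')
    print("AIB-style account denied:", deny_public_storage(AIB_STYLE_ACCOUNT))
    print("Hardened account denied:", deny_public_storage(HARDENED_ACCOUNT))
```

Because the temporary log storage account is created by the service without a firewall, the pre-check confirms what the accepted answer states: the AIB-created account will always fail this Deny assignment, so the only levers are a policy exemption on the IT_ resource group scope or a separate scope for image builds, not a template change.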

  3. Steve Turnbull 16 Reputation points
    2022-10-25T10:04:04.403+00:00

    Did you ever manage to get this resolved? We have the same issue, where it is failing due to the policy "public access should be disabled for PaaS". We do specify VNets during the build in the script, but that doesn't help.

    What is the workaround? A completely new subscription just for AIB to create policy exceptions?