ManagedApp deploy of AzureFiles PrivateEndpoint fails, direct deploy of same ARM Template succeeds

Tim James 46 Reputation points
2022-01-21T02:20:46.037+00:00

I have a working ARM template which can be deployed directly with "az deployment group create". Among other things, it creates AzureFiles shares and a private endpoint for use with AzureFiles. It runs to completion within a couple of minutes.

The exact same template, bundled with a simple CreateUiDefinition.json to provide the required parameters, and used in the definition of a ManagedApp, fails to complete. The RelatedEvents for the ManagedApp deployment show repeated attempts to "Delete Network Interface" for the private endpoint. This fails because the interface is in use. It's not clear why the interface needs to be deleted; the template doesn't ask for it to be deleted, only to be created. The RelatedEvents for the direct deploy of the ARM template do not include this deletion. The Managed App deploy fails after 75 minutes.

Specific error message which is repeated:-

Network interface /subscriptions/xxx/resourceGroups/mrg-DUGClusterManagedApp-20220120144358/providers/Microsoft.Network/networkInterfaces/dugcluster-privateendpoint.nic.0427d5bc-b9a9-4abc-9bbd-9a87efd69174 cannot be deleted because it is currently in use with an private endpoint (/subscriptions/xxx/resourceGroups/mrg-DUGClusterManagedApp-20220120144358/providers/Microsoft.Network/privateEndpoints/dugcluster-privateendpoint).

There is a clear difference in the security principals doing the work - for the direct deploy, everything is performed as my personal user, but for the managed app deploy, the Appliance Resource Provider performs most tasks and "Azure Traffic Manager and DNS" performs the ones relating to the Network Interface. The errors don't appear to be permissions related though.

Questions...

1) Why would a ManagedApp deploy need to do something different with the private endpoint network interface, i.e. delete it, than the direct template deploy, which just creates it and continues?

2) Are there settings on the private endpoint or subnet or vnet that could prevent this behaviour?

Attachments are the CSV dumps from the RelatedEvents link on each respective deploy.

167072-queryresult-templatedeployprivateendpointsuccess.txt
167004-queryresult-managedappprivateendpointfail.txt


1 answer

  1. Monalla-MSFT 12,121 Reputation points
    2022-02-15T03:08:52.683+00:00

    @Tim James - Thanks for reaching out to us and again thanks for patiently working with support while they worked on resolving your issue.

    Resurfacing the resolution here, so it can be beneficial to the community who might be facing a similar issue.

    • By discussing with the network team, they confirmed that the Network resource provider will automatically create a Network Interface (NIC) as part of the Private Endpoint (PE) creation behind the scenes and this NIC will link to the PE.
    • From an Azure Resource Management (ARM) template perspective, if the deployment mode is Complete Mode, any resources that are not defined in the template will be removed: deployment-modes.
    • With the design of Complete Mode, we have a document listing the resource types that will or will not be deleted in complete mode: deployment-complete-mode-deletion.
    • And the network interface is marked as Yes, so it will be deleted in this mode.
    • However, in the actual deployment, the NIC is linked to the PE, so the deletion finally failed as a result. Therefore, we may need to use Incremental Mode when deploying the PE. From a Managed Application perspective, you could choose the deployment mode during the creation of the application definition.

    Hope this helps.

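The behaviour described in the answer above, as an added example that is not part of the original thread and not Azure's own code: a simplified model of Complete-mode cleanup, showing why the auto-created NIC lands on the delete list and why that delete is refused. The storage account name, the NIC name suffix, the `attached_to` field and every entry in the type set other than network interfaces are constructed assumptions.

```python
# Added example: a simplified model of ARM Complete-mode cleanup.
# Only the network interface entry is confirmed by the answer above; the other
# entries are assumptions, so check the complete-mode deletion document.
DELETED_IN_COMPLETE_MODE = {
    "microsoft.network/networkinterfaces",
    "microsoft.network/privateendpoints",
    "microsoft.storage/storageaccounts",
}

# Constructed sample: what the template declares (literal names for simplicity).
TEMPLATE = {"resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "examplestorage"},
    {"type": "Microsoft.Network/privateEndpoints", "name": "dugcluster-privateendpoint"},
]}

# Constructed sample: what exists in the managed resource group afterwards.
# The NIC was created by the Network resource provider, not by the template.
# "attached_to" is a hypothetical field naming the resource that uses the NIC.
EXISTING = [
    {"type": "Microsoft.Storage/storageAccounts", "name": "examplestorage"},
    {"type": "Microsoft.Network/privateEndpoints", "name": "dugcluster-privateendpoint"},
    {"type": "Microsoft.Network/networkInterfaces",
     "name": "dugcluster-privateendpoint.nic.example",
     "attached_to": "dugcluster-privateendpoint"},
]

def plan_cleanup(template, existing, mode):
    """Return (to_delete, blocked): names the mode would delete, and the subset
    whose deletion is refused because a resource kept by the template uses them."""
    if mode.lower() == "incremental":
        return [], []  # Incremental mode leaves undeclared resources alone
    declared = {(r["type"].lower(), r["name"].lower()) for r in template["resources"]}
    declared_names = {name for _, name in declared}
    to_delete, blocked = [], []
    for res in existing:
        key = (res["type"].lower(), res["name"].lower())
        if key in declared or key[0] not in DELETED_IN_COMPLETE_MODE:
            continue
        to_delete.append(res["name"])
        if res.get("attached_to", "").lower() in declared_names:
            blocked.append(res["name"])  # in use, so the delete keeps failing
    return to_delete, blocked

if __name__ == "__main__":
    for mode in ("Complete", "Incremental"):
        print(mode, plan_cleanup(TEMPLATE, EXISTING, mode))
```

Running the same comparison against a real resource group listing before publishing a managed application definition shows which provider-created resources a Complete-mode deployment would try to remove.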