Troubleshooting Azure Spring Apps in virtual networks
Note
Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams.
This article applies to: ✔️ Basic/Standard ✔️ Enterprise
This article helps you solve various problems that can arise when using Azure Spring Apps in virtual networks.
I encountered a problem with creating an Azure Spring Apps service instance
To create an instance of Azure Spring Apps, you must have sufficient permission to deploy the instance to the virtual network. The Azure Spring Apps service instance must itself grant Azure Spring Apps service permission to the virtual network. For more information, see the Grant service permission to the virtual network section of Deploy Azure Spring Apps in a virtual network.
If you use the Azure portal to set up the Azure Spring Apps service instance, the Azure portal validates the permissions.
To set up the Azure Spring Apps service instance by using the Azure CLI, verify the following requirements:
- The subscription is active.
- The location supports Azure Spring Apps.
- The resource group for the instance is already created.
- The resource name conforms to the naming rule. It must contain only lowercase letters, numbers, and hyphens. The first character must be a letter. The last character must be a letter or number. The value must contain from 2 to 32 characters.
To set up the Azure Spring Apps service instance by using the Resource Manager template, refer to Understand the structure and syntax of Azure Resource Manager templates.
Common creation issues
| Error message | How to fix |
|---|---|
Resources created by Azure Spring Apps were disallowed by policy. |
Network resources are created when deploying Azure Spring Apps in your own virtual network. Be sure to check whether you have Azure Policy defined to block that creation. The error message lists the resources that weren't created. |
Required traffic is not allowlisted. |
Be sure to check Customer responsibilities for running Azure Spring Apps in a virtual network to ensure that the required traffic is allowlisted. |
My application can't be registered or it can't get settings from the config server
The applications running inside the Azure Spring Apps user cluster need to access the Eureka Server and the Config Server in the system runtime cluster via the <service-instance-name>.svc.private.azuremicroservices.io domain.
This problem occurs if your virtual network is configured with custom DNS settings. In this case, the private DNS zone used by Azure Spring Apps is ineffective. Add the Azure DNS IP 168.63.129.16 as the upstream DNS server in the custom DNS server.
If your custom DNS server can't add the Azure DNS IP 168.63.129.16 as the upstream DNS server, then add the DNS record *.svc.private.azuremicroservices.io to the IP of your application. For more information, see the Find the IP for your application section of Access an app in Azure Spring Apps in a virtual network.
I can't access my application's endpoint or test endpoint in a virtual network
If your virtual network is configured with custom DNS settings, be sure to add Azure DNS IP 168.63.129.16 as the upstream DNS server in the custom DNS server, if you haven't already. Then, proceed with the following instructions.
If your virtual network isn't configured with custom DNS settings, or if your virtual network is configured with custom DNS settings and you've already added Azure DNS IP 168.63.129.16 as the upstream DNS server in the custom DNS server, then complete the following steps:
Create a new private DNS zone
private.azuremicroservices.io.Link the private DNS zone to the virtual network.
Add the following two DNS records:
*.private.azuremicroservices.io-> the IP of your application.*.test.private.azuremicroservices.io-> the IP of your application.
For more information, see Access your application in a private network
I can't access my application's public endpoint from public network
Azure Spring Apps supports exposing applications to the internet by using public endpoints. For more information, see Expose applications on Azure Spring Apps to the internet from a public network.
If you're using a user defined route feature, some features aren't supported because of asymmetric routing. For unsupported features, see the following list:
- Use the public network to access the application through the public endpoint.
- Use the public network to access the log stream.
- Use the public network to access the app console.
For more information, see Control egress traffic for an Azure Spring Apps instance.
Similar limitations also apply to Azure Spring Apps when egress traffics are routed to a firewall. The problem occurs because both situations introduce asymmetric routing into the cluster. Packets arrive on the endpoint's public IP address but return to the firewall via the private IP address. So, the firewall must block such traffic. For more information, see the Bring your own route table section of Deploy Azure Spring Apps in a virtual network.
If you're routing egress traffics to a firewall but also need to expose the application to internet, use the expose applications to the internet with TLS Termination feature. For more information, see Expose applications to the internet with TLS Termination at Application Gateway.
Other issues
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for