Azure PaaS Blog articles

https://techcommunity.microsoft.com/t5/azure-paas-blog/bg-p/AzurePaaSBlog

Deployment Failure of Private Endpoint via Managed Application or ARM template

Purpose:

The purpose of this blog is to share one of the failure scenarios that users may encounter when deploying a Private Endpoint via a Managed Application or an ARM template.

Symptom:

In complete mode (Deployment modes - Azure Resource Manager | Microsoft Learn), Resource Manager deletes the resources in the resource group that are not specified in the template. However, when a Private Endpoint is deployed, its Network Interface (NIC) is generated automatically as a separate resource with a randomly assigned name, so this NIC cannot be defined in the template. As a result, a complete-mode deployment tries to delete the NIC because it is not defined in the ARM template, and that deletion is blocked because the Private Endpoint is currently referencing the NIC.

Because Managed Application uses complete mode for deployment by default, deploying a Private Endpoint via a Managed Application fails in the end. Users may see a similar symptom when deploying a standalone Private Endpoint via an ARM template in complete mode.

Users can check the details in the Activity log. For example, for a Managed Application deployment, open the related managed resource group; the problematic request is displayed under the "Create Deployment" operation.

1. Click and expand the "Create Deployment" operation.

2. Several operations named "Delete Network Interface" will have failed with the error below.

Network interface /subscriptions/a2d49d28-xxxx-xxxx-xxxx-ada50a035a99/resourceGroups/moshiapp/providers/Microsoft.Network/networkInterfaces/moshitest1pe.nic.3b6f36a1-98e5-4d04-a165-91156eaa9fe2 cannot be deleted because it is currently in use with an private endpoint (/subscriptions/a2d49d28-xxxx-xxxx-xxxx-ada50a035a99/resourceGroups/moshiapp/providers/Microsoft.Network/privateEndpoints/moshitest1

 

Mitigation Plan:

For Managed Application deployment, users can update the deployment mode from complete mode to incremental mode via REST API.

 

1. Send a GET request to retrieve the current configuration of the managed application definition, returned in JSON format in the response body: Application Definitions - Get - REST API (Azure Managed Applications) | Microsoft Learn.

Below is a sample response, which can be modified to update the deployment mode.

{
  "properties": {
    "notificationPolicy": {
      "notificationEndpoints": []
    },
    "lockingPolicy": {
      "allowedActions": [],
      "allowedDataActions": []
    },
    "deploymentPolicy": {
      "deploymentMode": "Complete"
    },
    "authorizations": [],
    "isEnabled": true,
    "lockLevel": "None",
    "managementPolicy": {
      "mode": "Managed"
    },
    "displayName": "moshinicinuse",
    "description": "nic in use",
    "artifacts": [
      {
        "name": "ApplicationResourceTemplate",
        "type": "Template",
        "uri": "xxx"
      },
      {
        "name": "CreateUiDefinition",
        "type": "Custom",
        "uri": "xxx"
      },
      {
        "name": "MainTemplateParameters",
        "type": "Custom",
        "uri": "xxx"
      }
    ]
  },
  "id": "/subscriptions/xxx/resourceGroups/moshiappDefinitionGroup/providers/Microsoft.Solutions/applicationDefinitions/moshinicinuse",
  "name": "moshinicinuse",
  "type": "Microsoft.Solutions/applicationDefinitions",
  "location": "eastus"
}

 

2. Modify the configuration as follows:

  • Change the deployment mode from "Complete" to "Incremental".
  • Add the "packageFileUri" element (including the application package URI) under properties.
  • Remove the "id", "name", and "type" elements.

{
  "properties": {
    "notificationPolicy": {
      "notificationEndpoints": []
    },
    "lockingPolicy": {
      "allowedActions": [],
      "allowedDataActions": []
    },
    "deploymentPolicy": {
      "deploymentMode": "Incremental"
    },
    "packageFileUri": "https://xxx.blob.core.windows.net/test/xxx.zip",
    "authorizations": [],
    "isEnabled": true,
    "lockLevel": "None",
    "managementPolicy": {
      "mode": "Managed"
    },
    "displayName": "moshinicinuse",
    "description": "nic in use",
    "artifacts": [
      {
        "name": "ApplicationResourceTemplate",
        "type": "Template",
        "uri": "xxx"
      },
      {
        "name": "CreateUiDefinition",
        "type": "Custom",
        "uri": "xxx"
      },
      {
        "name": "MainTemplateParameters",
        "type": "Custom",
        "uri": "xxx"
      }
    ]
  },
  "location": "eastus"
}

 

3. Copy the modified configuration above and paste it into the request body of a PUT request to update the application definition: Application Definitions - Create Or Update - REST API (Azure Managed Applications) | Microsoft Learn.

4. Send the GET request again to confirm that the deployment mode has changed.

5. Deploy the Managed App again.
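
The edit in step 2 and the check in step 4 can be scripted so that the PUT body differs from the GET response only where intended and settings such as "authorizations" and "lockingPolicy" are carried over unchanged. The following is an added example, not code from the original post; the function names are hypothetical and the sample input is a trimmed, constructed copy of the response shown above.

```python
import copy

READ_ONLY_KEYS = ("id", "name", "type")  # elements the post says to remove

def build_update_body(definition, package_file_uri):
    """Step 2: derive the PUT body from the GET response without mutating it."""
    # Assumption of this example: accept only https package URIs, as in the post's sample.
    if not package_file_uri.startswith("https://"):
        raise ValueError("packageFileUri must be an https URI")
    body = copy.deepcopy(definition)
    for key in READ_ONLY_KEYS:
        body.pop(key, None)
    props = body.setdefault("properties", {})
    props.setdefault("deploymentPolicy", {})["deploymentMode"] = "Incremental"
    props["packageFileUri"] = package_file_uri
    return body

def changed_paths(before, after, prefix=""):
    """Dotted paths that differ, for reviewing the PUT body before it is sent."""
    if isinstance(before, dict) and isinstance(after, dict):
        paths = []
        for key in sorted(set(before) | set(after)):
            if key in before and key in after:
                paths += changed_paths(before[key], after[key], f"{prefix}{key}.")
            else:
                paths.append(f"{prefix}{key}")
        return paths
    return [] if before == after else [prefix.rstrip(".")]

def deployment_mode(definition):
    """Step 4: read the mode back from a fresh GET response."""
    return definition.get("properties", {}).get("deploymentPolicy", {}).get("deploymentMode")

# Constructed sample: a trimmed copy of the GET response shown in the post.
SAMPLE = {
    "properties": {
        "lockingPolicy": {"allowedActions": [], "allowedDataActions": []},
        "deploymentPolicy": {"deploymentMode": "Complete"},
        "authorizations": [],
        "lockLevel": "None",
        "displayName": "moshinicinuse",
    },
    "id": "/subscriptions/xxx/resourceGroups/moshiappDefinitionGroup/providers/Microsoft.Solutions/applicationDefinitions/moshinicinuse",
    "name": "moshinicinuse",
    "type": "Microsoft.Solutions/applicationDefinitions",
    "location": "eastus",
}

if __name__ == "__main__":
    body = build_update_body(SAMPLE, "https://xxx.blob.core.windows.net/test/xxx.zip")
    print(changed_paths(SAMPLE, body))
```

Any path in the output other than the removed read-only elements, the deployment mode and "packageFileUri" means the body was altered beyond what step 2 describes and should be reviewed before the PUT.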

 

Reference:

Deployment modes - Azure Resource Manager | Microsoft Learn

Application Definitions - Get - REST API (Azure Managed Applications) | Microsoft Learn

Application Definitions - Create Or Update - REST API (Azure Managed Applications) | Microsoft Learn

 
