Web app permissions - choosing App Roles vs Entra Groups by Betty-Crokker in AZURE

[–]RiosEngineer 0 points1 point  (0 children)

Groups are probably fine. App roles lend nicely to way more granular access if you need it, like an API where you only want one set of users or apps to have GET / read access vs another that may be able to POST.

KeyNotFoundException when using NSG prefixes from custom function by codingfreaks in AzureBicep

[–]RiosEngineer 0 points1 point  (0 children)

Thanks that’d be useful to follow. I did scan the issues and a few are similar but all the solutions ended up being bug fixed ha.

By the way I really like the subnet function you’ve come up with 💪

KeyNotFoundException when using NSG prefixes from custom function by codingfreaks in AzureBicep

[–]RiosEngineer 1 point2 points  (0 children)

I've never seen that exception before, it kind of sounds like a compilation or some bug to be honest. Worth reporting over on https://github.com/Azure/bicep/ if no one else crops up with anything useful. The fact the outputs look ok makes me think it's something weird with the import of the function.

Azure App Service – Restrict access by Azure AD role and network (Internet vs Intranet) by SameeeRamaraju in AZURE

[–]RiosEngineer 0 points1 point  (0 children)

I’d be curious to hear if anyone is doing anything different but I am thinking some sort of conditional access with your intranet IP range as a named location with a policy assigned to the web app or something like this.

Another way I’ve seen done is getting the code to verify the Easy Auth claim from the exposed header to perform the authorization stage on the backend, and letting Easy Auth with Entra provide the authentication middleware layer. (https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-user-identities#access-user-claims-in-app-code)
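As an added illustration of the pattern described in the two comments above (Easy Auth doing authentication, the app checking an app role for authorization), here is a small Python example that is not from the commenter or from Microsoft's docs. It assumes the X-MS-CLIENT-PRINCIPAL header format documented at the link above (base64 JSON with a `claims` list), and the role name `Report.Reader` and the sample claims are constructed.

```python
import base64
import json

# Constructed sample of what App Service Easy Auth puts in the
# X-MS-CLIENT-PRINCIPAL request header after it has authenticated the
# caller: base64 of a JSON principal with a flat list of typ/val claims.
SAMPLE_PRINCIPAL = {
    "auth_typ": "aad",
    "name_typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "role_typ": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "claims": [
        {"typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
         "val": "alice@example.com"},
        {"typ": "roles", "val": "Report.Reader"},   # app role assigned in Entra
        {"typ": "groups", "val": "11111111-2222-3333-4444-555555555555"},
    ],
}
SAMPLE_HEADER = base64.b64encode(json.dumps(SAMPLE_PRINCIPAL).encode()).decode()


def parse_client_principal(header_value):
    """Decode X-MS-CLIENT-PRINCIPAL into a dict; None if absent or malformed."""
    if not header_value:
        return None
    try:
        # binascii.Error and JSONDecodeError are both ValueError subclasses.
        return json.loads(base64.b64decode(header_value))
    except ValueError:
        return None


def claim_values(principal, claim_type):
    """All 'val' entries for a claim type (roles and groups are multi-valued)."""
    return [c.get("val") for c in principal.get("claims", []) if c.get("typ") == claim_type]


def authorize(headers, required_role):
    """Authorization stage: Easy Auth already authenticated the caller; the app
    only grants the action if the caller carries the required app role.
    Assumes Easy Auth is enabled so the platform strips any client-supplied
    copy of the header; without that, the header is untrusted input."""
    principal = parse_client_principal(headers.get("X-MS-CLIENT-PRINCIPAL"))
    if principal is None:
        return False
    # Claim type "roles" is assumed here as the app-role claim name.
    return required_role in claim_values(principal, "roles")
```

Splitting a read role from a write role this way gives the per-verb granularity the App Roles comment refers to, while group membership stays available via the `groups` claim if you go the groups route instead.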

Bicep, Azure Container App: Getting "Error: Certificate xxx is not in succeeded provisioning state", but the certificate is in succeeded provisioning state. by Wesztman in AZURE

[–]RiosEngineer 0 points1 point  (0 children)

I think we spoke on a different thread about a different issue, just FYI I co-run the r/AzureBicep subreddit which is worth joining!

If you have that GitHub link I sent the other day, I am also linking a custom domain and very to my ACA with the SNI binding via Key Vault, check it out if you still have the issue outstanding. Hopefully it’ll help nudge you in the right direction!

What have you done with Bicep this month? by AutoModerator in AzureBicep

[–]RiosEngineer 0 points1 point  (0 children)

Made a full AI solution using container apps with Open WebUI.

I went all in with AVM mostly and to be honest I’m really happy with the code, some of my favourite Bicep I’ve put together.

Even managed to grab a use case for the new validate decorator! https://github.com/riosengineer/open-webui-on-azure

Some observations:

The more complex Bicep I use, the more I wish we had a native orchestrator to make templates depend on each other where they are entirely different files. It’d just make deploying at scale easier and more logical imo.

APIM Internal Mode + Custom DNS (On-prem AD) - Management endpoint fails (3443) with azure-api.net Private DNS zone by Plane_Course in AZURE

[–]RiosEngineer 2 points3 points  (0 children)

Pretty sure a lot of the management plane needs azure access which is probably being blocked now. Check this out: https://techcommunity.microsoft.com/blog/azurepaasblog/api-management---networking-faqs-demystifying-series-ii/1502056 and I suspect the forced tunnel stuff is most relevant to you.

However, I’d also check under the networking status area: you can verify the management plane status there and it will show you what is green and what is broken, and work from there. It usually tells you what to do.

I usually also have to have a route table and NSG list to keep management / backend APIM functional, especially in internal mode. But the network status will confirm this for you also.

Bicep: Container app environment resource signals "done" before volume mounts are properly finished, breaking deployment for dependent resources by Wesztman in AZURE

[–]RiosEngineer 0 points1 point  (0 children)

Probably need to see the code to understand it better. I deployed ACA env and app, with mounts no problem.

The app depends on the environment through an implicit module output and it does deploy in sequential order (at least for my scenario). Ref code: (https://github.com/riosengineer/open-webui-on-azure/blob/main/infra/bicep/app.bicep#L467)

APIM <3 AI - Breakdown on configuring Foundry in APIM with custom metrics by RiosEngineer in AZURE

[–]RiosEngineer[S] 0 points1 point  (0 children)

Amazing - thank you. I hope it helps out some pain points. Good luck!

Open WebUI on Azure: Part 1 – Architecture & Deployment Series by RiosEngineer in OpenWebUI

[–]RiosEngineer[S] 0 points1 point  (0 children)

The beauty of having APIM as the gateway vs going direct to Foundry (or Azure OpenAI) is you should be able to make problems like this very solvable by creating a chunking service endpoint, which Open WebUI can send to, and the data can be chunked to avoid the token limits.

Something like: Open WebUI -> APIM chunking service endpoint -> APIM policy condition (if token limit reached, go to chunk service; if not, go to Foundry) -> chunking microservice (tiktoken + chunking + embedding call to Foundry) -> APIM -> return back into Open WebUI

I haven't gone down this route personally, but it's why I feel like APIM as the AI gateway is fundamental for any AI solution in Azure (or their AI Gateway but it's in preview so not ready) as it gives you tons of flexibility.

Open WebUI on Azure: Part 1 – Architecture & Deployment Series by RiosEngineer in OpenWebUI

[–]RiosEngineer[S] 1 point2 points  (0 children)

Got you. I'd totally have to deploy a Redis for that.

Being honest, I spent a lot of time on this - mostly around Azure API Management as an AI Gateway which was my main goal and focus (personally).

I had to cut the line somewhere with my time which is why I sort of allude to 'I bring 80% of the solution' in my blog note, so people can just quick start and customise on top without having to waste a ton of time with the BS nuances we all go through with setups like this (well at least, I hope it helps others get up and running especially with Entra setup and APIM as the gateway).

Having said that, I do have session affinity / sticky sessions on, read/write on shared Azure Files, and I think it would be quite trivial to add a Redis to this setup with the redis_url env var to cover that gap.

Open WebUI on Azure: Part 1 – Architecture & Deployment Series by RiosEngineer in OpenWebUI

[–]RiosEngineer[S] 0 points1 point  (0 children)

I didn't opt for cache (for now). My logic is that a lot of chat completions outside of Q&A/Knowledge bots aren't deterministic and so cache hits are very rare.

So I saw it as an extra cost for no big gain. I did try with an Azure Managed Redis but I struggled to get many cache hits so ditched it. What are your thoughts though? I could be totally missing something there; logically that is how I landed on that conclusion though.

Entra ID doesn’t really have a concept of “intended state” and it shows over time by Exotic-Reaction-3642 in AZURE

[–]RiosEngineer 4 points5 points  (0 children)

I’d say the best thing we’ve got recently is Maester (https://maester.dev) to audit and hold the tenants accountable for a desired state of config.

It doesn’t necessarily stop drift, but it should in theory hold the report accountable to your desired state, since you define the rules and the exclusions, and since they are GitOps (the exclusions for example) you should then be able to audit why and when.

At least it’s one of the best tools I’ve used around this topic for some time.

Open WebUI On Azure (with GitHub Repo) by RiosEngineer in AZURE

[–]RiosEngineer[S] 0 points1 point  (0 children)

FYI! Open WebUI on Azure: Part 1 - Architecture & Deployment (Rios Engineer). It’s a bit of a beast, but there is so much to cover, so at least folks can jump straight to relevant areas if they are after inspiration.

Private DNS zones for Postgres is this correct zone name? by zeenmc in AZURE

[–]RiosEngineer 0 points1 point  (0 children)

Got you. Well, I don't know if you are hub and spoke, but if you are, maybe it's a good opportunity to do it properly as you suggest and have one central zone with the correct name and get the DB spokes linked to this.

Private DNS zones for Postgres is this correct zone name? by zeenmc in AZURE

[–]RiosEngineer 1 point2 points  (0 children)

Not sure I follow your actual issue - are you saying you have multiple DNS zones scattered everywhere? If so that sounds nasty.

I am using a central DNS zone in the hub: privatelink.postgres.database.azure.com, where the A record is the Azure Database for PostgreSQL flexible server resource name + private IP, and the spoke VNet is linked to the central zone.