Always get an InternalServerError when I create a firewall to protect my vnet.

Stephanie Valentine 0 Reputation points
2025-03-31T20:36:16.5366667+00:00

I have a fairly simple virtual network. Web subnet (three web apps), and a private endpoints subnet (MySQL, two Redis instances, blob storage account), plus the autogenerated ones: default, AzureFirewallSubnet, and AzureFirewallManagementSubnet (all empty). The web subnet allows all outbound connections but only accepts inbound connections from FrontDoor. The private endpoints subnet restricts all inbound or outbound connections except from within the vnet. Simple.

I need to protect this virtual network with a firewall, but whenever I try (and I have tried many times) to create a firewall, I get an InternalServerError and a "Failed" provisioning state.

I've read all the troubleshooting documents/recommendations.

My blob storage account is configured to only allow access from within the vnet and does not have a private DNS zone.

I do not have any route tables (yet) to confuse things.

I have two healthy public IP addresses that can be used for the firewall and the firewall's management (though I still don't really understand what that's for).

I'm new to this, so please be kind to me. How can I fix this? The firewall is necessary to make the Microsoft Defender recommendation (that I need a firewall to protect my vnet) go away.


1 answer

  1. G Sree Vidya 750 Reputation points Microsoft External Staff
    2025-04-01T01:13:25.4566667+00:00

    Hello Stephanie Valentine

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: Always get an InternalServerError when I create a firewall to protect my vnet.

    Solution: Turns out my keyvault was connected to the firewall subnet somehow, and the subnet was randomly delegated to Microsoft.Web/serverfarms.

    How that happened, I have no idea. But removing those connections allowed me to create a firewall that succeeds and works as intended.

    If you have any other questions or are still running into more issues, please let me know in the comments.

    Thank you again for your time and patience throughout this issue.


    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
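
The fix reported above was removing a stray delegation and a Key Vault connection from the firewall subnet. The following is an added example, not code from the thread or from Microsoft, that scans subnet JSON for such leftovers before a firewall deployment. It assumes input shaped like `az network vnet subnet list -o json` output (or the ARM form with a `properties` object), and that the Key Vault link appears as a service endpoint or private endpoint, which the thread does not specify; the sample data is constructed.

```python
import json

# Constructed sample, shaped like `az network vnet subnet list -o json` output.
SAMPLE_SUBNETS = json.loads("""[
  {"name": "AzureFirewallSubnet", "addressPrefix": "10.0.1.0/26",
   "delegations": [{"name": "d1", "serviceName": "Microsoft.Web/serverfarms"}],
   "serviceEndpoints": [{"service": "Microsoft.KeyVault"}],
   "privateEndpoints": null},
  {"name": "AzureFirewallManagementSubnet", "addressPrefix": "10.0.2.0/26",
   "delegations": [], "serviceEndpoints": []},
  {"name": "web", "addressPrefix": "10.0.3.0/24",
   "delegations": [{"name": "d2", "serviceName": "Microsoft.Web/serverfarms"}],
   "serviceEndpoints": []}
]""")

# Subnet names reserved for Azure Firewall, as listed in the question.
FIREWALL_SUBNETS = {"AzureFirewallSubnet", "AzureFirewallManagementSubnet"}

# (subnet field, finding label, key that identifies the attached thing)
CHECKS = (
    ("delegations", "delegation", "serviceName"),
    ("serviceEndpoints", "serviceEndpoint", "service"),
    ("privateEndpoints", "privateEndpoint", "id"),
)


def firewall_subnet_findings(subnets):
    """Return (subnet, kind, value) for anything attached to a firewall subnet."""
    findings = []
    for subnet in subnets:
        name = subnet.get("name", "")
        if name not in FIREWALL_SUBNETS:
            continue  # delegations on ordinary subnets (e.g. web) are expected
        # The az CLI flattens fields; raw ARM JSON nests them under "properties".
        props = subnet.get("properties") or subnet
        for field, kind, key in CHECKS:
            for item in props.get(field) or []:  # field may be missing or null
                findings.append((name, kind, item.get(key, "<unknown>")))
    return findings


if __name__ == "__main__":
    for name, kind, value in firewall_subnet_findings(SAMPLE_SUBNETS):
        print(f"{name}: unexpected {kind}: {value}")
```

An empty result means the reserved subnets carry none of these attachments; any finding is worth clearing before retrying the firewall deployment.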
