AZURE_ACCESS_FAILURE with a RequestDisallowedByPolicy error message. The error text reads:
Reason:Azure Error: RequestDisallowedByPolicy Message: Resource 'avisestorage#####' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"##### Storage accounts should restrict network access","id":"/subscriptions/#####/providers/Microsoft.Authorization/policyAssignments/"},"policyDefinition":{"name":"Storage accounts should restrict network access","id":"/providers/Microsoft.Authorization/policyDefinitions/","version":"1.1.1"}},{"policyAssignment":{"name":"<Policy-Name> Policy Initiative","id":"/providers/Microsoft.Management/managementGroups/managed-services/providers/Microsoft.Authorization/policyAssignments/"},"policyDefinition":{"name":"Storage account public access should be disallowed","id":"/providers/Microsoft.Authorization/policyDefinitions/","version":"3.1.1"},"policySetDefinition":{"name":"Alstom CAF Policy Initiative","id":"/providers/Microsoft.Management/managementGroups/managed-services/providers/Microsoft.Authorization/policySetDefinitions/","version":"1.0.0"}}]'. Target: avisestorage#####
To resolve this issue, the organization must align its Azure environment with the operational requirements of VMware Avi Load Balancer for Azure Cloud deployment. This requires collaboration with Azure Support and the customer's Azure infrastructure team to either modify the policies or configure the environment so that it complies with the existing policies.
The recommended solution involves creating a new, compliant storage account and a private endpoint within the same virtual network (VNet) where the Service Engines will be deployed. This approach ensures that the storage account used for SE images adheres to the public access restrictions.
Steps to Take:
Engage the Azure Team: Coordinate with the Azure administrators to understand the specific policies in place and agree on a compliant solution.
Create a New Storage Account: Manually create an Azure Storage Account with public access explicitly disabled and network access restricted so that only specific, pre-approved networks (for example, the VNet where the SEs are deployed) can reach it.
Create a Private Endpoint: For secure communication, establish a private endpoint for the new storage account within the same VNet. This allows the Avi Cloud Connector to upload the SE images over the private network without violating the public access policy.
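The three steps above, carried out with the Azure CLI, as an added example that is not part of this KB article or of the Avi product. The storage account is created with the two properties that the policy definitions named in the error evaluate (blob public access disabled and network default action Deny), the SE subnet is allowed through a service endpoint rule, and a blob private endpoint with its private DNS zone is created in the same VNet. Resource group, region, VNet, subnet and account names are assumptions set through environment variables; the script assumes a recent Azure CLI (the `--private-endpoint-network-policies` flag) and that the subnet has the Microsoft.Storage service endpoint enabled. Setting `AZ=echo` previews the commands instead of running them.

```shell
#!/bin/sh
# Added example (not the KB's own procedure text): create the compliant storage
# account and private endpoint for Avi SE images with the Azure CLI.
# All names below are assumptions; override them via the environment.
set -eu

# AZ can be overridden (e.g. AZ=echo) to print the commands without running them.
AZ="${AZ:-az}"

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-avi}"            # assumed resource group
LOCATION="${LOCATION:-westeurope}"                    # assumed region
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-avisestorage01}"  # assumed name (3-24 lowercase alphanumerics)
VNET_NAME="${VNET_NAME:-vnet-avi}"                    # VNet where the SEs are deployed (assumed)
SUBNET_NAME="${SUBNET_NAME:-snet-avi-se}"             # SE subnet (assumed)
PE_NAME="${PE_NAME:-pe-${STORAGE_ACCOUNT}-blob}"      # private endpoint name (assumed)
DNS_ZONE="privatelink.blob.core.windows.net"          # standard private DNS zone for Blob

# Step 2: a storage account that satisfies both policy definitions from the error:
#   "Storage account public access should be disallowed"  -> allowBlobPublicAccess = false
#   "Storage accounts should restrict network access"     -> networkAcls.defaultAction = Deny
# Only the SE subnet is then allowed in through a virtual network rule.
create_compliant_storage_account() {
  $AZ storage account create \
    --name "$STORAGE_ACCOUNT" --resource-group "$RESOURCE_GROUP" --location "$LOCATION" \
    --sku Standard_LRS --kind StorageV2 \
    --allow-blob-public-access false \
    --default-action Deny --bypass AzureServices \
    --min-tls-version TLS1_2
  # Requires the Microsoft.Storage service endpoint on the subnet (assumed present).
  $AZ storage account network-rule add \
    --resource-group "$RESOURCE_GROUP" --account-name "$STORAGE_ACCOUNT" \
    --vnet-name "$VNET_NAME" --subnet "$SUBNET_NAME"
}

# Step 3: a blob private endpoint in the same VNet, plus the private DNS zone so the
# account's FQDN resolves to the endpoint's private IP from inside the VNet.
create_private_endpoint() {
  $AZ network vnet subnet update \
    --resource-group "$RESOURCE_GROUP" --vnet-name "$VNET_NAME" --name "$SUBNET_NAME" \
    --private-endpoint-network-policies Disabled
  sa_id="$($AZ storage account show --resource-group "$RESOURCE_GROUP" \
    --name "$STORAGE_ACCOUNT" --query id -o tsv)"
  $AZ network private-endpoint create \
    --resource-group "$RESOURCE_GROUP" --name "$PE_NAME" \
    --vnet-name "$VNET_NAME" --subnet "$SUBNET_NAME" \
    --private-connection-resource-id "$sa_id" \
    --group-id blob --connection-name "${PE_NAME}-conn"
  $AZ network private-dns zone create --resource-group "$RESOURCE_GROUP" --name "$DNS_ZONE"
  $AZ network private-dns link vnet create \
    --resource-group "$RESOURCE_GROUP" --zone-name "$DNS_ZONE" --name "${VNET_NAME}-link" \
    --virtual-network "$VNET_NAME" --registration-enabled false
  $AZ network private-endpoint dns-zone-group create \
    --resource-group "$RESOURCE_GROUP" --endpoint-name "$PE_NAME" --name default \
    --private-dns-zone "$DNS_ZONE" --zone-name blob
}

# Check: print the two properties the policies evaluate; expect "false" and "Deny".
show_compliance_state() {
  $AZ storage account show --resource-group "$RESOURCE_GROUP" --name "$STORAGE_ACCOUNT" \
    --query "{allowBlobPublicAccess:allowBlobPublicAccess, defaultAction:networkRuleSet.defaultAction}" \
    -o tsv
}

# Nothing runs unless the script is invoked with --apply.
if [ "${1:-}" = "--apply" ]; then
  create_compliant_storage_account
  create_private_endpoint
  show_compliance_state
fi
```

Run it once as `sh create-avi-storage.sh --apply` with an identity that can create resources in the resource group; afterwards, point the Avi Azure cloud configuration at the resulting storage account so the Cloud Connector never attempts to create its own, non-compliant one.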
The RequestDisallowedByPolicy error is Azure Policy enforcement at work: Azure rejects the creation of any resource that does not comply with the organization's governance rules.
This error is not a bug in the Avi Load Balancer but a result of a policy conflict.
The solution involves a one-time setup of a compliant storage account that can be used by the Avi Cloud Connector for all future Service Engine deployments.
For detailed instructions on creating storage accounts and private endpoints, refer to the following Microsoft documentation: