Issue with creating a container instance for Twingate connector
I am using Pulumi to manage my resources and am unable to create my twingate connectors. The first error was a 401 unauthorized, stating that the Azure Container Instance Service did not have permission to access the scope. I gave it explicit access.
Now I am getting an unknown 500 error when it is trying to write/create the instance.
The activity monitor does not provide any useful information.
Azure Container Instances
-
Loknathsatyasaivarma Mahali • 1,615 Reputation points • Microsoft External Staff
2025-03-19T22:48:40.27+00:00
Hello Charlee Gordon,
Could you please confirm the below and provide the necessary details to investigate the issue further.
- What specific steps did you take to give explicit access to the Azure Container Instance Service in order to resolve the 401 unauthorized error?
- Can you provide more details about the configuration and setup you used when trying to write/create the instance that is now resulting in the unknown 500 error?
- Could you please share the documentation you referenced while setting up the connection?
-
Charlee Gordon • 0 Reputation points
2025-03-20T14:37:28.68+00:00
Hello Loknathsatyasaivarma Mahali
I went into my resource group and navigated to IAM. I added the role assignment of "Contributor" and "Azure Container Instance Contributor Role" to "Azure Container Instance Service", the service principal.
The configuration and setup are managed by Pulumi using the following:

using System;
using System.Collections.Generic;
using System.Linq;
using Core.Text;
using Pulumi;
using Pulumi.AzureNative.ContainerInstance;
using Pulumi.AzureNative.ContainerInstance.Inputs;
using Pulumi.AzureNative.Network;
using Pulumi.AzureNative.Network.Inputs;
using Pulumi.AzureNative.Resources;
using TwingateLabs.Twingate;
using TwingateLabs.Twingate.Inputs;

namespace Shared.Resources;

public record TwingateNetworkResourceArgs : IComponentResourceTag
{
    public string DisplayName { get; init; } = null!;
    public ResourceGroup ResourceGroup { get; init; } = null!;
    public VirtualNetwork VirtualNetwork { get; init; } = null!;
    public string TenantUrl { get; set; } = null!;
    public Subnet Subnet { get; init; } = null!;
    public IEnumerable<TwingateNetworkResource>? Resources { get; init; }
    public int NumberOfConnectors { get; init; } = 0;
    public InputMap<string>? Tags { get; init; }
}

public class TwingateNetwork : ComponentResource
{
    private readonly TwingateRemoteNetwork _network;
    private readonly TwingateNetworkResourceArgs _resourceArgs;
    private static readonly List<TwingateNetworkResource> DefaultEmptyList = new();

    public TwingateNetwork(
        string networkName,
        TwingateNetworkResourceArgs resourceArgs,
        ComponentResourceOptions? options = null)
        : base($"agrinhealth:networking:{nameof(TwingateNetwork)}", networkName)
    {
        _resourceArgs = resourceArgs;

        // The Twingate remote network that the connectors and resources attach to.
        _network = new TwingateRemoteNetwork(
            networkName,
            new TwingateRemoteNetworkArgs()
            {
                Name = _resourceArgs.DisplayName,
            },
            new CustomResourceOptions { Parent = this });

        if (_resourceArgs.NumberOfConnectors > 0)
        {
            AddConnectors(networkName, _resourceArgs.NumberOfConnectors);
        }

        var twingateNetworkResources = _resourceArgs.Resources?.ToList() ?? DefaultEmptyList;
        if (!twingateNetworkResources.Any()) return;

        foreach (var resource in twingateNetworkResources)
        {
            var twingateResource = new TwingateResource(
                $"{networkName}-res-{resource.Name.ToKebabCase()}",
                new TwingateResourceArgs
                {
                    Name = resource.Label,
                    Address = resource.Address,
                    RemoteNetworkId = _network.Id,
                    Protocols = resource.Protocols ?? TwingateResourceProtocolsArgs.Empty,
                    Access = new TwingateResourceAccessArgs { GroupIds = resource.GroupIds }
                },
                new CustomResourceOptions { Parent = this });
        }
    }

    // Creates one Twingate connector (plus its tokens) per instance and backs each with an ACI container group.
    protected void AddConnectors(string name, int totalInstances = 1)
    {
        for (var i = 0; i < totalInstances; i++)
        {
            var increment = (i + 1).ToString().PadLeft(4, '0');
            var connectorName = $"{name}-connector-{increment}";
            var connector = new TwingateConnector(
                connectorName,
                new TwingateConnectorArgs { Name = $"", RemoteNetworkId = _network.Id },
                new CustomResourceOptions { Parent = this });
            var connectorTokens = new TwingateConnectorTokens(
                $"{name}-connector-token-{increment}",
                new TwingateConnectorTokensArgs { ConnectorId = connector.Id },
                new CustomResourceOptions { Parent = this });
            AddContainerInstance(connectorName, connectorTokens.AccessToken, connectorTokens.RefreshToken);
        }
    }

    private void AddContainerInstance(string name, Input<string> accessToken, Input<string> refreshToken)
    {
        const string imageName = "twingate/connector:1";
        var isolatedTags = new InputMap<string>();
        if (_resourceArgs.Tags is not null)
        {
            isolatedTags.Add(_resourceArgs.Tags);
        }
        isolatedTags.Add("Purpose", "TwingateConnector");

        // Network profile pointing at the private subnet (this is what the 500 error occurs on; see the answers below).
        var networkProfile = new NetworkProfile(
            $"{name}-networkprofile",
            new NetworkProfileArgs
            {
                ContainerNetworkInterfaceConfigurations = new ContainerNetworkInterfaceConfigurationArgs
                {
                    IpConfigurations = new[]
                    {
                        new IPConfigurationProfileArgs
                        {
                            Name = "ipConfig",
                            Subnet = new Pulumi.AzureNative.Network.Inputs.SubnetArgs { Id = _resourceArgs.Subnet.Id }
                        }
                    },
                    Name = "eth1"
                },
                NetworkProfileName = $"{name}-networkprofile",
                ResourceGroupName = _resourceArgs.ResourceGroup.Name
            },
            new CustomResourceOptions { Parent = this });

        var containerGroup = new ContainerGroup(name, new ContainerGroupArgs
        {
            ResourceGroupName = _resourceArgs.ResourceGroup.Name,
            OsType = "Linux",
            Containers =
            {
                new ContainerArgs()
                {
                    Name = name.ToKebabCase(),
                    Image = imageName,
                    Ports = { new ContainerPortArgs() { Port = 80 } },
                    Resources = new ResourceRequirementsArgs
                    {
                        Requests = new ResourceRequestsArgs
                        {
                            Cpu = 1.0,
                            MemoryInGB = 1.0,
                        }
                    },
                    EnvironmentVariables =
                    {
                        new EnvironmentVariableArgs { Name = "TENANT_URL", Value = _resourceArgs.TenantUrl },
                        new EnvironmentVariableArgs { Name = "ACCESS_TOKEN", Value = accessToken },
                        new EnvironmentVariableArgs { Name = "REFRESH_TOKEN", Value = refreshToken },
                        new EnvironmentVariableArgs { Name = "TWINGATE_TIMESTAMP_FORMAT", Value = "2" }
                    }
                }
            },
            SubnetIds = new[]
            {
                new ContainerGroupSubnetIdArgs { Id = networkProfile.Id, Name = networkProfile.Name }
            },
            IpAddress = new IpAddressArgs
            {
                Ports = { new PortArgs { Port = 80, Protocol = "Tcp" } },
                Type = "Private"
            },
            RestartPolicy = "always",
            Tags = _resourceArgs?.Tags!
        }, new CustomResourceOptions { Parent = this, DependsOn = _network });
    }
}
Between the 401 error and the 500 error, nothing has changed in the code. The code was provided to me and I am currently searching for the documentation.
-
anashetty • 3,155 Reputation points • Microsoft External Staff
2025-03-21T11:08:45.0666667+00:00
Hi Charlee Gordon,
Thanks for getting back with detailed information. Please try the troubleshooting steps below:
Check Container Group Events: Go to the Azure portal → Resource Group → Container Instance → Diagnose and solve problems, and if Log Analytics is enabled, check the logs under Azure Monitor.
Check Resource Limits: Azure Container Instances have certain limits on resources like CPU, memory, and the number of containers per group. See that your resource requests (CPU and memory) are within the allowed limits. For your reference: Azure Container Instances quotas and limits
Check the detailed logs from the Azure Container Instance:
az container logs --resource-group <resource-group-name> --name <container-instance-name>
Run the Pulumi command with debugging enabled to get more context on the 500 error:
pulumi up --logtostderr -v=9
If you have any further queries, let me know. If the information is helpful, please click on Upvote.
-
Charlee Gordon • 0 Reputation points
2025-03-24T13:02:58.8+00:00
az container logs --resource-group <resource-group-name> --name <container-instance-name> does not work as the code is breaking upon creation of the instance. The instances I am trying to create do not exist due to the 500 error.
pulumi up --logtostderr -v=9
42032 eventsink.go:62] eventSink::Debug(<{%reset%}>Registering resource monitor end: t=azure-native:web:WebAppApplicationSettingsSlot, name=mySlotSettings, custom=True, remote=False<{%reset%}>)
I0324 08:53:38.374139 42032 eventsink.go:59] Fields to assign: ["id","properties","type","name","urn","kind"]
I0324 08:53:38.375239 42032 eventsink.go:62] eventSink::Debug(<{%reset%}>Fields to assign: ["id","properties","type","name","urn","kind"]<{%reset%}>)
I0324 08:56:42.256538 42032 provider_plugin.go:1883] provider received rpc error
Unknown
:Status=500 Code="InternalServerError" Message="Encountered an internal server error. The tracking activity id is 'd55fc0d5-b09a-4d81-8225-35da05fde4ac', correlation id is 'bb00fb9b-c7b5-4910-87cf-e0ec86841c99'."
I0324 08:56:42.257840 42032 provider_plugin.go:1887] rpc error kind
Unknown
may not be recoverable
I0324 08:56:42.258406 42032 provider_plugin.go:1052] Provider[azure-native, 0xc003a6e980].Create(urn:pulumi:prd::myProject-main::myNetwork:networking:TwingateNetwork$azure-native:containerinstance:ContainerGroup::myConnector) failed: Status=500 Code="InternalServerError" Message="Encountered an internal server error. The tracking activity id is 'd55fc0d5-b09a-4d81-8225-35da05fde4ac', correlation id is 'bb00fb9b-c7b5-4910-87cf-e0ec86841c99'."
I0324 08:56:42.259031 42032 eventsink.go:86] eventSink::Error(<{%reset%}>Status=500 Code="InternalServerError" Message="Encountered an internal server error. The tracking activity id is 'd55fc0d5-b09a-4d81-8225-35da05fde4ac', correlation id is 'bb00fb9b-c7b5-4910-87cf-e0ec86841c99'."<{%reset%}>)
- │ └─ azure-native:containerinstance:ContainerGroup myConnector ., false)
I0324 08:56:42.260122 42032 snapshot.go:584] SnapshotManager.markOperationComplete(urn:pulumi:prd::myPorject-main::myNetwork:networking:TwingateNetwork$azure-native:containerinstance:ContainerGroup::myConnector)
I0324 08:56:42.794477 42032 step_executor.go:516] StepExecutor worker(13): step create on urn:pulumi:prd::myProject-main::myNetwork:networking:TwingateNetwork$azure-native:containerinstance:ContainerGroup::myConnector failed with an error: Status=500 Code="InternalServerError" Message="Encountered an internal server error. The tracking activity id is 'd55fc0d5-b09a-4d81-8225-35da05fde4ac', correlation id is 'bb00fb9b-c7b5-4910-87cf-e0ec86841c99'."
-
anashetty • 3,155 Reputation points • Microsoft External Staff
2025-03-25T09:59:28.5533333+00:00
Hi Charlee Gordon,
Thanks for getting back with details. To check whether the issue is from the Pulumi script or from the Azure side, deploy a container instance directly using the Azure portal once; if it is created successfully, we can confirm that the issue is in the Pulumi script.
-
Charlee Gordon • 0 Reputation points
2025-03-25T13:27:10.1233333+00:00
It is not the Pulumi script. Using Pulumi and adjusting the script, I am able to make a public container instance.
I then adjusted it and tried to create this instance as a Twingate connector, and it throws the 500 error on the Write command.
-
Arko • 2,130 Reputation points • Microsoft External Staff
2025-03-26T15:05:18.7066667+00:00
This issue only occurs when deploying the Twingate connector with private networking via a subnet and network profile. Public container instances work fine.
You've already assigned the correct roles (Contributor, ACI Contributor) to the Azure Container Instance service principal. The subnet is valid, in the same region, and doesn't have any delegations. I suspect this may be related to subnet-level permissions or a backend issue with ACI + private networking + custom images.
You're assigning a Network Profile to the ContainerGroup, but ACI does not support NetworkProfile for user-assigned subnet integration. Instead, you should assign the subnet directly via SubnetIds, without using a Network Profile. You are mixing SubnetIds with a NetworkProfile, and this often causes unhelpful internal server errors (500s). Would request you to replace this:
SubnetIds = new[] { new ContainerGroupSubnetIdArgs{ Id = networkProfile.Id, Name = networkProfile.Name } }
with
SubnetIds = new[] { new ContainerGroupSubnetIdArgs { Id = _resourceArgs.Subnet.Id } }
And remove the creation of NetworkProfile altogether. Remove this:
var networkProfile = new NetworkProfile(...);
Why This Happens?
Ans- Azure Container Instances support VNet injection by directly referencing the subnet in SubnetIds. NetworkProfile is not used in ACI. Trying to assign a NetworkProfile to a ContainerGroup leads to obscure 500 Internal Server Errors without detailed logs, exactly what you're seeing.
You mentioned: "I added the role assignment of Contributor and Azure Container Instance Contributor Role to Azure Container Instance Service"
That's correct. For extra confidence you can ensure the ACI resource provider is registered in your subscription. Make sure the subnet allows the ACI service to delegate. Go to the subnet in the Azure Portal -> Look for "Subnet delegation" and ensure Microsoft.ContainerInstance/containerGroups is enabled.
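The fix described in this answer as an added, end-to-end example (not code from the thread, Twingate or Pulumi): a subnet delegated to ACI and the connector container group referencing it directly through SubnetIds, with no NetworkProfile. The class and method names, the "aci" delegation name and the address prefix are assumptions; passing the connector tokens as SecureValue is an added hardening the thread does not mention.

```csharp
using Pulumi;
using Pulumi.AzureNative.ContainerInstance;
using Pulumi.AzureNative.ContainerInstance.Inputs;
using Pulumi.AzureNative.Network;
using Pulumi.AzureNative.Network.Inputs;

public static class ConnectorContainers
{
    // ACI VNet injection requires the subnet to be delegated to the ACI service.
    public static Subnet CreateDelegatedSubnet(string name, Input<string> rg, Input<string> vnet, string prefix) =>
        new Subnet(name, new SubnetArgs
        {
            ResourceGroupName = rg,
            VirtualNetworkName = vnet,
            AddressPrefix = prefix, // e.g. "10.0.2.0/24" (assumed value)
            Delegations = { new DelegationArgs { Name = "aci", ServiceName = "Microsoft.ContainerInstance/containerGroups" } }
        });

    // Same container group as the thread's AddContainerInstance, minus the NetworkProfile.
    public static ContainerGroup CreateConnector(string name, Input<string> rg, Subnet subnet,
        Input<string> tenantUrl, Input<string> accessToken, Input<string> refreshToken, Resource parent) =>
        new ContainerGroup(name, new ContainerGroupArgs
        {
            ResourceGroupName = rg,
            OsType = "Linux",
            Containers =
            {
                new ContainerArgs
                {
                    Name = name, // assumed to already be a valid (lowercase, kebab-case) container name
                    Image = "twingate/connector:1",
                    Ports = { new ContainerPortArgs { Port = 80 } },
                    Resources = new ResourceRequirementsArgs { Requests = new ResourceRequestsArgs { Cpu = 1.0, MemoryInGB = 1.0 } },
                    EnvironmentVariables =
                    {
                        new EnvironmentVariableArgs { Name = "TENANT_URL", Value = tenantUrl },
                        // SecureValue (added hardening) keeps the tokens out of ARM reads and the portal's plain view.
                        new EnvironmentVariableArgs { Name = "ACCESS_TOKEN", SecureValue = accessToken },
                        new EnvironmentVariableArgs { Name = "REFRESH_TOKEN", SecureValue = refreshToken },
                        new EnvironmentVariableArgs { Name = "TWINGATE_TIMESTAMP_FORMAT", Value = "2" }
                    }
                }
            },
            // Reference the delegated subnet directly; no NetworkProfile id goes into SubnetIds.
            SubnetIds = { new ContainerGroupSubnetIdArgs { Id = subnet.Id } },
            IpAddress = new IpAddressArgs { Type = "Private", Ports = { new PortArgs { Port = 80, Protocol = "Tcp" } } },
            RestartPolicy = "Always"
        }, new CustomResourceOptions { Parent = parent, DependsOn = subnet });
}
```

Call CreateDelegatedSubnet once per VNet and pass the resulting Subnet to CreateConnector for each connector instance; the DependsOn ensures the delegation exists before the container group is created.
-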
Arko • 2,130 Reputation points • Microsoft External Staff
2025-03-28T08:15:51.1+00:00
Charlee Gordon, please check my above comments. Hope I was able to clear your doubt. Pulumi being. As you mentioned "I am able to make a public container instance.
I then adjusted and tried to create this instance to a twingate connector and it throws the 500 error", it is evident that there is no issue from the Azure Container Instance side. Pulumi and the Twingate connector, being third-party solutions, are beyond our scope of support. However, from my end, I tried to suggest some steps above in my previous comment for your ease. Please do let me know if you need any clarity on that. Thanks