ACA Environment VNet Deployment Timeout (West US 3) - DNS Failure for westus3.data.mcr.microsoft.com?

Robert Dudus 0 Reputation points
2025-04-23T18:01:58.72+00:00

Hi Community,

I'm experiencing persistent deployment timeouts (often 1-2+ hours) when trying to provision a VNet-integrated (internal) Azure Container Apps Environment in the West US 3 region.

We are deploying via Bicep/ARM templates. The target infrastructure subnet meets the minimum size requirements (/23) for a non-zone-redundant environment and has no service delegations prior to deployment.

After extensive troubleshooting, including deploying a test VM into a separate subnet within the same VNet and applying the exact same Network Security Group (NSG) used by the ACA infrastructure subnet, we've narrowed down the issue.

Key Finding:

Connectivity tests run from the test VM (using Azure's default DNS resolver 168.63.129.16) show that DNS resolution consistently fails specifically for the regional Microsoft Container Registry data endpoint: westus3.data.mcr.microsoft.com.

  • DNS resolution for other public endpoints (like management.azure.com, login.microsoftonline.com, mcr.microsoft.com) works correctly from the same VM.
  • DNS resolution for our Private Endpoints via Private DNS Zones also works correctly.
  • TCP connectivity tests pass for all endpoints except those where DNS resolution fails.
  • The NSG associated with the subnet allows outbound traffic according to ACA documentation (including TCP/443 to Service Tags MicrosoftContainerRegistry, AzureResourceManager, AzureActiveDirectory, AzureMonitor, and UDP/TCP 53 to Azure DNS).
  • Crucially, the DNS failure for westus3.data.mcr.microsoft.com persists even when we temporarily added an NSG rule to allow ALL outbound traffic (protocol: *, destination: Internet). This strongly suggests the issue is not the NSG configuration itself.

Question:

Has anyone else experienced similar ACA Environment deployment timeouts in West US 3 (or potentially other regions) recently? Specifically, has anyone encountered issues resolving regional MCR data endpoints like [region].data.mcr.microsoft.com from within a VNet using Azure DNS?

We suspect a potential Azure DNS issue specific to this endpoint/region/VNet context and are planning to open a support ticket, but wanted to check with the community as well.

Thanks for any insights!
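The two-stage check described in the question (name resolution first, then TCP/443), as an added example that is not part of the original post. It runs from a test VM in the VNet using the system resolver. The helper names `probe` and `triage` are hypothetical; the endpoint list comes from the question.

```python
import socket

# Endpoints named in the question; the regional MCR data endpoint is the one that failed.
ENDPOINTS = ["management.azure.com", "login.microsoftonline.com",
             "mcr.microsoft.com", "westus3.data.mcr.microsoft.com"]

def resolve(host):
    """Resolve through the system resolver and return the unique addresses."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def tcp_connect(ip, port=443, timeout=5.0):
    """Attempt a TCP handshake; raises OSError on refusal or timeout."""
    with socket.create_connection((ip, port), timeout=timeout):
        return True

def probe(host, resolver=resolve, connector=tcp_connect):
    """Classify one endpoint as DNS_FAIL, TCP_FAIL or OK, keeping the stages separate."""
    try:
        addrs = resolver(host)
        if not addrs:
            raise socket.gaierror("empty answer")
    except socket.gaierror as exc:
        return {"host": host, "status": "DNS_FAIL", "detail": str(exc)}
    last = ""
    for ip in addrs:
        try:
            connector(ip)
            return {"host": host, "status": "OK", "detail": ip}
        except OSError as exc:
            last = f"{ip}: {exc}"
    return {"host": host, "status": "TCP_FAIL", "detail": last}

def triage(results):
    """Summarise: a name that fails at DNS never reached the TCP/443 stage."""
    dns = [r["host"] for r in results if r["status"] == "DNS_FAIL"]
    tcp = [r["host"] for r in results if r["status"] == "TCP_FAIL"]
    if tcp:
        return "tcp-blocked", tcp
    if dns:
        return "dns-only", dns
    return "healthy", []

if __name__ == "__main__":
    results = [probe(h) for h in ENDPOINTS]
    for r in results:
        print(f"{r['status']:8} {r['host']}  {r['detail']}")
    print(triage(results))
```

A `dns-only` result that lists just the regional data endpoint matches the pattern reported in the question.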


1 answer

  1. Shireesha Eeraboina 2,825 Reputation points Microsoft External Staff Moderator
    2025-04-24T04:17:12+00:00

    Hi Robert Dudus,

    Thank you for your patience and for sharing your feedback on the Q&A community platform. I’m glad to hear that you were able to resolve your issue, and I appreciate you sharing your solution! Your contribution is valuable and can help others in the community facing similar challenges.

    As per the Microsoft Q&A community policy, "The question author cannot accept their own answer. They can only accept answers by others."

    I’m reposting your solution here so you can mark it as accepted if it resolves your query:

    "A deployment issue that might have been temporary. They added the following to their template, which may have helped fix it:

    
    workloadProfiles: [
      {
        name: 'Consumption'
        workloadProfileType: 'Consumption'
      }
    ]
    

    After this change, the deployment started working correctly".

    Thank you again for your time and patience throughout this issue.

    Please don’t forget to Accept Answer and Yes for "was this answer helpful" wherever the information provided helps you; this can be beneficial to other community members.
