We have our Azure AD B2C custom policy that uses a utilities hosted as a Web App locked inside a VNET. We are not yet there in a position to validate, but curious to know whether it would work beforehand? Is it supported that Azure AD B2C custom policy when refers or make a call to an App service inside a VNET, would really work? If not, or yes, in either cases, what must be taken into consideration?

@Rishi Verma • Thank you for reaching out. Unfortunately, if the Web App can only be accessed via routing the request through VNet, you will not be able to call that web app/API via B2C. I assume that the B2C custom policy will make a REST call to the Web App via RESTful technical profile, in case of which the request is directly made via the internet and the API must be publicly accessible. You will have to secure the API by implementing authentication for API. You can then acquire the token via RESTful TP as mentioned in this XML snippet and pass that token in the authorization header to call the API. ----------------------------------------------------------------------------------------------------------- Please " Accept the answer " if the information helped you. This will help us and others in the community as well.

Is it possible to make a call to an azure app service inside a vnet from azure ad b2c ?

Accepted answer

AmanpreetSingh-MSFT 56,306 Reputation points

2022-01-27T09:38:12.013+00:00

@Rishi Verma • Thank you for reaching out.

Unfortunately, if the Web App can only be accessed via routing the request through VNet, you will not be able to call that web app/API via B2C. I assume that the B2C custom policy will make a REST call to the Web App via RESTful technical profile, in case of which the request is directly made via the internet and the API must be publicly accessible. You will have to secure the API by implementing authentication for API. You can then acquire the token via RESTful TP as mentioned in this XML snippet and pass that token in the authorization header to call the API.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Rishi Verma 126 Reputation points

2022-01-28T14:37:43.887+00:00

@AmanpreetSingh-MSFT Thanks for your clarification on this question. I missed to add one note, not sure if it changes anything to what you said- that we have Azure Front door which will route the traffic/calls from B2C--> Frontdoor--> routingrule/Backendpool--> ASE (Inside VNET). And yes currently the custom policy is setup to make a REST call to API and authentication with bearer token. With this app service/api being made available via Frontdoor, would B2C be able to make calls to api/app service?

AmanpreetSingh-MSFT 56,306 Reputation points

2022-01-31T10:00:40.093+00:00

@Rishi Verma • I have not tested it out but It should work with below-mentioned setup:

B2C--> Frontdoor--> routingrule/Backendpool--> Application Gateway -->Backendpool --> ASE (Inside VNET)

You need to add App Gateway as Front Door cannot directly route within a virtual network, as documented here

Can Azure Front Door load balance or route traffic within a virtual network?
Azure Front Door (AFD) requires a public IP or publicly resolvable DNS name to route traffic. So, the answer is no AFD directly cannot route within a virtual network, but using an Application Gateway or Azure Load Balancer in between will solve this scenario.

Rishi Verma 126 Reputation points

2022-01-31T10:45:33.993+00:00

Thanks @AmanpreetSingh-MSFT - Yes we do have an ILB (Application Gateway) after Frontdoor to route traffic inside VNET.
Thanks once again for all the clarifications.
Sign in to comment

Is it possible to make a call to an azure app service inside a vnet from azure ad b2c ?

0 additional answers