Unable to access Static Web App through VPN Peering with Virtual Network Gateway

Kenny Wong (HK) 20 Reputation points
2024-05-13T11:08:55.9433333+00:00

I have set up private endpoints for my Azure Static Web App and also a Virtual Network Gateway connecting to an on-premises network.


The status shown on the Connection page is Connected.


I can access the Static Web App from my jumphost within the same virtual network.

But when I tried to access my Static Web App from within the on-premises network, I got 403 Forbidden. I don't have an IP whitelist in staticwebappconfig.json.



2 answers

  1. Marcin Policht 15,620 Reputation points MVP
    2024-05-13T12:38:04.7633333+00:00

    Start by checking the name resolution from on-premises. Verify that the name of the web app resolves from the on-premises system you are using to a private IP address, not the public one assigned to the web app.

    Your on-premises DNS servers must be configured specifically to resolve private Azure DNS zones to support connectivity via private endpoints.

    Details at https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns-integration and at https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin


  2. SnehaAgrawal-MSFT 19,436 Reputation points
    2024-05-21T13:31:00.81+00:00

    @Kenny Wong (HK) Thanks for reaching here!

    To elaborate here:

    If your app has a private endpoint enabled, the server responds with a 403 status code if the request comes from a public IP address.

    This behavior applies to both the production environment as well as any staging environments. The only way to reach the app is to use the private endpoint deployed within your VNet.

    The default DNS resolution of the static web app still exists and routes to a public IP address. The private endpoint exposes 2 IP Addresses within your VNet, one for the production environment and one for any staging environments.

    To ensure your client is able to reach the app correctly, make sure your client resolves the hostname of the app to the appropriate IP address of the private endpoint.

    This is required for the default hostname as well as any custom domains configured for the static web app. This resolution is done automatically if you select a private DNS zone when creating the private endpoint (see example below) and is the recommended solution.

    If you are connecting from on-prem or do not wish to use a private DNS zone, manually configure the DNS records for your application so that requests are routed to the appropriate IP address of the private endpoint.

    You can find more information on private endpoint DNS resolution here.

    Reference: Configure private endpoint in Azure Static Web Apps

    Hope this helps.

    Please let us know if any further query or issue remains.

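Both answers reduce to one check: from the on-premises client, the app's hostname must resolve to the private endpoint's private address, not the public address from the default DNS zone. The script below is an added example (not code from either answer or from Microsoft) that classifies what a resolver returns and maps it to the likely cause of the 403; the hostname and the addresses in SAMPLE_LOOKUPS are constructed placeholders.

```python
import ipaddress
import socket

# Placeholder hostname: substitute the app's default hostname or custom domain.
APP_HOSTNAME = "example-app.azurestaticapps.net"

# Constructed sample lookups (not real addresses): what a resolver might return
# for the app hostname from the jumphost in the VNet and from the on-prem client.
SAMPLE_LOOKUPS = {
    "jumphost": ["10.10.1.4"],     # private endpoint NIC address inside the VNet
    "on-prem":  ["20.30.40.50"],   # public address from the default DNS zone
}

def classify_addresses(addresses):
    """'private' if every address is non-global (RFC 1918 / ULA), 'public' if
    every address is globally routable, 'mixed' otherwise, 'none' if empty."""
    if not addresses:
        return "none"
    kinds = {"private" if ipaddress.ip_address(a).is_private else "public"
             for a in addresses}
    return kinds.pop() if len(kinds) == 1 else "mixed"

def diagnose(hostname, addresses):
    """Map a resolver result to a status code and a human-readable explanation."""
    kind = classify_addresses(addresses)
    if kind == "private":
        return "ok", (f"{hostname} resolves to private endpoint address(es) {addresses}; "
                      "a 403 from here is not a DNS problem")
    if kind == "public":
        return "public-dns", (f"{hostname} resolves to public address(es) {addresses}; the app "
                              "rejects requests arriving from public IPs with 403. Make the on-prem "
                              "resolver return the private endpoint address (private DNS zone "
                              "forwarding, or a manual record)")
    if kind == "mixed":
        return "mixed", (f"{hostname} returns both private and public addresses {addresses}; "
                         "clients may pick the public one intermittently, so remove the public record")
    return "no-answer", f"{hostname} did not resolve; check the on-prem resolver's forwarding"

def resolve(hostname, port=443):
    """Live lookup using this machine's configured resolver (run on the on-prem client)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(hostname, port)})
    except socket.gaierror:
        return []

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(diagnose(sys.argv[1], resolve(sys.argv[1])))
    else:
        for vantage, addrs in SAMPLE_LOOKUPS.items():
            print(vantage, diagnose(APP_HOSTNAME, addrs))
```

Run it with the app hostname as the first argument on the on-premises machine; the production and staging private endpoint addresses are both expected to fall in the VNet's private range.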