With Private Link enabled, I still get 403 (Forbidden). Why am I not getting 404 (when accessed from outside)?

Mathew James 316 Reputation points
2022-09-26T10:20:13.253+00:00

Hi Everyone -

We have an internal application for a large enterprise, and we have used App Service and enabled private endpoints. Things looked good, as we are able to access it from inside, and when it is accessed from outside we got 403 Forbidden.

Although we thought this was fine, our security team indicated that with a 403 Forbidden, one is still able to hit it from outside (public), although the page is not served. They are looking for something like a 404 or page-not-found kind of error if it is hit from outside.

Any thoughts on how to completely secure this?

Or, with 403 Forbidden, is it completely secure?

We are planning for Azure Front Door with Premium and, if required, App Gateway etc. But a direct hit to the App Service URL is the issue.

Any thoughts? Appreciate your help.

Thanks & Regards
-Mathew James


Accepted answer
  1. Priya Kumar 1,096 Reputation points Microsoft Employee
    2022-09-27T06:13:47.25+00:00

    @Mathew James Thanks for the response.

    • Basically, this would be the DNS resolution when you try to access the page from outside, over the public Internet:
    [Image: 245032-image.png]

    • By default, when you enable Private Endpoints to your Web App, you disable all public access.
    • The access restrictions configuration of a Web App isn't evaluated for traffic through the Private Endpoint. So even if you set up the “Access Restriction” with source 0.0.0.0/0, the web app throws 403, but it evaluates the traffic even before it hits the hosted application.
    [Image: 245054-image.png]

    • By setting up access restrictions, you can define a priority-ordered allow/deny list that controls network access to your app.
    • When a request is made to your app, the FROM address is evaluated against the rules in your access restriction list. If the FROM address is in a subnet that's configured with service endpoints to Microsoft.Web, the source subnet is compared against the virtual network rules in your access restriction list. If the address isn't allowed access based on the rules in the list, the service replies with an HTTP 403 status code.
    • Considering that the public IP address, for example 40.122.110.154, is an Azure IP address, the Basic Azure DDoS plan is enabled by default on all public IPs. But it's not available for PaaS services. Hence you can't use DDoS protection for the App Service IP address. https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-faq#can-i-protect-my-paas-resources-using-ddos-protection-
    • Or, for further security concerns, you could have a Front Door or App Gateway in front of this App Service and have a WAF enabled.
    • Please visit: Azure DDoS Protection reference architectures | Microsoft Learn.


1 additional answer

  1. Priya Kumar 1,096 Reputation points Microsoft Employee
    2022-09-27T04:34:35.997+00:00

    404 page not found: this error comes from the site and not the server. A 404 is an HTTP status code that means you’re able to communicate with the server, but the server can’t find the specific page.

    (This is answered by the Application Gateway: whenever you send a request on the custom host header, it does not accept it, as there is no listener configured on it; hence it sends a 404 Not Found error.)

    403 forbidden: These appear when the user does not have the necessary permissions to access a page, such as a log-in or a digital authentication.

    (When accessing the App Service, the request goes as far as the App Service, but the firewall blocks any of the Internet traffic, since we have enabled the Private Endpoint connectivity. So you do not have access via the public IP.) The expected answer is 403.

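
The evaluation order described in the accepted answer, and the 403-versus-404 distinction from the additional answer, as a simplified Python model. This is an added example, not code from the thread or from Azure; `Rule`, `front_end_allows`, `handle`, the route set and all IP addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Simplified model (an assumption, not Azure's implementation) of where the
# status code is produced: at the platform front end or in the application.

@dataclass(frozen=True)
class Rule:
    priority: int   # lower number is evaluated first
    action: str     # "Allow" or "Deny"
    cidr: str       # source range, e.g. "198.51.100.0/24"

def front_end_allows(source_ip, rules, via_private_endpoint, public_access_enabled):
    """Decide before any application code runs."""
    if via_private_endpoint:
        return True    # access restrictions are not evaluated on this path
    if not public_access_enabled:
        return False   # private endpoint in use: public access is disabled
    if not rules:
        return True    # no restriction list configured
    addr = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if addr in ipaddress.ip_network(rule.cidr):
            return rule.action == "Allow"   # first match by priority wins
    return False       # a list exists but nothing matched: implicit deny

APP_ROUTES = {"/", "/health"}   # constructed routes of the hosted application

def handle(source_ip, path, rules=(), via_private_endpoint=False,
           public_access_enabled=True):
    """Return the HTTP status the client sees in this model."""
    if not front_end_allows(source_ip, rules, via_private_endpoint,
                            public_access_enabled):
        return 403     # answered by the service; the app never sees the request
    return 200 if path in APP_ROUTES else 404   # only the app can answer 404

if __name__ == "__main__":
    deny_all = [Rule(100, "Deny", "0.0.0.0/0")]
    # Constructed clients: 203.0.113.10 is public, 10.0.1.4 is inside the VNet.
    print(handle("203.0.113.10", "/", deny_all, public_access_enabled=False))
    print(handle("10.0.1.4", "/", deny_all, True, False))
    print(handle("10.0.1.4", "/missing", deny_all, True, False))
```

In this model a 404 is only reachable after the front end has let the request through, which is why a public client blocked at the front end sees 403 for every path.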