How to access an app service present in VNet, from another app service available publicly

Satyam Chauhan 607 Reputation points
2023-03-28T10:12:36.01+00:00

Hi,

We have a backend API running on an Azure App Service, and that app service is in a Virtual Network. To make this API accessible only from the VNet, in the inbound of the backend app service we have enabled access only to the traffic coming from the VNet.

Similarly, there is another app service (NOT inside the VNet) hosting the frontend, which needs to connect with the backend app service. So, in the outbound of this app service we have done the VNet integration. But, the frontend app service is not able to connect with the backend app service. Receiving error: 403 IP Forbidden.

Please let me know, how to resolve this.


2 answers

  1. ajkuma 28,036 Reputation points Microsoft Employee Moderator
    2023-03-29T19:37:59.92+00:00

    @Satyam Chauhan, just checking whether you have had a chance to see the previous response by siwibowo.

    Based on the issue description, I understand you have integrated your frontend App Service with the VNet. To connect to the backend app service, you need to ensure that the outbound traffic from the frontend App Service is allowed to the VNet.

    If you haven’t already, you may use Network Security Groups (NSGs) to block outbound traffic with an NSG that's placed on your integration subnet. You may also place a route table on the integration subnet to send outbound traffic where you want.

    Additionally, you may check if the private endpoint is configured correctly for the backend app service. If you have enabled private endpoints to your app, ensure that public network access is disabled to ensure isolation.


    If the issue persists, kindly check the logs of the backend App Service to see if there are any specific errors to fetch additional info.
    --Troubleshooting

    Please check this doc if you’re looking at a similar architecture: Web app private connectivity to Azure SQL Database


  2. Silvia Wibowo 6,046 Reputation points Microsoft Employee Volunteer Moderator
    2023-03-30T20:55:04.9266667+00:00

    If I understand correctly from your comment:

    • Back-end App Service: not hosted in an App Service Environment, no private endpoint configured. Using VNet-based access restriction.
    • Front-end App Service: VNet integration.

    Result: Front-end App Service cannot reach Back-end App Service.

    Your Back-end App Service is using a public endpoint, which means your Front-end App Service needs to use a public IP address (its own or a NAT Gateway) to reach the Back-end App Service.

    You have 2 options:

    1. If you want the Front-end App Service to reach the Back-end App Service using a private IP address, you need to create a Service Endpoint or a Private Endpoint for the Back-end App Service. With a Service Endpoint, your Back-end App Service is still using a public endpoint, but it recognizes private IP addresses from the VNet. With a Private Endpoint, you can disable the public endpoint, and connections are only allowed from the private endpoint.
    2. If you want the Front-end App Service to reach the Back-end App Service using a public IP address, you need to allow the public IP addresses of the Front-end App Service (used for outbound) in the access restrictions of the Back-end App Service. You don't need VNet integration for the Front-end App Service.
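As an added example that is not part of Silvia Wibowo's answer, the script below emits the Azure CLI commands for both options: one `/32` allow rule per front-end outbound address (option 2), or a single rule for the front end's integration subnet (option 1). The resource group and app names are placeholders, and the IP list used in dry-run mode is a constructed sample.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Generates the Azure CLI commands that
# implement the two options above on the back-end's access restrictions.
# Placeholders: RG, FRONTEND, BACKEND. DRY_RUN=1 (default) only prints commands;
# DRY_RUN=0 needs a logged-in Azure CLI and actually applies them.
set -eu

RG="${RG:-my-rg}"                       # placeholder resource group
FRONTEND="${FRONTEND:-frontend-app}"    # placeholder front-end app name
BACKEND="${BACKEND:-backend-app}"       # placeholder back-end app name
DRY_RUN="${DRY_RUN:-1}"

# Option 2: one Allow rule per front-end outbound address, each at /32.
# $1 is the comma-separated list returned by `az webapp show --query
# possibleOutboundIpAddresses -o tsv`; $2 is the first priority. The
# "possible" list is used so the rules survive scaling to other workers.
build_allow_rules() {
  ip_list=$1
  prio=${2:-100}
  printf '%s\n' "$ip_list" | tr ',' '\n' | while IFS= read -r ip; do
    [ -n "$ip" ] || continue
    printf 'az webapp config access-restriction add -g %s -n %s --rule-name allow-frontend-%s --action Allow --ip-address %s/32 --priority %s\n' \
      "$RG" "$BACKEND" "$(printf '%s' "$ip" | tr '.' '-')" "$ip" "$prio"
    prio=$((prio + 1))
  done
}

# Option 1: a single Allow rule for the front end's VNet integration subnet
# ($1 = VNet name, $2 = subnet name, $3 = priority). Needs the Microsoft.Web
# service endpoint on that subnet; the rule then matches the subnet instead
# of a set of public IPs that are shared with other tenants on the stamp.
build_subnet_rule() {
  printf 'az webapp config access-restriction add -g %s -n %s --rule-name allow-frontend-subnet --action Allow --vnet-name %s --subnet %s --priority %s\n' \
    "$RG" "$BACKEND" "$1" "$2" "${3:-100}"
}

run_or_print() {            # execute each generated command, or just show it
  while IFS= read -r cmd; do
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$cmd"; else eval "$cmd"; fi
  done
}

if [ "$DRY_RUN" = 1 ]; then
  ips="203.0.113.10,203.0.113.11"      # constructed sample (TEST-NET-3 range)
else
  ips=$(az webapp show -g "$RG" -n "$FRONTEND" --query possibleOutboundIpAddresses -o tsv)
fi
build_allow_rules "$ips" 100 | run_or_print
```

Run `build_subnet_rule <vnet> <subnet> <priority> | run_or_print` instead of the last line when choosing option 1; in either case a Deny-all default applies once the first Allow rule exists.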
