Azure Automation Account - PowerShell Script - Invoke web requests against restricted resources - Networking allow rule

Octavian Mocanu 0 Reputation points
2023-07-11T09:16:41.91+00:00

Hello,

I have an Automation Account that has a runbook with a PowerShell script.

The PowerShell script invokes web requests against a Web API hosted as an Azure App Service in the same resource group.

Because the Web API has access restriction enabled, requests fail with a 403 status code.

I tried to create an access rule on Web API using service tag "GuestAndHybridManagement" - same 403 response status code.

Creating a Web API access rule with all possible Azure Automation account worker IP’s is not a convenient solution.

Can you suggest me a solution to make successful requests from the PowerShell script of an Azure Automation Account?

Thanks,

Octavian

Azure Automation
Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.
1,075 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,282 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
6,532 questions
{count} votes

1 answer

Sort by: Most helpful
  1. AnuragSingh-MSFT 18,666 Reputation points
    2023-07-18T08:38:24.4666667+00:00

    @Octavian Mocanu , thank you for the question.

    Note note that the GuestAndHybridManagement tag is used for Update Management and Change tracking using Azure Automation, and not for runbook worker or runbook execution.

    Also, as mentioned in the article here - Runbook execution environment

    Enabling the Azure Firewall on Azure Storage, Azure Key Vault, or Azure SQL blocks access from Azure Automation runbooks for those services. Access will be blocked even when the firewall exception to allow trusted Microsoft services is enabled, as Automation isn't a part of the trusted services list. With an enabled firewall, access can only be made by using a Hybrid Runbook Worker and a virtual network service endpoint. .

    Based on these details, you may use Hybrid Runbook Worker (where the runbooks would execute, instead of Azure Automation Sandbox) so that you have a limited set of IP addresses which needs to be added to allow list on Azure App Service.

    Hope this helps.

    If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.

    0 comments No comments