Azure Automation Account - PowerShell Script - Invoke web requests against restricted resources - Networking allow rule

Question

Hello,

I have an Automation Account that has a runbook with a PowerShell script.

The PowerShell script invokes web requests against a Web API hosted as an Azure App Service in the same resource group.

Because the Web API has access restriction enabled, requests fail with a 403 status code.

I tried to create an access rule on Web API using service tag "GuestAndHybridManagement" - same 403 response status code.

Creating a Web API access rule with all possible Azure Automation account worker IP’s is not a convenient solution.

Can you suggest me a solution to make successful requests from the PowerShell script of an Azure Automation Account?

Thanks,

Octavian

Answer 1

@Octavian Mocanu , thank you for the question.

Note note that the GuestAndHybridManagement tag is used for Update Management and Change tracking using Azure Automation, and not for runbook worker or runbook execution.

Also, as mentioned in the article here - Runbook execution environment

Enabling the Azure Firewall on Azure Storage, Azure Key Vault, or Azure SQL blocks access from Azure Automation runbooks for those services. Access will be blocked even when the firewall exception to allow trusted Microsoft services is enabled, as Automation isn't a part of the trusted services list. With an enabled firewall, access can only be made by using a Hybrid Runbook Worker and a virtual network service endpoint. .

Based on these details, you may use Hybrid Runbook Worker (where the runbooks would execute, instead of Azure Automation Sandbox) so that you have a limited set of IP addresses which needs to be added to allow list on Azure App Service.

Hope this helps.

If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.