Communicate between App Services having VNet routing
I have two App Services (A & B) that live in separate subscriptions (1 & 2) as they should be logically separated. Both these App Services have separate VNet integrations to communicate with their private resources.
App Service A is a publicly accessible website.
App Service B communicates with App Service X through this VNet integration. App Service X must not be exposed to the public. So on App Service B the VNet routing table includes "Microsoft.Web", which means that traffic to App Services uses the VNet routing.
App Service B also needs to communicate with App Service A. As these App Services are logically separated, they must not have their VNets integrated. The communication between B and A should happen over the public endpoint.
The problem I'm having is that having "Microsoft.Web" in the routing table, App Service B cannot communicate with App Service A. The log table AppServiceIPSecAuditLogs has the following error:
Traffic was received via service tunneling but no private link identifier was provided.
Turning off "Microsoft.Web" in the routing table and B cannot communicate with App Service X.
How can I setup the networking configuration to achieve the separation that I want?