What is the minimum access needed in Networking > Access Restrictions > Advanced Tool Site to allow the Azure Portal access to manage WebJobs? Getting an error unless I allow all traffic which has security implications

Robert Shattock 16 Reputation points
2023-10-06T04:21:57.7366667+00:00

What is the minimum access needed in Azure Portal > Networking > Access Restrictions > Advanced Tool Site to allow the Azure Portal access to manage WebJobs?

I'm getting an error "The scm site for your app is blocked. In order to use webjobs you must allow traffic to the advanced tool site." unless I allow all traffic which has security implications (I want to deny all traffic except required)

The error message when you don't allow all access has a link https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions?tabs=azurecli#manage-access-restriction-rules-in-the-portal to a generic page on access restrictions but nothing specific to this issue.

I want to know specifically how to allow webjobs to be managed (view logs & run) in the Azure Portal without allowing all traffic access to the SCM site. Is there a service tag? I tried Deny All except 0.0.0.0/0 but that didn't work. Also tried allowing the service tag AzurePortal and AzureCloud ... none of those worked.

My WebJobs still run ok, I just can't manage them via the portal unless I allow all access to the advanced tool site.

Look forward to some insights to what I thought would be a common issue.

Is it just not standard to try and restrict access to the SCM site and potentially any configuration secrets? (yes, should be using Azure Key Vault etc but I'm not currently).

Azure App Service

1 answer

  1. Robert Shattock 16 Reputation points
    2023-11-02T23:01:22.4+00:00

    @Grmacjon-MSFT @Dirk385

    Microsoft have updated the Azure portal functionality since I posted my question to fix their mistake. In WebJobs if you have access restrictions specified for the Advanced Tool Site (SCM) the WebJob page will now have a warning of:

    "Traffic to the SCM on your app is blocked. To ensure the success of web job commands, you must either set the default unmatched rule to 'Allow' or add an 'Allow' rule for your IP address in the Advanced Tool Site section of Access restrictions"

    instead of:

    "The scm site for your app is blocked. In order to use webjobs you must allow traffic to the advanced tool site."

    The Logs/Run/Delete/Add buttons were previously being disabled by the change a month ago but now they are all enabled. If you haven't added an IP access restriction for the IP address you access the browser from then the Run and Delete buttons work fine but Logs doesn't (because it redirects to the SCM site, which, since you've blocked access to it, won't load). "Add" looks like it has worked but never completes in the background.

    So it's good to see Microsoft have addressed the mistake - I still think the part about "To ensure the success of web job commands" is misleading and may result in users thinking they need to allow access for the WebJobs to run - the message I think is just referring to the Azure portal invoking commands to the WebJobs, specifically Log and Add.

    So to be clear, in answer to "What is the minimum access needed in Networking > Access Restrictions > Advanced Tool Site to allow the Azure Portal access to manage WebJobs?" - the answer is now you don't need to allow any access to the Advanced Tool Site unless you want to view the Logs or Add a new WebJob via the portal - if you want to do those things via the portal the minimum access you'll need is to add an "Allow" rule for your IP address and deny all other traffic. You can check your IP address via a site like: https://whatismyipaddress.com/

    1 person found this answer helpful.
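
The rule set the answer describes (one Allow rule for your own IP on the Advanced Tool Site, everything else denied), as an added Azure CLI example that is not part of the original thread. The resource group, app name, rule name and IP address are placeholders, and `--scm-default-action` assumes a recent Azure CLI version; the script only prints the commands so they can be reviewed before being run.

```shell
#!/bin/sh
# Added example: print the az commands that restrict the SCM (Advanced Tool) site
# to a single admin IPv4 address. All names below are placeholders.

# Return 0 only for a dotted-quad IPv4 address with each octet in 0..255.
# Rejects CIDR input such as 0.0.0.0/0 so a wide range cannot slip in by accident.
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1            # split on dots; input is digits and dots only at this point
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Usage: scm_lockdown_cmds <resource-group> <app-name> <admin-ipv4>
scm_lockdown_cmds() {
  rg=$1 app=$2 ip=$3
  is_ipv4 "$ip" || { echo "not a single IPv4 address: $ip" >&2; return 1; }
  cat <<EOF
az webapp config access-restriction set -g "$rg" -n "$app" --use-same-restrictions-for-scm-site false --scm-default-action Deny
az webapp config access-restriction add -g "$rg" -n "$app" --scm-site true --rule-name allow-admin-ip --action Allow --ip-address $ip/32 --priority 100
az webapp config access-restriction show -g "$rg" -n "$app"
EOF
}

# When called with three arguments, print the commands for review.
# Example (203.0.113.10 is a documentation address, not a real admin IP):
#   sh scm-lockdown.sh my-rg my-app 203.0.113.10
if [ $# -eq 3 ]; then
  scm_lockdown_cmds "$@"
fi
```

The final `show` command lists both the main-site and SCM rule sets, so you can confirm that only the `/32` Allow rule sits above the default Deny on the SCM side.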