Using Azure App Service Deployment Slots with Private Endpoint

Question

Using Azure App Service Deployment Slots with Private Endpoint

Brian Shipe 36

Seeking some advice on how to solve an issue using Azure App Service Deployment slots and Private Endpoint.

We have deployed an internal Line of Business application in Azure App Service. We want to keep this application completely private and allow connections only to / from the internal on-Premise subnet. The Production Deployment slot is working fine using Site to Site VPN > VNET > Private Endpoint.

The problem is with the Non-Production Deployment slots. We're unable to configure a Private Endpoint for those slots (seems like this is by design?).
Therefore the application in a UAT slot (for example) isn't able to access the internal resources for appropriate validation.

Would love some advice on how to solve this challenge.

Hybrid Connection to internal Resources
A separate App Service Plan for Non-Production Environments
Would ASE solve the issue? (cost prohibitive at the moment)
Allow access to internal resources from WAN and control by Firewall Access Rules (whitelist)

Accepted answer

1 additional answer

Your answer

Answer 1

Ericg-MSFT 86 Microsoft Employee Moderator

Hello, If I well understand your question, your UAT environment must be able to consume internal resources, in that case the solution is VNet integration, nothing to deal with Private Endpoint (this feature is only for consumption of the service). And you can use VNet integration with slots.
Yes today you cannot plug Private Endpoint on slots, but it's just that you cannot consume the web app in slots from the private IP.
If your question is also to have access to UAT from onprem through your S2S VPN, you can use another web app on the same plan instead of slot.

Anand Aili 11 Reputation points

2020-11-25T07:51:39.427+00:00

Hi @Ericg-MSFT ,

we are designing a blue-green deployment using App Services deployment slots, so we use a staging slot for verification/testing, and then we initialise swapping slots. And we are able to do this without an outage.

And on the other hand, we are trying to set up a Private Endpoint to the web app and its successful. But it's applied to only production slots, not staging slots, So we were looking options to setup Private Endpoints for slots as well. After this setup below is the result:
mywebapp.azurewebsites.net?x-ms-routing-name=self --> success
mywebapp.azurewebsites.net?x-ms-routing-name=staging --> 403 Forbidden

Here we found that Private Endpoints are not supported for Slots: https://learn.microsoft.com/en-us/azure/app-service/networking/private-endpoint

can you suggest on this and Is there any plans to enable Private endpoints for slots as well?
SvenGlöckner 446 Reputation points

2023-03-08T14:32:57.6133333+00:00

Hi @Ericg-MSFT

Do I get it correctly, you say private endpoint cannot be used by deployment slot?

I'm not sure if this still true today because I was able to successfully create a private endpoint on a slot and also the connection is possible by using private link.

Answer 2

Timothy George 0

Yeah, probably

Share via

Using Azure App Service Deployment Slots with Private Endpoint

1 additional answer

Your answer