Securing app services with Vnet integration & private endpoint not working

Arvind Dige 0 Reputation points
2024-02-23T11:56:25.1933333+00:00

Hi Team, we have followed the Azure Microsoft document below to secure the communication between the frontend and backend web apps: https://learn.microsoft.com/en-us/azure/app-service/tutorial-secure-ntier-app

We are using the Premium P2V2 app service plan for this, and on a single app service plan we are running both the frontend and backend applications. But when we disable public access from the inbound traffic rule in the backend web app, it throws a 403 error code, which is as expected, but the traffic from frontend to backend will not route. I have tried to check whether the private IP assigned to the backend app gets resolved through the nslookup and tcpping commands, and both work from the SSH session of the frontend app. Kindly assist me to resolve this scenario; all our resources are in the Australia East region.


1 answer

Ryan Hill 28,011 Reputation points Microsoft Employee
2024-02-23T21:52:38.38+00:00

Hi @Arvind Dige

I'm going to refer you to Integrate your app with an Azure virtual network - Azure App Service | Microsoft Learn, section "Routing app settings". From what you've stated, it sounds like you enabled access restrictions from the internet but haven't configured vnet routing between your front end and backend. On the Access Restrictions blade, make sure an additional rule was added that allows traffic from the subnet vnet that your frontend app service is configured to.

[Screenshot of the Access Restrictions page in the Azure portal, showing the list of access restriction rules defined for the selected app.]

You could also use the Network/Connectivity troubleshooter and/or Collect a Network Trace under the Diagnose and solve problems blade to further investigate any configuration errors. Personally, even though nslookup worked from ssh, I would update your frontend app to use the private IP and see if the traffic is flowing to rule out DNS and routing. If that works, then you know you have a configuration issue somewhere. Another thing to check, for sanity's sake, is for any identity providers on the Authentication blade of the backend app service. That could also result in a 403.
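The configuration and the private-IP check described in the answer above, written out as Azure CLI calls; this is an added example, not code from the thread or from Microsoft's tutorial. The resource group, app, VNet and subnet names are placeholders passed in as arguments, and the IP given to the probe is assumed to be the backend's private endpoint address that nslookup returned.

```shell
#!/bin/sh
# Added example (not from the thread): the steps from the answer as Azure
# CLI calls. All resource names are placeholders supplied by the caller.
set -eu

# Frontend: regional VNet integration plus "route all", so outbound calls
# to the backend leave through the integration subnet rather than the
# plan's shared public outbound IPs.
enable_frontend_vnet_routing() {
  local rg=$1 app=$2 vnet=$3 subnet=$4
  az webapp vnet-integration add -g "$rg" -n "$app" --vnet "$vnet" --subnet "$subnet"
  az webapp config set -g "$rg" -n "$app" --vnet-route-all-enabled true
}

# Backend: deny inbound traffic by default, but keep an Allow rule for the
# frontend's integration subnet. Disabling public access without such a
# rule blocks the frontend as well, which is the 403 seen in the question.
restrict_backend_to_frontend_subnet() {
  local rg=$1 app=$2 vnet=$3 subnet=$4
  az webapp config access-restriction add -g "$rg" -n "$app" \
    --rule-name allow-frontend-subnet --action Allow --priority 100 \
    --vnet-name "$vnet" --subnet "$subnet"
  az webapp config access-restriction set -g "$rg" -n "$app" --default-action Deny
  # Print the resulting rule list so the Allow entry can be verified.
  az webapp config access-restriction show -g "$rg" -n "$app" -o table
}

# Diagnostic to run from the frontend's SSH session: call the backend at
# the private IP while keeping the real hostname for TLS SNI and the Host
# header. Success here with a failing hostname call points at DNS; a 403
# here points at the access restriction rules or the Authentication blade.
probe_backend_via_private_ip() {
  local host=$1 ip=$2
  curl -sS -o /dev/null -w '%{http_code}\n' --resolve "$host:443:$ip" "https://$host/"
}
```

Run the two setup functions once (frontend first), then the probe from the frontend SSH session to separate DNS problems from access restriction problems.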

