Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
Your observation is incorrect.
- A Private Endpoint can only provide inbound connectivity from a VNET (or other peered VNETs) to a PaaS service - in your case, the App Service.
- i.e., Private EndPoint cannot initiate/make an outbound connection, only accept/receive incoming traffic/connection.
- So, having two Private EndPoints of two App Services does not mean they will be able to communicate with each other over private network (VNET).
Instead,
- From your verbatim, "The front end app needs to be able to query and pull data from the private API web app, the way it's coded, it is currently pointed at the API web app services FQDN" - I take it that the front end app requires public access and should make a private connection to the API web app (backend app).
i.e., the front end app makes an outbound call - you should consider VNET Integration for the front end app and a Private Endpoint for the backend app.
- Here, VNET Integration supports the outbound call (within the VNET) for the front end and the PE supports the incoming connection (within the VNET) for the backend.
The above is for private communication between the front end app and the backend app in a unidirectional way.
- Should you be fine with both apps being public, you may simply whitelist the outbound IPs used by the front end app in the backend app's Access Restrictions.
- Make sure to set the "Unmatched rule" to "Deny".
- This way, only the front end app can access the backend app publicly.
Hope this helps.
Cheers,
Kapil
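The two options in the answer above, scripted with the Azure CLI. This is an added example, not part of the original answer or of Microsoft's documentation. Resource group, app, VNet and subnet names are placeholders passed as arguments. Option 1 adds VNet Integration to the front end and a Private Endpoint to the backend, plus the privatelink DNS zone, so the backend FQDN the front end already uses resolves to the private IP from inside the VNet. Option 2 allowlists the front end's outbound IPs on the backend and sets the unmatched rule to Deny. Set AZ=echo to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: wires up App Service front end -> backend connectivity with the Azure CLI.
# Placeholders only; set AZ=echo for a dry run that prints the commands.
set -eu

AZ=${AZ:-az}

# Option 1: private path. Front end gets regional VNet Integration (outbound into the VNet),
# backend gets a Private Endpoint (inbound from the VNet). The privatelink DNS zone is what
# makes the backend's existing *.azurewebsites.net FQDN resolve to the private IP.
configure_private_path() {
  rg=$1; front=$2; back=$3; vnet=$4; int_subnet=$5; pe_subnet=$6
  back_id=$($AZ webapp show --resource-group "$rg" --name "$back" --query id -o tsv)

  # Integration subnet must be dedicated to App Service (delegated to Microsoft.Web/serverFarms).
  $AZ webapp vnet-integration add --resource-group "$rg" --name "$front" \
      --vnet "$vnet" --subnet "$int_subnet"
  # Route all outbound traffic (and DNS lookups) through the VNet; older apps may still have this off.
  $AZ webapp config set --resource-group "$rg" --name "$front" --vnet-route-all-enabled true

  # group-id "sites" is the Private Link sub-resource for a Web App.
  $AZ network private-endpoint create --resource-group "$rg" --name "pe-$back" \
      --vnet-name "$vnet" --subnet "$pe_subnet" \
      --private-connection-resource-id "$back_id" --group-id sites \
      --connection-name "pe-$back-conn"

  # DNS: without this zone the front end keeps resolving the backend's public IP.
  $AZ network private-dns zone create --resource-group "$rg" --name privatelink.azurewebsites.net
  $AZ network private-dns link vnet create --resource-group "$rg" \
      --zone-name privatelink.azurewebsites.net --name "link-$vnet" \
      --virtual-network "$vnet" --registration-enabled false
  $AZ network private-endpoint dns-zone-group create --resource-group "$rg" \
      --endpoint-name "pe-$back" --name default \
      --private-dns-zone privatelink.azurewebsites.net --zone-name sites
}

# Turn a comma-separated IP list (the format `az webapp show --query possibleOutboundIpAddresses
# -o tsv` returns) into "<priority> <cidr>" lines; bare IPs become /32, CIDRs pass through.
ip_allow_rules() {
  prio=${2:-100}
  printf '%s\n' "$1" | tr ',' '\n' | while read -r ip; do
    [ -n "$ip" ] || continue
    case "$ip" in */*) cidr=$ip ;; *) cidr="$ip/32" ;; esac
    printf '%s %s\n' "$prio" "$cidr"
    prio=$((prio + 1))
  done
}

# Option 2: both apps stay public; only the front end's outbound IPs may reach the backend.
# possibleOutboundIpAddresses is used rather than outboundIpAddresses: the latter lists only the
# addresses in use right now, and the set changes when the app scales or changes plan.
configure_public_allowlist() {
  rg=$1; front=$2; back=$3
  ips=$($AZ webapp show --resource-group "$rg" --name "$front" \
          --query possibleOutboundIpAddresses -o tsv)
  ip_allow_rules "$ips" | while read -r prio cidr; do
    $AZ webapp config access-restriction add --resource-group "$rg" --name "$back" \
        --rule-name "allow-$front-$prio" --action Allow \
        --ip-address "$cidr" --priority "$prio" < /dev/null
  done
  # The portal's "Unmatched rule": anything not matched by the Allow rules above is denied.
  $AZ webapp config access-restriction set --resource-group "$rg" --name "$back" \
      --default-action Deny
}

# Usage: ./script.sh private RG FRONT BACK VNET INT_SUBNET PE_SUBNET
#        ./script.sh public  RG FRONT BACK
if [ "${1:-}" = "private" ]; then configure_private_path "$2" "$3" "$4" "$5" "$6" "$7"; fi
if [ "${1:-}" = "public" ]; then configure_public_allowlist "$2" "$3" "$4"; fi
```

After Option 1, check from the front end's console (Kudu) that `nslookup <backend>.azurewebsites.net` returns the Private Endpoint's address; if it still returns a public IP, the DNS zone link or route-all setting is the usual cause. Option 2 is IP-based only: anything else sharing those outbound IPs (other apps on the same App Service plan) is also allowed through, which is why the private path is the stronger choice.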