Can you override service endpoints' use of IPv6?

Jessica Espada 20 Reputation points
2024-11-13T21:48:00.48+00:00

Hello,

I don't think it is possible, since it defeats the purpose of using a service endpoint, but is there a way to override the use of the Azure assigned IPv6 IP when Microsoft.web service endpoint is enabled?

Having Microsoft.web service endpoint enabled causes a 403 error because it switches to an Azure backend assigned IPv6 address. We read you can use a NAT gateway to work around this but it doesn't work. It still uses the IPv6 address and not the NAT gateway. Is there a way to force it to stop using the IPv6 address? For now we have just disabled Microsoft.web.


Accepted answer
  1. Ganesh Patapati 2,050 Reputation points Microsoft Vendor
    2024-11-14T13:56:18.5066667+00:00

    Hi Jessica Espada,

    Greetings!

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    NOTE: Yes, you are correct. If the Web App is VNET integrated with a subnet that has the Microsoft.Web Service Endpoint enabled, then this behavior is expected. It is by design that when the Microsoft.Web endpoint is enabled, the normal IPv4 outbound IP is no longer used. Instead, any communications will go through special tunneling using IPv6 outbound.

    Refer: https://learn.microsoft.com/en-us/answers/questions/493483/why-is-my-azure-web-app-showing-an-ipv6-outbound-i

    This can indeed cause issues like the 403 error you're experiencing.

    Refer: https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/ad-dmn-services/azure-ad-ipv6-support

    1. This means that even if you use a NAT gateway, it might not resolve the issue because the service endpoint will still attempt to use the IPv6 address.
    2. Given the limitations and the design of the service endpoints, it might be best to continue with your current approach of disabling the Microsoft.Web service endpoint if it is causing significant issues.

    As this is something which is not supported, we encourage customers to create a feedback item for this request on the feedback forum.

    Feedback forum: https://feedback.azure.com/d365community


    Hope this clarifies,

    If the above is unclear and/or you are unsure about something, add a comment below.

    Thanks

    Ganesh

    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

