Allow access to Azure web app in one subscription to Azure web app in another subscription

Avinash Davkhar 20 Reputation points
2025-01-02T12:37:49.63+00:00

I have a web application named 'app-A' that is deployed within subscription 'A'. Additionally, I have another web application called 'app-B' deployed in subscription 'B'.

My objective is to limit access to 'app-A' so that it can only be accessed through 'app-B'.

I would appreciate your assistance in achieving this configuration.

Azure App Service

2 answers

  1. Shree Hima Bindu Maganti 1,870 Reputation points Microsoft Vendor
    2025-01-03T16:28:32.5766667+00:00

    Avinash Davkhar
    Welcome to the Microsoft Q&A Platform!
    To allow app-A to be accessed only through app-B, even though they are in different subscriptions, you can use Azure Private Link or service endpoints along with proper configuration of Azure networking and access controls.

    • VNet-A in Subscription A for app-A.
    • VNet-B in Subscription B for app-B.
    • Peer VNet-A and VNet-B to enable secure communication.
    • Create a Private Endpoint for app-A in VNet-A.
    • This allows app-A to be accessed via a private IP.
    • Enable VNet Integration for app-B to route traffic through VNet-B.
    • Route requests from app-B to the private IP of app-A's Private Endpoint.
    • Restrict access to app-A to traffic only from the IP range of VNet-B.
    • Configure Azure AD for both app-A and app-B for additional security.
    • Verify app-B can access app-A.
    • Confirm other sources cannot access app-A.

    By following these concise steps, you can securely limit access to app-A so it is only accessible through app-B.
    https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
    If the answer is helpful, please click Accept Answer and kindly upvote it.

  2. Silvia Wibowo 4,956 Reputation points Microsoft Employee
    2025-01-05T20:36:25.65+00:00

    Hi @Avinash Davkhar , I understand you want to know the options for restricting access to a web app in Azure App Service.

    There are different categories for access:

    1. Network access
      1. IP-based access restriction rules - to limit public IP addresses to access your App Service's public endpoint.
      2. Access restriction rules based on service endpoint - to limit private IP addresses or CIDR to access your App Service's public endpoint.
      3. Using Private Endpoints for App Service apps - you can disable public access, so all access is using private endpoint (this is what @Shree Hima Bindu Maganti suggested).
    2. Application filtering
      1. HTTP header filtering for site access.
    3. Authentication/authorization
      1. Add app authentication to your web app running on Azure App Service - configure app B's managed identity to have access to app A.

    Each category is independent; you can choose to apply multiple categories to protect your App Service.

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

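An added example for the IP-based access restriction rules in the network-access category above (not code from either answer or from Microsoft): it evaluates an exported `ipSecurityRestrictions` list the way App Service applies it, lowest priority number first with an implicit deny once any rule exists, and lists Allow rules wider than the expected caller. The rule set and every address are constructed; 203.0.113.10 is an assumed stand-in for app-B's address.

```python
import ipaddress

# Constructed sample of app-A's ipSecurityRestrictions (ARM property names).
# 203.0.113.10 is an assumed placeholder for the address app-B calls from.
SAMPLE_RULES = [
    {"name": "allow-app-b", "ipAddress": "203.0.113.10/32", "action": "Allow", "priority": 100},
    {"name": "old-office", "ipAddress": "198.51.100.0/24", "action": "Allow", "priority": 200},
    {"name": "block-probe", "ipAddress": "198.51.100.77/32", "action": "Deny", "priority": 150},
]


def decide(rules, source_ip):
    """Return (action, rule_name) for source_ip; lowest priority number wins."""
    if not rules:
        return ("Allow", "no-rules")  # an empty list leaves the endpoint open
    addr = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        cidr = rule.get("ipAddress")
        if not cidr:
            continue  # service-endpoint (subnet) rules are not modelled here
        if cidr == "Any" or addr in ipaddress.ip_network(cidr, strict=False):
            return (rule["action"], rule["name"])
    return ("Deny", "implicit-deny")  # added once at least one rule exists


def unexpected_allows(rules, expected):
    """Names of Allow rules whose range is not inside any expected network."""
    expected_nets = [ipaddress.ip_network(e) for e in expected]
    findings = []
    for rule in rules:
        cidr = rule.get("ipAddress")
        if rule["action"] != "Allow" or not cidr:
            continue
        if cidr == "Any":
            findings.append(rule["name"])
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.version == e.version and net.subnet_of(e) for e in expected_nets):
            findings.append(rule["name"])
    return findings


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.5", "198.51.100.77", "192.0.2.1"):
        print(ip, decide(SAMPLE_RULES, ip))
    print("Allow rules wider than app-B:", unexpected_allows(SAMPLE_RULES, ["203.0.113.10/32"]))
```
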
