Website on Azure App Container service throwing 403 Forbidden error

Question

Website on Azure App Container service throwing 403 Forbidden error

Mani Agarwal 0

Hi Team,

I am deploying my micro service application using the Azure App service (Container Service). I have 1 frontend and 3 backend. I have followed these steps also mentioned here in this link: https://learn.microsoft.com/en-us/answers/questions/2107806/how-to-make-backend-appservice-accept-the-traffic

I am still getting the same error.

I have integrated the Vnet in frontend.

Created Private Endpoint in private subnet for backend app service

Allow access restrictions rule in backend app too.

Created NSG and attached it to.

For backend, Vnet integration it says: Virtual network integration:Not supported

Created Authentication (is it mandatory ?)

Still getting the same error. Also, some of the doc links are not found.

Could you please help me with this.

Thanks,

Mani

Mani Agarwal 0 Reputation points

2025-03-18T10:32:18.7566667+00:00

I am using the plan P1v3 and it is still showing the Virtual Network Integration Not supported
Laxman Reddy Revuri 5,405 Reputation points Microsoft External Staff Moderator

2025-03-19T05:07:41.7466667+00:00
Hi @Mani Agarwal
Your Azure App Service (P1v3 plan) still shows "Virtual network integration: Not supported." This typically happens because VNet Integration is only supported for outbound traffic and has limitations based on the App Service type and region.
While P1v3 (Premium V3) supports VNet integration, it may not be available in all regions.

Run this Azure CLI command to check supported features
appservice plan show --name <YOUR_APP_SERVICE_PLAN> --resource-group <YOUR_RESOURCE_GROUP> --query "sku"
If it's still not supported, consider using Private Endpoints instead of VNet Integration.

VNet Integration is not needed if your app is inside an App Service Environment (ASE).

If your App Service is inside an ASE with internal load balancing, it already has network access.

Since VNet integration is not supported, try creating a Private Endpoint:

Go to your backend App Service → Networking → Private Endpoint.

Click + Add and choose your VNet and Subnet.

Ensure your frontend can resolve the private IP.

Check If Your Backend Is Still Public

If you enabled Private Endpoint, make sure Public Access is disabled in:

App Service → Networking → "Disable public network access."

If it's still using a public outbound IP, that may be causing the issue.
Mani Agarwal 0 Reputation points

2025-03-19T07:48:48.9266667+00:00
Sorry, I am confused with your above answer. Please help me in understand.

I have frontend

I have 3 backends and one of them is not supporting the Virtual Network Integration.

All of them are running on containers. The one which is showing the Virtual Network Integration not supported is running on docker-compose.

So, when I am hitting the backend api from frontend it is throwing 403 error. The steps above you mentioned in your 1st reply, I have tried all of them and I can see from Kudu console that I am able to curl and nslookup. But from browser it is throwing an error.

Till now my understanding was that we need private endpoints and vnet integration. But now that you are saying this is not the case. Also, if completely Disabled the public access how my frontend would be connecting with the backend. How to request will flow, just via private endpoints. But private endpoints only send outbound. So, it doesn't receive the request.

If I block all the public access, how it will do the image pull from Azure container registry?

Is there a way I can get on call with Azure Support to help me with fixing my system. If I don't resolve this. I have to move to some other cloud provider. My boss is after me to get this fix asap.
Dasari Kamali 425 Reputation points Microsoft External Staff Moderator

2025-03-20T06:01:01.56+00:00

Hi @Mani Agarwal

Check if the backend's Private Endpoint is resolving correctly using nslookup <backendAppService>.azurewebsites.net. Also, ensure frontend outbound IPs are allowed in backend access restrictions.
Mani Agarwal 0 Reputation points

2025-03-21T07:25:33.6666667+00:00

yup done that. still the same issue.
Mani Agarwal 0 Reputation points

2025-03-21T07:26:33.3366667+00:00

@Dasari kamali Please help me understand this part
Dasari Kamali 425 Reputation points Microsoft External Staff Moderator

2025-03-24T05:20:26.66+00:00

Check NSG rules on the backend subnet to allow traffic from the frontend. Also, verify that the Private DNS Zone (privatelink.azurewebsites.net) is linked to the VNet. Try accessing the backend via its private IP.
Dasari Kamali 425 Reputation points Microsoft External Staff Moderator

2025-03-24T05:22:59.11+00:00

Since the backend is using a Private Endpoint, the frontend must be integrated with the same VNet or use a Private Link Service to access it. Private Endpoints only allow inbound traffic, so the frontend needs VNet integration to reach the backend. Also, for ACR image pulls, enable a Private Endpoint for ACR or allow outbound public access for *.azurecr.io.
Mani Agarwal 0 Reputation points

2025-03-24T10:57:33.5+00:00

@Dasari Kamali , So, I did try the above resolutions given and still it is giving me the 403 error when I put my backend in private (public access all disabled) and ACR is in public.

I followed this link Tutorial: Create a secure N-tier web app - Azure App Service | Microsoft Learn

I will be sharing the script with you in sometime with list of all cli commands which I have used to create.

Sharing the bash script which I have used for it.secure-ntier-azure-setup.txt

Please check if I have missed any step to create the networking.
Dasari Kamali 425 Reputation points Microsoft External Staff Moderator

2025-03-26T03:57:37.78+00:00

Since you still get a 403 error with private backend access, check App Service Authentication settings, if enabled, configure it to allow frontend requests. Also, verify NSG rules and WEBSITE_VNET_ROUTE_ALL=1 in backend App Service settings. Can you share your script, and I will review it for missing steps.
Mani Agarwal 0 Reputation points

2025-03-27T05:08:24.57+00:00

@Dasari Kamali

Here is the script which I am using:

re-azure-secure-ntier-setup.txt

This is a bash script, but I was not able to upload the file with .sh extension.

I am using it to create the networking.

Also, I am able to hit the endpoint from frontend kudo ssh
But on browser it is giving 403 error.
Dasari Kamali 425 Reputation points Microsoft External Staff Moderator

2025-03-27T10:20:54.54+00:00

Since the backend API is accessible via Kudu SSH but returns 403 in the browser, check CORS settings in the backend App Service. Also, verify that API_URL in frontend settings points to the private endpoint (not public). If issues persist, enable App Service logs and check WEBSITE_AUTH_ENABLED settings.
Mani Agarwal 0 Reputation points

2025-03-27T13:02:12.72+00:00

@Dasari Kamali
I have checked the CORS setings in the backend code and it is marked as "*". Even in App services we have added the CORS, but still getting the same error.

Also, i dont understand why I have this "cpc7ctd7fmgeetc4" random value in trulo-fe-prod-cpc7ctd7fmgeetc4.eastus-01.azurewebsites.net private endpoint
Mani Agarwal 0 Reputation points

2025-03-31T07:07:12.35+00:00

@Dasari kamali Anu update for me.

@Laxman Reddy Revuri

Did you check the script I have shared above?
Dasari Kamali 425 Reputation points Microsoft External Staff Moderator

2025-04-01T05:48:01.94+00:00

If CORS is set correctly, check WEBSITE_AUTH_ENABLED in backend App Service settings and disable authentication for testing. Also, verify that the frontend calls the backend using the correct private URL. The random value in the private endpoint name is expected due to Azure's internal DNS resolution. You can try accessing the backend API directly from the browser using curl or Postman to confirm if authentication is causing the issue.
Dasari Kamali 425 Reputation points Microsoft External Staff Moderator

2025-04-03T11:43:42.7033333+00:00

Hi @Mani Agarwal ,
Just following up to see if you had a chance to review my previous message.
Mani Agarwal 0 Reputation points

2025-04-09T10:31:31.51+00:00
Hi @Laxman Reddy Revuri and @Dasari Kamali

We have already checked the points you mentioned, but the issue persists.

Current Observations:

CORS Error:

Occurs when the frontend app service URL is not added in the backend CORS settings, which is expected.

However, adding the URL doesn't resolve the issue.

403 Forbidden Error:

Occurs after fixing the CORS error by adding the frontend app service's default URL to the backend app service's CORS settings.

Intermittent Behaviour:

Sometimes, both errors (403 and CORS) appear simultaneously.

Other times, they occur separately depending on the configuration.

As per my understanding, these two errors are distinct—CORS is related to cross-origin policies, while 403 Forbidden could point to authentication or access restriction issues.

To make troubleshooting more efficient, I suggest a quick meeting on Google Meet or any platform you're comfortable with. This will allow us to analyse the configurations together and identify any potential misconfigurations or overlooked aspects.

@Dasari Kamali Did you try running the script which I shared.

Is it possible we can connect over call? As messaging to and fro is not resolving the problem. We have already all the suggestions which you have mentioned above
Dasari Kamali 425 Reputation points Microsoft External Staff Moderator

2025-04-11T08:17:38.0933333+00:00

Hi @Anonymous , Is there any possibility you could share your GitHub repository for the frontend and backend code? I will try it from my end.

1 answer

Your answer

Mani Agarwal 0 Reputation points

2025-03-18T10:32:18.7566667+00:00

I am using the plan P1v3 and it is still showing the Virtual Network Integration Not supported
Laxman Reddy Revuri 5,405 Reputation points Microsoft External Staff Moderator

2025-03-19T05:07:41.7466667+00:00

Hi @Mani Agarwal
Your Azure App Service (P1v3 plan) still shows "Virtual network integration: Not supported." This typically happens because VNet Integration is only supported for outbound traffic and has limitations based on the App Service type and region.
While P1v3 (Premium V3) supports VNet integration, it may not be available in all regions.

Run this Azure CLI command to check supported features
appservice plan show --name <YOUR_APP_SERVICE_PLAN> --resource-group <YOUR_RESOURCE_GROUP> --query "sku"
If it's still not supported, consider using Private Endpoints instead of VNet Integration.

VNet Integration is not needed if your app is inside an App Service Environment (ASE).

If your App Service is inside an ASE with internal load balancing, it already has network access.

Since VNet integration is not supported, try creating a Private Endpoint:

Go to your backend App Service → Networking → Private Endpoint.

Click + Add and choose your VNet and Subnet.

Ensure your frontend can resolve the private IP.

Check If Your Backend Is Still Public

If you enabled Private Endpoint, make sure Public Access is disabled in:

App Service → Networking → "Disable public network access."

If it's still using a public outbound IP, that may be causing the issue.
Mani Agarwal 0 Reputation points

2025-03-19T07:48:48.9266667+00:00

Sorry, I am confused with your above answer. Please help me in understand.

I have frontend

I have 3 backends and one of them is not supporting the Virtual Network Integration.

All of them are running on containers. The one which is showing the Virtual Network Integration not supported is running on docker-compose.

So, when I am hitting the backend api from frontend it is throwing 403 error. The steps above you mentioned in your 1st reply, I have tried all of them and I can see from Kudu console that I am able to curl and nslookup. But from browser it is throwing an error.

Till now my understanding was that we need private endpoints and vnet integration. But now that you are saying this is not the case. Also, if completely Disabled the public access how my frontend would be connecting with the backend. How to request will flow, just via private endpoints. But private endpoints only send outbound. So, it doesn't receive the request.

If I block all the public access, how it will do the image pull from Azure container registry?

Is there a way I can get on call with Azure Support to help me with fixing my system. If I don't resolve this. I have to move to some other cloud provider. My boss is after me to get this fix asap.
Dasari Kamali 425 Reputation points Microsoft External Staff Moderator

2025-03-20T06:01:01.56+00:00

Hi @Mani Agarwal

Check if the backend's Private Endpoint is resolving correctly using nslookup <backendAppService>.azurewebsites.net. Also, ensure frontend outbound IPs are allowed in backend access restrictions.
Mani Agarwal 0 Reputation points

2025-03-21T07:25:33.6666667+00:00

yup done that. still the same issue.
Mani Agarwal 0 Reputation points

2025-03-21T07:26:33.3366667+00:00

@Dasari kamali Please help me understand this part
Dasari Kamali 425 Reputation points Microsoft External Staff Moderator

2025-03-24T05:20:26.66+00:00

Check NSG rules on the backend subnet to allow traffic from the frontend. Also, verify that the Private DNS Zone (privatelink.azurewebsites.net) is linked to the VNet. Try accessing the backend via its private IP.
Dasari Kamali 425 Reputation points Microsoft External Staff Moderator

2025-03-24T05:22:59.11+00:00

Since the backend is using a Private Endpoint, the frontend must be integrated with the same VNet or use a Private Link Service to access it. Private Endpoints only allow inbound traffic, so the frontend needs VNet integration to reach the backend. Also, for ACR image pulls, enable a Private Endpoint for ACR or allow outbound public access for *.azurecr.io.
Mani Agarwal 0 Reputation points

2025-03-24T10:57:33.5+00:00

@Dasari Kamali , So, I did try the above resolutions given and still it is giving me the 403 error when I put my backend in private (public access all disabled) and ACR is in public.

I followed this link Tutorial: Create a secure N-tier web app - Azure App Service | Microsoft Learn

I will be sharing the script with you in sometime with list of all cli commands which I have used to create.

Sharing the bash script which I have used for it.secure-ntier-azure-setup.txt

Please check if I have missed any step to create the networking.
Dasari Kamali 425 Reputation points Microsoft External Staff Moderator

2025-03-26T03:57:37.78+00:00

Since you still get a 403 error with private backend access, check App Service Authentication settings, if enabled, configure it to allow frontend requests. Also, verify NSG rules and WEBSITE_VNET_ROUTE_ALL=1 in backend App Service settings. Can you share your script, and I will review it for missing steps.
Mani Agarwal 0 Reputation points

2025-03-27T05:08:24.57+00:00

@Dasari Kamali

Here is the script which I am using:

re-azure-secure-ntier-setup.txt

This is a bash script, but I was not able to upload the file with .sh extension.

I am using it to create the networking.

Also, I am able to hit the endpoint from frontend kudo ssh
But on browser it is giving 403 error.
Dasari Kamali 425 Reputation points Microsoft External Staff Moderator

2025-03-27T10:20:54.54+00:00

Since the backend API is accessible via Kudu SSH but returns 403 in the browser, check CORS settings in the backend App Service. Also, verify that API_URL in frontend settings points to the private endpoint (not public). If issues persist, enable App Service logs and check WEBSITE_AUTH_ENABLED settings.
Mani Agarwal 0 Reputation points

2025-03-27T13:02:12.72+00:00

@Dasari Kamali
I have checked the CORS setings in the backend code and it is marked as "*". Even in App services we have added the CORS, but still getting the same error.

Also, i dont understand why I have this "cpc7ctd7fmgeetc4" random value in trulo-fe-prod-cpc7ctd7fmgeetc4.eastus-01.azurewebsites.net private endpoint
Mani Agarwal 0 Reputation points

2025-03-31T07:07:12.35+00:00

@Dasari kamali Anu update for me.

@Laxman Reddy Revuri

Did you check the script I have shared above?
Dasari Kamali 425 Reputation points Microsoft External Staff Moderator

2025-04-01T05:48:01.94+00:00

If CORS is set correctly, check WEBSITE_AUTH_ENABLED in backend App Service settings and disable authentication for testing. Also, verify that the frontend calls the backend using the correct private URL. The random value in the private endpoint name is expected due to Azure's internal DNS resolution. You can try accessing the backend API directly from the browser using curl or Postman to confirm if authentication is causing the issue.
Dasari Kamali 425 Reputation points Microsoft External Staff Moderator

2025-04-03T11:43:42.7033333+00:00

Hi @Mani Agarwal ,
Just following up to see if you had a chance to review my previous message.
Mani Agarwal 0 Reputation points

2025-04-09T10:31:31.51+00:00

Hi @Laxman Reddy Revuri and @Dasari Kamali

We have already checked the points you mentioned, but the issue persists.

Current Observations:

CORS Error:

Occurs when the frontend app service URL is not added in the backend CORS settings, which is expected.

However, adding the URL doesn't resolve the issue.

403 Forbidden Error:

Occurs after fixing the CORS error by adding the frontend app service's default URL to the backend app service's CORS settings.

Intermittent Behaviour:

Sometimes, both errors (403 and CORS) appear simultaneously.

Other times, they occur separately depending on the configuration.

As per my understanding, these two errors are distinct—CORS is related to cross-origin policies, while 403 Forbidden could point to authentication or access restriction issues.

To make troubleshooting more efficient, I suggest a quick meeting on Google Meet or any platform you're comfortable with. This will allow us to analyse the configurations together and identify any potential misconfigurations or overlooked aspects.

@Dasari Kamali Did you try running the script which I shared.

Is it possible we can connect over call? As messaging to and fro is not resolving the problem. We have already all the suggestions which you have mentioned above
Dasari Kamali 425 Reputation points Microsoft External Staff Moderator

2025-04-11T08:17:38.0933333+00:00

Hi @Anonymous , Is there any possibility you could share your GitHub repository for the frontend and backend code? I will try it from my end.

Answer 1

Hi @Mani Agarwal
A 403 Forbidden error when accessing your Azure App Service could be due to several reasons, especially when dealing with virtual network integration and private endpoints.
1.Make sure your NSG rules permit traffic from the frontend to the backend. Verify the NSG is properly configured and is attached to the subnet your backend app service is stationed at.

2.Check that the private endpoint to your backend app service is properly configured. Check whether the DNS configuration is complete and ensure the private DNS zones are linked to your virtual network.
https://learn.microsoft.com/en-us/azure/app-service/tutorial-networking-isolate-vnet#create-private-endpoints

3.Review the access restrictions for your backend app service. Check that the rules that are configured grant traffic from the frontend app service and any other relevant IP addresses.

4.If the backend app service VNet integration displays “Not supported,” that is an indication the App service plan does not support VNet integration. Confirm that your backend app service is either a Premium or Isolated plan since those plans support VNet integration.
https://learn.microsoft.com/en-us/azure/app-service/networking-features

5.Even though the backend app service does not require authentication, if enabled, make sure the frontend app service is set up correctly to authenticate with the backend service.
Kindly refer below documentations:
Configure virtual network integration in your frontend web app
https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/troubleshoot-forbidden#firewall-blocking-requests

Vishal Kumar 0 Reputation points

2025-04-08T10:30:00.6966667+00:00

Hi @Laxman Reddy Revuri

We have already checked the points you mentioned, but the issue persists.

Current Observations:

CORS Error:

Occurs when the frontend app service URL is not added in the backend CORS settings, which is expected.

However, adding the URL doesn't resolve the issue.

403 Forbidden Error:

Occurs after fixing the CORS error by adding the frontend app service's default URL to the backend app service's CORS settings.

Intermittent Behaviour:

Sometimes, both errors (403 and CORS) appear simultaneously.

Other times, they occur separately depending on the configuration.

As per my understanding, these two errors are distinct—CORS is related to cross-origin policies, while 403 Forbidden could point to authentication or access restriction issues.

To make troubleshooting more efficient, I suggest a quick meeting on Google Meet or any platform you're comfortable with. This will allow us to analyse the configurations together and identify any potential misconfigurations or overlooked aspects.

Share via

Website on Azure App Container service throwing 403 Forbidden error

1 answer

Your answer