Static Web App with Private Endpoint - getting 403 Forbidden

Ashwin Sonale 0 Reputation points
2025-06-10T03:06:59.9766667+00:00

Hi,

I am currently managing a static web application that features a custom domain (validated) with a private endpoint. This private endpoint has been configured with a valid custom DNS zone and a private link. However, I am experiencing a 403 Forbidden error when attempting to access the site via the private endpoint, whereas public access functions without issue. Could you provide insights into what might be the underlying cause of this problem?

Azure Static Web Apps

2 answers

  1. Pradeep M 9,765 Reputation points Microsoft External Staff Volunteer Moderator
    2025-06-10T04:38:40.9933333+00:00

    Hi Ashwin Sonale,

    Thank you for reaching out to Microsoft Q & A forum.     

    The 403 Forbidden error you're seeing when accessing the Static Web App through the private endpoint is typically related to network or DNS configuration issues. Since the app works publicly, the app itself is healthy; this is likely specific to private access. 

    Please check the following: 

    1. DNS Resolution: Ensure the custom domain resolves the private endpoint IP from within your virtual network.

    2. Host Header: The request must use the custom domain name, not the IP address, as the Static Web App validates the Host header.

    3. Access Restrictions: Confirm that there are no access restrictions in place blocking traffic from the private network.

    4. Private DNS Zone: Make sure the private DNS zone is correctly linked to your virtual network and includes the appropriate A record for the private endpoint.

    If you have found the answer provided to be helpful, please click on the "Accept answer/Upvote" button so that it is useful for other members in the Microsoft Q&A community.


  2. TP 124.9K Reputation points Volunteer Moderator
    2025-06-10T04:53:29.4233333+00:00

    Hi Ashwin,

    When you successfully create Private Endpoint for your Static Web App (SWA), the public endpoint will return 403 Forbidden, regardless of if you use custom domain or auto-generated domain (*.azurestaticapps.net).

    Based on your description, the opposite of correct behavior is occurring. Please confirm that if you attempt to access your SWA from the VNet where the private endpoint is that it is in fact resolving to the private IP.

    For example, from a VM on the VNet, please do an nslookup of your custom domain and verify that it returns the private IP address of the private endpoint NIC. Conversely, when you attempt to access the site publicly, please confirm via nslookup/dig/similar that it is resolving to a public IP address.

    Yet another way you can confirm things is to open Developer Tools in your web browser, browse to your SWA, and examine the Network tab to verify what it shows for the remote IP address when you receive the 403 Forbidden page.

    If something is unclear and/or you have questions please add a comment.

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP
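
The DNS and status checks suggested in the two answers above, combined into one triage helper. This is an added example, not part of either answer and not Microsoft code. It assumes "private" means an RFC 1918 address; the finding labels and sample addresses are constructed for illustration.

```python
import ipaddress
import socket

# RFC 1918 ranges, which is where a VNet private endpoint NIC address normally sits.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def resolve(hostname):
    """IPv4 addresses the local resolver returns for hostname (needs network access)."""
    infos = socket.getaddrinfo(hostname, 443, family=socket.AF_INET, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def scope(addresses):
    """Classify resolved addresses as 'private', 'public', 'mixed' or 'none'."""
    kinds = set()
    for a in addresses:
        ip = ipaddress.ip_address(a)
        kinds.add("private" if any(ip in net for net in RFC1918) else "public")
    if not kinds:
        return "none"
    return kinds.pop() if len(kinds) == 1 else "mixed"

def diagnose(vantage, addresses, status):
    """vantage is 'vnet' or 'internet'; status is the HTTP status for the custom domain.
    The returned finding names are hypothetical labels for this example."""
    s = scope(addresses)
    if s in ("none", "mixed"):
        return "dns-inconsistent"
    if vantage == "vnet":
        if s == "public":
            # Traffic never reaches the private endpoint: check zone link and A record.
            return "vnet-resolves-public-ip"
        return "private-path-ok" if status == 200 else "private-path-error"
    if s == "private":
        return "internet-resolves-private-ip"
    # Per the second answer, the public endpoint returns 403 once the private endpoint exists.
    return "public-blocked-as-expected" if status == 403 else "public-still-open"

if __name__ == "__main__":
    # Constructed observations: (vantage, resolved addresses, HTTP status).
    samples = [
        ("vnet", ["203.0.113.10"], 403),
        ("vnet", ["10.1.0.4"], 200),
        ("internet", ["203.0.113.10"], 200),
    ]
    for vantage, addrs, status in samples:
        print(vantage, addrs, status, "->", diagnose(vantage, addrs, status))
```

On a real host, pass the output of `resolve()` for the custom domain together with the status code observed from that same machine.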

