Azure app service with private endpoint - throws 403 on kudu

Soni, Nishant 1 Reputation point
2021-02-09T04:38:18.153+00:00

My application is working as expected on Azure App Service. The next step was to make it available only while connected to our corporate VPN. This was done by using VNet integration and that's all working as expected. (Windows setup, ASP.NET app.) The only concern here is that the Kudu advanced tools aren't working, so I can't actually access my files for live debugging anymore. It throws a 403 error. Please be aware that the application is not publicly available (it can only be accessed while on our VPN). So how can I solve this issue with Kudu? There's a CI/CD pipeline that deploys to my App Service.


1 answer

  1. ajkuma 28,036 Reputation points Microsoft Employee Moderator
    2021-02-25T11:25:46.047+00:00

    Updating the answer from the comments, to benefit the community:

    "The kudu issue was solved after setting-up the DNS records in the internal zone."

    • For accessing the Kudu console, or Kudu REST API (deployment with Azure DevOps self-hosted agents for example), you must create two records in your Azure DNS private zone or your custom DNS server. Kindly check this document for more details. If you haven't added the records, kindly see if that works.

    | Name | Type | Value |
    |------|------|-------|
    | mywebapp.privatelink.azurewebsites.net | A | PrivateEndpointIP |
    | mywebapp.scm.privatelink.azurewebsites.net | A | PrivateEndpointIP |

    • Ensure that the release pipeline is running on the right host. Because the endpoint is private for the SCM too, the DevOps agent must be in a network with access to the endpoint, so it is mandatory to use a self-hosted DevOps agent.

    Just to highlight: you must not change the azurewebsites.net record. You need to create only the myapp.privatelink.azurewebsites.net and myapp.scm.privatelink.azurewebsites.net DNS records; as explained in the article, App Service will create the CNAME from public to private. But your app or the SCM must be reached by the public name, not the private link one; if not, you will have no name to match and no TLS handshake. Private link is for the resolution only.

    • Yes. You can set up a Windows VM on Azure in the same network as the App Service and use that as an agent.

    I have also shared your feedback with the content team, to update the doc with a specific topic about how to deploy code with a private endpoint, which should cover all these points. But there is no ETA to share on the document update at this time.

    private-endpoint#dns: https://learn.microsoft.com/azure/app-service/networking/private-endpoint#dns

    Thanks for your time and collaboration!

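The answer above boils down to two checks: all four names (public app, public SCM, and the two privatelink names) must resolve to the private endpoint IP from inside the VPN, and the TLS handshake must still be done with the public name as SNI. The script below is an added example, not code from the original answer or from Microsoft. The app name `mywebapp` and the private endpoint IP `10.0.1.4` are placeholders, and the `SAMPLE_*` dictionaries are constructed resolver answers used so the check can be exercised offline; pass `system_resolver` instead to run it against your own DNS from a VPN-connected machine.

```python
"""Verify App Service private-endpoint DNS and SNI usage for the app and Kudu (.scm) names."""
import ipaddress
import socket
import ssl
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to its final IPv4 address, or None when there is no answer.
Resolver = Callable[[str], Optional[str]]


def expected_hostnames(app_name: str) -> List[str]:
    """The two records the answer says to create, plus the public names that
    App Service CNAMEs onto them. All four must end up at the private endpoint IP."""
    return [
        f"{app_name}.azurewebsites.net",
        f"{app_name}.scm.azurewebsites.net",
        f"{app_name}.privatelink.azurewebsites.net",
        f"{app_name}.scm.privatelink.azurewebsites.net",
    ]


def check_private_endpoint_dns(app_name: str, private_endpoint_ip: str, resolve: Resolver) -> List[str]:
    """Return a list of problems. An empty list means DNS matches the answer's setup."""
    problems: List[str] = []
    for host in expected_hostnames(app_name):
        ip = resolve(host)
        if ip is None:
            problems.append(f"{host}: no answer (A record missing from the private zone?)")
            continue
        if ip != private_endpoint_ip:
            # A public address means the private zone is not being consulted,
            # which is exactly the situation that yields a 403 from Kudu.
            hint = ("public address, private zone or VPN DNS forwarding not in effect"
                    if ipaddress.ip_address(ip).is_global else "unexpected private address")
            problems.append(f"{host}: resolves to {ip} ({hint}), expected {private_endpoint_ip}")
    return problems


def system_resolver(host: str) -> Optional[str]:
    """Resolve through the operating system's DNS (run this from a VPN-connected machine)."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def tls_server_name_ok(public_host: str, endpoint_ip: str, timeout: float = 5.0) -> bool:
    """Connect to the private endpoint IP but present the *public* name as SNI,
    as the answer requires. Returns True when the certificate validates for that
    name; presenting the privatelink name instead has no matching certificate."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((endpoint_ip, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=public_host):
                return True
    except (ssl.SSLError, OSError):
        return False


# Constructed sample answers (placeholders, not real records).
PRIVATE_ENDPOINT_IP = "10.0.1.4"
SAMPLE_GOOD: Dict[str, str] = {h: PRIVATE_ENDPOINT_IP for h in expected_hostnames("mywebapp")}
# Same setup with the .scm privatelink record forgotten: the public SCM name then
# falls through to the public App Service address and Kudu answers 403.
SAMPLE_MISSING_SCM: Dict[str, str] = dict(SAMPLE_GOOD)
del SAMPLE_MISSING_SCM["mywebapp.scm.privatelink.azurewebsites.net"]
SAMPLE_MISSING_SCM["mywebapp.scm.azurewebsites.net"] = "20.42.0.10"  # constructed public IP


def dict_resolver(table: Dict[str, str]) -> Resolver:
    return lambda host: table.get(host)


if __name__ == "__main__":
    for label, table in (("good", SAMPLE_GOOD), ("missing scm record", SAMPLE_MISSING_SCM)):
        print(f"[{label}]", check_private_endpoint_dns("mywebapp", PRIVATE_ENDPOINT_IP, dict_resolver(table)) or "OK")
    # Live check from a VPN-connected machine (uncomment and substitute your own names):
    # print(check_private_endpoint_dns("mywebapp", "10.0.1.4", system_resolver))
    # print(tls_server_name_ok("mywebapp.scm.azurewebsites.net", "10.0.1.4"))
```

When a name resolves to a public address from a machine that is on the VPN, the private zone is not linked to the network the resolver uses (or the VPN does not forward DNS to it); when it resolves correctly but the handshake fails, the client is presenting the privatelink name instead of the public one.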
