I have an Azure release pipeline with 3 steps, deploying packages to Azure using a resource-group-level service connection (webappRSG) and Azure Pipelines agents:
- Azure PowerShell CLI = allow the Azure pipeline agent IP in the web app IP restrictions
- Azure Web Deploy = package deployment
- Azure PowerShell CLI = remove the agent IP
Architecture
- appsvc1 is inside resource group webappRSG, and vnet1 is inside resource group loadbalancerRSG
- vnet1 is added in the appsvc1 IP restrictions
The problem is in the first bullet (Azure pipeline - allow agent IP): it always fails when a VNet exists in the IP restrictions of the app service. Error message: Operation returned an invalid status code 'Forbidden'
PowerShell command I'm using: Add-AzWebAppAccessRestrictionRule -ResourceGroupName <resourcegroupname> -WebAppName <webappname> -Name <rulename> -Priority <priority> -Action Allow -IpAddress <ip>
It works when I remove vnet1 from the IP restrictions; I then have to re-add vnet1 after deployment to allow the other endpoint connecting to the app service.
Possible reason
- I think it's because the Azure pipeline is using a service connection only allowed in the resource group webappRSG, and being able to manipulate the IP restrictions of appsvc1 doesn't mean it can touch vnet1 in another resource group, which the pipeline doesn't have access to.
Things I did
- Added a service connection to loadbalancerRSG, where vnet1 is located, to allow the Azure release pipeline to have the rights it needs - still no luck
Let me know your thoughts, guys, on how to fix this. I don't want to remove the VNet from the IP restrictions on every deployment and re-add it afterwards; that is not ideal as a long-term solution.
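An added example, not part of the post and not the poster's own pipeline script: the three steps above wrapped in a single Azure PowerShell task so that the temporary agent rule is always removed (try/finally), the allow rule is scoped to a /32, and the existing subnet-backed rules are listed first so you can see which resource group (loadbalancerRSG for vnet1 in the post) the deploying identity also needs rights on. The rule name, priority, the public-IP echo service and the SubnetId property name on the returned rule objects are assumptions; the resource group and app name come from the post.

```powershell
# Added example (not the poster's script). Runs inside an Azure PowerShell task with the
# pipeline's service connection; assumes the Az.Websites module is available on the agent.
param(
    [string]$ResourceGroupName = 'webappRSG',           # from the post
    [string]$WebAppName        = 'appsvc1',             # from the post
    [string]$RuleName          = 'pipeline-agent-temp', # assumed rule name
    [int]$Priority             = 100                    # assumed priority
)

$ErrorActionPreference = 'Stop'

# Agent's public IP. The echo service is an assumption; use one your organisation trusts.
# A /32 keeps the temporary allow rule as narrow as possible.
$agentIp   = (Invoke-RestMethod -Uri 'https://api.ipify.org').Trim()
$agentCidr = "$agentIp/32"

# Inspect the current rule set before changing it. A rule backed by a subnet carries a
# SubnetId (assumed property name) whose resource group can differ from the web app's;
# that subnet is a second scope the deploying identity must be authorised on.
$config = Get-AzWebAppAccessRestrictionConfig -ResourceGroupName $ResourceGroupName -WebAppName $WebAppName
foreach ($rule in $config.MainSiteAccessRestrictions) {
    if ($rule.SubnetId) {
        # /subscriptions/<sub>/resourceGroups/<rg>/providers/... -> index 4 is the resource group
        $subnetRg = ($rule.SubnetId -split '/')[4]
        Write-Host "Subnet rule '$($rule.RuleName)' references a subnet in resource group '$subnetRg'"
    }
}

try {
    Write-Host "Allowing agent $agentCidr on $WebAppName (rule '$RuleName', priority $Priority)"
    Add-AzWebAppAccessRestrictionRule -ResourceGroupName $ResourceGroupName -WebAppName $WebAppName `
        -Name $RuleName -Priority $Priority -Action Allow -IpAddress $agentCidr `
        -Description 'Temporary pipeline agent access'

    # Deployment goes here (the post uses the Azure Web Deploy task for this step).
    # Invoke-MyDeployment ...   # hypothetical placeholder, not a real cmdlet
}
finally {
    # Runs even when the deployment fails, so the agent IP never stays allowed.
    Write-Host "Removing temporary rule '$RuleName'"
    Remove-AzWebAppAccessRestrictionRule -ResourceGroupName $ResourceGroupName -WebAppName $WebAppName -Name $RuleName
}
```

The listing step is the useful diagnostic here: the add cmdlet rewrites the whole access-restriction rule set, including the existing vnet1 rule, so a Forbidden on the write is a signal to compare the deploying identity's role assignments against the subnet's resource group printed above, not only against webappRSG. Whether a specific subnet-level action is required for that write is something to confirm in the App Service access-restriction documentation; the post does not establish it.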