App Svc with existing Vnet in iprestriction

Emmanuel Gaid 1 Reputation point

i have an azure release pipeline with 3 steps, deploying packages to azure using service connection Resource group level webappRSG and using azurepipeline agents

  • azure powershell cli = allow azure pipeline agent ip in the web app ip restriction
  • azure web deploy = package deployment
  • azure powershell cli = remove agent ip


  • appsvc1 inside resource group webappRSG and vnet1 inside resource group loadbalancerRSG
  • vnet1 is added in appsvc1 ip restriction

the problem is in the first bullet azure pipeline - allow agent ip always failing when a vnet is existing in the ip restriction of the app service. Error Message: Operation returned an invalid status code 'Forbidden'

powershell command im using = Add-AzWebAppAccessRestrictionRule -ResourceGroupName <resourcegroupname> -WebAppName <webappname> -Name <rulename> -Priority <priority> -Action Allow -IpAddress <ip>

it is working when i removed vnet1 in IP restriction, i had to re-add vnet1 back after deployment to allow other endpoint connecting to app service

possible reason

  • i think its because azure pipeline is using a service connection only allowed in the resource group webappRSG and manipulating iprestriction in the appsvc1 doesn't mean it can touch vnet1 from another resource group which pipeline doesn't have an access.

things i did

  • adding service connection going to loadbalancerRSG where vnet1 is located, to allow azure release pipeline and to have decent rights it needs - still no luck

let me know your thoughts guys on how fix this, i dont want to every deployment removing VNET in iprestriction and re-add afterwards is not ideal for long term solution

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
4,905 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Ryan Hill 18,401 Reputation points Microsoft Employee

    Hi @EmmanuelGaid-5436,

    You can allow Azure DevOps IP ranges into your IP Restrictions. See for the complete list of inbound connections to allow. Another approach is to use the AzureDevOps Service Tags. That should negate the need for you needing step 1.