How to send HTTP request from one App Service to another using its VNet internal address?

Péter Cataño 21 Reputation points
2021-06-30T09:51:58.337+00:00

Dear Community!

How to send HTTP request from one App Service to another using its VNet internal address?
I would like to get help in the following scenario.

I have two App Services:

  • srvc1
  • srvc2

srvc1 must be publicly accessible on the internet

I configured VNet integration for both services to the same VNet/subnet:

  • mySubnet

srvc1 sends HTTP requests to srvc2 with its 'azurewebsites.net' address.

Assumption:

My assumption was that if I configure an Access Restriction for srvc2 and allow only the mySubnet IP range, the case will be solved, because the routing will resolve the srvc2 VNet address and thus the services will communicate on the VNet.

However, I got an error: HTTP 403 Forbidden when sending the HTTP request.

What else did I try?

Outbound addresses:

I added an allow rule for srvc1 Outbound Addresses to Access Restriction. The HTTP 403 error persists.

I found the outbound addresses on the Portal > Networking (preview) tab.

Private IP:

I checked the WEBSITE_PRIVATE_IP of srvc2 and tried to access it from srvc1 with its WEBSITE_PRIVATE_IP to send an HTTP request; I got the error: connection refused (ECONNREFUSED)

I know this address would change, just wanted to try if it works.

Thanks for your help in advance,

(this is my very first question so feel free to request any further info)

Kind regards,

Peter


Accepted answer
  1. brtrach-MSFT 17,741 Reputation points Microsoft Employee Moderator
    2021-07-01T05:56:27.49+00:00

    @Péter Cataño I was able to set up a test scenario where my srvc1 was open to the internet and my srvc2 was blocked from the internet without blocking communication between srvc 1 and srvc 2.

    To do so, I set two access restrictions on srvc 2 via the networking blade.

    1. I did an IPv4 block on the CIDR range 0.0.0.0/32, which blocks access to the internet.
    2. I did an allow of the virtual network/subnet of the subnet that srvc1 is connected to.

    Can you please try this configuration and let us know the outcome?

    Please note that sometimes it can take a few minutes for the access restrictions to take effect. While not necessary, I personally find restarting the web app to help speed up the sync, which can be a small time saver during testing.
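
A small model of how the two access restrictions in the accepted answer are evaluated, added here as an illustration; it is not code from the post or from Azure. It assumes rules are checked in priority order, that a non-empty rule list ends in an implicit deny-all, and that virtual network/subnet rules match on the calling subnet rather than the source IP; the priorities and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    priority: int                 # lower number is evaluated first
    action: str                   # "Allow" or "Deny"
    cidr: Optional[str] = None    # set for an IPv4 rule
    subnet: Optional[str] = None  # set for a virtual network/subnet rule

@dataclass(frozen=True)
class Request:
    source_ip: str
    subnet: Optional[str] = None  # subnet the call arrived from, if any

def matches(rule: Rule, req: Request) -> bool:
    # Subnet rules compare subnet identity; IPv4 rules compare the source address.
    if rule.subnet is not None:
        return req.subnet == rule.subnet
    return ipaddress.ip_address(req.source_ip) in ipaddress.ip_network(rule.cidr)

def evaluate(rules, req: Request):
    """Return (action, reason); a Deny is what the caller sees as HTTP 403."""
    if not rules:
        return "Allow", "no rules configured"
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, req):
            return rule.action, f"rule priority {rule.priority}"
    # No explicit rule matched: the implicit deny-all applies.
    return "Deny", "implicit deny all"

# The two rules from the accepted answer (priorities are constructed).
SRVC2_RULES = [
    Rule(priority=100, action="Allow", subnet="mySubnet"),
    # 0.0.0.0/32 matches only the single address 0.0.0.0.
    Rule(priority=200, action="Deny", cidr="0.0.0.0/32"),
]

# Constructed sample callers.
FROM_SRVC1 = Request(source_ip="10.0.1.4", subnet="mySubnet")
FROM_INTERNET = Request(source_ip="203.0.113.10")

if __name__ == "__main__":
    for name, req in (("srvc1", FROM_SRVC1), ("internet", FROM_INTERNET)):
        print(name, evaluate(SRVC2_RULES, req))
```

In this model the internet caller is rejected by the implicit deny-all, and a plain IPv4 allow rule for the subnet's address range only matches callers whose source address actually falls inside that range.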
