Impossible to have CI/CD with GitHub Actions on Azure Web App which has Private Endpoint

cloudfanatic 161 Reputation points
2021-11-18T15:59:57.05+00:00

Hi,

I have created a GitHub Action pipeline for CI/CD for my Azure App Service which was working fine until I added the Private Endpoint. Once I integrated the App Service with the VNet and added a Private Endpoint to it, my deploy job on GitHub Actions failed. I was using the publish profile of the web app to deploy to it, but since it became private the publish URL was no longer valid. I followed the documentation and in my private DNS zone I have these two records: mywebapp.privatelink.azurewebsites.net and mywebapp.scm.privatelink.azurewebsites.net. Now that I have the Private Endpoint, I understand that the application is only accessible from inside the VNet.

My question is: is there a way I can use my GitHub CI/CD pipeline while still having a Private Endpoint for the App Service?
Is there any way I can make only the SCM site public?
Is there a way I can do CI/CD?

Thanks


Accepted answer
Jason Freeberg 166 Reputation points
2021-12-01T20:02:00.187+00:00

Hi there, are you using the publish profile to deploy the container? You can check by looking at the action YAML. If it has the "publish-profile" property, then you are using a publish profile to authenticate and deploy the container.

    - name: 'Run Azure webapp deploy action using publish profile credentials'
      uses: azure/webapps-deploy@v2
      with:
        app-name: node-rn
        publish-profile: ${{ secrets.azureWebAppPublishProfile }}

The publish profile won't work with private endpoints because it tries to authenticate to the SCM site on the webapp. When you have Private Endpoints, that URL is no longer accessible to the public internet.

You can instead use a Service Principal to authenticate and deploy your container. When using Service Principal, the request will go through ARM and update the container name and tag on the web app, instead of going through the SCM site. Here is an example of a workflow using a Service Principal to deploy a container to App Service: https://github.com/azure/webapps-deploy#sample-workflow-to-build-and-deploy-a-nodejs-app-to-containerized-webapp-using-azure-service-principal. Here are instructions on how to create the SP: https://github.com/Azure/login#configure-deployment-credentials

1 person found this answer helpful.
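The service-principal workflow the answer describes, written out as an added example (this is not the answerer's code nor the sample from the webapps-deploy repository): the job authenticates with azure/login, builds and pushes the container image to a registry, then calls azure/webapps-deploy with the images input and no publish-profile, so the container settings are updated through ARM and the job never contacts the private SCM hostname. The registry name myregistry.azurecr.io, the image name, and the secret names AZURE_CREDENTIALS, REGISTRY_USERNAME and REGISTRY_PASSWORD are placeholders I chose for the example; the app name mywebapp is the one from the question.

```yaml
name: Build and deploy container to a private-endpoint Web App via ARM

on:
  push:
    branches: [ main ]

# The workflow only needs to read the repository; Azure access comes from the
# service principal, not from the GITHUB_TOKEN.
permissions:
  contents: read

env:
  ACR_LOGIN_SERVER: myregistry.azurecr.io   # placeholder: your container registry
  IMAGE_NAME: mywebapp                      # placeholder: image repository name

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Authenticate to Azure with the service principal. AZURE_CREDENTIALS (an
      # assumed secret name) holds the JSON emitted by `az ad sp create-for-rbac --sdk-auth`.
      - name: Azure login
        uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      # Registry credentials are separate secrets (assumed names) so the service
      # principal itself does not need registry-wide rights.
      - name: Log in to container registry
        uses: azure/docker-login@v1
        with:
          login-server: ${{ env.ACR_LOGIN_SERVER }}
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      # Tag the image with the commit SHA so every deployment is traceable to a commit.
      - name: Build and push image
        run: |
          docker build -t "$ACR_LOGIN_SERVER/$IMAGE_NAME:${{ github.sha }}" .
          docker push "$ACR_LOGIN_SERVER/$IMAGE_NAME:${{ github.sha }}"

      # No publish-profile input: with an azure/login session the action sets the
      # web app's container image through ARM, so the private SCM site
      # (mywebapp.scm.privatelink.azurewebsites.net) is never reached from the runner.
      - name: Deploy to Azure Web App
        uses: azure/webapps-deploy@v2
        with:
          app-name: mywebapp
          images: ${{ env.ACR_LOGIN_SERVER }}/${{ env.IMAGE_NAME }}:${{ github.sha }}

      # Drop the Azure CLI session before the runner is recycled.
      - name: Azure logout
        if: always()
        run: az logout
```

To create the service principal as the Azure/login README describes, run `az ad sp create-for-rbac --name "<sp-name>" --role contributor --scopes /subscriptions/<subscription-id>/resourceGroups/<resource-group> --sdk-auth` and paste the JSON output into the AZURE_CREDENTIALS repository secret. Scoping the role assignment to the resource group that holds the web app (rather than the whole subscription) keeps the pipeline identity at least privilege, and the SCM endpoint can stay private because nothing in this job needs to resolve or reach it.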
