Unable to deploy to a Web app with private endpoint

Joost Meijles 1

I have configured an Azure Web App with a private endpoint and want to deploy to it using Azure DevOps. I have found this possibility using Azure Blob storage and Azure CLI: https://azure.github.io/AppService/2021/03/01/deploying-to-network-secured-sites-2.html

The following Azure CLI webapp deploy command:

az webapp deploy --name $WEBAPP --resource-group $GROUP --type zip --src-url $ZIP_URL --async false
However gives the following Http 403 error: The web app you have attempted to reach has blocked your access.

I am using a service principal to login.

Any clues what I am missing here?

Pratik Somaiya 4,201 Reputation points

2022-03-22T10:28:27.703+00:00

Hello @Joost Meijles : Does the service principal have contributor access on your resource?
SnehaAgrawal-MSFT 18,366 Reputation points

2022-03-22T12:06:45.587+00:00

Thanks for reaching here! Could you please confirm while login using Azure Service Principal with a secret, If you have followed as below:

Simply create an Azure Service Principal and save it as a secret named AZURE_CREDENTIALS in your repository and then update the WEBAPP, CONTAINER, GROUP, and ACCOUNT environment variables with your desired resource names.

Let us know.
Joost Meijles 1 Reputation point

2022-03-22T12:08:58.683+00:00

Yes it has.
Joost Meijles 1 Reputation point

2022-03-22T12:37:02.037+00:00

I have a service principal with Contributor rights on subscription level. Please note that this service principal is working when I disconnect the private endpoint.
Merwin Dsouza 1 Reputation point

2022-09-15T17:14:12.38+00:00

Did you get a solution for your issue? We have similar setup + Application gateway infront and get the same error.

Thanks
Steve Duys 0 Reputation points

2023-03-15T22:08:36.76+00:00

Soo a couple things.. our workaround was to do a full swap from source staging slot to production slot on our app within our staging env. In our case we were updating the startup script and setting, and needed that to persist post deploy. We were good for staging slots as those were out in the open, but our native production slot ends up routing privately because of the private endpoint associated. The SWAP ends up bringing over the startup setting and the file/script. So that was our workaround, was to include a SWAP via az cli as part of the deploy step in our github actions yml-- when developers merge to development branch we deploy to the production slot of our staging service, and had the need to adjust the startup as well. The private endpoint prevented because of the ARM proxy not in play.

During this issue though we did open a Azure case. What came out of it was this article: https://azure.github.io/AppService/2021/03/01/deploying-to-network-secured-sites-2.htmlwhich we're keeping for future ref. But the SWAP was our workaround. Hope that helps somebody.

2 answers

Joel Neukom 1 Reputation point

2022-07-21T14:33:41.12+00:00
Hi

I had the same problem and opened a Microsoft Support ticket. There is a problem with "az webapp deploy --src-url": It actually doesn't go via ARM API, but directly to the scm endpoint of the web-app (which is blocked due to private endpoints).
There is a bug open to fix this: https://github.com/Azure/azure-cli/issues/21168

The solution is now not to use Azure cli command "az webapp deploy", but to call the ARM API directly with something like this:

az rest --method PUT --uri https://management.azure.com/subscriptions/${SUBSCRIPTIONID}/resourceGroups/${RESOURCEGROUP}/providers/Microsoft.Web/sites/${WEBAPP}/extensions/onedeploy?api-version=2022-03-01 --body '{"properties": {"type": "zip", "packageUri": ${ARTIFACTURL} }}'

This call will go via ARM and will not be blocked by your Webapp.
Please sign in to rate this answer.
Aitha, Sravan Kumar 1 Reputation point

2022-11-03T16:34:51.38+00:00

Hello,

We are facing same issue. I tried rest api option as well but it gives me BadRequest error.

Bad Request({"error":{"code":"BadRequest","message":"System.NullReferenceException: Object reference not set to an instance of an object.\r\n at Kudu.Services.Deployment.PushDeploymentController.<OneDeploy>d__14.MoveNext() in C:\Kudu Files\Private\src\master\Kudu.Services\Deployment\PushDeploymentController.cs:line 191"}})

Tried adding additional quotes thinking this could be due to some special characters but that didn't help either.

"packageUri": ${ARTIFACTURL} to "packageUri": "'"${ARTIFACTURL}"'"

Any known issue with rest api as well?

Thank you!
Sign in to comment
Vũ Nguyễn 0 Reputation points

2023-05-29T08:46:57.59+00:00

Create Linux VM (Ubuntu 20.04) in the same VNET as web app and use it as a Azure DevOps self-hosted agent.

https://techcommunity.microsoft.com/t5/apps-on-azure-blog/deploy-app-service-with-private-endpoint-enabled-via-azure/ba-p/3789370
Please sign in to rate this answer.

0 comments No comments
Sign in to comment