Deploy with pipelines to endpoint of private link

nishikata-h 21

Hello everyone.
I'm currently using two App Services to build a frontend and backend configuration system.

Communication from frontend to backend will be performed for private endpoint by creating a private link with backend.

Deploying to App Serivce was automated using Pipelines, but after creating a private endpoint on the backend, it now fails.

Since access to the backend is no longer possible from the Internet, I can guess that private communication is restricted to private, but I do not know how to deploy to this private endpoint.

If anyone knows about it, I would like to borrow your wisdom.

Alternatively, the "mvn azure-webapp: deploy" command from your local PC will succeed, so if you know how to execute this command in the pipeline, you can let me know.

Ryan O'Dell 6 Reputation points

2022-05-19T10:36:09.907+00:00

After all the searching and testing, the simple solution is to create a 'stage' deployment slot on your Azure resource, this will by default have 0% traffic and a public IP address.

In DevOps (or similar CD) you can then specify the 'stage' slot for the deployment, this will work.
After the deployment succeeds, you then add a powershell cli and use the following az cli command to switch active slots, this actually just swaps the application files, it doesn't swap the IP's.

az webapp deployment slot swap -g "resource group" -n "resource name" --slot stage --target-slot production

You can swap out the static values (i.e. "resource group", "resource name" for environment variables, either $variable or $env:variable depending on your OS).

It's that simple, I wish the documentation and internet would make it this easy to find!
Yini Wang 5 Reputation points

2023-03-16T09:33:02.02+00:00

i think this approach with staging deployment slot is safer than the accepted answer. In our project the agent is shared with different teams and if all the azure cloud ip addresses are allowed to communicate with our app service endpoint, it is not safe.
Baptiste VIALA 0 Reputation points

2023-10-04T02:35:46.3433333+00:00

This solution doesn't make sense for me, because then it's your staging slot that has public access enabled, and is accessible from the internet with its own domain name.

The proper way is to set up self-hosted deployment agents in the same VNET, so they can access the private App Service.

It is fairly easy to set up with a VMSS:
https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/scale-set-agents?view=azure-devops

Accepted answer

brtrach-MSFT 15,256 Reputation points Microsoft Employee

2020-09-17T06:07:05.58+00:00

@nishikata-h Please take a look at the below document, which calls out the need to add the necessary IP ranges that need to be added in the NSG of the network subnet that your private endpoint is in to allow the traffic from Azure DevOps.

Please let us know if this resolves the issue. Otherwise we can continue assiting you. We look forward to your reply.

https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#networking)
JSON file that contains the IP addresses, which is updated weekly. (https://www.microsoft.com/en-us/download/details.aspx?id=56519)
Please sign in to rate this answer.
Accounts 1 Reputation point

2021-07-10T12:23:04.32+00:00

Here Private endpoint for webapp is in East US and Devops Project is in Central US. do we need to allow Inbound Rules for Source IP and Destination will be any in NSG of private endpoint ? Or need to allow Outbound rules for This source

Sebastián D. Gauna 20 Reputation points

2023-08-04T10:06:14.8333333+00:00

This behaviour is really unacceptable, no wonder anyway comming from a Microsoft Service...
Not only you have to add tons of IPs to the configuration but also your private endpoint now is not so private since you are allowing traffic from IPs which are not only used by you. Absolutely nonsense.
Sign in to comment

2 additional answers

nishikata-h 21 Reputation points

2020-09-23T07:07:10.847+00:00

thanks brtrachMSFT-0711

I did my best to solve it.

I had to overcome some problems to solve this problem.
Please sign in to rate this answer.
shkumesh 1 Reputation point

2022-02-01T06:02:49.17+00:00

Hi ,

How did you resolve this? We are having the same problem?
Sign in to comment
Alessandro Surace 11 Reputation points

2021-02-17T14:28:36.66+00:00

Another solution would be to create a VPN or xpress route between azure and your data center and run a self hosted agent pool in such network.
In this case the DevOps pipeline should be configured to use such agent pool and the private endpoint should be reachable.
BR
Please sign in to rate this answer.
Sofia Noorbasha 1 Reputation point

2021-06-21T02:19:52.34+00:00

Hi Team,

Here i have doubt, i have created PLE subnet thn PLE i need to create or directly i need to configured agent pool.

Colud u pls provides any steps hoe to proceed or share any reference document, it will be helpful.

Thank you
Sign in to comment