
I have set up an Azure App Service and connected it through Private Link, and I have disabled all public connectivity. While running tests using a webhook from ACR, I'm always getting "Error 403 - Forbidden: The web app you have attempted to reach has blocked your access."

On Access Restriction I have "Allow ALL" on both the scm and non-scm hosts, but I'm still getting the same result. I have not found any blocking rules in the Environment or in the App Service plan. Where should I look?

Laki

2 Answers

Private Link is for the hosted application, not the App Service resource. This means your hosted app can talk privately to an Azure service like APIM or a storage account directly. But when the App Service needs to pull an image from the registry privately, you will have to use an ASE, or App Service Environment.

Unfortunately, an ASE will cost almost 1K per month, because you are renting out space in their data center to support isolation for your App Services.

Mason H

I don't always get my head around the way Microsoft implements private endpoints. When you care about network security, you always want to work with private endpoints. However, private endpoints introduce the need for other services like a NAT firewall, VPN access, and more. Not to mention the expensive App Service Environment (ASE).

In the case of using ACR webhooks combined with private-endpoint-secured App Services, using a proxy App Service or Azure Function can be a solution. You can deploy this in the same App Service Plan and enable regional VNet integration. This allows the proxy to be publicly visible, while still being able to send a webhook inside the virtual network to the scm site of the other App Service. For security reasons, you should of course work with (managed) identities.

Cloudkollektiv
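The relay pattern from the second answer, as an added example (not code from the answer, from Azure, or from any Microsoft sample): a small validation and relay core that a proxy Function or App Service with regional VNet integration could run. It checks a shared secret sent as a custom header on the ACR webhook, accepts only `push` events for an allow-listed repository, and only then builds the request that goes into the VNet to the scm site. The scm host name, the `/api/registry/webhook` path, the `X-Webhook-Secret` header name, the repository name and the secret value are all assumptions for illustration; the sample event body is constructed.

```python
"""Validation and relay core for an ACR-webhook proxy sitting in front of a
private-endpoint-only App Service.

Flow: ACR (public) -> this proxy (public, VNet-integrated) -> <app>.scm.azurewebsites.net
The proxy never relays blindly: secret check, event type check, repository allow-list.
"""
import hmac
import json
import urllib.request
from typing import Dict, Optional

# Assumed configuration; in a real deployment these come from app settings / Key Vault.
SCM_HOST = "myapp.scm.azurewebsites.net"            # placeholder scm host name (assumption)
SCM_WEBHOOK_PATH = "/api/registry/webhook"          # Kudu registry webhook path (assumption)
ALLOWED_REPOSITORIES = {"team/web"}                  # only these repositories may trigger a deploy
SECRET_HEADER = "X-Webhook-Secret"                   # custom header configured on the ACR webhook
SHARED_SECRET = "replace-with-secret-from-key-vault"  # placeholder value (assumption)

# Constructed sample ACR push notification (shape of a registry push event).
SAMPLE_EVENT = json.dumps({
    "id": "00000000-0000-0000-0000-000000000001",
    "timestamp": "2023-01-01T12:00:00Z",
    "action": "push",
    "target": {
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
        "size": 1234,
        "digest": "sha256:0000000000000000000000000000000000000000000000000000000000000000",
        "length": 1234,
        "repository": "team/web",
        "tag": "1.4.2",
    },
    "request": {
        "id": "00000000-0000-0000-0000-000000000002",
        "host": "myregistry.azurecr.io",
        "method": "PUT",
        "useragent": "docker/20.10",
    },
})


class WebhookRejected(Exception):
    """Raised when an incoming webhook must not be relayed into the VNet."""


def verify_shared_secret(received: Optional[str], expected: str = SHARED_SECRET) -> bool:
    """Constant-time comparison of the header value against the configured secret."""
    if received is None:
        return False
    return hmac.compare_digest(received.encode(), expected.encode())


def parse_push_event(body: str) -> Dict[str, str]:
    """Return repository/tag/digest of a push event; reject anything else."""
    try:
        event = json.loads(body)
    except json.JSONDecodeError as exc:
        raise WebhookRejected(f"body is not JSON: {exc}") from None
    if event.get("action") != "push":
        raise WebhookRejected(f"ignoring action {event.get('action')!r}")
    target = event.get("target") or {}
    repo, tag, digest = target.get("repository"), target.get("tag"), target.get("digest")
    if not (repo and tag and digest):
        raise WebhookRejected("push event lacks repository/tag/digest")
    return {"repository": repo, "tag": tag, "digest": digest}


def build_relay_request(body: str, headers: Dict[str, str]) -> Dict[str, object]:
    """Validate the inbound webhook and describe the request to send to the scm site."""
    if not verify_shared_secret(headers.get(SECRET_HEADER)):
        raise WebhookRejected("missing or wrong shared secret")
    event = parse_push_event(body)
    if event["repository"] not in ALLOWED_REPOSITORIES:
        raise WebhookRejected(f"repository {event['repository']!r} is not allow-listed")
    return {
        "url": f"https://{SCM_HOST}{SCM_WEBHOOK_PATH}",
        "method": "POST",
        "headers": {"Content-Type": "application/json"},
        "body": body,
        "event": event,
    }


def relay(spec: Dict[str, object], auth_header: str, timeout: float = 10.0) -> int:
    """Send the relayed request into the VNet; auth_header carries the credential
    (e.g. a Basic header built from deployment credentials) and is supplied by the caller."""
    headers = dict(spec["headers"])
    headers["Authorization"] = auth_header
    req = urllib.request.Request(spec["url"], data=spec["body"].encode(),
                                 headers=headers, method=spec["method"])
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # only reachable from inside the VNet
        return resp.status
```

Only the proxy is exposed publicly, and it exposes nothing but the relay; the scm site stays reachable solely through the private endpoint. Keep the secret and the scm credential out of code (Key Vault references in app settings), and log rejected events so a misconfigured or spoofed webhook shows up in monitoring.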