
I have configured my app service to be part of a subnet within a VNET.

Now I have integrated my app service with a private endpoint within the same VNET.

With the private endpoint integration, I'm now not able to access the app service (i.e. my API) on the public internet, where I'm getting a 403 Forbidden error, which is the expected behaviour to restrict access on the public network.

But the issue is, I want to expose this API via APIM (which is internal) configured within a separate subnet in the same VNET, but I'm now not able to access the API with the private endpoint IP address. I was hoping that the resources within the VNET would be able to reach the App service using its private IP address.

I also tried to configure a VM in a separate subnet within the same VNET, but when I ping the API private IP from the VM, I'm getting "request timed out".

Currently there have not been any rules set up in the NSG to restrict the subnets from talking to each other.

Please let me know how to expose the API with a private endpoint via APIM, which is also configured to be internal only.

Madhuraj Vadde
Aryan M
  • To be more clear, you have one VNET. In that VNET one subnet is connected to the App service, and in another subnet of the same VNET you have one VM. Now from the VM, you try to access that web app/web API, right? – dotnetstep Jul 06 '21 at 03:42
  • @dotnetstep That's correct – Aryan M Jul 06 '21 at 04:48
  • Why don't you use Application Gateway to route the external request to your APIM? For instance, https://learn.microsoft.com/en-us/azure/architecture/example-scenario/apps/publish-internal-apis-externally – Rajeesh Madambat Jul 06 '21 at 05:35
  • Thank you Rajeesh for your input. The plan is to enable all incoming API requests via App Gateway -> APIM -> App service (i.e. API). I still need the APIs to be exposed via a private endpoint for other implementations of my application. For the above implementation, I would still end up with an issue trying to configure the App service API in APIM, as I'm not able to reach the API using the private IP within the VNET – Aryan M Jul 06 '21 at 06:12
  • As per my knowledge ping is blocked, so it is a bit of a problem. Instead of that, try with your domain name yourweb.azurewebsites.net. There are some steps for DNS configuration. – dotnetstep Jul 06 '21 at 15:20
  • Please suggest any articles where one has been able to configure the private endpoint app service via APIM. – Aryan M Jul 20 '21 at 04:11

1 Answer

You also need to configure a private DNS zone, as now your app's FQDN needs to be resolved to the private IP instead of a public one.

https://learn.microsoft.com/en-us/azure/private-link/create-private-endpoint-powershell

Update:

Just want to add that the app service cannot be accessed via the IP, as it is assigned to the app service plan, which can be shared by other app services. The FQDN is required for the app service plan to do L7 routing.

LarryX
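The private DNS zone setup this answer refers to, as an added example that is not the answerer's code or the linked article's script; the resource group, VNet, private endpoint and app names are assumptions, and it assumes the Az PowerShell modules (Az.Network, Az.PrivateDns) are installed and you are signed in to the subscription.

```powershell
# Added example: give the VNet a privatelink zone so the app's FQDN resolves to the
# private endpoint IP for everything inside the VNet (APIM in internal mode, the VM),
# while the public name keeps returning 403 from outside.
$rg   = 'rg-api'          # assumption: resource group holding the VNet and the private endpoint
$vnet = 'vnet-api'        # assumption: the VNet shared by App Service, APIM and the test VM
$pe   = 'pe-appservice'   # assumption: name of the existing App Service private endpoint
$app  = 'myapi'           # assumption: the app name, i.e. myapi.azurewebsites.net

# 1. The zone name is fixed for App Service private endpoints: privatelink.azurewebsites.net.
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name 'privatelink.azurewebsites.net'

# 2. Link the zone to the VNet. Every subnet in the VNet (APIM internal, the VM) now
#    resolves through it; registration is off because nothing should auto-register here.
$vnetObj = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnet
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone.Name `
    -Name 'link-vnet-api' -VirtualNetworkId $vnetObj.Id -EnableRegistration:$false

# 3. Attach the zone to the private endpoint as a DNS zone group. Azure then creates and
#    maintains the A records (the app and its .scm host) pointing at the endpoint's private IP.
$cfg = New-AzPrivateDnsZoneConfig -Name 'appservice-zone' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe `
    -Name 'default' -PrivateDnsZoneConfig $cfg

# 4. Verify from the VM inside the VNet (not from your workstation, which still sees the
#    public address): the public name should CNAME to the privatelink name, and that
#    name should resolve to the private endpoint IP.
Resolve-DnsName "$app.azurewebsites.net" | Select-Object Name, Type, NameHost, IPAddress

# 5. Ping stays silent (ICMP is blocked, as the comments note), so test the way APIM
#    will call the backend: HTTPS to the FQDN, which App Service needs for host-based
#    routing on the shared plan IP.
Invoke-WebRequest -Uri "https://$app.azurewebsites.net/" -UseBasicParsing |
    Select-Object StatusCode
```

In APIM, point the backend at `https://myapi.azurewebsites.net` (the FQDN, never the private IP); because internal-mode APIM resolves names through the VNet, the same zone link sends its calls to the private endpoint.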