
I am running my backend APIs in Azure App Service. I am trying to secure my APIs so that they can only be accessed from certain resources. When I access the API it gives Error 403 - Forbidden.

I have done:
  • Created a VNet and attached an NSG to it
  • Added all IPs in an NSG rule (all App Service outbound IPs and the system local/public IPs)
  • Attached the VNet to the App Service
  • App Service access restriction is off
.App service Access restriction is off

1) When I remove the NSG from the VNet, the App Service browses successfully.
2) When I add all outbound IPs and the system local/public IP, it also browses successfully.

How can the App Service be accessed only from specified IPs using the VNet and NSG while the App Service access restriction is set to off?

  • If you keep App Service access restrictions off, your web app will be available on the Internet and anyone can browse it. In order to restrict your web app to specific IPs, you need to enable App Service access restrictions by enabling VNet integration with your VNet and allowing the specific IPs. Example: if you have a SQL Server running inside a VM using a private IP, you can integrate the VM's VNet with App Service for your web app to fetch data from the SQL Server deployed in the VM with a private IP. – SiddheshDesai Jun 05 '23 at 06:29
  • Refer to this document on access restrictions: https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions?tabs=azurecli – SiddheshDesai Jun 05 '23 at 06:29
  • We have more than 31 IPs and we have added them in every App Service's access restrictions. When we have to update them it's so time consuming to update each and every App Service's access restrictions. We have added the same IPs in the NSG that is integrated with that same VNet subnet, but it is not working. Can we do this access restriction through the NSG in the VNet? How could that be possible? – Tahami Rizwan Jun 05 '23 at 07:54
  • For access restriction to work, you need to add a dedicated subnet to the VNet that you are integrating with. One option is to associate your VNet-integrated subnet with an NSG like below: https://i.imgur.com/n5PYC28.png and use the same subnet during VNet integration of your App Service: https://i.imgur.com/SVfpSlk.png Make sure the subnet is not used by any other service or delegated; it needs to be empty. – SiddheshDesai Jun 05 '23 at 08:37
  • Yes, I have implemented the same steps as you say: the subnet is delegated only to App Service and the NSG is associated with this subnet, but it is not working. I added the inbound rule in the NSG and this NSG is attached to the VNet, so it should work, but unexpectedly it's not working. Just tell me what I should add in the destination of the inbound rule? Pictures are attached below for a clearer view: https://imgur.com/a/hlWALdj – Nauman Kyani Jun 05 '23 at 09:49
  • Yes @SiddheshDesai, I have implemented the same steps as you said but it still doesn't work. Even though I allowed all the required IPs in the NSG rule, the App Service is giving 403 Forbidden when accessed from both allowed and not-allowed IPs. – Tahami Rizwan Jun 05 '23 at 11:28
  • The NSG rules inside the VNet are not reflected in VNet integration; only the private IPs, or private IPs used by Azure resources, are allowed by VNet integration. I think your scenario is not possible, unless you keep one dedicated VM with a private IP and then only allow VNet integration with that VM so the web app can access the private IP of the VM, and then have NSG rules for the VM, and have all your settings configured with that VM. – SiddheshDesai Jun 05 '23 at 14:25
  • Can I know if there's any resource deployed in your test VNet? – SiddheshDesai Jun 05 '23 at 14:31
  • Yes, we have an App Service and storage in the same VNet. – Tahami Rizwan Jun 06 '23 at 04:28
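
Added example, not from the question, the comments or the Microsoft documentation: regional VNet integration only governs the app's outbound traffic, so inbound source-IP filtering has to live in each app's access restrictions, and the "31 IPs across many apps" maintenance burden is best handled by scripting the real `az webapp config access-restriction add` command against one shared list. The resource group, app names and CIDRs below are constructed placeholders (RFC 5737 documentation ranges); override them through the environment.

```shell
#!/bin/sh
# Push one shared source-IP allow-list into the access restrictions of
# several App Services. All names and CIDRs here are constructed placeholders.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-placeholder}"
APPS="${APPS:-api-app-1 api-app-2}"
ALLOWED_CIDRS="${ALLOWED_CIDRS:-192.0.2.10/32 198.51.100.0/24}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the az commands instead of running them

# Return 0 only for a well-formed IPv4 CIDR (a.b.c.d/n, octets 0-255, n 0-32),
# so a typo in the list cannot silently create a rule that is too narrow or too wide.
valid_cidr() {
  ip=${1%/*}; prefix=${1#*/}
  [ "$ip" != "$1" ] || return 1                       # no "/" present
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the az CLI command for one allow rule. Priorities are derived from the
# list position, so the same list yields identical rule sets on every app.
build_rule_cmd() {
  app=$1; cidr=$2; idx=$3
  printf 'az webapp config access-restriction add --resource-group %s --name %s --rule-name allow-%s --action Allow --ip-address %s --priority %d' \
    "$RESOURCE_GROUP" "$app" "$idx" "$cidr" $((100 + idx))
}

# Validate the whole list first, then add every rule to every app. Once any allow
# rule exists on an app, App Service applies an implicit deny-all after it.
apply_allow_list() {
  for cidr in $ALLOWED_CIDRS; do
    valid_cidr "$cidr" || { echo "rejecting malformed CIDR: $cidr" >&2; return 1; }
  done
  for app in $APPS; do
    idx=0
    for cidr in $ALLOWED_CIDRS; do
      cmd=$(build_rule_cmd "$app" "$cidr" "$idx")
      if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else $cmd; fi
      idx=$((idx + 1))
    done
  done
}

if [ "${RUN_APPLY:-0}" = 1 ]; then apply_allow_list; fi
```

Run with `RUN_APPLY=1 DRY_RUN=1` first to review the generated commands, then without `DRY_RUN` to apply them; re-running is safe to review because the rule names and priorities are stable per list position.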
