
I have configured two App Services (following this tutorial):

  1. Frontend app - all outbound traffic is using a subnet (10.0.0.0/24) on a VNet
  2. Backend app - access restrictions are set to 'block public access' and I assigned a Private Endpoint connection using a second subnet (10.0.1.0/24) on the same virtual network as the frontend.

After this configuration, the 'inbound address' on the backend changed to an IP address within the virtual network (10.0.1.x) instead of a public IP address. Visiting the backend with the URL shows the 403 FORBIDDEN error as I expected.

In the Kudu console I see that the WEBSITE_PRIVATE_IP has an internal IP address within the VNet (10.0.0.x). Executing the following commands in the Kudu Bash shell shows that all configuration looks fine:

nslookup [backend-app].azurewebsites.net returns Address: 10.0.1.x

curl https://[backend-app].azurewebsites.net returns the contents of the backend site.

When I run these commands from another terminal session, nslookup returns the external IP address, and the curl command returns 403 FORBIDDEN.

So far, so good.

However, when the frontend app makes a request to the backend (using the Axios package), it still receives a 403 IP FORBIDDEN error. How come the Kudu console can make the request, but the frontend app itself is not allowed to do so?

1 Answer

The only thing sticking out to me, based on the information you've provided, is verifying the front-end is calling the correct backend host. Assuming you've already verified that and Route All is enabled, then I would reference Troubleshoot virtual network integration with Azure App Service, specifically, Network troubleshooter so you can collect some traces.

As weird as it may sound, it seems like your front-end code is ignoring Azure Private DNS and the traffic is routing out to the internet rather than going through the VNET.

Ryan Hill