When I run a release pipeline for an Azure App Service with a private endpoint, the error below happens: Error: Failed to fetch Kudu App Settings. Error: Ip Forbidden (CODE: 403)
Any suggestion?
The reason for this is that when you add a private endpoint to your web app, all Internet traffic to this app is cut off. Since the Azure DevOps default build/release agents have a public IP, they can't access the web app anymore.
To resolve your issue, in Azure create a VM or a VM Scale Set either in the same VNet as your private endpoint of the web app. Then add this scale set as a new agent pool. Finally, make sure that in the release pipeline settings, the release is using this new agent pool.
I think you need to deploy some self-hosted agents.
From here: "For the Kudu console, or Kudu REST API (deployment with Azure DevOps self-hosted agents for example), you must create two records in your Azure DNS private zone or your custom DNS server."
These are automatically created if using privatelink.azurewebsites.net. But that now means they are local and the App Service is closed off from the internet, which blocks Microsoft's agents. So there is no line of sight, which means you need an agent that is hosted to get line of sight to it again.
More about self-hosted agents can be found here, which talks about line of sight etc.
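A preflight check for the line-of-sight point above, written as an added example that is not part of the original answers: run on the agent before the deploy step, it confirms that both the app host and its Kudu (scm) host resolve to addresses inside the VNet. The app name `my-app`, the range `10.10.0.0/16` and the function names are assumptions, as is the default `<app>.azurewebsites.net` / `<app>.scm.azurewebsites.net` naming.

```python
import ipaddress
import socket
import sys


def resolve(host):
    """Return the set of addresses the agent's own resolver gives for host."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()  # no record at all: treated as a failure below
    # Drop any IPv6 scope id ("fe80::1%eth0") before parsing later.
    return {info[4][0].split("%")[0] for info in infos}


def kudu_preflight(app_name, vnet_cidrs, resolver=resolve):
    """Check that the app host and its Kudu host resolve into the VNet.

    Returns {hostname: (ok, sorted_addresses)}. ok is True only when the
    name resolves and every address lies inside one of vnet_cidrs.
    """
    nets = [ipaddress.ip_network(cidr) for cidr in vnet_cidrs]
    report = {}
    # Assumption: default App Service host names; the scm host is Kudu.
    for host in (f"{app_name}.azurewebsites.net",
                 f"{app_name}.scm.azurewebsites.net"):
        addrs = sorted(resolver(host))
        parsed = [ipaddress.ip_address(a) for a in addrs]
        ok = bool(parsed) and all(
            any(ip in net for net in nets) for ip in parsed)
        report[host] = (ok, addrs)
    return report


if __name__ == "__main__":
    # Usage: preflight.py <app-name> <vnet-cidr> [<vnet-cidr> ...]
    # The defaults are constructed placeholders, not real resources.
    app = sys.argv[1] if len(sys.argv) > 1 else "my-app"
    cidrs = sys.argv[2:] or ["10.10.0.0/16"]
    result = kudu_preflight(app, cidrs)
    for host, (ok, addrs) in result.items():
        state = "private" if ok else "NOT in VNet"
        print(f"{host}: {state} {addrs}")
    # A non-zero exit fails the pipeline step before the deploy task runs.
    sys.exit(0 if all(ok for ok, _ in result.values()) else 1)
```

If only the scm host fails, the second DNS record is the one missing from the private zone or custom DNS server.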
Another workaround is to deploy via green/blue deployment slots. While the production slot is connected via private endpoint, the second slot can be restricted to the IP address of your repo. After deploying your code to the secondary slot, do a swap.