1

I have an Azure app with two App Services. App Service A calls an API on App Service B.

I want to use Private Link to make sure the traffic between them is private and not going through public IP. So here is what I did:

  1. Created a new VNet

  2. Configured Private Endpoint from the two App Services to the new VNet, with Private DNS Integration

  3. Made sure the Private DNS got created, is linked to the new VNet, and both the services are registered in it.

  4. Made sure both the services are not accessible publicly (I get 403)

  5. For testing: Created a new VM in the VNet, and made sure I can browse from the VM to the services. Works fine. I browsed the services using their original URL: serviceX.azurewebsites.net.

However - when I try to call service B from service A (using the same URL - serviceb.azurewebsites.net), I get 403 (Forbidden).

What am I missing?

How can I make two app services connected with Private Link to the same VNet connect with each other?

ml123
  • 1,059
  • 2
  • 12
  • 27

1 Answers1

2

In this case, probably you need to integrate your app with an Azure virtual network and the integration subnet requires an unused subnet in the same VNet.

From Using Private Endpoints for Azure Web App,

Private Endpoint is only used for incoming flows to your Web App. Outgoing flows will not use this Private Endpoint, but you can inject outgoing flows to your network in a different subnet through the VNet integration feature.

Also, note that

If you route all of your outbound traffic into your VNet, it's subject to the NSGs and UDRs that are applied to your integration subnet. When you route all of your outbound traffic into your VNet, your outbound addresses are still the outbound addresses that are listed in your app properties unless you provide routes to send the traffic elsewhere.

In addition, If you set WEBSITE_VNET_ROUTE_ALL in the app settings to 1, all of your outbound calls are affected and If you wanted to have your app use Azure DNS private zones, you should set WEBSITE_DNS_SERVER with value 168.63.129.16.

Nancy
  • 26,865
  • 3
  • 18
  • 34