
I have 6 App Services on 1 App Service Plan on Azure, with a private endpoint on each. Every Web App uses VNet integration. On 3 of them I'm experiencing 403 IP Forbidden from time to time. After a few minutes it comes back to life with no config changes.

  • There are no IP restrictions set.
  • On Networking -> Private Endpoints connection state is Approved.
  • I can see my App Service in Private DNS zone.

nslookup is returning the proper addresses to me, but during the 403 I'm receiving the Web App's inbound IP address.

Do you know what might be an issue here?

Maciek Psiuk

3 Answers


I've seen problems with, and had tickets with Microsoft for, VNet integration in the past. There were some known issues that caused the wrong IP to be applied.

Go to the "Diagnose and solve problems" link on your app service, and enter "vnet" in the search box. Choose "Regional VNet Integration", and look at its output. When we experienced problems, we saw that one of the instances in the service wasn't getting a private IP address in the VNet.

We "resolved" by either restarting the app service, or, scaling the app service to a completely different tier (like from S2 to P1v2), waiting for the scale to complete, testing it (including running the troubleshooter and verifying addresses), then scaling back down to the original tier. The idea here was to get the app service off its current stamp and onto a different one.

WaitingForGuacamole
  • Thanks for the comment! I've recreated all services with the plan and it seems to be healthier.., but not fully healthy :D still 403 for ~3-10 minutes from time to time; do you maybe have a link to those tickets at Microsoft? – Maciek Psiuk Feb 24 '21 at 13:41
  • I can't reveal supporting details for those tickets, as they include configuration information specific to our environment. Did the troubleshooter show a problem with one or more of your instances' private IP addresses? As in, one or more looked ok, but there were instances that had no private IP assignment or an erroneous one? If so, I would submit a support request on that basis. – WaitingForGuacamole Feb 24 '21 at 14:20
  • No, actually the troubleshooter didn't help; it shows the private IP all the time. – Maciek Psiuk Feb 25 '21 at 12:53

The problem was in the DNS server infrastructure. We moved the DNS server from on-premises to Azure and it solved the problem.

Maciek Psiuk

If you require on-prem DNS (VPNs do play up sometimes!), then configuring conditional forwarders for azurewebsites.net (and any others you will use Private Endpoints for) to forward those requests to your Azure DNS over the VPN will solve the issue.
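A small check for the symptom described in the question (the App Service hostname resolving to its public inbound IP instead of the private endpoint, which then answers 403 IP Forbidden), as an added example that is not part of the original question or answers. The hostname and the VNet address space are constructed placeholders; the classifier also flags the 'mixed' case where some resolver answers are private and some public.

```python
"""Check whether an App Service hostname resolves into the private endpoint's VNet."""
import ipaddress
import socket

# Constructed sample values for illustration (not taken from the original question).
HOSTNAME = "myapp.azurewebsites.net"
VNET_CIDR = "10.10.0.0/16"   # address space of the VNet that holds the private endpoint


def classify(answers, vnet_cidr):
    """Classify the A-record answers returned for an App Service hostname.

    'private-endpoint': every answer lies inside the VNet address space (healthy).
    'public-inbound':   no answer is inside it, i.e. the resolver handed out the
                        public inbound IP; a private-endpoint-enabled app rejects
                        that path with 403 IP Forbidden.
    'mixed':            some answers private, some public (split-horizon DNS drift).
    'empty':            nothing resolved.
    """
    net = ipaddress.ip_network(vnet_cidr)
    if not answers:
        return "empty"
    inside = [ipaddress.ip_address(a) in net for a in answers]
    if all(inside):
        return "private-endpoint"
    if not any(inside):
        return "public-inbound"
    return "mixed"


def resolve(hostname):
    """Return the IPv4 addresses the local resolver currently hands out (empty on NXDOMAIN)."""
    try:
        infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check(hostname, vnet_cidr):
    """Resolve the hostname and return (verdict, answers) for logging or alerting."""
    answers = resolve(hostname)
    return classify(answers, vnet_cidr), answers


if __name__ == "__main__":
    # Run this periodically from the client that sees the intermittent 403s.
    verdict, answers = check(HOSTNAME, VNET_CIDR)
    print(f"{HOSTNAME}: {verdict} {answers}")
```

Running it in a loop from the affected client during a 403 window shows whether the resolver flipped to the public inbound IP, which is the DNS-side cause the accepted answers point to.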