I'm on the last stage of my journey to try and lock down public access to the app. After a bunch of research I decided on using "Private Endpoints" so that we can only access apps when on the work VPN. I did manage to get this to work; however, when I set up custom domains in the VNet it no longer works. I've looked at countless resources and even hit the second page of Google a few times...
Basic Setup
I have set up a VM and an out-of-the-box Node App Service in Azure. Both are accessible publicly. I have set up private endpoints for the App Service and put both on the same VNet. The VM can reach the app nicely, and publicly I can't (yay!)
Here's what I see:
[screenshot: my VNet DNS settings]
[screenshot: the app working on a VM on the VNet]
When it doesn't work
So the above works, but I want to supply my own DNS servers so I can resolve stuff on our internal network, which is peered to the VNet. All I do is update the DNS settings to include my custom ones and the Amazon one (just in case).
Now I get a 403 - Forbidden as if I'm accessing it externally:
Several of the tutorials mentioned updating the hosts file as a test (vs. updating internal DNS). I believe I did this the way they were showing, but same result.
I'm near giving up and using a separate VNet for inbound/outbound, since I only need the custom DNS on the outbound side.
Random Resources
- https://www.youtube.com/watch?v=8Zof54j8qWk&ab_channel=WintellectNOW
- https://learn.microsoft.com/en-us/azure/private-link/create-private-endpoint-portal#create-a-private-endpoint
- https://learn.microsoft.com/en-us/azure/app-service/networking-features#private-endpoint
- https://learn.microsoft.com/en-us/azure/app-service/networking/private-endpoint
- https://learn.microsoft.com/en-us/answers/questions/264747/azure-app-service-with-private-endpoint-throws-403.html
- https://learn.microsoft.com/en-us/answers/questions/11844/403-forbidden-access-is-denied.html
- After azure publish my domain gives 403 error
- Azure App Service Deploy returns (403) Forbidden with IP restriction
- WebApp private endpoint azure vpn
- Azure API Management with custom domain getting HTTP 403 error
- Periodically getting 403 IP Forbidden on App Service with private endpoint
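Added example, not part of the question above: a small Python check for the symptom described (private endpoint works with Azure DNS, 403 appears as soon as custom DNS servers are set). It resolves the App Service hostname through whatever resolver the VM is using and reports whether the answer lands inside the VNet (the private endpoint) or outside it (the public front end, which returns 403 once public access is off). It also parses a hosts-file text so the hosts-file test can be double-checked. `APP_HOSTNAME`, `VNET_PREFIX` and the sample hosts text are placeholders/assumptions; `168.63.129.16` is Azure's platform resolver address.

```python
import ipaddress
import socket

# Placeholders (assumptions, not values from the question): the App Service default
# hostname and the address space of the VNet that holds the private endpoint.
APP_HOSTNAME = "myapp.azurewebsites.net"
VNET_PREFIX = "10.0.0.0/16"
AZURE_DNS = "168.63.129.16"  # Azure-provided resolver that custom DNS should forward to


def resolve(hostname):
    """Resolve hostname through the VM's configured resolver (i.e. the VNet DNS servers)."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def verdict(addresses, vnet_prefix):
    """Classify where the resolved addresses point.

    'private'    every address is inside the VNet -> traffic reaches the private endpoint
    'public'     no address is inside the VNet   -> traffic hits the public front end (403)
    'mixed'      some of each -> intermittent 403s depending on which answer the client uses
    'unresolved' nothing came back
    """
    net = ipaddress.ip_network(vnet_prefix)
    if not addresses:
        return "unresolved"
    inside = sum(1 for a in addresses if ipaddress.ip_address(a) in net)
    if inside == len(addresses):
        return "private"
    if inside == 0:
        return "public"
    return "mixed"


def explain(result):
    """Map a verdict to the next thing to check."""
    return {
        "private": "Name resolves to the private endpoint; a 403 here is not a DNS problem.",
        "public": ("Name resolves to the public address, so the request is served by the public "
                   "front end, which answers 403 once public access is disabled. Make the custom "
                   f"DNS servers forward azurewebsites.net to Azure DNS ({AZURE_DNS}) or add the "
                   "private endpoint IP for this hostname to the hosts file."),
        "mixed": "Resolvers disagree; check each DNS server listed on the VNet individually.",
        "unresolved": "No answer at all; the custom DNS servers are not reachable from the VM.",
    }[result]


def hosts_file_entry(hosts_text, hostname):
    """Return the IP a hosts-file text maps to hostname, or None (first match wins).

    Used to double-check the hosts-file test from the question: the entry must use the
    exact hostname typed into the browser, not the privatelink.azurewebsites.net name.
    """
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if hostname.lower() in (n.lower() for n in names):
            return ip
    return None


if __name__ == "__main__":
    # Run this on the VM inside the VNet, once with Azure DNS and once with the custom servers.
    addrs = resolve(APP_HOSTNAME)
    result = verdict(addrs, VNET_PREFIX)
    print(APP_HOSTNAME, "->", addrs, result)
    print(explain(result))
```

Run it on the VM before and after switching the VNet DNS servers; if the verdict flips from `private` to `public`, the custom servers are answering with the public address instead of forwarding the `azurewebsites.net` lookup to Azure DNS, and the 403 is the public front end refusing the request rather than an access-policy problem on the app itself.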