"Permissions for service are set to internal but this request was external" for app in same resource group

Question

The Azure API app documentation briefly describe three methods of protecting the API app. One of them is the internal accessibility settings: “Internal - Only other API apps or web apps in the same resource group are allowed to call the API app.”

I have create another Azure API app in the same resource group and hosting plan. But a get a HTTP 403 authorization failure with the following error message when I try to connect to the interal API app from the Web App:
“Permissions for service are set to internal but this request was external.”

Has anyone been able to use the internal settings between API Apps in the same Resource Group?

Answer 1

We will be documenting this soon. in the meantime, what you need to do is the following. You need to install nuget package Microsoft.Azure.AppService.ApiApps.Service. Then, create a delegating handler as follows:

class InternalCredentialHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        Runtime.FromAppSettings(request).SignHttpRequest(request);
        return base.SendAsync(request, cancellationToken);
    }
}

Then when you use HttpClient or a generated client to connect to another internal API, simply pass in the delegating handler. For example:

MySampleClient client = new MySampleClient(new DelegatingHandler[] { new InternalCredentialHandler() });

Thanks, Mohit

Edit: the documentation for this is now available at https://azure.microsoft.com/documentation/articles/app-service-api-dotnet-consume-internal/