Reputation: 4212
Azure app service A needs to call Azure app service B using the System.Net.WebClient class.
Access to app service B is restricted to the company's IP range only, through Azure > app service > Networking > Access Restrictions.
Tried adding <public ip of app service A>/32 to B's allow list but that did not work - System.Net.WebClient.DownloadData threw a 403 Forbidden exception.
What else can I try?
Upvotes: 2
Views: 3477
Reputation: 146
I faced the same problem and found a solution.
This method can also disable public access to Service B.
Private endpoints can also be used in this scenario, but they disable the SCM (Kudu) site as well, which is used for deployments from Azure Pipelines etc.
Upvotes: 0
Reputation: 106
I understand what you are trying to achieve and I would suggest you utilize the Azure Traffic Manager.
Azure Traffic Manager is a DNS-based traffic load balancer. This service allows you to distribute traffic to your public-facing applications across the global Azure regions. Traffic Manager also provides your public endpoints with high availability and quick responsiveness.
Traffic Manager uses DNS to direct the client requests to the appropriate service endpoint based on a traffic-routing method. The traffic manager also provides health monitoring for every endpoint. The endpoint can be any Internet-facing service hosted inside or outside of Azure. Traffic Manager provides a range of traffic-routing methods and endpoint monitoring options to suit different application needs and automatic failover models. Traffic Manager is resilient to failure, including the failure of an entire Azure region.
Please visit the link below for more information: https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview
Upvotes: 0
Reputation: 28234
It looks like it's impossible to restrict the public IP address in the Access Restrictions of app service B, since both app services are in the same app service plan.
Azure App Service is a multi-tenant service, except for App Service Environments. Apps that are not in an App Service Environment (not in the Isolated tier) share network infrastructure with other apps. If you restrict the inbound or possible outbound public IP address of the web app service, it looks like restricting access from itself. Even so, per my understanding, it should limit the private IP address of the instance in the web app service over the Azure backbone network. However, we cannot know the private IP address of each app service.
You can use an App Service plan with the Isolated price tier, but it is high cost. So I suggest recreating web app service A in a different service plan in a different region. Then allow the possible outbound IP addresses of web app service A.
Additionally, you can get a further understanding of the Azure app service plan in this blog.
Upvotes: 1
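The last answer's suggestion, allowing all of app A's possible outbound IP addresses on app B rather than the single "public IP" the question tried, is shown below as an added example; it is not code from the original question or answers. It assumes the Azure CLI commands `az webapp show --query possibleOutboundIpAddresses -o tsv` (prints a comma-separated list) and `az webapp config access-restriction add`, and uses placeholder resource-group and app names (RG_A/APP_A for the caller, RG_B/APP_B for the callee). The IP-to-CIDR conversion and command generation are pure shell functions that run offline on a constructed address list; the `az` calls only run when `RUN_AZ` is set, so the generated rules can be reviewed first. Keep in mind the caveat from the answer above: these outbound addresses are shared by other apps on the same multi-tenant scale unit, so the allow list admits those apps too, which is why the answer recommends a separate plan and region for A.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. Placeholder names (assumptions):
RG_A="${RG_A:-rg-a-placeholder}";   APP_A="${APP_A:-appservice-a-placeholder}"
RG_B="${RG_B:-rg-b-placeholder}";   APP_B="${APP_B:-appservice-b-placeholder}"

# Turn the comma-separated list printed by
#   az webapp show -g "$RG_A" -n "$APP_A" --query possibleOutboundIpAddresses -o tsv
# into one /32 CIDR per line (empty fields are dropped).
to_allow_cidrs() {
  printf '%s\n' "$1" | tr ',' '\n' | sed '/^$/d' | sed 's#$#/32#'
}

# Number of allow rules that would be created for a given list.
count_cidrs() {
  to_allow_cidrs "$1" | wc -l | tr -d ' '
}

# Emit one `az webapp config access-restriction add` command per CIDR for
# app B. Rules get consecutive priorities starting at $2 (default 100) so
# they sit above any catch-all deny rule. Output is text, nothing is run.
build_allow_commands() {
  ips="$1"; prio="${2:-100}"; n=0
  for cidr in $(to_allow_cidrs "$ips"); do
    printf 'az webapp config access-restriction add --resource-group "%s" --name "%s" --rule-name "allow-%s-%d" --action Allow --ip-address %s --priority %d\n' \
      "$RG_B" "$APP_B" "$APP_A" "$n" "$cidr" "$((prio + n))"
    n=$((n + 1))
  done
}

# Constructed sample list (TEST-NET addresses), standing in for az output.
SAMPLE_IPS='203.0.113.10,203.0.113.11,203.0.113.12'
echo "Rules that would be created from the constructed sample:"
build_allow_commands "$SAMPLE_IPS" 100

# Real run: fetch A's possible outbound IPs and apply the rules to B.
if [ -n "${RUN_AZ:-}" ]; then
  ips=$(az webapp show -g "$RG_A" -n "$APP_A" \
          --query possibleOutboundIpAddresses -o tsv)
  echo "Allowing $(count_cidrs "$ips") outbound addresses of $APP_A on $APP_B"
  build_allow_commands "$ips" 100 | sh
fi
```

Running the script without `RUN_AZ` only prints the commands; with `RUN_AZ=1` and real names it creates one Allow rule per address. After applying, a 403 from B means the request left A via an address not in the list (re-run after A is scaled or moved, since the possible outbound set changes with the plan), while the answer's private endpoint and Isolated-tier options avoid the shared-address problem altogether.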