Reputation: 33
I have 6 App Services on 1 App Service Plan on Azure, with a private endpoint on each. Every Web App is using VNet integration. On 3 of them I'm experiencing 403 IP Forbidden from time to time. After a few minutes it comes back with no config changes.
nslookup is returning the proper addresses to me, but during the 403 I'm receiving the Web App's inbound IP address.
Do you know what might be the issue here?
Upvotes: 1
Views: 4331
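A quick way to catch the symptom described above (the name suddenly resolving to the public inbound IP instead of the private endpoint), as an added example that is not part of the original post: it parses nslookup output and flags any answer outside the private endpoint subnet. The subnet 10.0.1.0/24, the hostnames and all addresses are constructed placeholders; `check()` shells out to nslookup and can be pointed at the on-prem and Azure resolvers in turn.

```python
import ipaddress
import subprocess
from typing import Dict, List, Optional
# Assumed: the VNet subnet that holds the private endpoints (placeholder value).
PRIVATE_ENDPOINT_SUBNET = ipaddress.ip_network("10.0.1.0/24")

def parse_nslookup(output: str) -> List[str]:
    """Answer addresses only: the resolver's own Server:/Address: header sits
    before the first blank line and is skipped."""
    _, _, answers = output.partition("\n\n")
    found = []
    for token in answers.split():
        try:
            found.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue  # names, CNAME targets and labels are not addresses
    return found

def classify(addresses: List[str]) -> Dict[str, str]:
    """Label each answer: in the private endpoint subnet, another RFC1918
    address, or public (the resolver fell back to the public zone)."""
    result = {}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip in PRIVATE_ENDPOINT_SUBNET:
            result[addr] = "private-endpoint"
        else:
            result[addr] = "private-unexpected" if ip.is_private else "public-inbound"
    return result

def is_healthy(status: Dict[str, str]) -> bool:
    """Healthy only if every answer points into the private endpoint subnet."""
    return bool(status) and all(v == "private-endpoint" for v in status.values())

def check(hostname: str, resolver: Optional[str] = None) -> Dict[str, str]:
    """Live check via nslookup, optionally against a chosen resolver (on-prem vs Azure DNS)."""
    cmd = ["nslookup", hostname] + ([resolver] if resolver else [])
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return classify(parse_nslookup(out))

# Constructed nslookup output, healthy: the name resolves to the private endpoint.
SAMPLE_OK = "Server:\t\t10.0.0.4\nAddress:\t10.0.0.4#53\n\n" \
    "Non-authoritative answer:\nName:\tmyapp.privatelink.azurewebsites.net\n" \
    "Address: 10.0.1.5\n"
# Constructed nslookup output, failing: the on-prem resolver hands back the
# Web App's public inbound address, the symptom seen during the 403s.
SAMPLE_BAD = "Server:\t\t192.168.1.10\nAddress:\t192.168.1.10#53\n\n" \
    "Non-authoritative answer:\nName:\tmyapp.azurewebsites.net\n" \
    "Address: 20.50.60.70\n"
```

Running `check("myapp.azurewebsites.net", "168.63.129.16")` next to `check("myapp.azurewebsites.net", "<on-prem DNS IP>")` shows at a glance which resolver is serving the public zone.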
Reputation: 1
If you require on-prem DNS (VPNs do play up sometimes!), then configuring conditional forwarders for azurewebsites.net (and any others that you will use Private Endpoints for) to forward those requests to your Azure DNS over the VPN will solve the issue.
Upvotes: 0
Reputation: 33
The problem was in the DNS server infrastructure. We moved the DNS server from on-premises to Azure and it solved the problem.
Upvotes: 1
Reputation: 4301
I've seen problems with VNet integration in the past, and have had tickets open with Microsoft for them. There were some known issues that caused the wrong IP to be applied.
Go to the "Diagnose and solve problems" link on your app service, and enter "vnet" in the search box. Choose "Regional VNet Integration", and look at its output. When we experienced problems, we saw that one of the instances in the service wasn't getting a private IP address in the VNet.
We "resolved" by either restarting the app service, or, scaling the app service to a completely different tier (like from S2 to P1v2), waiting for the scale to complete, testing it (including running the troubleshooter and verifying addresses), then scaling back down to the original tier. The idea here was to get the app service off its current stamp and onto a different one.
Upvotes: 1