Joost

Reputation: 344

Deploy to an Azure Web App with a private endpoint

I have configured an Azure Web App with a private endpoint and want to deploy to it using Azure DevOps. I have found this possibility using Azure Blob storage and Azure CLI: https://azure.github.io/AppService/2021/03/01/deploying-to-network-secured-sites-2.html

The following Azure CLI webapp deploy command:

az webapp deploy --name $WEBAPP --resource-group $GROUP --type zip --src-url $ZIP_URL --async false

However, it gives the following HTTP 403 error: The web app you have attempted to reach has blocked your access.

I am using a service principal to log in.

Any clues what I am missing here?

Upvotes: 1

Views: 5339

Answers (3)

Mohit

Reputation: 11

If the above doesn't work, then replace " with '. The below works for me:

az rest --method PUT --uri https://management.azure.com/subscriptions/${SUBSCRIPTIONID}/resourceGroups/${GROUP}/providers/Microsoft.Web/sites/${WEBAPP}/extensions/onedeploy?api-version=2022-03-01 --body "{'properties': {'type': 'zip','packageUri': '${ZIP_URL}' }}"

Upvotes: 1

sebrosander

Reputation: 31

Using the earlier suggested solution, I ran into the following error:

"ERROR: Bad Request({"error":{"code":"BadRequest","message":"System.NullReferenceException: Object reference not set to an instance of an object.\r\n at Kudu.Services.Deployment.PushDeploymentController.<OneDeploy>d__13.MoveNext() in C:\\Kudu Files\\Private\\src\\master\\Kudu.Services\\Deployment\\PushDeploymentController.cs:line 187"}}"

I solved this by adjusting "packageUri": ${ARTIFACTURL} to "packageUri": "'"${ARTIFACTURL}"'".

The full working task for me looks like the following:

- task: AzureCLI@2
  displayName: Azure CLI
  inputs:
    azureSubscription: 'customer a'
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      EXPIRY=$(date -u -d "$EXPIRY_TIME" '+%Y-%m-%dT%H:%MZ')
      az storage blob upload -f $(Pipeline.Workspace)/**/*.zip --account-name $ACCOUNT -c $CONTAINER
      ZIP_URL=$(az storage blob generate-sas --full-uri --permissions r --expiry $EXPIRY --account-name $ACCOUNT -c $CONTAINER -n s.zip | xargs)
      az rest --method PUT --uri https://management.azure.com/subscriptions/${SUBSCRIPTIONID}/resourceGroups/${GROUP}/providers/Microsoft.Web/sites/${WEBAPP}/extensions/onedeploy?api-version=2022-03-01 --body '{"properties": {"type": "zip", "packageUri": "'"${ZIP_URL}"'" }}'

Upvotes: 3

Joel Neukom

Reputation: 649

I had the same problem and opened a Microsoft Support ticket. That was the answer: There is a problem with "az webapp deploy --src-url": It actually doesn't go via ARM API, but directly to the scm endpoint of the web-app (which is blocked due to private endpoint setup).

[Image: az webapp deploy not going via ARM proxy]

There is a bug reported to fix this: https://github.com/Azure/azure-cli/issues/21168

The solution in the meantime is not to use the Azure CLI command "az webapp deploy", but to call the ARM API directly. In your case it's something like this:

az rest --method PUT --uri https://management.azure.com/subscriptions/${SUBSCRIPTIONID}/resourceGroups/${RESOURCEGROUP}/providers/Microsoft.Web/sites/${WEBAPP}/extensions/onedeploy?api-version=2022-03-01 --body '{"properties": {"type": "zip", "packageUri": ${ARTIFACTURL} }}'

[Image: rest particularly uses ARM proxy]

This call will go via ARM proxy and won't be blocked by your private endpoint setup.

Upvotes: 3
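
The quoting problem the answers above work around, as an added example that is not part of any answer: it builds the onedeploy body so the SAS URL is expanded by the shell and still arrives as a quoted JSON string. The function names, the https-only check and the sample URL are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): building the onedeploy body.

# JSON-escape backslashes and double quotes in a string.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the request body from a package URL.
# Assumption: anything that is not an https URL is rejected.
build_onedeploy_body() {
    case "$1" in
        https://*) ;;
        *) echo "packageUri must be an https URL" >&2; return 1 ;;
    esac
    printf '{"properties": {"type": "zip", "packageUri": "%s"}}' "$(json_escape "$1")"
}

# The "before" form: the whole body sits inside single quotes, so the shell
# never expands the variable and the value is not a JSON string.
broken_body() {
    printf '%s' '{"properties": {"type": "zip", "packageUri": ${ZIP_URL} }}'
}

# Constructed sample value, not a real SAS URL.
ZIP_URL='https://example.blob.core.windows.net/deploy/app.zip?sp=r&se=2030-01-01T00:00Z&sig=PLACEHOLDER'

BODY=$(build_onedeploy_body "$ZIP_URL") || exit 1
printf 'broken: %s\nfixed:  %s\n' "$(broken_body)" "$BODY"

# The call itself, with the URI quoted so "?" is never treated as a glob:
# az rest --method PUT \
#   --uri "https://management.azure.com/subscriptions/${SUBSCRIPTIONID}/resourceGroups/${GROUP}/providers/Microsoft.Web/sites/${WEBAPP}/extensions/onedeploy?api-version=2022-03-01" \
#   --body "$BODY"
```

Because the SAS URL is a bearer credential for the package, keep `$BODY` out of echoed pipeline output once the quoting is confirmed.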
