Greg

Reputation: 4045

How to grant DevOps pipeline access to app service API

In my pipeline file, after I deploy to an app service slot (which has network restrictions enabled), I want to execute an API on the app service, but keep getting 403 - Forbidden.

Here is my PowerShell task:

- stage: Deploy
  jobs:
  - deployment:
    pool:
      vmImage: 'windows-latest'
    strategy:
      runOnce:
        deploy:
          steps:
          - task: PowerShell@2
            condition: eq(variables.deployToSlot, 'true')
            inputs:
              targetType: 'inline'
              script: |
                $repoUrl = "https://$(azureWebAppName)-staging.azurewebsites.net/api/warmup"
                Invoke-RestMethod -Uri $repoUrl -Method "GET" -ContentType "application/json; charset=utf-8"

I added the AzureDevOps service tag as an inbound rule under network settings on the app service slot, thinking this would allow the API call from the pipeline to succeed.

Here is the result:

Error 403 - Forbidden
The web app you have attempted to reach has blocked your access.

Upvotes: 0

Views: 664

Answers (1)

Kim Xu-MSFT

Reputation: 2206

To grant access with an MS-hosted agent, add the "AzureCloud.region" service tag as an inbound rule under network settings on your app service slot. Make sure to add all of your region's service tags. Check this link for details: https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#networking

Also, from your API script, I could not see any credentials, for example a username and password or a PAT.

Upvotes: 2
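
The answer's rule wired into the pipeline, as an added example that is not part of the original thread: it allows the `AzureCloud.<region>` tags on the slot only for the duration of the warmup call and removes the rules afterwards, because those tags cover the region's Azure datacenter public IP ranges, not only pipeline agents. It assumes the script runs in an `AzureCLI@2` task with a PowerShell script type (so `az` is already signed in); the resource group, app name, regions, rule names and priorities are placeholders.

```powershell
# Added example: temporary AzureCloud.<region> allow rules around the warmup call.
# Every value below is a placeholder; set them for your own slot.
$resourceGroup = '<resource-group>'
$appName       = '<app-name>'
$slot          = 'staging'
$regions       = @('<region-1>', '<region-2>')   # regions your hosted agents run in
$warmupUrl     = "https://${appName}-${slot}.azurewebsites.net/api/warmup"
$added         = @()
$priority      = 200                              # assumed free in the slot's rule list
try {
    foreach ($region in $regions) {
        $rule = "pipeline-warmup-$priority"
        az webapp config access-restriction add `
            --resource-group $resourceGroup --name $appName --slot $slot `
            --rule-name $rule --action Allow `
            --service-tag "AzureCloud.$region" --priority $priority | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not add rule for AzureCloud.$region" }
        $added += $rule
        $priority++
    }
    # Retry while the slot still answers 403, in case the rules are not active yet.
    for ($attempt = 1; $attempt -le 6; $attempt++) {
        try {
            Invoke-RestMethod -Uri $warmupUrl -Method Get | Out-Null
            Write-Host "Warmup succeeded on attempt $attempt"
            break
        } catch {
            $status = [int]$_.Exception.Response.StatusCode   # 0 when there is no HTTP response
            if ($status -ne 403 -or $attempt -eq 6) { throw }
            Start-Sleep -Seconds 10
        }
    }
}
finally {
    # Remove the temporary rules even when the warmup call failed.
    foreach ($rule in $added) {
        az webapp config access-restriction remove `
            --resource-group $resourceGroup --name $appName --slot $slot `
            --rule-name $rule | Out-Null
    }
}
```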
