
Azure App Service Restrictions - allow app service A for app service B

Azure app service A needs to call Azure app service B using System.Net.WebClient class.

Access to app service B is restricted to company's IP range only, through

Azure > app service > Networking > Access Restrictions

Tried adding <public ip of app service A>/32 to B's allow list but that did not work - System.Net.WebClient.DownloadData threw a 403 Forbidden exception.

What else can I try?

It looks like it's impossible to restrict to the public IP address in the Access Restrictions of app service B, since both app services are in the same app service plan.

Azure App Service is a multi-tenant service, except for App Service Environments. Apps that are not in an App Service Environment (not in the Isolated tier) share network infrastructure with other apps. If you restrict the inbound or possible outbound public IP address of a web app service, it looks like restricting access from itself. Even so, per my understanding, it should limit the private IP address of the instance in the web app service over the Azure backbone network. However, we cannot know the private IP address of each app service.

You can use an Azure service plan with the Isolated price tier, but its cost is high. So I suggest recreating web app service A in a different service plan in a different region. Then restrict to the possible outbound IP addresses of web app service A.

Additionally, you can get a further understanding of the Azure app service plan in this blog.
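The last step of this answer, scripted as an added example that is not code from the thread: read app A's `possibleOutboundIpAddresses` with the Azure CLI and turn every address into an Allow rule on app B, so nothing relies on a single "public IP" like the /32 the question tried. Resource group and app names are placeholders passed as arguments.

```shell
#!/usr/bin/env sh
# Added example, not from the original thread.
# Usage: sh sync_b_allowlist.sh <resource-group> <app-A> <app-B> [apply]
# Without the trailing "apply" it only prints the az commands it would run.
set -eu

# possibleOutboundIpAddresses is one comma-separated string; emit one /32 per line.
split_outbound_ips() {
  printf '%s\n' "$1" | tr ',' '\n' | sed '/^$/d; s#$#/32#'
}

# One Allow rule per outbound address of A on B's access restrictions.
# Once any Allow rule exists, App Service denies every other source by default,
# so these rules together are B's complete allow list for A.
# Rule names embed the address so a later re-sync (after A is scaled or moved,
# which can change its outbound set) can be diffed against what is already there.
emit_rules() {
  ips="$1"; rg="$2"; app_b="$3"; mode="${4:-}"; prio=100
  for cidr in $(split_outbound_ips "$ips"); do
    name="allow-a-$(printf '%s' "${cidr%/32}" | tr . -)"
    cmd="az webapp config access-restriction add -g $rg -n $app_b --rule-name $name --action Allow --ip-address $cidr --priority $prio"
    if [ "$mode" = "apply" ]; then
      $cmd
    else
      printf '%s\n' "$cmd"
    fi
    prio=$((prio + 1))
  done
}

# Main flow only runs when the placeholders are supplied on the command line.
if [ $# -ge 3 ]; then
  ips=$(az webapp show -g "$1" -n "$2" --query possibleOutboundIpAddresses -o tsv)
  emit_rules "$ips" "$1" "$3" "${4:-}"
  # Verify what B actually enforces after the change.
  [ "${4:-}" = "apply" ] && az webapp config access-restriction show -g "$1" -n "$3" -o table
fi
```

Re-run the script whenever app A's plan changes, because the outbound set is per plan and the old rules on B then allow addresses A no longer uses.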

I understand what you are trying to achieve, and I suggest you utilize Azure Traffic Manager.

Azure Traffic Manager is a DNS-based traffic load balancer. This service allows you to distribute traffic to your public-facing applications across the global Azure regions. Traffic Manager also provides your public endpoints with high availability and quick responsiveness.

Traffic Manager uses DNS to direct the client requests to the appropriate service endpoint based on a traffic-routing method. The traffic manager also provides health monitoring for every endpoint. The endpoint can be any Internet-facing service hosted inside or outside of Azure. Traffic Manager provides a range of traffic-routing methods and endpoint monitoring options to suit different application needs and automatic failover models. Traffic Manager is resilient to failure, including the failure of an entire Azure region.

Please visit the link below for more information: https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview

I faced the same problem and found a solution.

This method can also disable public access to Service B.

Private endpoints can also be used in this scenario, but they disable the SCM (Kudu) site as well, which is used for deployments from Azure Pipelines etc.
