In this post, let's go through an interesting scenario related to App Service
networking.
- App A: is integrated into VNet A.
- App B: has public network access enabled with no access restrictions, but it also has a Private Endpoint in VNet B.
(Screenshot: App B Networking settings)
- App A -> App B: 403 Forbidden. From anywhere else -> App B: 200.
- App A -> App C: 200
I was scratching my head for a couple of days trying to understand why App A -> App B returned 403 Forbidden, because
App B has public network access enabled, and a private endpoint and public access can co-exist on an app.
I could fix this by peering VNet A and VNet B, but I still needed to figure out why App A wasn't reaching App B on the default endpoint
(not on the private endpoint), since App B receives traffic
from any other source without a problem.
Finally, I got an explanation from Mads Wolff Damgård (a Principal Product Manager at Microsoft).
This is happening because I had
a Service Endpoint registered for Microsoft.Web in VNet A's
integration subnet for App A.
When we have a service endpoint registered, the traffic is sent over
the public channel, but as service endpoint traffic. This uses
the same protocol as the private endpoint, so it is then parsed as a
private endpoint call, but since VNet A has no knowledge of the
private endpoint, the traffic fails with 403.
Once I removed the service endpoint registration, App A was able to
reach App B without any issues.
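To make the rule above concrete, here is an added example (my own code, not from the post or from Microsoft) that checks an integration subnet's JSON, in the shape `az network vnet subnet show` returns, for the Microsoft.Web service endpoint and predicts the outcome for the cases the post describes. The sample subnet is constructed, and the `caller_vnet_sees_private_endpoint` flag (modelling the VNet peering fix) is an assumption.

```python
import json
from typing import Tuple

# Constructed sample in the shape `az network vnet subnet show` returns:
# App A's VNet-integration subnet with the Microsoft.Web service endpoint
# registered, which is the misconfiguration described in the post.
SUBNET_A = json.loads("""{
  "name": "app-a-integration",
  "delegations": [{"serviceName": "Microsoft.Web/serverFarms"}],
  "serviceEndpoints": [{"service": "Microsoft.Web", "provisioningState": "Succeeded"}]
}""")


def has_web_service_endpoint(subnet: dict) -> bool:
    """True if a Microsoft.Web service endpoint is registered on the subnet."""
    return any(ep.get("service") == "Microsoft.Web"
               for ep in subnet.get("serviceEndpoints", []))


def without_web_service_endpoint(subnet: dict) -> dict:
    """Copy of the subnet with the Microsoft.Web service endpoint removed (the
    fix from the post; on the CLI that is `az network vnet subnet update
    --service-endpoints` re-issued with the remaining services only)."""
    fixed = dict(subnet)
    fixed["serviceEndpoints"] = [ep for ep in subnet.get("serviceEndpoints", [])
                                 if ep.get("service") != "Microsoft.Web"]
    return fixed


def expected_status(caller_subnet: dict, target_has_private_endpoint: bool,
                    caller_vnet_sees_private_endpoint: bool) -> Tuple[int, str]:
    """Predict the status a VNet-integrated caller gets on the target's default
    hostname, following the explanation in the post. Assumes the target has
    public network access enabled with no access restrictions. The third flag
    is an assumption modelling the VNet peering workaround."""
    if not has_web_service_endpoint(caller_subnet):
        return 200, "plain public traffic"
    if not target_has_private_endpoint:
        return 200, "service endpoint traffic, target has no private endpoint"
    if caller_vnet_sees_private_endpoint:
        return 200, "service endpoint traffic matched to the known private endpoint"
    return 403, ("service endpoint traffic is parsed as a private endpoint call, "
                 "but the caller VNet has no knowledge of the target's private endpoint")
```

Run `expected_status(SUBNET_A, True, False)` for App A -> App B (403) and `expected_status(SUBNET_A, False, False)` for App A -> App C (200).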
So I hope someone finds this helpful!
Happy Coding.
Regards,
Jaliya