Why am I getting SocketException 10013 after moving a .Net5 web app from V2 to V3 app service plan?

RichardAD 1 Reputation point
2021-01-28T04:55:13.087+00:00

I have an az cli script that creates a new P1V3 service plan in a new resource group with a new app service and configures VNet integration with an existing subnet to other services (SQL, Storage, Key Vault) in a different resource group.

I then deploy a .Net5 webapp which gets an exception on start-up trying to connect to the keyvault.
If I change the script to generate a P1V2 service plan everything works fine.

Any ideas?

The reason for moving is that the existing resource group does not support V3. The new V3 app service is configured identically to the V2 one which works, connecting to resources in the existing resource group.

Here's the exception from the event log:
<Data>Application: w3wp.exe
CoreCLR Version: 5.0.220.61120
.NET Version: 5.0.2
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Net.Http.HttpRequestException: An attempt was made to access a socket in a way forbidden by its access permissions. (???keyvault.vault.azure.net:443)
 ---> System.Net.Sockets.SocketException (10013): An attempt was made to access a socket in a way forbidden by its access permissions.
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.ThrowException(SocketError error, CancellationToken cancellationToken)
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.System.Threading.Tasks.Sources.IValueTaskSource.GetResult(Int16 token)
   at System.Net.Sockets.Socket.<ConnectAsync>g__WaitForConnectWithCancellation|283_0(AwaitableSocketAsyncEventArgs saea, ValueTask connectTask, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.DefaultConnectAsync(SocketsHttpConnectionContext context, CancellationToken cancellationToken)
   at System.Net.Http.ConnectHelper.ConnectAsync(Func3 callback, DnsEndPoint endPoint, HttpRequestMessage requestMessage, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at Microsoft.Rest.RetryDelegatingHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)
   at Microsoft.Azure.KeyVault.KeyVaultCredential.ProcessHttpRequestAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at Microsoft.Azure.KeyVault.KeyVaultClient.GetSecretsWithHttpMessagesAsync(String vaultBaseUrl, Nullable1 maxresults, Dictionary2 customHeaders, CancellationToken cancellationToken)
   at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.GetSecretsAsync(IKeyVaultClient operations, String vaultBaseUrl, Nullable1 maxresults, CancellationToken cancellationToken)
   at Microsoft.Extensions.Configuration.AzureKeyVault.AzureKeyVaultConfigurationProvider.LoadAsync()
   at Microsoft.Extensions.Configuration.AzureKeyVault.AzureKeyVaultConfigurationProvider.Load()
   at Microsoft.Extensions.Configuration.ConfigurationRoot..ctor(IList`1 providers)
   at Microsoft.Extensions.Configuration.ConfigurationBuilder.Build()
   at Microsoft.Extensions.Hosting.HostBuilder.BuildAppConfiguration()
   at Microsoft.Extensions.Hosting.HostBuilder.Build()
   at ???.Web.Program.Main(String[] args) in ???\Program.cs:line 19
</Data>


2 answers

  1. Brady Gaster 1 Reputation point Microsoft Employee
    2021-01-29T18:44:28.693+00:00

    After a very cursory look at this and at some external resources on it, I saw a blog post from Steve Smith here: https://ardalis.com/attempt-made-to-access-socket/

    It looks like this might be related. After Windows 10 Update KB4074588, some ports are reserved by Windows and applications cannot bind to these ports. 50067 is in the blocked range. Apologies if this isn't related, but do let us know, I'll be watching this post.


  2. Ryan Hill 26,146 Reputation points Microsoft Employee
    2021-03-11T17:25:34.377+00:00

    We've determined the root cause to be related to PV3 SKUs not receiving the .NET5 dual stack socket support patch. There is a planned fix for this omission that will roll out in the next deployment.

    Regards,
    Ryan

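A diagnostic for the dual-stack cause named in the second answer, added here as an example and not code from the thread or from Microsoft: it opens the same endpoint once with a dual-mode socket (the kind .NET 5's default HTTP handler uses, as the `DefaultConnectAsync` frame in the trace suggests) and once with an IPv4-only socket, then compares the socket errors. The class name `DualStackProbe` and the host argument are assumptions; pass your own vault host name.

```csharp
// Added diagnostic, not code from the thread. Pass your vault host as the first argument.
using System;
using System.Net;
using System.Net.Sockets;
using System.Threading.Tasks;

static class DualStackProbe
{
    // Creates a socket with the given factory, attempts one TCP connect, and
    // returns the SocketError instead of throwing. Creation is inside the try
    // because a restricted host can reject the socket before any connect.
    static async Task<SocketError> ProbeAsync(Func<Socket> create, EndPoint target)
    {
        try
        {
            using Socket socket = create();
            await socket.ConnectAsync(target);
            return SocketError.Success;
        }
        catch (SocketException ex)
        {
            return ex.SocketErrorCode; // 10013 is SocketError.AccessDenied
        }
    }

    static async Task<int> Main(string[] args)
    {
        if (args.Length == 0) { Console.Error.WriteLine("usage: probe <host>"); return 2; }
        var target = new DnsEndPoint(args[0], 443);

        // Dual-mode: an IPv6 socket that also carries IPv4 (what this constructor
        // creates when the OS reports IPv6 support).
        SocketError dual = await ProbeAsync(
            () => new Socket(SocketType.Stream, ProtocolType.Tcp), target);
        // IPv4-only socket to the same endpoint.
        SocketError v4 = await ProbeAsync(
            () => new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp), target);

        Console.WriteLine($"dual-mode: {dual} ({(int)dual})");
        Console.WriteLine($"IPv4-only: {v4} ({(int)v4})");

        if (dual == SocketError.AccessDenied && v4 == SocketError.Success)
            Console.WriteLine("Only the dual-mode socket is refused: matches the dual-stack cause given above.");
        else if (dual == v4 && dual != SocketError.Success)
            Console.WriteLine("Both fail the same way: check the network path rather than the socket type.");
        return dual == SocketError.Success ? 0 : 1;
    }
}
```

Run it inside the affected App Service instance, since the result depends on the host the process runs on and not on the vault.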