Two app services with private endpoints in the same VNet cannot communicate with each other

JohnTristam 0 Reputation points
2024-04-09T21:57:54.3233333+00:00

I have two App Services in the same subscription: a front end app which is publicly accessible, and an API/backend app which has public access disabled. The front end app needs to be able to query and pull data from the private API web app. The way it's coded, it is currently pointed at the API web app service's FQDN (app-api-test39.azurewebsites.net).

The two app services both have private endpoints deployed onto the same virtual network. When public access is enabled on the API app service, everything works fine, but once it's disabled there's no connectivity over the private endpoint. I figured since both private endpoints are configured on the same VNet, they should be accessible to each other.

What am I missing here? And also, is there a better way to test connectivity between the two app services?


2 answers

  1. msrini-MSFT 9,256 Reputation points Microsoft Employee
    2024-04-10T06:52:12.77+00:00

    Hi,

    Even though you have a Private Endpoint to an App Service, it is still a PaaS service and it will not be able to communicate with VNET resources until and unless your App Service is linked to a VNET.

    Even if you link an App Service to a VNET, when the App Service tries to resolve an FQDN, it uses Azure DNS. You will need to force the App Service to use a custom DNS server in your VNET which can return the private IP address of the private endpoint to get this setup working.

    A Private Endpoint is used by resources which are native to a VNET to access PaaS resources over a private IP. In this case, both the source and destination are PaaS services, so you will need to tweak your architecture to make the source Web App native to the VNET and force it to use custom DNS for resolution, where it can resolve to the Private Endpoint.

    Regards,

    Karthik Srinivas


  2. KapilAnanth-MSFT 35,086 Reputation points Microsoft Employee
    2024-04-10T06:57:44.4933333+00:00

    @JohnTristam ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    Your observation is incorrect.

    • A Private EndPoint can only provide inbound connectivity from a VNET (or other peered VNETs) to a PaaS Service - in your case, the App Service.
    • i.e., a Private EndPoint cannot initiate/make an outbound connection, only accept/receive incoming traffic/connections.
    • So, having two Private EndPoints for two App Services does not mean they will be able to communicate with each other over the private network (VNET).

    Instead,

    • From your verbatim, "The front end app needs to be able to query and pull data from the private API web app, the way it's coded, it is currently pointed at the API web app services FQDN" - I take it that the Front end app requires public access and should make a private connection to the API web app (Backend end app).
      i.e., the Front end app makes an outbound call.
    • You should consider VNET Integration for the Front end app and a Private EndPoint for the Backend end app.
    • Here, VNET integration supports outbound calls (within the VNET) for the Front End and the PE supports incoming connections (within the VNET) for the Backend.

    The above is for private communication between the Front end app and the Backend end app in a unidirectional way.

    • Should you be fine with both the Apps being public, you may simply whitelist the outbound IPs used by Front end app in the Backend end app's Access restrictions.
    • Make sure to set the "Unmatched Rule" to "Deny"
    • This way, only Front end app can access the Backend end app publicly.

    Hope this helps.

    Cheers,

    Kapil

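Both answers come down to the same check: whether the caller's DNS answer for the backend name is the private endpoint IP inside the VNet or the public cluster address. The script below, an added example that is not part of either answer, classifies a DNS result for the backend FQDN from the question; the VNet range 10.20.0.0/16 and the sample addresses are constructed for illustration, and the live `resolve()` helper is only run when the file is executed directly.

```python
# Added example (not from the original question or answers). Run it from the
# front end's environment (e.g. the Kudu console) to see which address the
# backend FQDN resolves to. Only an address inside the VNet means the call can
# reach the private endpoint; a public address means Azure public DNS was used.
from __future__ import annotations
import ipaddress
import socket
from dataclasses import dataclass

BACKEND_FQDN = "app-api-test39.azurewebsites.net"   # from the question
VNET_CIDRS = ["10.20.0.0/16"]                        # constructed sample VNet range


@dataclass
class Verdict:
    reachable_privately: bool
    reason: str


def diagnose(fqdn: str, addresses: list[str], vnet_cidrs: list[str]) -> Verdict:
    """Classify the A records returned for fqdn against the VNet's address space."""
    nets = [ipaddress.ip_network(c) for c in vnet_cidrs]
    ips = [ipaddress.ip_address(a) for a in addresses]
    if not ips:
        return Verdict(False, f"{fqdn}: no A record, the name did not resolve at all")
    in_vnet = [ip for ip in ips if any(ip in n for n in nets)]
    if in_vnet:
        return Verdict(True, f"{fqdn} -> {in_vnet[0]} is inside the VNet: "
                             "resolution reached the private endpoint")
    if any(ip.is_private for ip in ips):
        return Verdict(False, f"{fqdn} -> {ips[0]} is private but outside this VNet: "
                              "check which private DNS zone is linked")
    return Verdict(False, f"{fqdn} -> {ips[0]} is public: the caller used public DNS, "
                          "so the request goes to the public front door and is rejected "
                          "while public access is disabled; VNet-integrate the caller "
                          "and give it DNS that serves the private zone")


def resolve(fqdn: str) -> list[str]:
    """Live lookup using the local resolver; only used under __main__."""
    infos = socket.getaddrinfo(fqdn, 443, family=socket.AF_INET)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    print(diagnose(BACKEND_FQDN, resolve(BACKEND_FQDN), VNET_CIDRS).reason)
```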