App Service, Access Restrictions, and Cross-Tenant Peered VNET - 403 Forbidden

Steve Sanda 1 Reputation point
2024-04-29T20:18:35+00:00

Hi All,

I am trying to figure out how to allow traffic to an App Service using Access Restrictions from a peered VNET in a different tenant. The VNET is properly peered and traffic is flowing as expected; this is obvious because we are able to access and ping adjacent resources. However, when we access the App Service, we get a 403 Forbidden error.

With a peered VNET from a different tenant, we are unable to create an Access Restriction rule for the VNET like we can when the peered VNET is in the same tenant.

We have tried adding the IP address range of the peered VNET (10.52.0.0/16, for example) but the 403 error persists.

We have tried adding the public IP addresses of a few VMs on the peered VNET but the 403 error persists then, too.

So, we are confused as to how to get traffic into the App Service from a cross-tenant peered VNET with Access Restrictions.

Would a privatelink help solve our issue? We are not using a privatelink because we need certain firewall rules to allow certain Dataverse endpoints access over the internet as well. If we can use App Service privatelink along with access restrictions for public IPs OR can get Dataverse to access the App Service via privatelink, please advise.

Many thanks!

Azure App Service

2 answers

  1. Silvia Wibowo 3,166 Reputation points Microsoft Employee
    2024-04-30T00:38:53.81+00:00

    Hi @Steve Sanda , I understand that you want to restrict access to your App Service from a VM in a different Azure AD tenant.

    You don't need Vnet peering. You can't use Service Endpoint as your VM is in a different Azure AD tenant.

    You have 2 options:

    1. Restrict access on public IP address.
      1. Find out the outbound public IP address of your VM: either a Public IP address attached directly on your VM, NAT Gateway, or outbound IP of a Firewall.
      2. Configure your App Service: add IP restriction rule for your VM's outbound public IP address.
    2. Access using private IP address.
      1. Create a private endpoint for your App Service on your VM's subnet.
      2. Follow the steps from this guide: Cross-tenant secure access to Azure web apps with private endpoints.
      3. Optionally, you can disable public endpoint of your App Service.

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.


  2. ajkuma 22,841 Reputation points Microsoft Employee
    2024-05-03T06:44:25.57+00:00

    Steve Sanda,

    As you mention, peering two VNETs for connectivity: it sounds like your requirement is to keep traffic private on your network, which would then require a private endpoint. There isn't any other way to access a multi-tenant App Service over a private IP.

    In this scenario, based on my understanding of your requirement (aiming to implement a subnet-based access rule from a VNET in a separate tenant), I don't believe it's achievable.

    Depending on your requirement/scenario, I'm listing out other approaches; you may check out/consider these in case you haven't tried them:

    - Instead, you could use the "anyVnets" rule (App Service Access restrictions - Azure App Service | Microsoft Learn), but this of course allows any VNET, even other users'.

    - You can include individual public IPs or CIDR ranges as IP-based rules. If this isn't effective/not working, verify the arriving client IP. If the client has Service Endpoints for Microsoft.Web enabled on the client subnet, disable it. Only then would it utilize the public IP directly.

    - For cross-tenant private access, the common recommendation is simply to use Private Link. This has its own requirements; keep in mind that when you use Private Link, by default it disables public access, so if you require public access in parallel you would need to enable it.

    - It appears that the optimal approach for cross-tenant VMs would be to employ Private Link and, in parallel, enable public access and establish access restrictions for known internet clients. Alternatively, you could route these known internet clients through a frontend device like a WAF.

    Hope this helps. I can convert the comment to an answer.


    If the answer helped (pointed you in the right direction), please click Accept Answer; it will benefit the community by helping others find the right answer quickly.

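Both answers above make the same point: an IP-based access restriction is matched against the source address the App Service public endpoint actually observes, which for a VM in another tenant is its outbound public IP (public IP, NAT Gateway or firewall), never the private range of the peered VNET. The following model is an added illustration, not code from this thread or from Azure. It assumes the documented evaluation order of App Service access restrictions (rules checked by ascending priority number, first match wins, requests matching no rule get the "unmatched rule action", Deny by default). The rule names, the VM private IP and the outbound public IP 203.0.113.7 are constructed sample values; the 10.52.0.0/16 range comes from the question.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One access-restriction rule (constructed model, not the Azure object)."""
    name: str
    priority: int   # lower number is evaluated first
    action: str     # "Allow" or "Deny"
    cidr: str       # range the rule matches, e.g. "203.0.113.7/32"


def evaluate(rules, client_ip, unmatched_action="Deny"):
    """Return (action, rule_name) for the address the public endpoint observes.

    Rules are checked in ascending priority; the first match decides. With no
    match the unmatched-rule action applies, which is Deny once any rule exists.
    """
    addr = ip_address(client_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if addr in ip_network(rule.cidr, strict=False):
            return rule.action, rule.name
    return unmatched_action, "unmatched"


def diagnose(rules, private_ip, observed_ip):
    """Contrast what the rule author expected with what really arrives."""
    return {
        "expected_by_rule_author": evaluate(rules, private_ip),
        "actual_at_public_endpoint": evaluate(rules, observed_ip),
    }


# Constructed sample values (only the /16 comes from the question).
PEERED_VNET_RANGE = "10.52.0.0/16"
VM_PRIVATE_IP = "10.52.4.12"              # address inside the peered VNET
VM_OUTBOUND_PUBLIC_IP = "203.0.113.7"     # what the App Service endpoint sees

# The rule set the question describes: allow the peered VNET's private range.
QUESTION_RULES = [
    Rule("allow-peered-vnet", 100, "Allow", PEERED_VNET_RANGE),
]

# The rule set the answers recommend: allow the VM's outbound public IP.
WORKING_RULES = QUESTION_RULES + [
    Rule("allow-vm-outbound", 200, "Allow", f"{VM_OUTBOUND_PUBLIC_IP}/32"),
]

# Priority ordering: a specific Allow with a lower number beats a broader Deny.
ORDERED_RULES = [
    Rule("deny-provider-range", 50, "Deny", "203.0.113.0/24"),
    Rule("allow-vm-outbound", 10, "Allow", f"{VM_OUTBOUND_PUBLIC_IP}/32"),
]


if __name__ == "__main__":
    for label, rules in (("question", QUESTION_RULES), ("working", WORKING_RULES)):
        print(label, diagnose(rules, VM_PRIVATE_IP, VM_OUTBOUND_PUBLIC_IP))
    print("ordered", evaluate(ORDERED_RULES, VM_OUTBOUND_PUBLIC_IP))
```

Running it shows the 403 from the question: the private-range rule would allow 10.52.4.12, but that address never reaches the public endpoint, so the observed 203.0.113.7 falls through to the default Deny. Adding the outbound public IP as a /32 rule is what makes the request match; the ordered set shows why a low-numbered Allow must sit ahead of any broader Deny. When checking a real app, confirm the observed address the same way the second answer suggests (verify the arriving client IP) before adding the rule.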