Private access to Web App in app service plan S1

LORENZO SALERNO 1

Hi,

I have an old App service plan S1 tier that contains 3 web apps.

The frontend webapp should be accessed only through the Application gateway exposed to the internet, so I created a private endpoint and a private dns zone associated to the vnet. The connectivity from the application gateway to the web app works properly, I have the backend healthy and the connection troubleshoot shows reachability to the private endpoint of the webapp.
User's image

The same happen if I try a tcp ping or a telnet from a VM in the same network.

The problem is that when I try to connect via browser to the webapp from the application gateway or from the VM, I got 403 unauthorized.

When I open the public access of the webapp everything works again.

KapilAnanth-MSFT 37,566 Reputation points Microsoft Employee

2024-05-15T05:26:48.44+00:00
@LORENZO SALERNO ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to use an Application Gateway as a revere proxy for a Web App with Private EndPoint enabled.

Wrt Probes succeeding,

I am not sure where you ran the connectivity test, but can you confirm if the probes are HTTP/HTTPS and not TCP

Note that 403 is an Application layer error (HTTP Status code) and not a connectivity related issue

Of course your connectivity is fine

The same goes for TCPPing or a Telnet from a VM - instead, you must use CURL or directly access the site from a browser using the FQDN of the App Service.

Wrt App gateway health probes,

Are you using a custom health probe or a default health probe?

While default health probe considers any status code between 200 and 399 as healthy, the same cannot be said for a custom health probe.

It is possible that you are defined a custom probe, which considers 403 as a healthy one and hence not marking the backend as unhealthy

If you are using a custom probe, please make sure you have not included 403 in the successful probe status.

If you have validated all the above,

Are you accessing the App gateway with it's public IP or you have DNS Configured.

In any case, what is the "hostname" you use in the health probe ?

If you access the App service directly from a VM in the same VNET using the Private EndPoint via Browser, what is the response?

Is there any specific reason you want to use Private EndPoint instead of Service EndPoint?

I see the documents highlighting the setup with a Service EndPoint only

See : Configure App Service with Application Gateway

Cheers,

Kapil
LORENZO SALERNO 1 Reputation point

2024-05-15T13:39:21.58+00:00
Hi Kapil,

thank you for your answer.

Wrt Probes:

It is HTTPS and the 403 is not included in the response status code.

Here the configuration of the probe: Wrt ApplicationGateway:

I connect to it by using the FQDN associated to the public IP address of the Application Gateway

In the probe I pick the hostname from the backend settings

the backend settings pick host name from backend target (the web app)

so the hostname is the one of the webapp (mywebappname.azurewebsites.net)

If I access the App service directly from a VM in the same VNET using the Private EndPoint via Browser, the response is again 403.
KapilAnanth-MSFT 37,566 Reputation points Microsoft Employee

2024-05-15T14:03:03.7966667+00:00
@LORENZO SALERNO ,

Wrt, "If I access the App service directly from a VM in the same VNET using the Private EndPoint via Browser, the response is again 403"

This indicates the issue is not with App gateway, but with Private EndPoint's configuration or DNS

From the VM, open Powershell and share the results of

nslookup <AppServiceFQDN>

nslookup <AppServiceFQDN> 168.63.129.16

tnc <AppServiceFQDN> -p 443

Please use <YOURWEBAPP>.azurewebsites.net and not <YOURWEBAPP>.privatelink.azurewebsites.net

Do you have a custom domain configured on the App Service?

Cheers,

Kapil
LORENZO SALERNO 1 Reputation point

2024-05-15T15:14:35.6033333+00:00
Yes exactly, Can it be a problem of the app service plan?

nslookup <AppServiceFQDN> Non-authoritative answer: Name: <AppServiceFQDN>.privatelink.azurewebsites.net Address: 10.220.1.160 Aliases: <AppServiceFQDN>.azurewebsites.net

nslookup <AppServiceFQDN> 168.63.129.16 same answer as above

tnc <AppServiceFQDN> -p 443
ComputerName :<AppServiceFQDN>.azurewebsites.net RemoteAddress : 10.220.1.160 RemotePort : 443 InterfaceAlias : Ethernet SourceAddress : TcpTestSucceeded : True

No custom domain configured
LORENZO SALERNO 1 Reputation point

2024-05-15T17:18:44.5733333+00:00

Hi Kapil,

I restarted the web app, recreated the Private DNS zone and private endpoint, now from the VM I can access the webapp also when in private mode! But still is not working from the application gateway...

I get this error from the connection throubleshoot:

DNS resolution is not working even if the private dns zone is attached to the application gateway vnet
KapilAnanth-MSFT 37,566 Reputation points Microsoft Employee

2024-05-19T17:30:12.85+00:00
@LORENZO SALERNO ,

The issue could be related to DNS Cache in App gateway.

You can try stopping and starting the App gateway

See : Why am I seeing 502 errors or unhealthy backend servers after I changed the DNS servers for the virtual network?

Also : How can I stop and start Application Gateway?

More details on DNS resolution error

Are you sure the App gateway and the VM use the same DNS Servers?

It is possible that the VM has a different DNS configured in the NIC Settings however App Gateway used the DNS defined in the VNET

Do you use a custom DNS Server in the VNET

or the 168.63.129.16 IP?

(I wanted to check this from your Server/Address but it was not shared in your last comment, only the DNS response was shared)

Cheers,

Kapil

Share via

Private access to Web App in app service plan S1