question

RichardAD-8339 asked:

Why am I getting socketexception 10013 after moving a .Net5 web app from V2 to V3 app service plan?


I have an az cli script to create a new P1V3 service plan in a new resource group with a new app service and configuring vnet integration with an existing subnet to other services (SQL, Storage, keyvault) in a different resource group.

I then deploy a .Net5 webapp which gets an exception on start-up trying to connect to the keyvault.
If I change the script to generate a P1V2 service plan everything works fine.

Any ideas?

The reason for moving is that the existing resource group does not support V3. The new V3 app service is configured identically to the V2 one which works, connecting to resources in the existing resource group.

Here's the exception from the event log:
<Data>Application: w3wp.exe CoreCLR Version: 5.0.220.61120 .NET Version: 5.0.2 Description: The process was terminated due to an unhandled exception. Exception Info: System.Net.Http.HttpRequestException: An attempt was made to access a socket in a way forbidden by its access permissions. (???keyvault.vault.azure.net:443) ---> System.Net.Sockets.SocketException (10013): An attempt was made to access a socket in a way forbidden by its access permissions. at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.ThrowException(SocketError error, CancellationToken cancellationToken) at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.System.Threading.Tasks.Sources.IValueTaskSource.GetResult(Int16 token) at System.Net.Sockets.Socket.<ConnectAsync>g__WaitForConnectWithCancellation|283_0(AwaitableSocketAsyncEventArgs saea, ValueTask connectTask, CancellationToken cancellationToken) at System.Net.Http.HttpConnectionPool.DefaultConnectAsync(SocketsHttpConnectionContext context, CancellationToken cancellationToken) at System.Net.Http.ConnectHelper.ConnectAsync(Func`3 callback, DnsEndPoint endPoint, HttpRequestMessage requestMessage, CancellationToken cancellationToken) --- End of inner exception stack trace --- at Microsoft.Rest.RetryDelegatingHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken) at Microsoft.Azure.KeyVault.KeyVaultCredential.ProcessHttpRequestAsync(HttpRequestMessage request, CancellationToken cancellationToken) at Microsoft.Azure.KeyVault.KeyVaultClient.GetSecretsWithHttpMessagesAsync(String vaultBaseUrl, Nullable`1 maxresults, Dictionary`2 customHeaders, CancellationToken cancellationToken) at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.GetSecretsAsync(IKeyVaultClient operations, String vaultBaseUrl, Nullable`1 maxresults, CancellationToken cancellationToken) at Microsoft.Extensions.Configuration.AzureKeyVault.AzureKeyVaultConfigurationProvider.LoadAsync() at Microsoft.Extensions.Configuration.AzureKeyVault.AzureKeyVaultConfigurationProvider.Load() at Microsoft.Extensions.Configuration.ConfigurationRoot..ctor(IList`1 providers) at Microsoft.Extensions.Configuration.ConfigurationBuilder.Build() at Microsoft.Extensions.Hosting.HostBuilder.BuildAppConfiguration() at Microsoft.Extensions.Hosting.HostBuilder.Build() at ???.Web.Program.Main(String[] args) in ???\Program.cs:line 19 </Data>

azure-webapps

For what it's worth, I can get the app working on P1V2, then I can upgrade it to P1V3 - then it still fails to start with the same exception.


It appears to be an issue with the keyvault firewall allowing traffic through from the vnet/subnet on V3. It works on V2 and when I change the firewall settings on the keyvault to 'Allow all networks' the app gets past this issue and starts up.

It then continues on to successfully connect with SQL over the same vnet/subnet that didn't work with the keyvault.


Thanks for the additional info @RichardAD-8339. I'll forward this information along to see if this is an issue or current limitation.

Regards,
Ryan


I have updated the script to now also create a new vnet/subnet and add that to the existing resources.
Again though I get the same exception when connecting to the keyvault from the app running in P1V3.
When I change the plan to P1V2 it all works, so I know there are no issues with the app deployment, nor the azure resource creation.

The really odd thing is that the issue is only with the keyvault when connecting through vnet from a P1V3 plan.
The identical set-up works fine when switched to P1V2.


It may be helpful to create a support case on this if you have access. Based on what you're saying it sounds like there could be an issue with the VNET integration on the v3 sku, or you can share your application name indirectly: https://github.com/projectkudu/kudu/wiki/Reporting-your-site-name-without-posting-it-publicly


Fortunately, we are going through all of this to test that it will work in production.
We're spinning up an expensive plan to ensure all of the required features are working, e.g. vnet integration etc.
When we are not testing it we pull it down so there isn't actually an app instance you can look at.
We could arrange to spin it up at a specific time, but we can't just leave it on costing us $$$ for nothing.


BradyGaster-3562 answered:

After a very cursory look at this and for some external resources on it I saw a blog post from Steve Smith here: https://ardalis.com/attempt-made-to-access-socket/

It looks like this might be related. After Windows 10 Update KB4074588, some ports are reserved by Windows and applications cannot bind to these ports. 50067 is in the blocked range. Apologies if this isn't related, but do let us know, I'll be watching this post.


@BradyGaster-3562 thanks for your comment - I can't find the blog post though, the link above is to this issue.
Cheers
Richard.


ryanchill answered:

We've determined the root cause to be related to PV3 SKUs not receiving the .NET5 dual stack socket support patch. There is a planned fix for this omission that will roll out in the next deployment.

Regards,
Ryan

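A way to tell the socket-level failure in this thread apart from a network rule that blocks the route, as an added diagnostic that is not code from the thread, the app or Azure. It probes the vault endpoint from inside the app two ways: with the address-family-less Socket constructor (dual-mode where IPv6 is supported, the constructor .NET 5's default HttpClient connect path uses) and with an IPv4-only socket; the vault host and the place it is called from are placeholders.

```csharp
// Added diagnostic (not from the thread). Call ProbeAsync("<vault>.vault.azure.net")
// from a health endpoint or from Program.Main before the Key Vault configuration
// provider is added, and log the returned string.
using System;
using System.Net;
using System.Net.Sockets;
using System.Threading.Tasks;

public static class VaultConnectivityProbe
{
    public static async Task<string> ProbeAsync(string host, int port = 443)
    {
        string dual = await TryConnectAsync(host, port, ipv4Only: false);
        string v4 = await TryConnectAsync(host, port, ipv4Only: true);
        // Dual-mode failing with 10013 while IPv4-only connects points at the platform's
        // socket handling; both failing points at the route or the network rules instead.
        return $"dual-mode: {dual}; ipv4-only: {v4}";
    }

    private static async Task<string> TryConnectAsync(string host, int port, bool ipv4Only)
    {
        // Same constructor HttpClient uses in .NET 5 (dual-mode where IPv6 is available)
        // versus an explicitly IPv4-only socket.
        using var socket = ipv4Only
            ? new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp)
            : new Socket(SocketType.Stream, ProtocolType.Tcp);
        try
        {
            // DnsEndPoint lets the runtime resolve and pick addresses matching the family.
            await socket.ConnectAsync(new DnsEndPoint(host, port));
            return $"connected to {socket.RemoteEndPoint}";
        }
        catch (SocketException ex)
        {
            // ErrorCode is the native code; 10013 is WSAEACCES on Windows.
            return $"SocketException {ex.ErrorCode} ({ex.SocketErrorCode})";
        }
        catch (Exception ex)
        {
            return $"{ex.GetType().Name}: {ex.Message}";
        }
    }
}
```

The probe only opens a TCP connection and sends nothing, so it needs no credentials; a Key Vault network-rule denial shows up as an HTTP 403 on the real request, not as a failed connect, which is why a result of "both probes connect" still leaves the firewall rules to check.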