First of all, I've read https://docs.microsoft.com/en-us/answers/questions/264747/azure-app-service-with-private-endpoint-throws-403.html, which didn't resolve my problem.
I have a private network to connect a web app to a SQL Server instance. While adding the web app, a DNS zone named "privatelink.azurewebsites.net" is created with 2 records (scm and non-scm) pointing to the private IP of the web app. While adding the SQL Server instance to this network, another DNS zone is created using "privatelink.database.windows.net" as its name, with one record pointing to the SQL Server instance. The 2 zones are forcibly created on the same private network.
After that, I cannot visit Kudu: 403 Forbidden.
I've tried separating them into 2 subnets, but Kudu still does not accept the request.
How can I resolve this problem? Thanks.