I have 2 app service plans in the same Azure region running 1 app each - web frontend on one, API on the other.
I want to use access restrictions on the API to only allow access from the front end app.
I set access restriction rules using all the outgoing IP addresses associated with the frontend app (I note that these are exactly the same as the outgoing IP addresses on the API app as well) however when the frontend app tries to contact the API I get an error:
403 forbidden 'The web app you have attempted to reach has blocked your access.'
The 2 apps can communicate as normal when the access restrictions are removed.
CodePudding user response:
I turned on diagnostic settings and ran a query on IP blocking by the app.
Turns out that the FE app is using an IPv6 address instead of the v4 addresses listed in the app properties.
This is because the app has a vnet integration set up connecting to a Subnet delegated to Webservice/serverfarm.
Azure does not make it obvious that using delegated subnets forces an integrated app to use IPv6 and there does not appear to be a way to discover what v6 addresses may be in use. MS forum response suggests any firewall rule for a web app attached to a delegated subnet should allow ALL IPv6 addresses (!!) as a way of working around the problem.
CodePudding user response:
You can control the IP address of outbound traffic from your FE web app by using regional VNet integration together with a virtual network NAT gateway to direct traffic through a static public IP address. Regional VNet integration is available on Standard, Premium, PremiumV2 and PremiumV3 App Service plans. To learn more about this setup, see NAT gateway integration.
Once you FE web app has a static IP you can use that on the API web app restriction in an ALLOW rule.