9

When I run the release pipeline for an Azure App Service with a private endpoint, the below error happens: `Error: Failed to fetch Kudu App Settings. Error: Ip Forbidden (CODE: 403)`

Any suggestion?

1
  • Is your computer IP added to the whitelist? Do you have full access to the App Service? Is there anybody who has more rights? Commented Nov 15, 2020 at 19:02

4 Answers

7

The reason for this is that as soon as you add a private endpoint to your web app, all Internet traffic to this app is cut off. Since the Azure DevOps default build/release agents make use of a public outbound IP to call the web app to initiate the deployment, they can't access it anymore.

To resolve your issue, in Azure create a VM or a VM Scale Set in the same VNet as the private endpoint of your web app. Then add this scale set as a new agent pool. Finally, make sure that in the release pipeline settings the release is using this new agent pool.


2 Comments

Thank you. If the VM has public access to allow Azure DevOps to communicate with the VNet to deploy the App Service, wouldn't it defeat the purpose of having everything within the VNet private? Also, if access to the VNet is via APIM, should the Azure DevOps call to the VM be routed via APIM?
@PunterVicky - no, Azure DevOps does not call the VM. The agent running in the VM pulls work from Azure DevOps. So the VM does not have to have a public IP.
3

Another workaround is to deploy via green/blue deployment slots. While the production slot is connected via private endpoint, the second slot can be restricted to the IP address of your repo. After deploying your code to the secondary slot, do a swap.


1

I think you need to deploy some self-hosted agents.

From here: "For the Kudu console, or Kudu REST API (deployment with Azure DevOps self-hosted agents for example), you must create two records in your Azure DNS private zone or your custom DNS server."

These are automatically created if you use privatelink.azurewebsites.net. But that now means they are local, and the App Service is closed off from the internet, which blocks Microsoft's agents. So there is no line of sight, which means you need an agent that is hosted where it has line of sight to it again.

More about self-hosted agents can be found here, which talks about line of sight etc.

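A preflight check for the self-hosted agent described above, added here as an example and not code from the answer's author: run on the agent, it verifies that the app's Kudu (SCM) host name resolves through the private DNS zone to a private address rather than to the public endpoint that answers with `Ip Forbidden (CODE: 403)`. It assumes a glibc Linux agent (for `getent`), treats only RFC 1918 ranges as private, and `myapp-placeholder` is a constructed placeholder app name.

```shell
#!/usr/bin/env sh
# Preflight check for a self-hosted Azure DevOps agent in the VNet:
# does <app>.scm.azurewebsites.net resolve to a private IP (via the
# privatelink.azurewebsites.net zone)? If it still resolves to a public
# address, the deploy will hit the public Kudu endpoint and be rejected.

# Return 0 if a dotted-quad IPv4 address is in an RFC 1918 private range.
# Assumption: the private endpoint lives in RFC 1918 address space.
is_private_ip() {
  ip="$1"
  o1=${ip%%.*}; rest=${ip#*.}; o2=${rest%%.*}
  case "$o1" in
    10) return 0 ;;
    192) [ "$o2" = 168 ] && return 0 ;;
    172) [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 0 ;;
  esac
  return 1
}

# Resolve a host name to its first IPv4 address (glibc getent; assumption).
resolve_ipv4() {
  getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Print a verdict for the SCM endpoint; exit 0 only when it resolves
# to a private address, 1 when public, 2 when it does not resolve at all.
check_scm_dns() {
  host="$1.scm.azurewebsites.net"
  ip=$(resolve_ipv4 "$host")
  if [ -z "$ip" ]; then
    echo "FAIL: $host did not resolve; add the scm record to the private DNS zone"
    return 2
  fi
  if is_private_ip "$ip"; then
    echo "OK: $host -> $ip (private endpoint reachable from this VNet)"
    return 0
  fi
  echo "FAIL: $host -> $ip is public; this agent is not using the private zone"
  return 1
}

# Usage: ./scm-preflight.sh myapp-placeholder   (app name is a placeholder)
[ $# -gt 0 ] && check_scm_dns "$1"
```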

0

There is another option besides the one explained here in the comments. You can use blob storage and deploy from it. So you don't need to use a VM.
