I have an Azure App Service which I've configured to use Azure Front Door. Public network access is disabled, and the Front Door service created a private endpoint as part of that setup.
I am unable to access the Log Stream (from the Azure Portal), with the console throwing an error that it cannot resolve the SCM domain:
GET https://myapp.scm.azurewebsites.net/api/logstream/ net::ERR_NAME_NOT_RESOLVED
I have also configured an Azure Pipeline, which fails to deploy for the same reason:
##[error]Error: Error: Failed to deploy web package to App Service. Error: getaddrinfo ENOTFOUND myapp.scm.azurewebsites.net myapp.scm.azurewebsites.net:443
I have created DNS entries under Azure Private DNS for privatelink.azurewebsites.net
, though it didn't appear to have an effect. I'll note that the IP im using here, is what appears as the "Inbound address" under my app service:
myapp A 10.0.1.XXX
myapp.scm A 10.0.1.XXX
The pipeline relies on a linux VM running a self-hosted agent, where I have also manually included these DNS entries in /etc/hosts
:
10.0.1.XXX myapp.azurewebsites.net
10.0.1.XXX myapp.scm.azurewebsites.net
With the manual host mapping, the agent server can resolve the domain, but instead throws an unreachable error:
##[error]Error: Error: Failed to deploy web package to App Service. Error: connect EHOSTUNREACH 10.0.1.XXX:443
This is largely expected, since there is no longer direct public access to the app service. My question is -- whats the correct way of resolving/setting this up?
In response to Ziyang Liu-MSFT:
- If you log in to your VM, can you access your app service from the Azure portal in this VM?
I see a 403 Forbidden when I attempt to reach the app:
$ curl -I myapp.com
-------------------------------------
HTTP/1.1 403 Forbidden
Date: Thu, 22 Feb 2024 16:18:45 GMT
Content-Type: text/html
Content-Length: 1261
Connection: close
Cache-Control: no-store
x-azure-ref: 20240222T161845Z-0xxxxxxxxx0x0xx0xxxxx00x000000000xxx00000000xxxx
X-Cache: CONFIG_NOCACHE
- Is your linux VM an Azure VM? If so, have you added it to your private endpoint?
Yes, it is an Azure VM. I have not added it to my private endpoint -- I can't actually access the private endpoint resource which Front Door created. When I do, it tells me:
You do not have authorization to access this resource.
Status Code: 401
Status Message: The access token is from the wrong issuer 'https://sts.windows.net/0x0x0x00-0000-0xxx-x0x0-xx0000x0xxx0/'. It must match the tenant 'https://sts.windows.net/00x00000-0x00-0x0x-x000-0xxxxxx0x00d/' associated with this subscription.
Update #1: My error was in trying to rely on the private endpoint created by Front Door. Instead, I created a second private endpoint on my app service and connected to the same VNET where my self-hosted deploy VM is located. I subsequently updated the local /etc/hosts
file and private azure DNS records with that new private endpoint IP. After this change, the pipeline was able to deploy successfully.
However, this still leaves me unable to access the Log Stream or Kudu app. How can I resolve this?
Update #2: This appears to be a DNS limitation. By updating the hosts file on my own local windows computer, to map the Kudu/SCM site to the new private endpoint IP i created, I am able to successfully access the Kudu app (https://myapp.scm.azurewebsites.net) and therefore the log stream. Surely there is a better way to address this than to have users manually update their local windows host file?