Azure App Service Deploy returns (403) Forbidden with IP restriction

I think the answer is incorrect, as you might face data exfiltration, and that's the reason Microsoft provides the feature to lock down the SCM portal (Kudu console). There is also a security issue with the Kudu portal, as it can display the secret of your Key Vault (if you use Key Vault), and you don't want someone in your organisation to access the Kudu portal, for example.

You have to follow this link https://docs.microsoft.com/en-us/azure/devops/organizations/security/allow-list-ip-url?view=azure-devops

It will provide you with the Azure DevOps IP range that you need to allow in the SCM access restriction.

Update: To make it work as expected and to use App Service Access Restriction (same for an Azure Function), you need to use the Service Tag "AzureCloud" and not the Azure DevOps IP range, as it's not enough. In the Azure Pipeline logs, you can see the blocked IP, so you can see that it's within the Service Tag "AzureCloud" in the Service Tags JSON file. It's not really clear in the MS docs, but the reason is that they struggled to define a proper IP range for Azure DevOps Pipelines, so they use IPs from the AzureCloud Service Tag. https://www.microsoft.com/en-us/download/details.aspx?id=56519
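The lookup described in the update above, as an added example that is not part of the original post: given the blocked IP from the pipeline log, it lists which Service Tags in the downloaded JSON cover it and counts how many IPv4 addresses an Allow rule on a tag admits. The sample data is constructed (documentation IP ranges, not real Azure prefixes) and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample in the layout of the Service Tags JSON download
# (values[].name and values[].properties.addressPrefixes). The prefixes are
# documentation ranges, not real Azure ranges.
SAMPLE_SERVICE_TAGS = json.loads("""
{
  "values": [
    {"name": "AzureCloud",
     "properties": {"addressPrefixes": ["203.0.113.0/24", "198.51.100.0/24", "2001:db8:1::/48"]}},
    {"name": "AzureCloud.westeurope",
     "properties": {"addressPrefixes": ["203.0.113.0/25"]}},
    {"name": "AzureDevOps",
     "properties": {"addressPrefixes": ["192.0.2.0/28"]}}
  ]
}
""")


def tags_containing(ip, service_tags):
    """Return (tag name, matching prefix) pairs covering ip, most specific first."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for tag in service_tags.get("values", []):
        for prefix in tag.get("properties", {}).get("addressPrefixes", []):
            net = ipaddress.ip_network(prefix, strict=False)
            # Only compare within one address family (IPv4 vs IPv6).
            if net.version == addr.version and addr in net:
                hits.append((tag["name"], prefix, net.prefixlen))
    hits.sort(key=lambda h: -h[2])
    return [(name, prefix) for name, prefix, _ in hits]


def ipv4_addresses_allowed(name, service_tags):
    """Count the IPv4 addresses one tag admits, i.e. how wide an Allow rule on it is."""
    nets = (ipaddress.ip_network(p, strict=False)
            for tag in service_tags.get("values", []) if tag["name"] == name
            for p in tag["properties"]["addressPrefixes"])
    return sum(n.num_addresses for n in nets if n.version == 4)


if __name__ == "__main__":
    blocked_ip = "203.0.113.77"  # constructed stand-in for the IP in the pipeline log
    for name, prefix in tags_containing(blocked_ip, SAMPLE_SERVICE_TAGS):
        print(f"{blocked_ip} is in {name} via {prefix}")
    print("AzureCloud IPv4 addresses:", ipv4_addresses_allowed("AzureCloud", SAMPLE_SERVICE_TAGS))
```

To run it against the real file, load the downloaded JSON with `json.load` and pass it in place of `SAMPLE_SERVICE_TAGS`.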


Try adding the application setting WEBSITE_WEBDEPLOY_USE_SCM with a value of false to your Azure App Service. This was able to solve my issues deploying to a private endpoint.


In my case I was deploying using Azure DevOps and got the error. It turned out the app service my API was being deployed to had the box "Same restrictions as xxxx.azurewebsites.net" checked under access restrictions or IP restrictions. You need to allow scm.azurewebsites.net.


The REST site scm.azurewebsites.net must have Allow All, i.e. no restriction. Also, Same restrictions as ***.azurewebsites.net should be unchecked.

It does not need additional restrictions because URL access already requires Microsoft credentials. If restrictions are added, the deploy will fail at the firewall, hence the many complications I encountered.
