9
votes

In Azure, I turned on IP restrictions for:

  • Web App (Networking > Access Restrictions)
  • SQL server (Firewalls and virtual networks > Add client IP)
  • SQL database (Set server settings)

The solution still builds locally and in DevOps (aka Team Foundation Server).

However, Azure App Service Deploy now fails:

##[error]Failed to deploy App Service.
##[error]Error Code: ERROR_COULD_NOT_CONNECT_TO_REMOTESVC
More Information: Could not connect to the remote computer 
("MYSITENAME.scm.azurewebsites.net") using the specified process ("Web Management Service") because the server did not respond. Make sure that the process ("Web Management Service") is started on the remote computer.
Error: The remote server returned an error: (403) Forbidden.
Error count: 1.

How can I deploy through the firewall?

Do I need a Virtual Network to hide Azure resources behind my whitelisted IP?

5
Are you trying to deploy directly (from local) or from DevOps? I assume your local IP address is included in your IP whitelist? - Bryan Lewis
First, check into DevOps. Then, deploy automatically from DevOps. My local IP has been added to all whitelists - IP restrictions have been confirmed to be in effect by trying different IPs via VPN. - Alfred Wallace
Sorry, further clarification. Is DevOps in this case your own TFS server (on prem) or Azure DevOps? - Bryan Lewis
We use Azure DevOps. - Alfred Wallace
I just realized that the SQL server is set up with SQL Server Authentication - does it mean the SQL server doesn't actually need a firewall, only the Web App? - Alfred Wallace

5 Answers

27
votes

The REST site scm.azurewebsites.net must have Allow All, i.e. no restriction. Also, Same restrictions as ***.azurewebsites.net should be unchecked.

It does not need additional restriction because URL access already requires Microsoft credentials. If restrictions are added, the deploy will fail at the firewall, hence the many complications I encountered.

2
votes

In my case I was deploying using Azure DevOps and got the error. It turned out the app service my API was being deployed to had the box checked "Same restrictions as xxxx.azurewebsites.net" under access restrictions or IP restrictions. You need to allow scm.azurewebsites.net.

2
votes

I think the answer is incorrect, as you might face data exfiltration, and that's the reason Microsoft provides the feature to lock down the SCM portal (Kudu console). There is also a security issue on the Kudu portal, as it can display the secrets of your Key Vault (if you use Key Vault), and you don't want someone in your organisation to access the Kudu portal, for example.

You have to follow this link https://docs.microsoft.com/en-us/azure/devops/organizations/security/allow-list-ip-url?view=azure-devops

It will provide you the Azure DevOps IP range that you need to allow on the SCM access restriction.

Update: To make it work as expected and to use App Service Access Restriction (same for an Azure Function), you need to use the Service Tag "AzureCloud" and not the Azure DevOps IP range, as it's not enough. In the Azure Pipeline logs you can see the IP that was blocked, and you can see that it's within the Service Tag "AzureCloud" in the Service Tags JSON file. It's not really clear in the MS doc, but the reason is that they struggled to define a proper IP range for Azure DevOps Pipelines, so they use IPs from the AzureCloud Service Tag. https://www.microsoft.com/en-us/download/details.aspx?id=56519
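The check this answer describes, as an added example that is not part of the original answer: take the IP that the pipeline log reports as blocked and look it up in the Service Tags JSON download to see which tag(s) contain it, so you know whether allowing the AzureDevOps range alone would have been enough or whether AzureCloud is required. The JSON below is a constructed miniature of the real file with made-up (RFC 5737) prefixes; the function names are my own.

```python
import ipaddress
import json

# Constructed miniature of the "Azure IP Ranges and Service Tags" JSON.
# Real files list thousands of prefixes; these are documentation ranges
# chosen so that one address sits in AzureCloud but not in AzureDevOps.
SERVICE_TAGS_JSON = """
{
  "changeNumber": 1,
  "cloud": "Public",
  "values": [
    {"name": "AzureCloud",
     "properties": {"addressPrefixes": ["203.0.113.0/24", "198.51.100.0/24", "2001:db8::/32"]}},
    {"name": "AzureDevOps",
     "properties": {"addressPrefixes": ["198.51.100.0/24"]}}
  ]
}
"""


def load_service_tags(raw_json):
    """Parse a Service Tags JSON document into {tag_name: [ip_network, ...]}."""
    doc = json.loads(raw_json)
    tags = {}
    for entry in doc["values"]:
        prefixes = entry["properties"]["addressPrefixes"]
        tags[entry["name"]] = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return tags


def tags_for_ip(ip, tags):
    """Return the sorted names of every service tag whose prefixes contain `ip`.

    A v4 address is never "in" a v6 network (and vice versa), so mixed
    families are handled without special-casing.
    """
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, nets in tags.items() if any(addr in net for net in nets))


def smallest_tag_covering(ip, tags):
    """Pick the tag with the fewest total addresses that still contains `ip`,
    i.e. the narrowest allow rule that would admit this blocked agent."""
    matches = tags_for_ip(ip, tags)
    if not matches:
        return None
    return min(matches, key=lambda name: sum(net.num_addresses for net in tags[name]))


if __name__ == "__main__":
    tags = load_service_tags(SERVICE_TAGS_JSON)
    for blocked in ("203.0.113.45", "198.51.100.7", "192.0.2.1"):
        print(blocked, tags_for_ip(blocked, tags), smallest_tag_covering(blocked, tags))
```

An agent IP that resolves only to AzureCloud is exactly the case the answer describes: an allow rule built from the AzureDevOps range would still block it.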

1
votes

Try adding the application setting WEBSITE_WEBDEPLOY_USE_SCM with a value of false to your Azure App Service. This was able to solve my issues deploying to a private endpoint.

0
votes

In my case it was because the daily quota had been exceeded.

So the solution in this case is either to wait or to pay more (scale up the app service).
