I'm using an Application Gateway (WAF) to route all traffic to a Proxy Function App (Premium EP1). The function app in turn takes URLs like the following and directs them to their correct Web API. (I realise this is a feature of the Path Based Routing in App Gateway, but we also do header injection to provide the correct Tenant ID.)
domain.com/api1 -> api1.azurewebsites.net
domain.com/api2 -> api2.azurewebsites.net
domain.com/api3 -> api3.azurewebsites.net
This is slightly simplified, but it shows the point.
All 4 of the App Services/Function App are VNet integrated into their own Subnets, with serverFarms delegations on each, and Service Endpoints to Microsoft.Web. All 4 App Services also have Access Restrictions applied to only allow traffic from the Subnets.
For some reason though, traffic from the Proxies Function App is not getting through to the Web APIs due to Access Restrictions. When I whitelist the External IP addresses of the Function App to the App Services, the traffic is allowed through. This seems wrong to me, as I thought they would be using the private service endpoints which are whitelisted through the subnet?
Does anyone know if this is expected behaviour?