Best practice for a Private Endpoint-enabled Docker container App Service

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs.

Web App for Containers is a lightweight way to manage an app from a Docker image. Continuous Deployment (CD) is a common way to pull an updated Docker image from a container registry (such as Azure Container Registry or Docker Hub) into App Service automatically.
However, if the App Service has a Private Endpoint enabled, the webhook from the container registry is blocked with a 403, because public access to the App Service Kudu site (the Advanced Tools site) is blocked by default. And when the webhook event is sent to the App Service through the Private Endpoint instead, it fails with an IP forbidden error.
For this situation, this blog provides a workaround: allow the webhook IP to reach the App Service Kudu site over public access while all remaining traffic keeps going through the Private Endpoint. The resulting traffic flow is shown in the diagram below:
To implement the workaround, we first need to find the webhook IP and then allowlist it in the App Service inbound traffic rules. The two steps are illustrated in more detail below. For the Docker registry, we use Azure Container Registry (ACR) as the example.

Step 1: find the webhook IP that is blocked by the App Service Private Endpoint

Once continuous deployment is enabled for the App Service, a webhook is created automatically in the source ACR.
If the ACR webhook is blocked by the App Service Private Endpoint, we can read the forbidden IP from the response header (x-ms-forbidden-ip). Based on my test, the IP that sends the webhook is stable, so we only need to add one IP address in the following step.

Step 2: allow only the webhook IP to access the App Service Kudu site via public access

In the App Service, go to Networking -> Access Restrictions -> Allow public access.
  • For the main site, set the unmatched rule action to Deny; no rule needs to be added for the main site. This means public access is not allowed for the main site.
  • For the Advanced Tools site (Kudu site), keep the same configuration as the main site, but additionally add a rule that allows the webhook IP obtained in step 1.



Now Continuous Deployment should work as expected, and the webhook event can be delivered to the App Service Kudu site successfully.
  • Since Continuous Deployment uses basic auth, make sure Basic Auth is enabled for the App Service.
  • When using Docker Hub as the Docker registry, the forbidden IP from the webhook is not shown in Docker Hub, so users can contact Azure App Service support to get the forbidden IP(s) from the server side.
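The two steps above, as an added script that is not part of the original post: it parses the x-ms-forbidden-ip value out of a blocked delivery's 403 response headers, validates it, and prints the Azure CLI commands that restrict the main site and add the /32 allow rule to the Kudu (SCM) site only. The RG and APP placeholders, the sample 203.0.113.45 address, and the `--default-action` / `--scm-default-action` flags (present in recent Azure CLI releases; check `az webapp config access-restriction set --help`) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed placeholders: RG and APP
# (resource group / app name); the 203.0.113.45 address is constructed sample data.
set -eu

# Pull the blocked source address out of the raw 403 response headers that
# App Service returns when Access Restrictions reject a request; the header
# (x-ms-forbidden-ip) is the one the post reads from the webhook response.
forbidden_ip_from_headers() {
  tr -d '\r' | awk 'tolower($1) == "x-ms-forbidden-ip:" { print $2; exit }'
}

# Accept only a single well-formed IPv4 address: the value ends up in an
# Allow rule for the Kudu site, so a garbled value must never be applied.
is_ipv4() {
  printf '%s' "$1" | awk -F. 'NF == 4 {
      ok = 1
      for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) ok = 0
    } END { exit !ok }'
}

# Emit the Azure CLI commands for step 2: main and SCM (Kudu) sites both deny
# unmatched traffic, the SCM site gets its own rule set, and only the webhook
# /32 is allowed there. The --default-action flags assume a recent Azure CLI.
allow_rule_cmd() {
  rg="${RG:-<resource-group>}"; app="${APP:-<app-name>}"
  printf 'az webapp config access-restriction set -g %s -n %s --use-same-restrictions-for-scm-site false --default-action Deny --scm-default-action Deny\n' "$rg" "$app"
  printf 'az webapp config access-restriction add -g %s -n %s --scm-site true --rule-name acr-webhook --action Allow --ip-address %s/32 --priority 100\n' "$rg" "$app" "$1"
}

# Constructed sample of the headers a blocked webhook delivery receives.
sample_403_headers() {
  printf 'HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\nx-ms-forbidden-ip: 203.0.113.45\r\n\r\n'
}

main() {
  # In practice, feed in the captured response headers of the failed delivery
  # instead of the sample (the ACR webhook event log shows them).
  ip=$(sample_403_headers | forbidden_ip_from_headers)
  is_ipv4 "$ip" || { echo "no valid x-ms-forbidden-ip value found" >&2; exit 1; }
  allow_rule_cmd "$ip"
}

main
```

The script only prints the commands; run them once the extracted IP matches what the ACR webhook event reported.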
