Azure App Service Deploy returns (403) Forbidden with IP restriction

Tags:

azure

In Azure, I turned on IP restrictions for:

  • Web App (Networking > Access Restrictions)
  • SQL server (Firewalls and virtual networks > Add client IP)
  • SQL database (Set server settings)

The solution still builds locally and in DevOps (aka Team Foundation Server).

However, Azure App Service Deploy now fails:

##[error]Failed to deploy App Service.
##[error]Error Code: ERROR_COULD_NOT_CONNECT_TO_REMOTESVC
More Information: Could not connect to the remote computer 
("MYSITENAME.scm.azurewebsites.net") using the specified process ("Web Management Service") because the server did not respond. Make sure that the process ("Web Management Service") is started on the remote computer.
Error: The remote server returned an error: (403) Forbidden.
Error count: 1.

How can I deploy through the firewall?

Do I need a Virtual Network to hide Azure resources behind my whitelisted IP?

Alfred Wallace asked Apr 02 '19 14:04


5 Answers

I think the answer is incorrect, as you might face data exfiltration, and that's the reason Microsoft provides the feature to lock down the SCM portal (Kudu console). There is also a security issue on the Kudu portal, as it can display the secrets of your Key Vault (if you use Key Vault), and you don't want someone in your organisation to access the Kudu portal, for example.

You have to follow this link https://learn.microsoft.com/en-us/azure/devops/organizations/security/allow-list-ip-url?view=azure-devops

It will provide you the Azure DevOps IP range that you need to allow on the SCM access restriction.

Update: To make it work as expected and to use App Service Access Restriction (same for an Azure Function), you need to use the Service Tag "AzureCloud" and not the Azure DevOps IP range, as it's not enough. In the Azure Pipeline logs, you can see the IP that was blocked, and you can check that it's within the Service Tag "AzureCloud" in the Service Tags JSON file. It's not really clear in the MS docs, but the reason is that they struggled to define a proper IP range for Azure DevOps Pipelines, so they use IPs from the AzureCloud Service Tag. https://www.microsoft.com/en-us/download/details.aspx?id=56519

HoLengZai answered Oct 18 '22 03:10
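The check HoLengZai describes (take the blocked IP from the pipeline log and confirm which Service Tag it falls under) as a small script. This is an added example, not code from the thread or from Microsoft; the JSON is a constructed stand-in using documentation-range prefixes, assuming the real download's "values" / "properties.addressPrefixes" layout.

```python
import ipaddress
import json

# Constructed stand-in for the Service Tags JSON download. Assumption: the real
# file has the same shape (top-level "values", each with "name" and
# "properties.addressPrefixes"). Prefixes are RFC 5737 / RFC 3849 documentation
# ranges, not real Azure addresses.
SERVICE_TAGS_JSON = """
{
  "changeNumber": 1,
  "cloud": "Public",
  "values": [
    {"name": "AzureCloud",
     "properties": {"addressPrefixes": ["203.0.113.0/24", "2001:db8::/32"]}},
    {"name": "AzureDevOps",
     "properties": {"addressPrefixes": ["198.51.100.0/26"]}}
  ]
}
"""


def tags_covering(raw_json, ip):
    """Return the names of every service tag whose prefixes contain `ip`."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for entry in json.loads(raw_json)["values"]:
        for prefix in entry["properties"]["addressPrefixes"]:
            net = ipaddress.ip_network(prefix)
            # ip_address in ip_network is False across v4/v6, but be explicit.
            if addr.version == net.version and addr in net:
                hits.append(entry["name"])
                break  # one match per tag is enough
    return hits


def scm_rule_allows(raw_json, allowed_tags, blocked_ip):
    """True if at least one tag allowed on the SCM site covers the blocked IP.

    `allowed_tags` models the service-tag rules configured under Access
    Restrictions for MYSITENAME.scm.azurewebsites.net.
    """
    return any(tag in allowed_tags for tag in tags_covering(raw_json, blocked_ip))


if __name__ == "__main__":
    # Constructed sample: the IP a failed pipeline run reported as blocked.
    blocked = "203.0.113.7"
    print(blocked, "covered by:", tags_covering(SERVICE_TAGS_JSON, blocked))
    print("allowed with only AzureDevOps:",
          scm_rule_allows(SERVICE_TAGS_JSON, {"AzureDevOps"}, blocked))
    print("allowed with AzureCloud:",
          scm_rule_allows(SERVICE_TAGS_JSON, {"AzureCloud"}, blocked))
```

Run it against the real Service Tags JSON by loading the downloaded file into `tags_covering` in place of the constructed string; an IP covered by AzureCloud but not AzureDevOps is exactly the case the answer describes.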


The REST site scm.azurewebsites.net must have Allow All, i.e. no restriction. Also, Same restrictions as ***.azurewebsites.net should be unchecked.

It does not need additional restriction because url access already requires Microsoft credentials. If restrictions are added, deploy will fail the firewall, hence the many complications I encountered.

Alfred Wallace answered Oct 18 '22 02:10


In my case I was deploying using Azure DevOps and got the error. It turned out the app service where my API was being deployed to had the box "Same restrictions as xxxx.azurewebsites.net" checked, under access restrictions or IP restrictions. You need to allow scm.azurewebsites.net.

Johnny A answered Oct 18 '22 02:10


Try adding the application setting WEBSITE_WEBDEPLOY_USE_SCM with a value of false to your Azure App Service. This was able to solve my issues deploying to a private endpoint.

ToddWolf answered Oct 18 '22 02:10


In my case it was because the daily quota had been exceeded.

So the solution in this case is either to wait or to pay more (scale up the app service).

chelder answered Oct 18 '22 03:10